Add a Custom Validation Function

This article will show you how to create a policy that marks a specific method to be treated as a validation; this results in NG SAST suppressing some of the findings that would otherwise appear.

To demonstrate this process, we will use the shiftleft-java-example repo. We want to mark the isAdmin method in AdminController.java so that NG SAST treats it as a validation, suppressing some of NG SAST's findings.

Creating the Policy

  1. In the source code, look at the AdminController.java file and make a note of the following pieces of information:

    • Package name
    • Class name
    • Method name
    • Return type
    • Parameter(s) accepted

    Please note that you must express all types using the complete form (e.g., strings should be expressed as java.lang.String and objects should be expressed as java.lang.Object). You can express primitive types, such as int, float, and Boolean as-is.

  2. Create a new policy.

    IMPORT io.shiftleft/default
    IMPORT io.shiftleft/defaultdict
    ### These methods are approved by AppSec ###
    ### TAG "CHECK" METHOD - This prefix indicates that the method is an approved validation method
    ### Pass the full name after -f using the below syntax
    ### Package name . Class name . Method name : Return type ( Argument type )
    # Package name: io.shiftleft.controller
    # Class name: AdminController
    # Method name: isAdmin
    # Return type: boolean
    # Arguments: String (Expressed as java.lang.String in full form)
    TAG "CHECK" METHOD -f "io.shiftleft.controller.AdminController.isAdmin:boolean(java.lang.String)"
  3. Validate, push, and assign your policy when invoking sl analyze.