Qwiet offers a variation of the default policy with sensitive data dictionary that includes best practices. With this policy, Qwiet shows findings that are violations of best practices in addition to attacker-reachable findings.
For example, one such finding might be a SQL injection vulnerability involving a string append operation that isn't attacker reachable. Another might involve code that dynamically generates SQL statements. These findings would be shown in the Qwiet Dashboard and flagged as
To use this policy, modify your invocation of sl analyze to include the --policy flag and the name of the policy as follows:
sl analyze --policy io.shiftleft/defaultWithDictAndBestPractices --app yourAppName ...
The use of this policy will likely increase the number of findings for your app, and it may slow down analysis.