Add a custom validation function
This article will show you how to create a policy that marks a specific method to be treated as a validation; this results in preZero suppressing some of the findings that would otherwise appear.
We will use the shiftleft-java-example repo to demonstrate this process. We want to mark the isAdmin method in AdminController.java so that preZero treats it as a validation, suppressing some of preZero's findings.
Creating the policy
In the source code, look at the
AdminController.javafile and make a note of the following pieces of information:- Package name
- Class name
- Method name
- Return type
- Parameter(s) accepted
Please note that you must express all types using the complete form (e.g., strings should be expressed as
java.lang.Stringand objects should be expressed asjava.lang.Object). You can express primitive types, such asint,float, andBoolean.IMPORT io.shiftleft/default
IMPORT io.shiftleft/defaultdict
### These methods are approved by AppSec ###
### TAG "CHECK" METHOD - This prefix indicates that the method is an approved validation method
### Pass the full name after -f using the below syntax
### Package name . Class name . Method name : Return type ( Argument type )
# Package name: io.shiftleft.controller
# Class name: AdminController
# Method name: isAdmin
# Return type: boolean
# Arguments: String (Expressed as java.lang.String in full form)
TAG "CHECK" METHOD -f "io.shiftleft.controller.AdminController.isAdmin:boolean(java.lang.String)"Validate, push, and assign your policy when invoking
sl analyze.