Use Case: Excluding Vulnerabilities with a Sanitization Function

Developers often include sanitization functions in their application source code to neutralise user input before it reaches a sink such as a SQL query, guarding against common attacks such as SQL Injection (SQLi). If your code uses such functions, you will want ShiftLeft to ignore vulnerabilities whose dataflow passes through a sanitization function when it analyzes your application. Note that tagging a function this way tells ShiftLeft to trust it unconditionally: every flow through it is suppressed, so only tag functions you have verified actually neutralise the input for the sink in question.

The process is:

For additional information, refer to the articles:

Specifying the Policy

Add the following directives to the new Policy file:

IMPORT io.shiftleft/default
IMPORT io.shiftleft/defaultdict
TAG "CHECK" METHOD -f "javax.servlet.http.HttpServletRequest.setAttribute:void(java.lang.String,java.lang.Object)"

where the quoted value is the full method signature of your sanitization function, written as <package>.<Class>.<method>:<returnType>(<parameterTypes>). The javax.servlet.http.HttpServletRequest.setAttribute signature above is only a placeholder; replace it with the signature of the function your code actually uses.

The TAG line instructs ShiftLeft to tag every method whose signature matches the value given with the -f option as CHECK. Dataflows that pass through a CHECK-tagged method are treated as sanitized, so ShiftLeft no longer reports them as vulnerabilities.
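To show how the signature is derived from real code, here is an added example that is not part of the ShiftLeft documentation: a hypothetical servlet helper with an allow-list sanitizer for an ORDER BY column (a value that cannot be bound as a JDBC parameter, so it has to be concatenated into the query), together with the policy directive that would tag that sanitizer as a CHECK. The package, class and method names are invented, the servlet API is assumed to be on the classpath, and the signature format is taken from the page's own setAttribute example.

```java
// Added example, not from the ShiftLeft documentation: a hypothetical sanitizer
// and the policy directive that would tag it as a CHECK. Class and method names
// are invented; the signature format follows the page's setAttribute example.
package com.example.web;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

public final class UserQueries {

    // ORDER BY columns cannot be bound as JDBC parameters, so the sort key is
    // concatenated into the SQL text. The only safe way to do that is a strict
    // allow-list: the request value is compared against known column names and
    // rejected otherwise, so no attacker-controlled bytes reach the query.
    private static final Set<String> SORT_COLUMNS = Set.of("name", "created_at", "email");

    public static String sanitizeSortColumn(String raw) {
        if (raw == null || !SORT_COLUMNS.contains(raw)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return raw;   // one of the literals above, never arbitrary input
    }

    // Without a policy, the getParameter -> sanitizeSortColumn -> executeQuery
    // flow below is reported as SQL injection. The directive that suppresses it,
    // written in the same <package>.<Class>.<method>:<returnType>(<paramTypes>)
    // form as the page's example:
    //
    //   IMPORT io.shiftleft/default
    //   IMPORT io.shiftleft/defaultdict
    //   TAG "CHECK" METHOD -f "com.example.web.UserQueries.sanitizeSortColumn:java.lang.String(java.lang.String)"
    //
    // The tag asserts that this method neutralises its input; tag only methods
    // that really do, otherwise genuine findings disappear from the report.
    public static String firstUserName(Connection conn, HttpServletRequest req) throws SQLException {
        String sortBy = sanitizeSortColumn(req.getParameter("sort"));
        String tenant = req.getParameter("tenant");

        // Anything that can be bound stays bound; only the allow-listed column
        // name is concatenated into the statement text.
        String sql = "SELECT name FROM users WHERE tenant = ? ORDER BY " + sortBy + " LIMIT 1";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, tenant);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : null;
            }
        }
    }
}
```

The policy line in the comment is what you would place in the Policy file for this class: the return type and parameter types are the fully qualified Java type names, and the method name is separated from the class by a dot and from the return type by a colon, exactly as in the setAttribute signature above. The tenant value is still passed as a bound parameter; the CHECK tag only covers the one value that genuinely cannot be parameterised.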