You can add Veracode custom cleanser annotations in your code to mitigate findings that the Veracode Static Analysis normally finds.
Security Leads can specify the default mitigation state for findings that arise when the data in the application has passed through custom cleanser functions.
Custom cleanser functions must be designed to consume non-validated or unmitigated data and return validated or mitigated data. Ensure all data paths that can reach the finding pass through your custom cleanser or an approved cleanser. If any unmitigated input reaches the finding, it is still reported.
Custom cleanser functions can facilitate how you manage your results by minimizing false positives and accelerating the review process. Sanitizing or cleansing user input to remove the risk of attack addresses many common security issues. Open-source and commercial cleansing functions exist, but many developers at large organizations implement their own enterprise cleansing libraries, which Veracode may not recognize.
These cleansing functions provide application security managers and their teams a safe way to avoid and fix security findings. For developers, using cleansing functions can lower noise in reports by reducing the number of findings that a development team needs to review.
If your custom cleanser implementation uses one of the Veracode supported cleansing functions, the function can assess the findings as reported and mitigated according to the custom cleanser settings. Otherwise, the Static Analysis would either not report the findings or would report them as fixed.
This table lists the supported Flaw classes and CWEs:
|File Path Injection||73|
Veracode recognizes that users may want to see the source code for these files because they are including them in their own software projects. Veracode has made the custom cleanser annotations open-source available on GitHub at: