Annotate .NET Code

You can add Veracode custom cleanser annotations to your .NET code to improve mitigations when using Veracode Static Analysis.

Steps

  1. Download the Veracode custom cleanser DLL file from this URL and add it as a dependency of your project: https://tools.veracode.com/customcleanser/VeracodeAttributes.dll

    Note: The Veracode custom cleanser DLL is compatible with .NET 4.x and later. It is also available from NuGet: https://www.nuget.org/packages/VeracodeAttributes

  2. Add the VeracodeAttributes package and build the project using either the Visual Studio Package Manager Console or the .NET CLI.

    • Open your project in Visual Studio 2012 or later.

      a. In Visual Studio, go to View > Other Windows > Package Manager Console and run this command:

      Install-Package VeracodeAttributes
      

      b. Build the project.

    • Use the .NET CLI.

      a. Add the package to the project with this command:

      dotnet add package VeracodeAttributes
      

      b. Build the project with this command:

      dotnet build
      
  3. When compiling, ensure your project links against VeracodeAttributes.dll.

  4. Identify the appropriate cleansers for your .NET source file:

    Cleanser                                           Description
    Veracode.Attributes.CRLFCleanserAttribute          Annotates a method that mitigates CWE-93, CWE-113, or CWE-117.
    Veracode.Attributes.FilePathCleanserAttribute      Annotates a method that mitigates CWE-73.
    Veracode.Attributes.RedirectURLCleanserAttribute   Annotates a method that mitigates CWE-601.
    Veracode.Attributes.SQLQueryCleanserAttribute      Annotates a method that mitigates CWE-89.
    Veracode.Attributes.XSSCleanserAttribute           Annotates a method that mitigates CWE-80.

  5. If you want to add custom mitigation text to provide additional information, enter a comment with this syntax:

    [FilePathCleanser(UserComment = "{your custom text}")]
    
  6. Annotate your method with one or more custom cleanser attributes, depending on how the method validates or sanitizes the user-controlled data passed to it, and call the cleanser method on user-controlled data so that it is validated or sanitized before use. For example:

    using System;
    using System.IO;
    using Veracode.Attributes;
    
    public class SecurityUtil
    {
        [FilePathCleanser]
        public static String myProprietaryFilePathCleanser(String filename)
        {
            // Example file path validation/sanitization implementation:
            // keep only the file name component so the caller cannot supply
            // directory separators or ".." segments, and reject empty results.
            String myCleansedFilePath = Path.GetFileName(filename ?? String.Empty);
            if (String.IsNullOrEmpty(myCleansedFilePath))
            {
                throw new ArgumentException("Invalid file name", nameof(filename));
            }
    
            return myCleansedFilePath;
        }
    }
    
    // ...
    
    String validatedPath = SecurityUtil.myProprietaryFilePathCleanser(userProvidedFilename);
    FileStream fs = File.OpenRead(validatedPath);
    

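The following is an added example, not code from the Veracode documentation, that carries steps 4 through 6 a bit further than the single FilePathCleanser method above: one class annotates three methods with the CRLF, XSS, and redirect cleanser attributes from the table in step 4 and supplies the UserComment text from step 5 on each. It assumes the VeracodeAttributes package is referenced, that the UserComment property shown for FilePathCleanser is available on the other attributes as well, and that the class and method names (InputCleansers, ForLog, ForHtml, ForRedirect) are hypothetical; the sample inputs in Main are constructed for the demonstration.

```csharp
// Added example (not from the Veracode documentation). Assumes the
// VeracodeAttributes package is referenced and that every cleanser attribute
// exposes the UserComment property shown for FilePathCleanser in step 5.
using System;
using System.Net;
using System.Text;
using Veracode.Attributes;

public static class InputCleansers
{
    // CWE-117 (log injection): replace control characters, including CR and LF,
    // so a request field cannot introduce extra lines into a log file.
    [CRLFCleanser(UserComment = "Replaces CR/LF and other control characters before logging")]
    public static string ForLog(string value)
    {
        if (value == null) return string.Empty;
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            sb.Append(char.IsControl(c) ? '_' : c);
        }
        return sb.ToString();
    }

    // CWE-80 (XSS): HTML-encode before the value is written into an HTML response body.
    [XSSCleanser(UserComment = "HTML-encodes the value with WebUtility.HtmlEncode")]
    public static string ForHtml(string value)
    {
        return WebUtility.HtmlEncode(value ?? string.Empty);
    }

    // CWE-601 (open redirect): accept only a site-relative path, so the redirect
    // target can never point at another host. Absolute URLs, protocol-relative
    // forms ("//host/...") and backslash variants all fall back to "/".
    [RedirectURLCleanser(UserComment = "Accepts only site-relative paths; anything else becomes /")]
    public static string ForRedirect(string target)
    {
        if (string.IsNullOrEmpty(target)) return "/";
        if (!target.StartsWith("/", StringComparison.Ordinal)) return "/";
        if (target.StartsWith("//", StringComparison.Ordinal)) return "/";
        if (target.Contains("\\")) return "/";
        return target;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample inputs of the kind each cleanser is expected to handle.
        string userName = "alice\r\nINFO: login succeeded for admin";
        string comment = "<script>alert(1)</script>";
        string returnUrl = "//other-host.example/path";

        Console.WriteLine(InputCleansers.ForLog(userName));
        Console.WriteLine(InputCleansers.ForHtml(comment));
        Console.WriteLine(InputCleansers.ForRedirect(returnUrl));
    }
}
```

Each annotated method is the single place where the corresponding class of user-controlled data is cleansed, which is what lets Static Analysis credit the mitigation on every data flow that passes through it; the UserComment text is what reviewers will see next to that mitigation in the Triage Flaws page and reports.
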
Results

Mitigations from Veracode custom cleanser annotations, including custom mitigation text when provided, appear in the Triage Flaws page, the Application page, and the PDF reports.