
Annotate .NET code

You can add Veracode custom cleanser annotations to your .NET code to improve mitigations when using Veracode Static Analysis.

To complete this task:

  1. Download the Veracode custom cleanser DLL file from this URL and add it as a dependency of your project: https://tools.veracode.com/customcleanser/VeracodeAttributes.dll

    Note: The Veracode custom cleansers DLL is compatible with .NET 4.x and later. It is also available from NuGet: https://www.nuget.org/packages/VeracodeAttributes

  2. Add the VeracodeAttributes package and build the project, using either the Visual Studio Package Manager or the .NET CLI.

    • Open your project in Visual Studio 2012 or later.

      a. In Visual Studio, go to View > Other Windows > Package Manager Console and run this command:

      Install-Package VeracodeAttributes

      b. Build the project.

    • Use the .NET CLI.

      a. Add the package to the project with this command:

      dotnet add package VeracodeAttributes

      b. Build the project with this command:

      dotnet build

  3. When compiling, ensure your project links against VeracodeAttributes.dll.

  4. Identify the appropriate cleansers for your .NET source file:

    Cleanser                                          Description
    Veracode.Attributes.CRLFCleanserAttribute         Annotates a method that mitigates CWE-93, -113, or -117.
    Veracode.Attributes.FilePathCleanserAttribute     Annotates a method that mitigates CWE-73.
    Veracode.Attributes.RedirectURLCleanserAttribute  Annotates a method that mitigates CWE-601.
    Veracode.Attributes.SQLQueryCleanserAttribute     Annotates a method that mitigates CWE-89.
    Veracode.Attributes.XSSCleanserAttribute          Annotates a method that mitigates CWE-80.

  5. If you want to add custom mitigation text to provide additional information, set the UserComment named parameter on the attribute with this syntax:

    [FilePathCleanser(UserComment = "{your custom text}")]

  6. Annotate your method with one or more custom cleanser annotations, depending on how the method validates or sanitizes the user-controlled data provided to it, and call the cleanser method on user-controlled data so it is validated or sanitized before the data reaches the sensitive operation. For example:

    using System;
    using System.IO;
    using Veracode.Attributes;

    public class SecurityUtil
    {
        [FilePathCleanser]
        public static String myProprietaryFilePathCleanser(String filename)
        {
            // Example (placeholder) file path validation/sanitization implementation:
            // keep only the file name component so that directory traversal
            // sequences cannot reach outside the intended directory.
            String myCleansedFilePath = Path.GetFileName(filename);

            return myCleansedFilePath;
        }
    }

    // ...

    // The scanner sees the annotated cleanser on the path before the file sink,
    // so the CWE-73 finding on File.OpenRead is reported as mitigated.
    String validatedPath = SecurityUtil.myProprietaryFilePathCleanser(userProvidedFilename);
    FileStream fs = File.OpenRead(validatedPath);
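A fuller illustration of the pattern in step 6, added here as an example and not taken from the Veracode documentation or the VeracodeAttributes package: it shows two annotated cleansers with custom mitigation text and the call sites that route user-controlled input through them before the sensitive sink. It assumes the attribute class names listed in step 4 and, for CRLFCleanser, the same UserComment named parameter that step 5 shows for FilePathCleanser. The upload root directory, the Program class and the sample inputs are constructed for the example.

```csharp
// Added example: annotated cleansers with custom mitigation text.
// Not part of the Veracode documentation; names and sample values are constructed.
using System;
using System.IO;
using Veracode.Attributes;

public static class Cleansers
{
    // Constructed base directory; a real application would take this from configuration.
    private static readonly string UploadRoot = Path.GetFullPath("/srv/app/uploads");

    // Mitigates CWE-73 (external control of file name or path): the returned path
    // is canonical and guaranteed to lie inside UploadRoot, so "../" cannot escape it.
    [FilePathCleanser(UserComment = "Canonicalizes the path and rejects anything outside the upload root")]
    public static string ToSafeUploadPath(string userSupplied)
    {
        if (string.IsNullOrWhiteSpace(userSupplied))
            throw new ArgumentException("empty path", nameof(userSupplied));

        // Combine, then canonicalize so ".." segments and redundant separators are resolved.
        string candidate = Path.GetFullPath(Path.Combine(UploadRoot, userSupplied));

        // Containment check: the canonical path must start with the root plus a separator,
        // which also stops sibling directories such as "/srv/app/uploads2" from matching.
        string rootWithSep = UploadRoot.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        if (!candidate.StartsWith(rootWithSep, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("path escapes the upload root");

        return candidate;
    }

    // Mitigates CWE-117 (log injection) and CWE-93/-113 (CRLF in headers): CR and LF
    // are replaced with visible escapes so one value cannot forge additional lines.
    // UserComment on CRLFCleanser is assumed to behave as on FilePathCleanser.
    [CRLFCleanser(UserComment = "Replaces CR and LF with visible escapes before logging")]
    public static string ToSingleLine(string userSupplied)
    {
        if (userSupplied == null) return string.Empty;
        return userSupplied.Replace("\r", "\\r").Replace("\n", "\\n");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs standing in for request parameters.
        string[] fileNames = { "report.txt", "../../etc/passwd" };
        string userName = "alice\r\nINFO admin logged in";

        foreach (string name in fileNames)
        {
            try
            {
                // The cleanser runs before the file sink, so Static Analysis reports
                // the CWE-73 finding on the sink below as mitigated.
                string safe = Cleansers.ToSafeUploadPath(name);
                Console.WriteLine($"would open: {safe}");
                // using FileStream fs = File.OpenRead(safe);  // the actual sink
            }
            catch (UnauthorizedAccessException ex)
            {
                Console.WriteLine($"rejected '{name}': {ex.Message}");
            }
        }

        // The cleansed value occupies exactly one log line.
        Console.WriteLine($"LOGIN user={Cleansers.ToSingleLine(userName)}");
    }
}
```

Running this prints the canonical path for report.txt, rejects the traversal attempt, and writes the login entry as a single line. The containment check compares against the root plus a trailing separator on purpose: a plain prefix match would accept a sibling directory whose name merely begins with the root's name.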

Results

Mitigations from Veracode custom cleansers, including custom mitigation text when provided, appear in the Triage Flaws page, the Application page, and the PDF reports.