Annotate .NET Code
You can add Veracode custom cleanser annotations to your .NET code to improve mitigations when using Veracode Static Analysis.
To complete this task:
Download the Veracode custom cleanser DLL file from https://tools.veracode.com/customcleanser/VeracodeAttributes.dll and add it as a dependency of your project.
Note: The Veracode custom cleanser DLL is compatible with .NET 4.x and later. It is also available from NuGet: https://www.nuget.org/packages/VeracodeAttributes
Add the VeracodeAttributes package and build the project using either the Visual Studio Package Manager Console or the .NET CLI.
Visual Studio: open your project in Visual Studio 2012 or later.
a. In Visual Studio, go to View > Other Windows > Package Manager Console and run this command:
   Install-Package VeracodeAttributes
b. Build the project.
.NET CLI:
a. Add the package to the project with this command:
   dotnet add package VeracodeAttributes
b. Build the project with this command:
   dotnet build
When compiling, ensure your project links against VeracodeAttributes.dll.
Identify the appropriate cleansers for your .NET source file:
Cleanser                                         Description
Veracode.Attributes.CRLFCleanserAttribute        Annotates a method that mitigates CWE-93, CWE-113, or CWE-117.
Veracode.Attributes.FilePathCleanserAttribute    Annotates a method that mitigates CWE-73.
Veracode.Attributes.RedirectURLCleanserAttribute Annotates a method that mitigates CWE-601.
Veracode.Attributes.SQLQueryCleanserAttribute    Annotates a method that mitigates CWE-89.
Veracode.Attributes.XSSCleanserAttribute         Annotates a method that mitigates CWE-80.
If you want to add custom mitigation text to provide additional information, enter a comment with this syntax:
[FilePathCleanser(UserComment = "{your custom text}")]
Annotate your method with one or more custom cleanser annotations, depending on how the method validates or sanitizes the user-controlled data provided to it, and apply the cleanser method to user-controlled data to ensure it is validated or sanitized before use. For example:
using System;
using System.IO;
using Veracode.Attributes;

public class SecurityUtil
{
    [FilePathCleanser]
    public static String myProprietaryFilePathCleanser(String filename)
    {
        // Example file path validation/sanitization implementation:
        // keep only the file name so the caller cannot supply directory
        // components and escape the intended folder (CWE-73).
        String myCleansedFilePath = Path.GetFileName(filename);
        if (String.IsNullOrEmpty(myCleansedFilePath))
        {
            throw new ArgumentException("Invalid file name", nameof(filename));
        }
        return myCleansedFilePath;
    }
}

// ...
// userProvidedFilename holds untrusted input; pass it through the cleanser before the file sink.
String validatedPath = SecurityUtil.myProprietaryFilePathCleanser(userProvidedFilename);
FileStream fs = File.OpenRead(validatedPath);
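The following added example (not Veracode's code or the original page's sample) shows several cleansers in one class, including the UserComment syntax described above, each wrapping the sanitization that its CWE calls for. It assumes the short attribute names [RedirectURLCleanser], [CRLFCleanser] and [XSSCleanser] follow the usual C# convention of dropping the Attribute suffix, as the page does for [FilePathCleanser]; the method names and the AccountPage class are constructed for illustration.

```csharp
using System;
using System.Net;
using Veracode.Attributes;

// Each cleanser is a small, single-purpose method; Veracode Static Analysis treats
// data that flows through it as mitigated for the CWE named by the attribute.
public static class InputCleansers
{
    // CWE-601: accept only site-local paths so a redirect cannot leave the application.
    [RedirectURLCleanser(UserComment = "Rejects absolute and protocol-relative URLs; only site-local paths pass.")]
    public static string SafeRedirectTarget(string target)
    {
        if (string.IsNullOrEmpty(target) || !target.StartsWith("/") || target.StartsWith("//"))
        {
            return "/"; // fall back to the application root
        }
        return target;
    }

    // CWE-93/113/117: remove CR and LF so untrusted text cannot forge extra log or header lines.
    [CRLFCleanser(UserComment = "Strips CR and LF before the value is logged or written to a header.")]
    public static string StripCrlf(string value)
    {
        return value == null ? string.Empty : value.Replace("\r", "").Replace("\n", "");
    }

    // CWE-80: HTML-encode before the value is rendered into a page.
    [XSSCleanser]
    public static string HtmlSafe(string value)
    {
        return WebUtility.HtmlEncode(value ?? string.Empty);
    }
}

// Constructed caller: every untrusted value passes through the matching cleanser
// before it reaches the sink (redirect, log line, HTML output).
public class AccountPage
{
    public string LogoutRedirect(string returnUrl) => InputCleansers.SafeRedirectTarget(returnUrl);

    public string LogoutLogLine(string userName) =>
        "logout user=" + InputCleansers.StripCrlf(userName);

    public string GreetingHtml(string displayName) =>
        "<p>Goodbye, " + InputCleansers.HtmlSafe(displayName) + "</p>";
}
```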
Results
Mitigations from Veracode custom cleansers, including custom mitigation text when provided, appear on the Triage Flaws page, on the Application page, and in the PDF reports.