Skip to main content

Annotate .NET Code

You can add Veracode custom cleanser annotations to your .NET code to improve mitigations when using Veracode Static Analysis.

To complete this task:

  1. Download the Veracode custom cleanser DLL file from this URL and add it as a dependency of your project: https://tools.veracode.com/customcleanser/VeracodeAttributes.dll

    note

    The Veracode custom cleansers DLL is compatible with .NET 4.x and later. It is also available from NuGet: https://www.nuget.org/packages/VeracodeAttributes

  2. Add the VeracodeAttributes and start the build using either the Visual Studio Package Manager or the .NET CLI.

    • Open your project in Visual Studio 2012 or later.

      a. In Visual Studio, go to View > Other Windows > Package Manager Console and run this command:

        Install-Package VeracodeAttributes

      b. Build the project.

    • Use the .NET CLI.

      a. Add the package to the project with this command:

        dotnet add package VeracodeAttributes

      b. Build the project with this command:

        dotnet build

  3. When compiling, ensure your project links against VeracodeAttributes.dll.

  4. Identify the appropriate cleansers for your .NET source file:

    CleanserDescription
    Veracode.Attributes.CRLFCleanserAttributeAnnotates a method that mitigates CWE-93, -113, or -117.
    Veracode.Attributes.FilePathCleanserAttributeAnnotates a method that mitigates CWE-73.
    Veracode.Attributes.RedirectURLCleanserAttributeAnnotates a method that mitigates CWE-601.
    Veracode.Attributes.SQLQueryCleanserAttributeAnnotates a method that mitigates CWE-89.
    Veracode.Attributes.XSSCleanserAttributeAnnotates a method that mitigates CWE-80.

  5. If you want to add custom mitigation text to provide additional information, enter a comment with this syntax:

    [FilePathCleanser(UserComment = "{your custom text}")]

  6. Annotate your method with one or more custom cleanser annotations, depending on how the method validates or sanitizes the user-controlled data provided to it, and apply the cleanser method to user-controlled data to ensure it is validated or sanitized before use. For example:

    using Veracode.Attributes;

    public class SecurityUtil
    {
        [FilePathCleanser]
        public static String myProprietaryFilePathCleanser(String filename)
        {
            // Example file path validatation/sanitization implementation

            return myCleansedFilePath;
        }
    }

    // ...

    String validatedPath = SecurityUtil.myProprietaryFilePathCleanser(userProvidedFilename);
    FileStream fs = File.OpenRead(validatedPath);

Results

Mitigations from Veracode custom cleanser mitigations, including custom mitigation text when provided, appear in the Triage Flaws page, the Application page, and the PDF reports.