Thursday, 12 March 2009
Fortify Java Annotations
Fortify Java Annotations allow developers to give Fortify SCA hints about how their code works, which can prevent both false positives and false negatives. Like custom rules, annotations work by augmenting Fortify's model of the program with additional information, which allows for more accurate analysis.
Consider the following code, which loads the label for the password field of a login screen from a properties file, logs it, and returns the loaded string to its caller.
    private String loadPasswordLabel() {
        String passwordLabel = props.getProperty("passwordLabel");
        logger.info("Password label loaded: " + passwordLabel); // false positive!
        return passwordLabel;
    }

A rule built into the Fortify Secure Coding Rulepacks causes Fortify SCA to infer that the contents of the variable passwordLabel are sensitive because its name contains the string 'password'. That heuristic makes Fortify SCA report a privacy violation issue when the variable is written to the log, which here is a false positive: the value is a UI label, not a credential.
The code below demonstrates how Fortify Java Annotations can be used to eliminate this false positive:
    private String loadPasswordLabel() {
        @FortifyNotPassword String passwordLabel = props.getProperty("passwordLabel");
        logger.info("Password label loaded: " + passwordLabel); // no issue reported
        return passwordLabel;
    }

The @FortifyNotPassword annotation informs Fortify SCA that the variable to which it is applied does not contain a password, so the rulepack's name-based heuristic no longer applies to it.
As of Fortify 360 2.0 and the Q1-2009 update to the Fortify Secure Coding Rulepacks, Fortify SCA recognizes the following Fortify Java Annotations:
- Dataflow: Source, Sink, Passthrough, and Validation
- Field and Variable: Password, NotPassword, Private, NotPrivate, NonNegative, NonZero
- Other: Dangerous (Class, Method, Field, and Variable) and CheckReturnValue
A detailed sample that demonstrates the full capabilities of Fortify Java Annotations is available with supported versions of Fortify 360 and through the Premium Content section of the Customer Portal.
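The post's example only covers the false-positive side. The following is an added example, not code from the original post or from Fortify's own sample, showing how the Source, Passthrough, Validation and Sink families listed above would be used to close the false-negative side, where a wrapper over an unmodelled library silently drops taint. Only @FortifyNotPassword is named in the post; the other annotation names (@FortifyWebSource, @FortifyPassthrough, @FortifyXSSValidate, @FortifyXSSSink), the package com.fortify.annotations, whether each annotation goes on the method or on a parameter, and the CustomRequest interface are all assumptions made for illustration and should be checked against the annotated sample shipped with the product.

```java
// Added example, not from the original post or the Fortify sample application.
// Only @FortifyNotPassword is named in the post. The other annotation names,
// their targets (method vs. parameter) and the package import are ASSUMED
// stand-ins for the Source, Passthrough, Validation and Sink families the post
// lists; confirm the real identifiers against the sample shipped with Fortify 360.
import com.fortify.annotations.*;   // assumed package name

import java.util.Properties;
import java.util.logging.Logger;

public class AnnotatedLogin {

    /** Stand-in (assumed) for a third-party request class the rulepacks do not model. */
    public interface CustomRequest {
        String rawField(String name);
    }

    private static final Logger logger = Logger.getLogger(AnnotatedLogin.class.getName());
    private final Properties props;
    private final StringBuilder page = new StringBuilder();

    public AnnotatedLogin(Properties props) {
        this.props = props;
    }

    // --- False-positive side (the post's case) ---------------------------------

    /** A label is not a credential, so logging it must not be a Privacy Violation. */
    String loadPasswordLabel() {
        @FortifyNotPassword String passwordLabel = props.getProperty("passwordLabel");
        logger.info("Password label loaded: " + passwordLabel);
        return passwordLabel;
    }

    // --- False-negative side: dataflow hints -----------------------------------

    /**
     * Source (assumed name @FortifyWebSource): the return value is attacker
     * controlled. Without the hint SCA has no rule for CustomRequest and would
     * treat everything read through it as clean.
     */
    @FortifyWebSource
    String field(CustomRequest req, String name) {
        return req.rawField(name);
    }

    /**
     * Passthrough (assumed name @FortifyPassthrough): taint on 'value' survives
     * into the return value. In real code this would delegate to a library whose
     * bytecode SCA does not model, which is exactly where taint disappears and
     * real bugs go unreported; the body is inlined here so the example compiles.
     */
    String clip(@FortifyPassthrough String value, int max) {
        return value.length() <= max ? value : value.substring(0, max);
    }

    /**
     * Validation (assumed name @FortifyXSSValidate): whatever reaches the return
     * value is safe for the XSS sink category. Only annotate code that really
     * neutralises the attack class; a whitelist like this digits-only check is
     * the safe shape, and an over-broad validator hides true positives.
     */
    @FortifyXSSValidate
    String digitsOnly(String value) {
        if (!value.matches("[0-9]{1,16}")) {
            throw new IllegalArgumentException("expected a numeric id");
        }
        return value;
    }

    /** Sink (assumed name @FortifyXSSSink): the parameter must never be tainted. */
    void emitHtml(@FortifyXSSSink String fragment) {
        page.append(fragment);
    }

    void render(CustomRequest req) {
        String user = field(req, "user");                            // tainted (Source)
        emitHtml("<h1>" + clip(user, 32) + "</h1>");                 // reported: Passthrough keeps taint
        emitHtml("<p>id=" + digitsOnly(field(req, "id")) + "</p>");  // not reported: Validation
        emitHtml("<label>" + loadPasswordLabel() + "</label>");      // never tainted
    }
}
```

A validation annotation is a promise to the analyzer that a whole category of attack is neutralised past that point, so it deserves the same review as any other security control; the same goes for a passthrough, which is just as wrong if the wrapped library actually does sanitise its input.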
Helpful article. Would you please tell where the Fortify annotations are defined, and what jar(s) to include so that annotations like FortifyNotPassword, FortifyNotPrivate, etc. are recognized? Also, one concern is that our code may contain vendor-specific jars to facilitate accurate analysis by SCA.
Thanks