Tuesday, 24 March 2009
More on Annotations...
In addition to their other capabilities, Fortify Java Annotations can be used to identify new vulnerabilities in code. For example, the following code writes sensitive user information to a log file, but Fortify SCA cannot report a warning out of the box because it has no knowledge of the sensitivity of the data in question.
String query = "Select credentialA, keyB, elementC from userTable where userid = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setInt(1, userid);
ResultSet results = pstmt.executeQuery();
// extract data from the ResultSet
while (results.next()) {
    String credentialA = results.getString(1);
    int keyB = results.getInt(2);
    Blob elementC = results.getBlob(3);
    String stringBlobRepresentation = new String(elementC.getBytes(1, (int) elementC.length()));
    logger.info("Retrieved info for user " + userid + ": " + stringBlobRepresentation);
}

This code snippet queries the application's database through a Java PreparedStatement to retrieve information about the user identified by userid. The userTable table contains a sensitive column, elementC, that must never be handled in an insecure way. As part of a debugging effort, a developer has logged elementC to disk, thus compromising the sensitive information it contains.
By adding the @FortifyPrivate annotation to the code above, a developer can tell Fortify that elementC is sensitive and allow Fortify SCA to identify dangerous uses of this variable.
String query = "Select credentialA, keyB, elementC from userTable where userid = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setInt(1, userid);
ResultSet results = pstmt.executeQuery();
// extract data from the ResultSet
while (results.next()) {
    String credentialA = results.getString(1);
    int keyB = results.getInt(2);
    @FortifyPrivate Blob elementC = results.getBlob(3);
    String stringBlobRepresentation = new String(elementC.getBytes(1, (int) elementC.length()));
    logger.info("Retrieved info for user " + userid + ": " + stringBlobRepresentation);
}

Fortify SCA now reports the privacy violation that occurs when elementC is logged.
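As an added example (not code from the original post or from Fortify's own annotation sample), the retrieval above rewritten as a complete class: elementC is marked @FortifyPrivate both on the local Blob and on the field that stores it, the original debugging line is kept only as a comment to show what SCA flags, and the live log statement records the user id without the sensitive column. The import path com.fortify.annotations.FortifyPrivate is an assumption (the post does not show it); the UserRecordDao and UserRecord names and the java.util.logging logger are constructed for illustration.

```java
import java.sql.Blob;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.logging.Logger;

// Assumption: the annotation is provided by the Fortify annotations jar under this package.
import com.fortify.annotations.FortifyPrivate;

public class UserRecordDao {
    private static final Logger logger = Logger.getLogger(UserRecordDao.class.getName());

    /** Constructed holder for one row of userTable. */
    public static final class UserRecord {
        public final String credentialA;
        public final int keyB;
        // Field-level annotation: every later use of elementC is tracked as sensitive.
        @FortifyPrivate
        public final byte[] elementC;

        UserRecord(String credentialA, int keyB, byte[] elementC) {
            this.credentialA = credentialA;
            this.keyB = keyB;
            this.elementC = elementC;
        }
    }

    /** Loads the row for userid, or returns null when no such user exists. */
    public UserRecord load(Connection connection, int userid) throws SQLException {
        String query = "Select credentialA, keyB, elementC from userTable where userid = ?";
        try (PreparedStatement pstmt = connection.prepareStatement(query)) {
            pstmt.setInt(1, userid);
            try (ResultSet results = pstmt.executeQuery()) {
                if (!results.next()) {
                    return null;
                }
                String credentialA = results.getString(1);
                int keyB = results.getInt(2);
                // Variable-level annotation, as in the post: SCA now knows this value is sensitive.
                @FortifyPrivate Blob elementC = results.getBlob(3);
                byte[] elementBytes = elementC.getBytes(1, (int) elementC.length());

                // The original debugging statement. With the annotation in place SCA reports a
                // privacy violation here, so it is left out of the compiled code:
                // logger.info("Retrieved info for user " + userid + ": " + new String(elementBytes));

                // Hardened debugging line: only the non-sensitive identifier reaches the log.
                logger.info("Retrieved info for user " + userid + " (elementC redacted)");
                return new UserRecord(credentialA, keyB, elementBytes);
            }
        }
    }
}
```

Annotating the field as well as the local variable matters because the sensitive bytes outlive the method: a later log or toString() on UserRecord.elementC is caught by the same rule, whereas the local-only annotation in the post stops tracking at the end of the loop body.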
As we mentioned in a previous post, Fortify 360 2.0 and the Q1-2009 update to the Fortify Secure Coding Rulepacks now recognize the following Fortify Java Annotations:
- Dataflow: Source, Sink, Passthrough, and Validation
- Field and Variable: Password, NotPassword, Private, NotPrivate, NonNegative, and NonZero
- Other: Dangerous (Class, Method, Field, and Variable) and CheckReturnValue
A detailed sample that demonstrates the full capabilities of Fortify Java Annotations is available with supported versions of Fortify 360 and through the Premium Content section of the Customer Portal.