Friday, 4 November 2011

Common Pitfalls in Custom Rules -- constantValue and null


To get the most out of a static analysis scan, one of the important features is the ability to write custom rules. The Custom Rules Editor, available as part of HP Fortify Audit Workbench, contains wizards that generate template rules for many common rule types. These templates provide a great starting point for writing more complex custom rules to suit your organization's needs.

One of our latest updates to the wizard adds customizable structural rules for hardcoded, empty, and null passwords. These rules demonstrate one of the fine points of the structural language: the constantValue field. Understanding how the constantValue field works will greatly help you write your own custom structural rules from scratch.

Here is the generated rule for hardcoded passwords:

   FieldAccess fa: fa.field.name matches "password" and
       fa in [AssignmentStatement: lhs.location is fa and
               not rhs.constantValue.null and
               not rhs.constantValue is [Null: ] and
               not rhs.constantValue == ""] and
       fa.field is [Field f:]*

One of the most common points of confusion is the difference between not rhs.constantValue.null, not rhs.constantValue is [Null: ], and not rhs.constantValue == "". The structural type reference tells us that AssignmentStatement.rhs is an Expression, which in turn has the following structural property:

Name:        constantValue
Type:        Value
Description: The constant value of this expression. Will be null if this expression doesn't have a constant value or if SCA is unable to determine it.

With this definition in mind, let's look at each clause in turn and discuss what it means.

  1. First, let's look at constantValue.null. From the structural type definition above, we see that the constantValue field is null if the expression does not have a constant value. In other words, not rhs.constantValue.null matches an expression whose value is a constant.
  2. constantValue is [Null: ]. Again, according to the structural type reference, constantValue is of type Value, of which Null is a subtype. Null simply refers to "A null program value." Thus, not rhs.constantValue is [Null: ] simply means that the right-hand side is a non-null constant value.
  3. constantValue == "". This clause signifies that the value is a non-null empty string. Therefore, not rhs.constantValue == "" refers to an expression that is a non-empty constant string.

To summarize:

not rhs.constantValue.null means the right-hand side is a constant value,
not rhs.constantValue is [Null: ] means the right-hand side is non-null,
not rhs.constantValue == "" means the right-hand side is a non-empty string.
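As an added illustration (not from this post and not Fortify's own code), here is a small Python model of the three clauses over a hypothetical mini-AST. It shows why all three are needed: each clause excludes a different kind of right-hand side, and the "no constant value" case must be kept distinct from the null literal.

```python
"""Toy model of the three constantValue clauses from the hardcoded-password
rule. Hypothetical mini-AST, not Fortify code: it keeps the page's three-way
distinction (no constant value / the null literal / the empty string)."""
from dataclasses import dataclass
from typing import Optional, Union


class NullValue:
    """Models the `Null` subtype of Value: the program literal null."""
    def __repr__(self) -> str:
        return "Null"


NULL = NullValue()


@dataclass
class Assignment:
    """One AssignmentStatement. constant_value is None when the analyzer
    could not determine a constant (the `.null` case), NULL when the
    constant is the null literal, and a str for a string constant."""
    field_name: str
    source: str
    constant_value: Optional[Union[NullValue, str]]


def clause_results(a: Assignment):
    """(not rhs.constantValue.null, not ... is [Null: ], not ... == "")."""
    is_constant = a.constant_value is not None
    is_non_null = not isinstance(a.constant_value, NullValue)
    is_non_empty = a.constant_value != ""
    return (is_constant, is_non_null, is_non_empty)


def hardcoded_password(a: Assignment) -> bool:
    # The field-name test is simplified to a case-insensitive substring check.
    return "password" in a.field_name.lower() and all(clause_results(a))


# Constructed sample assignments standing in for Java statements.
SAMPLES = [
    Assignment("password", 'this.password = "hunter2";', "hunter2"),
    Assignment("password", "this.password = null;", NULL),
    Assignment("password", 'this.password = "";', ""),
    Assignment("password", 'this.password = cfg.get("pw");', None),
    Assignment("userName", 'this.userName = "admin";', "admin"),
]


def flagged_statements(samples=SAMPLES):
    """Return the source of every assignment the rule would report."""
    return [a.source for a in samples if hardcoded_password(a)]
```

Dropping any single clause lets one of the three non-reportable right-hand sides (unknown, null, or empty) through, which clause_results makes visible per sample.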
Posted by sarah at 8:00 AM in Fortify
