I have two questions regarding Fortify.
1 - Let's say I have a Windows Forms app which asks for a username and password, and the name of the textbox for the password is texboxPassword. So in the designer file you have the following, generated by the designer:
    //
    // texboxPassword
    //
    this.texboxPassword.Location = new System.Drawing.Point(16, 163);
    this.texboxPassword.Name = "texboxPassword";
    this.texboxPassword.Size = new System.Drawing.Size(200, 73);
    this.texboxPassword.TabIndex = 3;
Fortify marks this as a "Password in Comment" issue. How can I suppress this by creating a custom rule? I don't want to suppress the whole issue, because I still would like to catch certain patterns (such as "password" followed by "=" or ":" in comments), but the blanket search, where any line that contains "password" is flagged, is creating so many false positives. I looked into creating a structural rule but could not figure out how to remove the associated tag (where can I find the tag for "Password in Comment" anyway?).
2 - Let's say I have a custom UI control. This control HTML-encodes everything, and in my context that is good enough to avoid XSS. Needless to say, it is being flagged by Fortify. How can I suppress XSS when I have a certain control type in my UI and all of its methods are safe for XSS (they sanitize) in my context? I have tried a DataflowCleanseRule (with a Label, just to test the concept) and wanted to mark get_Text() and set_Text() as sanitizer functions, but it did not make a difference and Fortify still flagged it for XSS:
    <DataflowCleanseRule formatVersion="3.16" language="dotnet">
      <RuleID>0D495522-BA81-440E-B191-48A67D9092BE</RuleID>
      <TaintFlags>+VALIDATED_CROSS_SITE_SCRIPTING_REFLECTED,+VALIDATED_CROSS_SITE_SCRIPTING_PERSISTENT,+VALIDATED_CROSS_SITE_SCRIPTING_DOM,+VALIDATED_CROSS_SITE_SCRIPTING_POOR_VALIDATION</TaintFlags>
      <FunctionIdentifier>
        <NamespaceName>
          <Pattern>System.Web.UI.WebControls</Pattern>
        </NamespaceName>
        <ClassName>
          <Pattern>Label</Pattern>
        </ClassName>
        <FunctionName>
          <Pattern>_Text</Pattern>
        </FunctionName>
        <ApplyTo implements="true" overrides="true" extends="true"/>
      </FunctionIdentifier>
      <OutArguments>return</OutArguments>
    </DataflowCleanseRule>
Thank you in advance for your help.
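The narrower check the first question asks for, as an added illustration that is not part of the original post and not Fortify's own rule logic: a small comment scanner that only flags "password" when it is followed by "=" or ":" and a value, so that designer-generated marker comments such as "// texboxPassword" are no longer reported. The sample C# lines are constructed for the example; the scanner handles "//" line comments and single-line "/* */" block comments and is a heuristic, not a real parser (a "//" inside a string literal would be treated as a comment).

```python
import re

# Constructed sample C# lines (not from the original post): the designer-generated
# marker comment that causes the false positive, plus comments that really leak a value.
SAMPLE_LINES = [
    "//",
    "// texboxPassword",
    "//",
    'this.texboxPassword.Name = "texboxPassword";',
    "// TODO: password = hunter2 until the vault is wired up",
    "/* default admin password: Admin123! */",
    "// passwordHash is compared in constant time below",
    "// Password for the test account: P@ssw0rd",
]

# Pull the comment text out of a line: either everything after // or the inside
# of a single-line /* ... */ block. Heuristic only; string literals are not parsed.
COMMENT_RE = re.compile(r"//(?P<line>.*)|/\*(?P<block>.*?)\*/")

# The blanket check: any occurrence of "password" inside a comment.
BROAD_RE = re.compile(r"password", re.IGNORECASE)

# The narrowed check: the whole word "password" (so texboxPassword and passwordHash
# do not match), at most 40 characters of filler, then "=" or ":" and a non-empty value.
PASSWORD_ASSIGNMENT_RE = re.compile(
    r"\bpassword\b[^=:\n]{0,40}[=:]\s*(?P<value>\S+)", re.IGNORECASE
)


def comment_text(line):
    """Return the comment portion of a source line, or None if it has no comment."""
    m = COMMENT_RE.search(line)
    if m is None:
        return None
    return m.group("line") if m.group("line") is not None else m.group("block")


def scan_comments(lines, pattern):
    """Return (1-based line number, match object) for every comment the pattern matches."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        comment = comment_text(line)
        if comment is None:
            continue
        m = pattern.search(comment)
        if m:
            hits.append((lineno, m))
    return hits


def broad_hits(lines=SAMPLE_LINES):
    """Line numbers the blanket 'contains password' check would report."""
    return [lineno for lineno, _ in scan_comments(lines, BROAD_RE)]


def narrow_hits(lines=SAMPLE_LINES):
    """(line number, captured value) pairs for comments that look like a real credential."""
    return [(lineno, m.group("value"))
            for lineno, m in scan_comments(lines, PASSWORD_ASSIGNMENT_RE)]


if __name__ == "__main__":
    print("broad :", broad_hits())
    print("narrow:", narrow_hits())
    for lineno, value in narrow_hits():
        print(f"line {lineno}: credential-looking comment, value={value!r}")
```

On the constructed input the broad check reports five lines, including the designer marker and the harmless passwordHash comment, while the narrowed check reports only the three comments that carry an actual value. The same distinction (whole-word match plus a following "=" or ":") is what a custom rule or an audit filter would need to encode to keep the real findings and drop the designer noise.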