09-02-2013 09:19 AM
I'm running HP Fortify 5.16 and I'm writing some custom rules. The problem I'm facing is that custom rules are not language-specific. If I create a custom rule that matches SQL Injection, for instance, this rule is presented whether I'm running a Java project or a .NET project.
Do you know how to make this custom description language-specific? It seems like the match is performed by category and the language is ignored, because the description below appears when both projects (.NET and Java) are scanned.
I would expect this custom description to be displayed just for .NET, because I used the language attribute (see the rule below).
Note that I'm using the language attribute, but it seems to be ignored. This is an example of the custom rule; note that I used the language attribute:
<?xml version="1.0" encoding="UTF-8"?>
<!-- The RulePack root, the Tips container and the closing tags were added here so the
     snippet is well-formed XML; the original post was cut off after the last Tip. -->
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
<Name>Secure Coding Rules, Core, .NET</Name>
<Description><![CDATA[Secure Coding Rules, Core, .NET]]></Description>
<Rules version="3.16" language="dotnet">
<CustomDescriptionRule formatVersion="3.16" language="dotnet">
<Description formatVersion="3.16" language="dotnet">
<Explanation><![CDATA[SQL Injection custom rule
Hi There!, this is a .NET custom description!]]></Explanation>
<Tips>
<Tip><![CDATA[Validate all input:]]></Tip>
<Tip><![CDATA[ this is another Tip]]></Tip>
<Tip><![CDATA[<a href="http://www.google.com">link</a> <h1> header </h1> text]]></Tip>
</Tips>
</Description>
</CustomDescriptionRule>
</Rules>
</RulePack>
I appreciate your help!