Improving Security Analysis

The CxSAST web interface comes with an extensive list of pre-configured queries to identify known security vulnerabilities in source code using the standard code libraries of each programming language. However, if your code project includes less common libraries or custom code elements, CxSAST may not identify all vulnerabilities and/or may point out false-positive vulnerabilities.

You can use CxAudit to teach CxSAST's queries how to recognize these elements. The Cx queries structure allows you to easily teach multiple high-level queries to recognize code elements, by making changes to building-block queries (see Query Structure). CxAudit provides intuitive tools for adding code elements directly from the source code into the building-block queries.

The following workflow illustrates, with an example, how to eliminate a false-positive result by teaching the query set to recognize a sanitizing code element.

Open either an existing CxSAST project or create a new local project for auditing (CxAudit Workspace).

Notice

You can work on a smaller, representative section of a project, by copying part of the source code project to a locally accessible folder and creating a new project from it (see CxAudit Workspace).

Examine the project results (see Working with Scan Results). If there are no results (for example, if you just created a new local project), run the query you want to check, or run multiple queries including the one you want to check (see Running Queries).

In the Audit window's lower-left pane, go to the Results tab, and select the query you want to check.

For example, let's say you want to check the results of the Java CGI_Stored_XSS query.

Check the results list in the pane to the right for a false positive. For example, let's say you identify that the first found vulnerability instance, originating in line 87 of the code, is a false positive.

Find the unrecognized code element in the source code. You can use the Path for this. In case of a false positive, you are looking for a sanitation element; in case of an unidentified vulnerability, for an output element (database command, operating system command, or other output) or an input element.

In the above example, let's say you identify that the add element in line 89 of the code actually sanitizes the input.

Add the unrecognized element to the relevant building-block query.

In the lower-left pane, go to the Query tab and find the same query. Select it to view its code on the right. In the above example, CGI_Stored_XSS is found in the Java_Medium_Threat group.

Examine the query code to identify the building-block query that needs to be changed to include the unrecognized code element. In the case of a false positive due to unrecognized sanitation, this will be a query for finding sanitation. In the case of an unidentified vulnerability due to an unrecognized input or output, this will be a query for finding inputs or outputs.

In the example, you can see that the sanitizing query is Find_XSS_Sanitize. In the Source Code pane, right-click the unrecognized element. In the resulting context menu, make sure that the FindbyName command is displaying the right code element. Select Add all instances to > <current language> > <building-block query>.

CxAudit creates an overriding building-block query with the same name, containing the change, under Corp > General.

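As an added illustration (not the text CxAudit generates, and the class name OutputEncoder is a placeholder, since the page names only the add method), this is the shape of such an overriding Find_XSS_Sanitize query in CxQL. It keeps the product's own sanitizer list and adds the custom element, restricted to invocations of the intended method so that unrelated identifiers named add do not suppress real findings:

```csharp
// Overriding Find_XSS_Sanitize (Corp > General). Illustrative CxQL, not the
// query text produced by "Add all instances to".

// Start from the standard sanitizer list so existing recognition is kept.
CxList result = base.Find_XSS_Sanitize();

// Candidate elements named "add" in the scanned project (the page's example).
// Restrict to method invocations: a field or parameter named "add" is not a
// sanitizer and must not be treated as one.
CxList addCalls = All.FindByName("add").FindByType(typeof(MethodInvokeExpr));

// Assumed: the sanitizing method belongs to a class OutputEncoder (placeholder
// name). Narrowing by member access avoids marking every add(...) call safe.
CxList customSanitizer = addCalls.FindByMemberAccess("OutputEncoder.add");

// Teach the high-level queries (CGI_Stored_XSS and any other query that uses
// Find_XSS_Sanitize) to recognize this element as a sanitizer.
result.Add(customSanitizer);
```

Because every high-level query that calls Find_XSS_Sanitize inherits this change, re-run multiple queries after saving and confirm that only the intended false positive disappears.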
To test the effects of the change on the high-level query, go back to the query, run it and check the results. To check the effects on other queries that might be using the same building-block query, run multiple (or all) queries and check the results.

If the effects of your changes are acceptable, click Save All Queries to save the changes. The changes will take effect for all future scans.