Annotate .NET Code

Results and Reports

About this task

To add Veracode custom cleanser annotations to your .NET code:

Procedure

  1. Download the Veracode custom cleanser DLL file from the following URL and add it as a dependency of your project: https://tools.veracode.com/customcleanser/VeracodeAttributes.dll
    Note: The Veracode custom cleanser DLL is compatible with .NET 4.x and later. It is also available from NuGet: https://www.nuget.org/packages/VeracodeAttributes
  2. Open your project in Visual Studio 2012 or later.
  3. In Visual Studio, go to View > Other Windows > Package Manager Console and run the following command:
    Install-Package VeracodeAttributes
  4. Build the code using Maven. For example:
    mvn package
  5. When compiling, ensure your project links against VeracodeAttributes.dll.
  6. Identify the appropriate cleansers for your .NET source file:
    Cleanser                                       Description
    ---------------------------------------------  ------------------------------------------------------
    Veracode.Attributes.CRLFCleanserAttribute      Annotates a method that mitigates CWE 93, 113, or 117.
    Veracode.Attributes.FilePathCleanserAttribute  Annotates a method that mitigates CWE 73.
    Veracode.Attributes.RedirectURLCleanserAttribute  Annotates a method that mitigates CWE 601.
    Veracode.Attributes.SQLQueryCleanserAttribute  Annotates a method that mitigates CWE 89.
    Veracode.Attributes.XSSCleanserAttribute       Annotates a method that mitigates CWE 80.
  7. If you want to add custom mitigation text to provide additional information, enter a user comment with the following syntax:
    [FilePathCleanser(UserComment = "<your custom text>")]
  8. Annotate your method with one or more custom cleanser annotations that match how the method validates or sanitizes the user-controlled data passed to it, then call the cleanser method on user-controlled data so it is validated or sanitized before use. For example:
    using System;
    using System.IO;
    using Veracode.Attributes;
    
    public class SecurityUtil
    {
        [FilePathCleanser]
        public static String myProprietaryFilePathCleanser(String filename)
        {
            // Example file path validation/sanitization implementation:
            // keep only the file name component so directory separators and
            // ".." segments from user input cannot escape the intended folder.
            String myCleansedFilePath = Path.GetFileName(filename);
            if (String.IsNullOrEmpty(myCleansedFilePath))
            {
                throw new ArgumentException("Invalid file name", nameof(filename));
            }
            return myCleansedFilePath;
        }
    }
    
    // ...
    
    String validatedPath = SecurityUtil.myProprietaryFilePathCleanser(userProvidedFilename);
    FileStream fs = File.OpenRead(validatedPath);
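The following console program is an added example, not code from the Veracode documentation or from the VeracodeAttributes package. It shows steps 7 and 8 together: two further cleanser attributes from the table above, each carrying a UserComment that becomes custom mitigation text in the reports. The attribute names and the UserComment property come from this page; the cleanser logic, the redirect host allow-list and the sample inputs are constructed for illustration, and the program assumes VeracodeAttributes.dll (or the NuGet package) is referenced so that the Veracode.Attributes namespace resolves.

```csharp
using System;
using System.Collections.Generic;
using Veracode.Attributes;

// Assumed: the project references VeracodeAttributes.dll, so the attribute
// classes below resolve. The cleanser bodies are illustrative, not Veracode's.
public static class Cleansers
{
    // Removes CR and LF so user-controlled text cannot break a log entry
    // into several lines (CWE 117). The UserComment is reported as
    // custom mitigation text alongside the cleanser.
    [CRLFCleanser(UserComment = "Strips CR and LF before the value reaches the logger")]
    public static string ForLog(string value)
    {
        if (value == null)
        {
            return string.Empty;
        }
        return value.Replace("\r", string.Empty).Replace("\n", string.Empty);
    }

    // Constructed allow-list of hosts that are legitimate redirect targets.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "www.example.com",
            "login.example.com"
        };

    // Accepts a user-supplied redirect target only if it is an absolute HTTPS
    // URL whose host is on the allow-list; anything else falls back to a
    // safe local path (CWE 601).
    [RedirectURLCleanser(UserComment = "Host allow-list; unknown targets fall back to /")]
    public static string ForRedirect(string target)
    {
        if (Uri.TryCreate(target, UriKind.Absolute, out Uri uri)
            && uri.Scheme == Uri.UriSchemeHttps
            && AllowedHosts.Contains(uri.Host))
        {
            return uri.ToString();
        }
        return "/";
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs standing in for user-controlled data.
        string userName = "alice\r\nINFO: second line";
        Console.WriteLine("login attempt by " + Cleansers.ForLog(userName));

        string[] targets =
        {
            "https://www.example.com/account",
            "https://other.example.net/",
            "/relative/path"
        };
        foreach (string t in targets)
        {
            Console.WriteLine(t + " => " + Cleansers.ForRedirect(t));
        }
    }
}
```

Each attribute is applied to the method that performs the sanitization, not to the call site; the scan then treats data flowing through that method as mitigated for the listed CWEs, so the cleanser body must genuinely enforce the property the attribute claims.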

Results

Mitigations from Veracode custom cleansers, including custom mitigation text when provided, appear on the Triage Flaws page, on the Application page, and in the PDF reports.