Annotate Java Code

Results and Reports

To add Veracode custom cleanser annotations to your Java code:

  1. Download the Veracode annotations JAR file from the following URL:
    Note: Custom cleanser annotations for Java are also available from Maven Central:
  2. Reference the custom cleanser annotations package in the project pom.xml file. For example:
    <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  3. Build the code using Maven. For example:
    mvn package
  4. When compiling, ensure VeracodeAnnotations.jar is in your classpath.
  5. Import one or more of the following cleansers into your Java source file:
    Cleanser                                       Description
    ---------------------------------------------  ------------------------------------------------------
    com.veracode.annotation.CRLFCleanser           Annotates a method that mitigates CWE 93, 113, or 117.
    com.veracode.annotation.FilePathCleanser       Annotates a method that mitigates CWE 73.
    com.veracode.annotation.RedirectURLCleanser    Annotates a method that mitigates CWE 601.
    com.veracode.annotation.SQLQueryCleanser       Annotates a method that mitigates CWE 89.
    com.veracode.annotation.XSSCleanser            Annotates a method that mitigates CWE 80.
  6. If you want to add custom mitigation text to provide additional information, enter a user comment with the following syntax:
    @FilePathCleanser(userComment = "<your custom text>")
  7. Annotate your method with one or more custom cleanser annotations, depending on how the method validates or sanitizes the user-controlled data provided to it, and apply the cleanser method to user-controlled data to ensure it is validated or sanitized before use. For example:
    import com.veracode.annotation.FilePathCleanser;
    import java.io.File;
    public class SecurityUtil {
        // The annotation tells Veracode that this method's return value is cleansed file path data
        @FilePathCleanser
        public static String myProprietaryFilePathCleanser(String path) {
            // Example file path validation/sanitization implementation:
            // keep only the final path component so directory traversal segments are dropped
            String myCleansedFilePath = new File(path).getName();
            return myCleansedFilePath;
        }
    }
    // ...
    // Apply the cleanser to the user-controlled value before it is used to open a file
    String validatedPath = SecurityUtil.myProprietaryFilePathCleanser(userProvidedFilename);
    File myFile = new File(validatedPath);
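The following is an added example, not code from the Veracode documentation, that applies two of the cleansers listed in step 5 with the userComment text from step 6 in one utility class. It assumes VeracodeAnnotations.jar is on the classpath and that CRLFCleanser and XSSCleanser accept the same userComment element shown for FilePathCleanser; the class name LogAndHtmlCleansers, the method names stripCrlf and escapeHtml, and the sample input are illustrative.

```java
import com.veracode.annotation.CRLFCleanser;
import com.veracode.annotation.XSSCleanser;

// Illustrative class name; the annotation types come from VeracodeAnnotations.jar.
public final class LogAndHtmlCleansers {

    private LogAndHtmlCleansers() {}

    // CWE 117 (log injection): replace CR and LF so a user-supplied value cannot
    // start a forged log line. Assumption: CRLFCleanser accepts userComment like
    // FilePathCleanser does; the comment is carried into the Veracode findings.
    @CRLFCleanser(userComment = "Replaces CR and LF before the value reaches the logger")
    public static String stripCrlf(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (c == '\r' || c == '\n') {
                out.append('_'); // keep the position visible, drop the line break
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    // CWE 80 (basic XSS): HTML-escape the five characters that matter when the
    // value is written into an HTML text node or a quoted attribute.
    @XSSCleanser(userComment = "HTML-escapes &, <, >, \", and ' for HTML body/attribute context")
    public static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Constructed sample input: both cleansers are applied to the user-controlled
    // value before it is logged and before it is written into an HTML page.
    public static void main(String[] args) {
        String userName = "alice\r\nINFO login ok <script>alert(1)</script>";
        System.out.println("LOG: user=" + stripCrlf(userName));
        System.out.println("<p>" + escapeHtml(userName) + "</p>");
    }
}
```

Compile it with the annotations JAR on the classpath, for example `javac -cp VeracodeAnnotations.jar LogAndHtmlCleansers.java`, so the annotations resolve and are retained in the class file that Veracode scans. Each cleanser is scoped to a single sink context (logger, HTML body/attribute); a method that is annotated as a cleanser for a CWE it does not actually neutralize will suppress real findings, so the userComment should state exactly what the method guarantees.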
Mitigations applied through Veracode custom cleanser annotations, including custom mitigation text when provided, appear in the Triage Flaws page, the Application page, and the PDF reports.