Custom Cleansers

Results and Reports

You can annotate Veracode custom cleanser functions in your code to mitigate findings that the Veracode Static Analysis normally finds.

Security Leads can specify the default mitigation state for findings with custom cleansers.

Custom cleanser functions must be designed to consume non-validated or unmitigated data and return validated or mitigated data. Ensure all data paths that can reach the finding pass through your custom cleanser or an approved cleanser. If any unmitigated input reaches the finding, it is still reported.

Custom cleanser functions can facilitate how you manage your results by minimizing false positives and accelerating the review process. Sanitizing or cleansing user input to remove the risk of attack addresses many common security issues. Open-source and commercial cleansing functions exist, but many developers at large organizations implement their own enterprise cleansing libraries, which Veracode may not recognize.

These cleansing functions provide application security managers and their teams a safe way to avoid and fix security findings. For developers, using cleansing functions can lower noise in reports by reducing the number of findings that a development team has to review.

Note: If your custom cleanser implementation uses one of the Veracode supported cleansing functions, the function can assess the findings as reported and mitigated according to the custom cleanser settings. Otherwise, the Veracode Static Analysis would either not report the findings or would report them as fixed.
Table. Supported Flaw Classes and CWEs
Flaw Class CWE
CRLF Injection 93,113,117
File Path Injection 73
Open Redirect 601
SQL Injection 89
Cross-Site Scripting 80

Source Code

Veracode recognizes that users may want to see the source code for these files because they are including them in their own software projects. Veracode has made the custom cleanser annotations open-source available on GitHub at: