Home
Developing
Learn how to develop by using the product.
AppScan® Source trace
With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.
Code examples for tracing
This section provides code examples which illustrate tracking tainted data from a source to a sink - and how to create a validation and encoding routine.
Example 3: Different source and sink files

Developing
Learn how to develop by using the product.
- Scanning source code and managing assessments
  This section explains how to scan your source code and manage assessments.
- Triage and analysis
  Grouping similar findings allows security analysts or IT auditors to segment and triage source code problems. This section explains how to triage AppScan® Source assessments and analyze results.
- AppScan® Source trace
  With AppScan® Source trace, you can verify input validation and encoding that meets your software security policies. You can look at the findings that produce input/output traces and mark methods as validation and encoding routines, sources or sinks, callbacks, or taint propagators.
  - AppScan® Source trace scan results
    Scan results may include traces identified by AppScan® Source trace. The icon in the Trace column indicates the existence of a trace of the call graph.
  - Input/output tracing
    An input/output trace is generated when AppScan® Source for Analysis can track the data from a known source to a sink or lost sink.
  - Using the Trace view
  - Validation and encoding scope
    From the Trace view, you can specify custom validation and encoding routines that, once stored in the AppScan® Source Security Knowledgebase, marks data as checked instead of tainted. With the Custom Rules Wizard, you define these routines based on their scope.
  - Creating custom rules from an AppScan® Source trace
    You can create custom rules from the Trace view that allow you to filter out findings with traces that are taint propagators, not susceptible to taint, or sinks. You can also mark methods in the trace as validation/encoding routines (or indicate that they are not validation/encoding routines).
  - Code examples for tracing
    This section provides code examples which illustrate tracking tainted data from a source to a sink - and how to create a validation and encoding routine.
    - Example 1: From source to sink
    - Example 2: Modified from source to sink
      Example 2 is a modification of the Example 1 code. It enhances Example 1 by adding a validation routine, called getVulnerableSource, and an encoding routine called in writeToVulnerableSink.
    - Example 3: Different source and sink files
    - Example 4: Validation in depth
      When you scan the Example 4 code, the first scan includes three AppScan® Source traces with a root at the corresponding trace routines. Assume the selection of the FileInputStream.read method in trace1 and the addition of the validate routine. The section following the sample source code describes the effects of each scope for the validation routine.
- AppScan® Source for Analysis and defect tracking
  AppScan® Source for Analysis integrates with defect tracking systemsIBM® Rational Team Concert™ to deliver confirmed software vulnerabilities directly to the developer desktop. Defect submission to a defect tracking system contains a textual description of the bug and a file that contains only the findings submitted with the defect.
- Findings reports and audit reports
  Security analysts and risk managers can access reports of select findings or a series of audit reports that measure compliance with software security best practices and regulatory requirements. This section explains how to create reports of aggregate finding data.
- Creating custom reports
  In the Report Editor, you create report templates used to generate custom reports.

Example 3: Different source and sink files

The following example illustrates the source in a different file from the sink.

TestCase_IOT_Xfile_Part1.java:

public class TestCase_IOT_XFile_Part1 {
	public static void main(String[] args) {
		try {
			TestCase_IOT_XFile_Part1 testCase =
				new TestCase_IOT_XFile_Part1();
			TestCase_IOT_XFile_Part2 testCase2 =
				new TestCase_IOT_XFile_Part2();
			testCase2.writeToVulnerableSink(
				testCase.getVulnerableSource(args[0]));
		} catch (Exception e) {
		}
	}

	public String getVulnerableSource(String file)
		throws IOException, FileNotFoundException {
		FileInputStream fis = new FileInputStream(file);
		byte[] buf = new byte[100];
		fis.read(buf);
		String ret = new String(buf);
		fis.close();
		return ret;
	}
}

TestCase_IOT_Xfile_Part2.java:

public class TestCase_IOT_XFile_Part2 {
	public void writeToVulnerableSink(String str)
		throws FileNotFoundException {
		FileOutputStream fos = new FileOutputStream(str);
		PrintWriter writer = new PrintWriter(fos);
		writer.write(str);
	}
}

Tracing the data from TestCase_IOT_Xfile_Part1.java to TestCase_IOT_Xfile_Part2.java allows data flow to be traced through an entire program. The stack trace appears:

Trace view showing the data flow from TestCase_IOT_XFile_Part1 to TestCase_IOT_XFile_Part2

This example shows the data flowing from TestCase_IOT_XFile_Part1 to TestCase_IOT_XFile_Part2 through the main method.