Supported annotations and attributes

Some annotations or attributes that are used to decorate code are processed during scans. When a supported annotation or attribute is found in your code during a scan, the information is used to mark the decorated method as a tainted callback. A method marked as a tainted callback is treated as if all of its arguments have tainted data. This results in more findings with traces. Supported annotations and attributes are listed in this help topic.

Supported Java annotations

Table 1. Supported Java annotations

    Annotation                        Abbreviation
    javax.xml.ws.WebServiceProvider   @WebServiceProvider
    javax.jws.WebService              @WebService
    javax.jws.WebMethod               @WebMethod

Supported AppScan® Source Java annotations

When using AppScan® Source to scan Java, @ValidatorMethod, @CallbackMethod, and @SuppressSecurityTrace method-level annotations are supported.

Using AppScan® Source annotations

Annotations can be used by following these steps:

  1. Support for annotations is enabled by default. The annotation .jar file is <install_dir>\lib\SecurityAnnotations.jar (where <install_dir> is the location of your AppScan® Source installation).
  2. If you are scanning precompiled classes, .war files, or .jar files, locate the Java project that contains the annotated sources.
  3. Add SecurityAnnotations.jar to the project's class path.
  4. Rebuild the project.

Annotations can be added to source code before scanning, or they can be added after scanning, during triage, to identify and eliminate false positives.

Annotations are provided to allow you to insert your knowledge directly into source code in the form of security annotations. Since annotations may be used to declare portions of code safe, they should be used very carefully. They should not be applied to code that should still be scanned for security vulnerabilities. If annotations are used, a security analyst can choose to ignore them by disabling the feature in the <data_dir>\config\scanner.ozsettings file (where <data_dir> is the location of your AppScan® Source program data, as described in Installation and user data file locations). In this file, locate this setting:

<Setting
    name="process_security_annotations"
    value="true"
    default_value="true"
    description="When turned on, security annotations in the source code will be processed by AppScan Source."
    display_name="Process Security Annotations"
    type="bool"
/>

To disable the feature, change value="true" to value="false".

@ValidatorMethod

Validators are methods that perform checks on input data and often return a boolean value that indicates whether the input is valid. Rather than accepting or rejecting input, a method can instead transform the user input into an acceptable format; such methods are called sanitizers.

Using the @ValidatorMethod annotation, you can identify all validator and sanitizer methods in the application source code. During AppScan® Source scans, this information is used to remove data flows that pass through these methods, since the data is then considered safe.

Note: Currently, there is no provision to specify which parameters of the annotated method should be considered as validated. During AppScan® Source scans, all input parameters will be assumed to be validated.

@SuppressSecurityTrace

All traces that flow through a method marked with this annotation are removed. This is useful when a certain group of traces has been identified as false positives, or as less important or interesting than the others. You can use this annotation to filter out these traces, or to hide them in order to reduce clutter.

@CallbackMethod

This annotation is used to identify callbacks or entry points to an application. All arguments are considered to be carrying taint.
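
As an added illustration (not code from the AppScan® Source documentation or the product itself), the following Java class shows how the three method-level annotations might be applied, including one method that is deliberately left unannotated because of the all-parameters-validated behavior noted above. The import package is a placeholder: this topic only states that the annotations ship in SecurityAnnotations.jar.

```java
// Placeholder package: the topic does not state the package inside
// SecurityAnnotations.jar, so replace these with the real imports.
import com.example.placeholder.CallbackMethod;
import com.example.placeholder.SuppressSecurityTrace;
import com.example.placeholder.ValidatorMethod;

public class OrderHandler {

    // Entry point: every argument is treated as carrying tainted data,
    // so traces start here even without a framework annotation.
    @CallbackMethod
    public void handleOrder(String customerId, String quantity) {
        int qty = parseQuantity(quantity);
        audit("order", customerId);
        placeOrder(customerId, qty);
    }

    // Sanitizer: keeps only a bounded run of digits, so data flows that
    // pass through this method are considered safe and dropped.
    @ValidatorMethod
    public static int parseQuantity(String raw) {
        String digits = raw.replaceAll("[^0-9]", "");
        if (digits.isEmpty() || digits.length() > 6) {
            return 0; // out of range or non-numeric: fail closed
        }
        return Integer.parseInt(digits);
    }

    // Deliberately NOT annotated: it validates only 'amount', but
    // @ValidatorMethod would mark 'note' as validated as well (all input
    // parameters are assumed validated), hiding a real data flow.
    public static boolean checkAmountOnly(String amount, String note) {
        return amount.matches("[0-9]{1,6}");
    }

    // Traces through this helper are removed from the results; reserve
    // this for paths already triaged as false positives or low interest.
    @SuppressSecurityTrace
    private void audit(String action, String who) {
        System.out.println(action + " by " + who);
    }

    private void placeOrder(String customerId, int qty) {
        // Sink where a remaining trace from handleOrder would end.
    }
}
```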

Supported Microsoft .NET attributes

Table 2. Supported Microsoft .NET attributes

    Attribute                                  Abbreviation
    System.Web.Services.WebServiceAttribute    WebService
    System.Web.Services.WebMethodAttribute     WebMethod