See the following pages for samples and details about how to create coding rules.

SonarQube provides a quick and easy way to add new coding rules directly via the web interface for certain languages, using XPath 1.0 expressions. The rules must be written in XPath (version 1.0) to navigate the language's Abstract Syntax Tree (AST).

For XML, which is already directly accessible to XPath, you can simply write your rules and check them using any of the freely available tools for evaluating XPath on XML. If you're writing rules for XML, skip down to the "Adding your rule to the server" section once you've got your rules written.

For other languages it is less obvious how to reach a given construct (a variable, for example) in XPath, so tools are provided: for most languages an SSLR Toolkit is available to help you navigate the AST.

Format examples from the rule description template: the title line "S4567 - Rule title here" and the reference entry "MITRE, CWE-580 - clone() Method Without super.clone()".

Guidelines for Hotspot rules

See RSPEC-2092 for an example of a Hotspot rule.

The title should start with a verb in the present participle form (-ing) and should end with "is security-sensitive". For example, instead of "Avoid creation of cookies without the "secure" flag", write "Creating cookies without the "secure" flag is security-sensitive".

Rule descriptions should contain the following sections in the listed order:

Rationale (unlabeled) - explains why this rule makes sense. The "is security-sensitive" part can be replaced with "can lead to ..." when there is one risk and it is easy to describe in a short manner.

Ask Yourself Whether - a set of questions that the developer should ask herself/himself. Those questions should help the developer decide whether or not a missing protection has to be implemented, based on the context of the application. For example, if the highlighted missing protection (such as the secure cookie flag) helps protect a bit against MITM attacks, list all mandatory protections that, on the contrary, greatly lower this risk (such as encryption). At the end of the review, the developer should be sure that, in the application's context, implementing this protection improves the overall application's security.
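Added example, not part of the original page and not SonarQube's own code: a prototype of an XML rule for the secure-cookie Hotspot above, written against constructed web.xml fragments so it can be checked with an ordinary XPath tool before being added to the server. It uses the XPath subset built into Python's standard-library ElementTree, which has no not(); the single XPath 1.0 expression the rule would be on the server is shown in the docstring as an assumed form, and the example gets the same result by selecting every cookie-config and subtracting the compliant ones. The namespace prefix "j", the function name and the sample documents are assumptions.

```python
"""Prototype of an XML coding rule: flag session cookies not marked secure.

Added example (not from the SonarQube documentation). In a full XPath 1.0
engine the rule would be one expression (assumed form, namespaces aside):
    //session-config/cookie-config[not(secure='true')]
ElementTree's XPath subset has no not(), so this selects all cookie-config
elements and subtracts those that already say <secure>true</secure>.
"""
import xml.etree.ElementTree as ET

# Servlet 3.x deployment descriptors are namespaced; the prefix "j" is an
# assumption used only to keep the expressions readable.
JEE_NS = {"j": "http://xmlns.jcp.org/xml/ns/javaee"}

# Constructed samples (not real application files).
NONCOMPLIANT_SECURE_FALSE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>false</secure>
    </cookie-config>
  </session-config>
</web-app>"""

NONCOMPLIANT_SECURE_MISSING = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
    </cookie-config>
  </session-config>
</web-app>"""

COMPLIANT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>"""

# Every cookie-config under a session-config: the candidates for a finding.
ALL_COOKIE_CONFIGS = ".//j:session-config/j:cookie-config"
# Candidates that already carry <secure>true</secure>. As with XPath string
# comparison, the element text must match exactly ("true", not " true ").
SECURE_COOKIE_CONFIGS = ".//j:session-config/j:cookie-config[j:secure='true']"


def find_insecure_cookie_configs(xml_text):
    """Return one finding per cookie-config that does not set secure=true.

    Each finding records what the <secure> element actually says (None when
    it is absent) so a reviewer can see why the element was flagged.
    """
    root = ET.fromstring(xml_text)
    compliant = {id(e) for e in root.findall(SECURE_COOKIE_CONFIGS, JEE_NS)}
    findings = []
    for cfg in root.findall(ALL_COOKIE_CONFIGS, JEE_NS):
        if id(cfg) in compliant:
            continue
        secure = cfg.find("j:secure", JEE_NS)
        findings.append({
            "element": "cookie-config",
            "secure": None if secure is None else (secure.text or "").strip(),
            "message": "Set <secure>true</secure> so the session cookie is "
                       "only sent over HTTPS",
        })
    return findings


if __name__ == "__main__":
    for name, doc in [("secure=false", NONCOMPLIANT_SECURE_FALSE),
                      ("secure missing", NONCOMPLIANT_SECURE_MISSING),
                      ("compliant", COMPLIANT)]:
        print(name, find_insecure_cookie_configs(doc))
```

The two-query approach also makes the Hotspot semantics visible: the rule only identifies where a protection is absent; whether the finding matters (for instance, whether TLS is terminated elsewhere) is the "Ask Yourself Whether" review described above, not something the XPath decides.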