How to submit a code review that uses custom rules

Question

I scanned our application using a custom rulepack. What information should be included with the V&V Code Review submission package?

Answer

When a custom rulepack is used in the scan of an application, the developers must include the custom rulepack(s) in the materials provided for review. As part of the review, each of the rules in the rulepack will be examined to ensure that the rule is appropriate and does not remove true positive findings from the scan results. If custom rules do remove valid findings, this will result in scan issues being reported and a failed code review validation report.

A custom Fortify rule definition by itself does not provide enough information for the reviewer to determine whether or not it is appropriate, so the developers must provide additional information about the rule. The following materials must be provided in a code review submission that uses custom rules:

  • The XML custom rule file(s)
  • A scan (FPR) of the application that does not use the custom rulepack(s) must be provided along with the scan that does use them. This additional scan does not need to be audited
    • If it is not obvious, please indicate in a readme file which FPR uses the custom rules and is meant to be reviewed
  • An explanation of why the rules are valid and why the affected findings should be removed - the same type of information that would be provided when auditing the findings normally within Audit Workbench (this information can be provided in the notes within the rule file or in a separate document)
    • This information should include the category (e.g., Privacy Violation) of the findings that the rule affects

If not enough information is provided to determine whether or not a rule is appropriate, it will be reported as a scan issue in the report, which will result in an overall failure for the review.
