I was trying to write a Fortify rule which just checks for a function and flags it when the function comes up. I created a Java file with the following code:
    class t {
        public static void main(String[] args) {
            System.out.println("test");
        }
    }

    class DialogError {
        int getErrorCode() {
            return 10;
        }
    }
The intention of the Fortify rule I wrote is to detect any occurrence of getErrorCode inside DialogError and flag the same.
    <?xml version="1.0" encoding="UTF-8"?>
    <RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
      <RulePackID>FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF</RulePackID>
      <Name><![CDATA[my test ruleset]]></Name>
      <Version>1.0</Version>
      <Description><![CDATA[Rule to identify an instance of getErrorCode]]></Description>
      <Rules version="3.10">
        <RuleDefinitions>
          <SemanticRule formatVersion="3.10" language="java">
            <MetaInfo>
              <Group name="Accuracy">5.0</Group>
              <Group name="Impact">5.0</Group>
              <Group name="RemediationEffort">5.0</Group>
              <Group name="Probability">5.0</Group>
            </MetaInfo>
            <Label>label lololololol</Label>
            <RuleID>01239X14-ASDF-41AA-BDFA-DF134asdf79A</RuleID>
            <Notes><![CDATA[Checks if DialogError class if found yo]]></Notes>
            <VulnKingdom>Security Features</VulnKingdom>
            <VulnCategory>Function is evil</VulnCategory>
            <VulnSubcategory>Some ol category</VulnSubcategory>
            <DefaultSeverity>3.0</DefaultSeverity>
            <Description formatVersion="3.2">
              <Abstract><![CDATA[YO FIRING YO]]></Abstract>
              <Explanation><![CDATA[YOYOYOYOYO]]></Explanation>
              <Recommendations><![CDATA[YOYOYOYOY]]></Recommendations>
              <References>
                <Reference>
                  <Title><![CDATA[YO]]></Title>
                  <Source><![CDATA[YOYOYOYOYOYO]]></Source>
                </Reference>
              </References>
            </Description>
            <Type>default</Type>
            <FunctionIdentifier>
              <ClassName>
                <Value>DialogError</Value>
              </ClassName>
              <FunctionName>
                <Value>getErrorCode</Value>
              </FunctionName>
              <ApplyTo implements="true" overrides="true" extends="true"/>
            </FunctionIdentifier>
          </SemanticRule>
        </RuleDefinitions>
      </Rules>
    </RulePack>
What am I doing wrong?
First, your test code never calls the bad function. Here’s the corrected code.
Second, the SKU tag is missing from the Rules definition. The Custom Rules editor will show incorrect XML in the XML view window.
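Both problems the answer names (a test program that never calls the function the rule targets, and a rulepack with no SKU element) are cheap to catch before a scan. The script below is an added example, not code from the question, the answer or Fortify: it parses a trimmed, constructed copy of the question's rulepack under the namespace the rulepack declares, lists each SemanticRule's ClassName/FunctionName target, checks whether an SKU element is present anywhere in the pack (the placement shown next to the other pack metadata is an assumption; only presence is tested), and then uses a heuristic scan of the Java test source to tell a call site of the target method from its declaration. The function names (rule_targets, has_sku, call_sites, check_rule_coverage) and the sample inputs are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace URI taken from the rulepack in the question.
NS = {"r": "xmlns://www.fortifysoftware.com/schema/rules"}

# Constructed copy of the question's rulepack, trimmed to the elements the checks read.
RULEPACK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <RulePackID>FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF</RulePackID>
  <Name><![CDATA[my test ruleset]]></Name>
  <Version>1.0</Version>
  <Rules version="3.10">
    <RuleDefinitions>
      <SemanticRule formatVersion="3.10" language="java">
        <RuleID>01239X14-ASDF-41AA-BDFA-DF134asdf79A</RuleID>
        <FunctionIdentifier>
          <ClassName><Value>DialogError</Value></ClassName>
          <FunctionName><Value>getErrorCode</Value></FunctionName>
        </FunctionIdentifier>
      </SemanticRule>
    </RuleDefinitions>
  </Rules>
</RulePack>
"""

# Same pack with an SKU element placed next to the other pack metadata.
# The placement is an assumption for this example; has_sku() only tests for presence.
RULEPACK_WITH_SKU = RULEPACK_XML.replace(
    "<Version>1.0</Version>",
    "<Version>1.0</Version>\n  <SKU>example-custom-rules</SKU>")

# Constructed copy of the question's test program: declares getErrorCode, never calls it.
TEST_JAVA = """class t {
    public static void main(String[] args) {
        System.out.println("test");
    }
}
class DialogError {
    int getErrorCode() {
        return 10;
    }
}
"""

# Constructed variant that actually exercises the target method from main().
TEST_JAVA_WITH_CALL = """class t {
    public static void main(String[] args) {
        DialogError err = new DialogError();
        System.out.println(err.getErrorCode());
    }
}
class DialogError { int getErrorCode() { return 10; } }
"""


def rule_targets(xml_text):
    """Return (class, function) pairs for every SemanticRule's FunctionIdentifier."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    targets = []
    for rule in root.iterfind(".//r:SemanticRule", NS):
        cls = rule.findtext("r:FunctionIdentifier/r:ClassName/r:Value", namespaces=NS)
        fn = rule.findtext("r:FunctionIdentifier/r:FunctionName/r:Value", namespaces=NS)
        targets.append((cls, fn))
    return targets


def has_sku(xml_text):
    """True if an SKU element appears anywhere in the rulepack."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return root.find(".//r:SKU", NS) is not None


def call_sites(java_src, method):
    """Return (line, kind) for each `method(` occurrence; kind is 'call' or 'declaration'.

    Heuristic: if the token before the name is identifier-like (a return type such as
    `int`, `String`, `int[]`, `List<X>`) it is a declaration; `.`, `=`, `(`, `;`, `{`,
    `,`, or the keyword `return` in front of it means a call.
    """
    results = []
    for m in re.finditer(r"\b" + re.escape(method) + r"\s*\(", java_src):
        before = java_src[:m.start()].rstrip()
        prev = re.search(r"([\w\]>]+|\S)$", before)
        tok = prev.group(1) if prev else ""
        line = java_src.count("\n", 0, m.start()) + 1
        is_decl = re.fullmatch(r"[\w\]>]+", tok) is not None and tok != "return"
        results.append((line, "declaration" if is_decl else "call"))
    return results


def check_rule_coverage(xml_text, java_src):
    """List the reasons a function-call rule would not fire on the given test source."""
    findings = []
    if not has_sku(xml_text):
        findings.append("rulepack has no SKU element")
    for cls, fn in rule_targets(xml_text):
        if cls not in java_src:
            findings.append(f"class {cls} not present in the test source")
            continue
        calls = [ln for ln, kind in call_sites(java_src, fn) if kind == "call"]
        if not calls:
            findings.append(f"{cls}.{fn} is declared but never called in the test source")
    return findings


if __name__ == "__main__":
    for f in check_rule_coverage(RULEPACK_XML, TEST_JAVA):
        print("finding:", f)
    print("fixed inputs:", check_rule_coverage(RULEPACK_WITH_SKU, TEST_JAVA_WITH_CALL))
```

Run against the question's inputs the checker reports both findings; with the SKU element added and a main() that calls getErrorCode() through a DialogError instance it reports none. The Java scan is a regex heuristic meant for small test fixtures, not a substitute for the analyzer's own call-graph resolution.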