Searching for security vulnerabilities in rules
In the header of Dev Studio, open the Rule Security Analyzer.
Complete the Search Criteria section.
Rulesets – To scan all rulesets, make sure the All Rulesets check box is selected. To scan specific rulesets, clear the check box and select one or more rulesets.
Ruleset version – To analyze all versions, leave this field blank. To limit the analysis, enter the version information in one of the following ways.
- Major version only (05)
- Major and minor version (05-05)
- Major version, minor version, and patch (05-05-05)
Allow highest version only – To scan only the highest version of each rule, make sure the check box is selected. To scan all versions, clear the check box.
Updated Since – To scan rules regardless of update date and time, leave this field blank. To scan only rules updated after a certain date and time, click the Calendar button and enter the date and time.
Rule Types – To scan all ruletypes within the chosen ruleset or rulesets, make sure the All Ruletypes check box is selected. To scan specific rule types within the chosen ruleset or rulesets, clear the check box and select one or more rule types.
Allow unauthenticated activities visited in the list – If you keep this check box selected, the tool also analyzes activities that have Allow direct invocation from the client or service selected and Require authentication to run unselected on the Security tab of the Activity rule form. Such activities can be started by a client that has not authenticated, so any vulnerability in them is reachable without credentials; keep the check box selected unless you have a specific reason to exclude them.
Expression List – Click Add expression and select one or more Regular Expression rules to use for analyzing rules. The analyzer reports only text that matches an expression in this list, so a weak or incomplete list produces a clean but misleading result.
Click Run Analyzer.
The summarized search statistics are displayed in the Search Statistics section. For each rule type, the number of vulnerable rules and the number of analyzed rules are shown.
To see the detailed results in an Excel spreadsheet, click Export as Excel.
An Excel file is downloaded to your browser. For each vulnerability that is found, the Excel file lists ruleset name and version, rule name, and other information.
- Rule Security Analyzer
- Regular Expression rules
Regular Expression rules support operation of the Rule Security Analyzer by defining patterns of text that, when found in the source of the rules being examined, cause the analyzer to report a potential security issue. A match is a signal to review the rule, not proof of a vulnerability, and code that does not match any expression is not thereby proven safe.
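The following is an added example, written in Python, of the search-criteria filtering and regular-expression scanning described above; it is not Pega's code and does not reproduce the expressions shipped with the Rule Security Analyzer. The rule records, their field names, the two patterns and the sample rule sources are all constructed for illustration, and the meaning given to clearing the unauthenticated-activities check box (those activities are skipped) is an assumption.

```python
"""Model of the Rule Security Analyzer's filter-then-scan flow (added example, not Pega's code)."""
import re
from collections import defaultdict

# Hypothetical Regular Expression rules: name -> (compiled pattern, what it flags).
# Illustrative only; Pega's shipped expressions are not reproduced here.
EXPRESSIONS = {
    "SQLConcat": (
        re.compile(r'"[^"\n]*\b(?:SELECT|INSERT|UPDATE|DELETE|WHERE)\b[^"\n]*"\s*\+', re.I),
        "SQL text built by string concatenation (injection risk)"),
    "InlineScript": (
        re.compile(r"<script\b", re.I),
        "inline script in an HTML rule (XSS risk)"),
}

# Constructed sample rules. Field names are assumptions, not Pega's schema.
SAMPLE_RULES = [
    {"ruleset": "MyApp", "version": "01-01-01", "type": "Activity", "name": "LookupOrder",
     "source": 'String q = "SELECT * FROM orders WHERE id = " + orderId;',
     "direct_invocation": True, "require_auth": False, "updated": "2023-01-10"},
    {"ruleset": "MyApp", "version": "01-01-02", "type": "Activity", "name": "LookupOrder",
     "source": 'PreparedStatement ps = conn.prepareStatement("SELECT * FROM orders WHERE id = ?");',
     "direct_invocation": True, "require_auth": False, "updated": "2023-03-01"},
    {"ruleset": "MyApp", "version": "01-01-01", "type": "Activity", "name": "CloseCase",
     "source": 'String q = "DELETE FROM cases WHERE id = " + caseId;',
     "direct_invocation": False, "require_auth": True, "updated": "2022-11-05"},
    {"ruleset": "MyApp", "version": "01-01-01", "type": "HTML", "name": "Banner",
     "source": "<div><script>alert(document.cookie)</script></div>",
     "direct_invocation": False, "require_auth": True, "updated": "2023-02-20"},
    {"ruleset": "Common", "version": "02-03-04", "type": "HTML", "name": "Footer",
     "source": '<div class="footer">Copyright</div>',
     "direct_invocation": False, "require_auth": True, "updated": "2021-06-30"},
]


def version_matches(rule_version, wanted):
    """Empty filter matches all; '05', '05-05' or '05-05-05' match by leading components."""
    if not wanted:
        return True
    have, want = rule_version.split("-"), wanted.split("-")
    return have[:len(want)] == want


def select_rules(rules, rulesets=None, version="", highest_only=True,
                 updated_since="", rule_types=None, allow_unauth=True):
    """Apply the Search Criteria fields. None for rulesets/rule_types means 'All'."""
    chosen = []
    for r in rules:
        if rulesets is not None and r["ruleset"] not in rulesets:
            continue
        if not version_matches(r["version"], version):
            continue
        if updated_since and r["updated"] <= updated_since:   # ISO dates compare lexically
            continue
        if rule_types is not None and r["type"] not in rule_types:
            continue
        unauth = r["type"] == "Activity" and r["direct_invocation"] and not r["require_auth"]
        if unauth and not allow_unauth:   # assumption: clearing the box skips these
            continue
        chosen.append(r)
    if highest_only:
        # Keep the highest version of each rule; zero-padded components sort lexically.
        best = {}
        for r in chosen:
            key = (r["ruleset"], r["type"], r["name"])
            if key not in best or r["version"] > best[key]["version"]:
                best[key] = r
        chosen = list(best.values())
    return chosen


def analyze(rules, expressions=EXPRESSIONS):
    """Return (findings, stats): findings mirror the export columns, stats the Search Statistics."""
    findings = []
    stats = defaultdict(lambda: {"analyzed": 0, "vulnerable": 0})
    for r in rules:
        stats[r["type"]]["analyzed"] += 1
        hits = [name for name, (pat, _) in expressions.items() if pat.search(r["source"])]
        if hits:
            stats[r["type"]]["vulnerable"] += 1
        for h in hits:
            findings.append({"ruleset": r["ruleset"], "version": r["version"],
                             "rule_type": r["type"], "rule": r["name"], "expression": h})
    return findings, dict(stats)


if __name__ == "__main__":
    found, summary = analyze(select_rules(SAMPLE_RULES))
    for rule_type, counts in summary.items():
        print(rule_type, counts)
    for f in found:
        print(f)
```

With the default criteria (all rulesets, highest version only) the fixed LookupOrder 01-01-02 is the only copy scanned, so the concatenated query in 01-01-01 is not reported; clearing Allow highest version only brings it back. That is the practical reason to clear the box when you are auditing what is still deployable from older ruleset versions rather than only the current one.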