Fortify Software Security Center Practitioners Forum
Showing results for 
Search instead for 
Do you mean 

How to write HP Fortify Custom Rules language Specific?

Occasional Collector

How to write HP Fortify Custom Rules language Specific?

Hi guys,

I'm running HP Fortify 5.16  and I'm writting some custom rules. The problem I'm facing is that Custom Rules are not language Specific. If I create a custom rule that matches SQL Injection for instance, This rule is presented either if I'm running a Java project or a .NET project.


Do you know how to make this custom description language specific. It seems like the match is performed by category and the language is ignored because the below description appears when both projects are scanned (.NET and Java).


I would expect that this custom description is displayed just for .NET because I used the language attribute (see below rule)


Note that I'm using the language attribute but it seems like it is ignored. This is an example of the Custom rule : Look that I used the Language attribute :


<?xml version="1.0" encoding="UTF-8"?>
<RulePack xmlns="xmlns://">
<Name>Secure Coding Rules, Core, .NET</Name>
<Description><![CDATA[Secure Coding Rules, Core, .NET]]></Description>
<Rules version="3.16" language="dotnet" >
<CustomDescriptionRule formatVersion="3.16" language="dotnet">
<Value>SQL Injection</Value>

<Description formatVersion="3.16" language="dotnet" >
<Explanation><![CDATA[SQL Injection custom rule
Hi There!, this is a .NET custom description!
<Tip><![CDATA[Validate all input:]]></Tip>
<Tip><![CDATA[ this is another Tip]]></Tip>
<Tip><![CDATA[<a href="">link</a> <h1> header </h1> text]]></Tip>
<ContentType value="HTML"/>



I appreciate your help!.