Configure Custom Data Flow Methods

Instruct the Java Agent to monitor custom data flow methods in your application by configuring them in an external file.

  1. In the <SEEKER_HOME_DIR> folder on the machine where the Agent is deployed, create a file named custom-methods.json.
  2. In this file, configure the data flow methods, such as sources, propagators, and sinks, that you want to monitor. For example:
    {
        "sources": [
            {
                "class": "java.lang.System",
                "method": "getenv"
            }
        ],
        "propagators": [
            {
                "class": "com.mycompany.MyClass",
                "method": "processInput",
                "unsafeSources": ["THIS", "PARAM_1"],
                "newUnsafeObject": "RETURN"
            }
        ],
        "sinks": [
            {
                "checkerKey": "CMD-INJECT",
                "class": "java.lang.ProcessBuilder",
                "method": "start",
                "unsafeObjects": ["THIS"]
            }
        ]
    }
    Important:

    Make sure to comply with the following conventions:

    • The file can contain three optional sections: sources, propagators, and sinks. For example, if you don't need to include propagators, just omit this section. In each section, you can list multiple methods.
    • Sink methods are supported only for the following sink-based checkers: Command Injection, Connection String Injection, Cross-site Scripting, Expression Language Injection, Hibernate injection, LDAP Injection, Reflection Injection, Regular Expression Denial of Service (ReDoS), Trust Boundary Violation, Unsafe Deserialization, XPath Injection.
    • Source methods must receive only one string parameter and return a string value.
    • Possible values for the newUnsafeObject, unsafeSources, and unsafeObjects parameters are: THIS, PARAM_1, PARAM_2, PARAM_3, PARAM_4, PARAM_5, PARAM_6, RETURN.

      Note that unsafeSources and unsafeObjects are multivalue arrays, whereas newUnsafeObject is a single value.

    • To obtain the checkerKey value for a sink method:

      In the main menu, click Projects, choose a project, and click Analysis. In the Checkers table, locate the required checker and copy the value from the Ref column.

    • If a listed sink method has overloaded variants in the same class, they are included automatically.
  3. Save the file and restart your application.
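Before restarting, the conventions listed under Important can be checked mechanically. The validator below is an added example and is not part of the Seeker product or its documentation; it assumes the file has already been parsed with json.load, and it only knows the CMD-INJECT checkerKey shown above (pass the other Ref values copied from the Checkers table in known_checker_keys).

```python
ALLOWED_REFS = {"THIS", "RETURN"} | {f"PARAM_{i}" for i in range(1, 7)}
SECTIONS = ("sources", "propagators", "sinks")

def _check_refs(value, where, errors, single):
    if single:  # newUnsafeObject is a single value
        if not isinstance(value, str) or value not in ALLOWED_REFS:
            errors.append(f"{where}: must be one value from {sorted(ALLOWED_REFS)}, got {value!r}")
    elif not isinstance(value, list) or not value:  # unsafeSources/unsafeObjects are arrays
        errors.append(f"{where}: must be a non-empty array, got {value!r}")
    else:
        bad = [v for v in value if not isinstance(v, str) or v not in ALLOWED_REFS]
        if bad:
            errors.append(f"{where}: invalid values {bad}")

def validate_custom_methods(doc, known_checker_keys=frozenset({"CMD-INJECT"})):
    """Return convention violations for a parsed custom-methods.json (empty list = passes)."""
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    # Only the three optional sections are allowed; each may list several methods.
    errors = [f"unknown section {n!r}; allowed: {', '.join(SECTIONS)}" for n in doc if n not in SECTIONS]
    for section in SECTIONS:
        for i, entry in enumerate(doc.get(section, [])):
            where = f"{section}[{i}]"
            if not isinstance(entry, dict):
                errors.append(f"{where}: must be an object")
                continue
            for key in ("class", "method"):  # every entry names a class and a method
                if not isinstance(entry.get(key), str) or not entry[key]:
                    errors.append(f"{where}: missing or empty {key!r}")
            if section == "propagators":
                _check_refs(entry.get("unsafeSources"), f"{where}.unsafeSources", errors, single=False)
                _check_refs(entry.get("newUnsafeObject"), f"{where}.newUnsafeObject", errors, single=True)
            elif section == "sinks":
                ck = entry.get("checkerKey")  # must match a Ref value from the Checkers table
                if not isinstance(ck, str) or ck not in known_checker_keys:
                    errors.append(f"{where}: checkerKey {ck!r} is not a known Ref value")
                _check_refs(entry.get("unsafeObjects"), f"{where}.unsafeObjects", errors, single=False)
    return errors

# Constructed samples (not product data): the page's example, then one breaking three conventions.
GOOD = {"sources": [{"class": "java.lang.System", "method": "getenv"}],
        "propagators": [{"class": "com.mycompany.MyClass", "method": "processInput",
                         "unsafeSources": ["THIS", "PARAM_1"], "newUnsafeObject": "RETURN"}],
        "sinks": [{"checkerKey": "CMD-INJECT", "class": "java.lang.ProcessBuilder",
                   "method": "start", "unsafeObjects": ["THIS"]}]}
BAD = {"propagators": [{"class": "com.mycompany.MyClass", "method": "processInput",
                        "unsafeSources": "PARAM_1", "newUnsafeObject": ["RETURN"]}], "sink": []}

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(validate_custom_methods(sample) or "OK")
```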

Results

If a vulnerability is detected in any of the configured methods, it appears in the vulnerability details and in the data flow stack traces, along with the unsafe parameters.