Friday, February 6, 2009

SuppressMessage in code for CAT.NET

If you are using Microsoft's CAT.NET static analysis tool to find security vulnerabilities, you may find that it sometimes reports false positives. If you need to suppress a finding, it gives you several options:

  • Manual suppression of found vulnerabilities in the CAT.NET UI
  • A Suppressions.xml file (located in the current project directory) - entries made in the Suppress tab of the UI get saved here
  • Method and assembly level suppressions in code, using the SuppressMessageAttribute class

I find the method and assembly level suppressions most helpful when you want to suppress a false positive in your own code while preparing it for security review by another team or developer. In-code suppressions also document the decision right next to the code, and they can be easily searched for.

Prerequisites for in-code suppression (the #define must come before any using directives; without it the attribute is compiled away):

#define CODE_ANALYSIS
using System.Diagnostics.CodeAnalysis;

Assembly level suppression:

[assembly: SuppressMessage("Microsoft.ACESec.CATNet.Core.Rules", "ACESEC05")]
namespace Project.Common
{
    // ...
}

Method level suppression:

public class SomeClass
{
    [SuppressMessage("Microsoft.ACESec.CATNet.Core.Rules", "ACESEC05")]
    public string MyFalsePositiveMethod()
    {
        // ...
    }
}
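Putting the prerequisites, a method level suppression and the "easily searched for" point together, here is an added, complete example (my own code, not from the post or from the CAT.NET team). It reuses the category and rule id shown above; the Justification text, the GreetingService class and the SuppressionAudit helper are hypothetical. The helper walks the compiled assembly with reflection and lists every SuppressMessage attribute together with its justification, which is a simple way to hand a reviewer an inventory of what was suppressed and why.

```csharp
#define CODE_ANALYSIS   // must precede the using directives; SuppressMessageAttribute is
                        // [Conditional("CODE_ANALYSIS")], so without this it is not emitted

using System;
using System.Collections.Generic;
using System.Diagnostics.CodeAnalysis;
using System.Reflection;
using System.Text.RegularExpressions;

namespace Project.Common
{
    public class GreetingService
    {
        // Hypothetical allow-list: the value is validated before it is used.
        private static readonly Regex SafeName = new Regex("^[A-Za-z]{1,32}$");

        // Scope the suppression to the one method and say why it is safe,
        // so a reviewer can check the claim rather than just the attribute.
        [SuppressMessage("Microsoft.ACESec.CATNet.Core.Rules", "ACESEC05",
            Justification = "Hypothetical: input is allow-listed by SafeName before use")]
        public string Greet(string name)
        {
            if (name == null || !SafeName.IsMatch(name))
                throw new ArgumentException("name must be 1-32 ASCII letters", "name");
            return "Hello, " + name;
        }
    }

    // Hypothetical helper: enumerates in-code suppressions for review.
    public static class SuppressionAudit
    {
        public static IEnumerable<string> List(Assembly asm)
        {
            // Assembly level attributes.
            foreach (SuppressMessageAttribute a in
                     asm.GetCustomAttributes(typeof(SuppressMessageAttribute), false))
                yield return Format("[assembly]", a);

            // Method level attributes on every type in the assembly.
            BindingFlags all = BindingFlags.Public | BindingFlags.NonPublic |
                               BindingFlags.Instance | BindingFlags.Static |
                               BindingFlags.DeclaredOnly;
            foreach (Type t in asm.GetTypes())
                foreach (MethodInfo m in t.GetMethods(all))
                    foreach (SuppressMessageAttribute a in
                             m.GetCustomAttributes(typeof(SuppressMessageAttribute), false))
                        yield return Format(t.FullName + "." + m.Name, a);
        }

        private static string Format(string where, SuppressMessageAttribute a)
        {
            return where + ": " + a.Category + "/" + a.CheckId + " - " +
                   (a.Justification ?? "(no justification given)");
        }
    }

    public static class Program
    {
        public static void Main()
        {
            Console.WriteLine(new GreetingService().Greet("Alice"));

            // Print the suppression inventory for the current assembly.
            foreach (string line in SuppressionAudit.List(Assembly.GetExecutingAssembly()))
                Console.WriteLine(line);
        }
    }
}
```

Compile this with CODE_ANALYSIS defined (the #define at the top does it for this file) and the inventory shows the Greet suppression with its justification; remove the #define and the same run lists nothing, which is also why CAT.NET stops honouring the attribute when the symbol is missing.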
