In the previous lesson, you created a new Rule Set for a Java
project. In this lesson, you will edit the Rule Set to further
refine the capabilities of the scanner.
-
If you are not currently logged in to the Globalyzer Server, log in, and from your Home Page,
select My Rule Sets.
-
Click the rule set name that you created in the previous lesson,
my_ruleset. The Customize Rule Set page appears.
-
In the General Pattern Scan Rules section, click on the General Patterns
link next to the Detection Rules. The Edit General Patterns page
for my_ruleset displays. This page lets you create any regular
expression that you want to apply to a scan of your source code. You will see
many patterns beyond what is shown in this screenshot.
-
Click the New General Pattern button. The Create General
Pattern for my_ruleset page that displays contains six fields
that are used to describe a rule, Name, Pattern, Priority, Description,
Category,
and Help Page, plus a checkbox to enable the
pattern, set to
true
by default.
Three fields are required, Name,
Pattern and Priority. Use the Name field to
give your pattern a brief, meaningful name. Use the Pattern
field to delineate the pattern being referenced. Use the Priority
field to set the importance of the detected issue; 0
indicates that the found issue is a string concatenation, and 1-5 (with 1 being the
highest, that is, most likely to be an internationalization issue) ranks
other issues.
You'll then be able to sort and view
the issues that Globalyzer detects in your source code based on
this priority, concentrating on the highest priority methods
first. Use the Description field to (1) enter a more
indepth explanation of the pattern, (2) understand the reason for
its inclusion in the scan, and/or (3) describe a process to
correct the problem. The Category allows you to enable and
disable rules in bulk; as you add rules, you may want to specify
a category so you can find the rules that you added quickly, or
enable/disable these new rules quickly. The Help Page field allows you to
enter a URL to a page that would further explain the pattern
and/or the internationalization issue surrounding it. For its
default Locale-Sensitive Methods, Globalyzer provides help links.
-
In this section, you are going to create a new general pattern, MyDateFormat.
In the Name field, enter the following string:
MyDateFormat
In the Pattern field, enter the following string:
new\s+MyDateFormat\s*\(
In the Priority field enter the following string:
1
In the Description field, enter the following string:
Instances of MyDateFormat are locale-sensitive. Consider
using MyLocaleDateFormat instead.
In the Category field enter the following string:
my_java
The page should display the following data:
Please note the following string in the Pattern
field:
new\s+MyDateFormat\s*\(
This string is a regular expression pattern that will be
incorporated into the scanner's search. In this case, the scanner
will detect and report all occurrences in the source code where a
MyDateFormat object is created.
The pattern consists of "
new
" (look for the pattern "new"), followed by "
\s+
" (one or more "spaces"), followed by "
MyDateFormat
" (the pattern "MyDateFormat"), then "
\s*
" (zero or more "spaces"), then "
(
" (an opening parenthesis). So, for instance, if the string "new
MyDateFormat(" is in your code , this pattern will be found.
You might create this rule because you know that objects of
this type are locale-sensitive. Therefore, you want to flag all
instances in the source code so that they can be handled
appropriately, with a locale-neutral object. Globalyzer assists
in this process by clearly identifying each instance, and
allowing you to easily locate and edit the issue in your source
code, as you will see in a later lesson.
-
Click the Create button in the page. Globalyzer will
redisplay the Edit General Patterns with the newly added search
pattern. The newly added search pattern will be located on the
second page, but you can sort by priority to see the newly added
pattern on the first page, as below.
-
To modify an existing pattern, click on the name link. The Edit
General Pattern page displays. Make any modifications and click
the Update button. To remove a pattern from the scan, you
can uncheck it on the list page, or delete it here by clicking
the Delete button.
This screen looks a little bit different if you are working with an
inherited rule set. Here you can make the edits that will distinguish
it from the parent rule set. After making an edit, it will no longer
display as inherited. Pull up this page using your
my_ruleset_extended rule set.
Change the priority from 1 to 3. This change will overwrite the rule
inherited from my_ruleset. Click Create to return to the
previous page, and observe how the new pattern is no longer inherited,
but has locally overwritten the original rule.
This is an example of how inherited rule sets can be edited to suit
individual purposes. Return to your my_ruleset rule set, and
observe that the edit you just made does not show up in this
rule set.
-
Click Back to Summary to go back to the Customize Rule Set
page and click the String Content Filters link in
the Embedded String Scan Rules
section. The Edit String Content Filters page appears. This
category of rules comes with a number of defaults. It also lets
you define your own string filters. These filters tell the
scanner that when it is searching your source for embedded text,
it can ignore any embedded strings that contains one of
these patterns.
-
Click the New String Content Filter button and enter the
following values for the fields in the Create String Content
Filter page:
Name: Number(s) with letter
Pattern: \A[0-9]+[A-Za-z]+\Z
Description: Filters strings that contain only number(s)
followed by a letter.
This regular expression pattern detects words that begin
with numbers. The rationale for this rule is to ignore hardcoded
strings in your source code that begin with numbers, because such
strings are unlikely to be displayed to users. For instance, the
scanner would detect the string "Error", but would
ignore the string "01Error".
-
Click Create to add the filter to the string filters list.
-
Then click on the Back to Summary link to return to the
Customize Rule Set page.
-
Click the String Method Filters link
under Embedded String Scan Rules. The Edit String Method
Filters page displays.
This category of rules is similar to the previous, except that
instead of filtering strings that contain the listed regular
expressions, it filters strings that are passed as
arguments to the listed methods, functions or constructors. It
is important to remember that when you add a method, function or
constructor to the list, add the name only.
Available for Java rule sets, you can associate Class or Variable Type(s) with the
method name so filtering will only take place when embedded strings are passed
to the method of the specified Class/Type. This gives you finer control over
issues being filtered.
Where it pertains, you may add the calling static class name
prior to the method name. Be sure to escape any special
characters (such as a dot) that come between the class name and
the method name. If there is an object, as in the following
example, that will always be called the same thing - such as
myBundle
- you may place that prior to the method call, but the scanner
will only pick up instances where that specific object precedes
the method call. This may not be necessary for Java rule sets,
since they have the Class or Variable Type(s) field, but may
be useful for rule sets in other languages.
Finally, do not follow the method name with a parenthesis.
The scanner automatically looks for trailing parentheses to
determine whether a string is being passed in as an argument.
-
Click the New String Method Filter button and enter the
following values for the fields in the Create String Method
Filter page:
Name: getString
Pattern: getString
Class or Variable Type(s): java.util.ResourceBundle
Description: This is a method that takes a String ID as a
parameter. String IDliterals must be filtered from the Scan
Results.
This regular expression pattern detects getString() method calls
when called via a ResourceBundle object instance.
As summarized in the Description field, the
rationale for this rule is to ignore any string literals passed
into these methods because we know the method parameters include
string literals that will not be viewed publicly by users. For
example, the string literal parameters in the method call:
String myButtonLabel =
myBundle.getString("Cancel");
would be ignored by the scanner because we know that the
word "Cancel" is not actually a label, rather the key
to retrieve the translated label from a resource file.
-
Click the Create button in the page. Notice the message at
the top of the list of method string: StringMethodFilter
getString created
-
Click the Back to Summary link.
-
Click the String Line Filters link
under Embedded String Scan Rules. The Edit String Line
Filters page appears. This category of rules is similar to Edit
String Content Filters, except that it filters embedded strings
that appear on a line that contains one of these
patterns.
-
As described above, to add a new filter, you would click on the New
String Line Filter button, enter values for the Name, Pattern,
Description, and optionally the Category and Help Page fields, click the Create
button in the Create String Line Filter page, and then the Back
to Summary link to return to the Customize Rule Set page.
-
Click the link for String Variable Filters
under Embedded String Scan Rules. The Edit String Variable
Filters page appears. This category of rules is similar to Edit
String Content Filters, except that it filters embedded strings
that are compared/assigned to configured patterns. For example,
if you know that the value of a variable will not be displayed
to the end user, you could create a String Variable Filter with
the variable name as the pattern. This will filter out all embedded
strings that are assigned to or compared with the variable.
-
As described above, to add a new filter, you would click on the New
String Variable Filter button, enter values for the Name, Pattern,
Description, and optionally the Category and Help Page fields, click the Create
button in the Create String Variable Filter page, and then the Back
to Summary link to return to the Customize Rule Set page.
-
Globalyzer supports additional filters: the first one is for
filtering methods, the Method Line Filters, which will
filter any locale-sensitive method detection that is found on the
same line as a method line filter. The other one is for filtering
static file references, the Static File Filters and the Static
File Line Filters, which operate similarly to the string file
and line filters. And lastly, is the General Pattern Line
Filters which filter general pattern detections that are on the
same line as a general pattern line filter.
In the next two lessons, you will start the Globalyzer
Workbench and prepare to scan your source code using my_ruleset.
