
Overview

Configuring Puma Scan Professional can be done by editing the Settings.json file in the following directory:

%appdata%\Microsoft\VisualStudio\Puma.Security.Rules

Puma Scan Professional has many configuration options that allow development teams to control the scanner, rules, edit tainted sources, and edit cleanse methods. The following documentation describes the configuration options and how each one affects the scanning engine.

NOTE: The VSIX extension will add an Options -> Puma Scan options menu. This is currently under construction. The configuration must be done by editing the Settings.json file directly.

Teams customizing the Settings.json file should keep a separate copy in a secure backup location. While we don’t expect future versions, updates, or reinstallation to overwrite your customization, it would be a shame to lose work. Please consider keeping the master Settings.json file in a source control repository to ensure the scanner configuration history is properly tracked.

General Settings

The following JSON block shows the general setting options:

"GeneralSettings": {
    "LicenseFileDirectory": "C:\\Users\\BobbyTables\\AppData\\Roaming\\Microsoft\\VisualStudio\\Puma.Security.Rules",
    "DataflowAnaylsisEnabled": true,
    "DataflowAnalysisReportIndeterminates": false,
    "ProductionConfigurationTransform": "Release"
},

The GeneralSettings section of the Settings.json file contains global options that affect how the scanner works. The following options are supported:

LicenseFileDirectory

Defines the directory that contains the Puma Scan Professional license file. The default location is %appdata%\Microsoft\VisualStudio\Puma.Security.Rules.

NOTE: Each backslash in the path must be doubled (\\) because the backslash (\) is the escape character in C# and JSON strings.

DataflowAnaylsisEnabled

Puma Scan Professional performs data flow analysis in many analyzers to determine if the source of an input comes from an untrusted source (e.g. request parameter, web service API, etc.). This setting turns the data flow feature on (true) or off (false). If you are experiencing performance issues in Visual Studio, disabling this feature will improve performance. However, more false positives will occur. The default value is true.

NOTE: Yes, we realize there is a typo in the name of this argument. This will be corrected in the next beta release.

DataflowAnalysisReportIndeterminates

Puma Scan Professional performs data flow analysis in many analyzers to determine if the source of an input comes from an untrusted source (e.g. request parameter, web service API, etc.). In some cases, the data flow analyzer may be unable to perform a complete trace and cannot confidently determine if a vulnerability exists. These sinks are marked as indeterminate. This setting tells the scanner if indeterminate issues should be reported in the scan results (true) or be suppressed by the scanner (false). The default is false.

ProductionConfigurationTransform

Puma Scan Professional will perform a web.config transformation prior to running configuration analysis if a transform file exists. This setting tells the analyzer which configuration transform file you would like to use for analysis. For example, if your configuration transform is called “Web.Production.config”, then you should change this setting to “Production”. The default value is “Release”, which tells the analyzers to look for a file called “Web.Release.config”.

Rule Options

The Puma Scan Professional edition provides configuration options for each analysis rule (e.g. SEC0001). The configuration options are defined in the RuleOptions list.

All Rules

The following example shows the default configuration options that exist for all rules.

{
    "Id": "SEC0001",
    "Enabled": true
},

All analysis rules have the following options:

Enabled

Turns an analysis rule on (true) or off (false). The default is true.

SEC0007 - Forms Authentication: Weak Timeout

{
    "Id": "SEC0007",
    "TimeoutMax": 30,
    "Enabled": true
},

The following options allow users to configure their forms authentication timeout policy.

TimeoutMax

Defines the maximum forms authentication timeout value (in minutes). The default value is 30.

SEC0017 - Identity Weak Password Complexity

{
    "Id": "SEC0017",
    "Length": 10,
    "RequireNumber": true,
    "RequireLowerCase": true,
    "RequireUpperCase": true,
    "RequireSpecialCharacter": true,
    "Enabled": true
},

The following options allow users to configure their own custom password policy.

Length

Defines the minimum number of characters to require for the password length. The default value is 10.

RequireNumber

Indicates if the password complexity should require a numeric character. The default value is true.

RequireLowerCase

Indicates if the password complexity should require a lower case character. The default value is true.

RequireUpperCase

Indicates if the password complexity should require an upper case character. The default value is true.

RequireSpecialCharacter

Indicates if the password complexity should require a special character. The default value is true.

SEC0020 - Weak Session Timeout

{
    "Id": "SEC0020",
    "TimeoutMax": 30,
    "Enabled": true
},

The following options allow users to configure their session state timeout policy.

TimeoutMax

Defines the maximum session state timeout value (in minutes). The default value is 30.
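As an added illustration (not Puma Scan's own code), the following Python loads the RuleOptions shown above from a constructed Settings.json fragment and applies the SEC0007, SEC0020 and SEC0017 policies to constructed application settings, showing how TimeoutMax, Length, the Require* flags and Enabled change what gets reported. The mapping of the SEC0017 options onto ASP.NET Identity PasswordValidator property names (RequireDigit, RequireLowercase, RequireUppercase, RequireNonLetterOrDigit) is an assumption about what the rule inspects.

```python
import json

# Constructed Settings.json fragment (example values, not a real installation).
SETTINGS_JSON = """
{
  "GeneralSettings": { "DataflowAnaylsisEnabled": true },
  "RuleOptions": [
    { "Id": "SEC0007", "TimeoutMax": 30, "Enabled": true },
    { "Id": "SEC0017", "Length": 10, "RequireNumber": true, "RequireLowerCase": true,
      "RequireUpperCase": true, "RequireSpecialCharacter": true, "Enabled": true },
    { "Id": "SEC0020", "TimeoutMax": 30, "Enabled": false }
  ]
}
"""

# Assumed mapping of SEC0017 options onto PasswordValidator properties.
PASSWORD_FLAGS = (
    ("RequireNumber", "RequireDigit"),
    ("RequireLowerCase", "RequireLowercase"),
    ("RequireUpperCase", "RequireUppercase"),
    ("RequireSpecialCharacter", "RequireNonLetterOrDigit"),
)


def load_rule_options(settings_text):
    """Index the RuleOptions list of a Settings.json document by rule Id."""
    settings = json.loads(settings_text)
    return {rule["Id"]: rule for rule in settings.get("RuleOptions", [])}


def evaluate(rules, forms_timeout, session_timeout, validator):
    """Return the rule Ids that would fire for the given application settings.

    forms_timeout / session_timeout are minutes as configured in web.config;
    validator mirrors the properties of an ASP.NET Identity PasswordValidator.
    A rule with "Enabled": false never reports, whatever the values are.
    """
    findings = []
    sec0007 = rules.get("SEC0007", {})
    if sec0007.get("Enabled", True) and forms_timeout > sec0007.get("TimeoutMax", 30):
        findings.append("SEC0007")
    sec0020 = rules.get("SEC0020", {})
    if sec0020.get("Enabled", True) and session_timeout > sec0020.get("TimeoutMax", 30):
        findings.append("SEC0020")
    sec0017 = rules.get("SEC0017", {})
    if sec0017.get("Enabled", True):
        weaker = validator["RequiredLength"] < sec0017.get("Length", 10)
        for option, prop in PASSWORD_FLAGS:
            # Policy requires the class of character but the validator does not.
            weaker = weaker or (sec0017.get(option, True) and not validator[prop])
        if weaker:
            findings.append("SEC0017")
    return findings
```

Because SEC0020 is disabled in the fragment, a 60 minute session timeout produces no finding, while the same 60 minutes for forms authentication triggers SEC0007.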

Tainted Sources

The Puma Scan Professional scanner performs data flow analysis from data entering a vulnerable sink to the original source of the data. For rules performing data flow analysis, the source type (e.g. request parameter) ultimately determines if a diagnostic is raised by the scanner. The following documentation provides a list of the sources automatically built into the scanner and examples showing how to create custom tainted sources.

Default Tainted Sources

The following example shows a default tainted source that flags all data coming from the System.Web.HttpRequest object as tainted.

{
    "RuleIds": [],
    "Flag": "Web",
    "Syntax": "ElementAccessExpressionSyntax",
    "Namespace": "System.Web",
    "Type": "HttpRequest",
    "Property": "this[]",
    "Method": "*"
}

The following example shows a default tainted source that flags all methods (including the parameters) in classes inheriting from System.Web.Mvc.Controller as tainted.

{
    "RuleIds": [],
    "Flag": "Web",
    "Syntax": "SimpleBaseTypeSyntax",
    "Namespace": "System.Web.Mvc",
    "Type": "Controller",
    "Property": "*",
    "Method": "*"
}

The following tainted sources are built into the

Web

Web Service

Database

Cleanse Methods

Coming soon