How to Create Good Filters for your Project

Aim

The aim of this guide is to help you work out how to create the filters that are most useful to your project. It gives some best practices and shows examples of good and bad filters.

Filter creation best practices

Having identified a call to a cryptography library that you do not want to appear in future results, first decide on the scope of the filter: is it just this one call, a group of similar nearby calls, or the whole package? Then write a filter that removes the unwanted calls and no others.

  • Filters should be as specific as possible, so that they do not remove any calls other than those identified for filtering.
  • Including both a fully-qualified class name and a method name reduces the chance of accidentally removing other code.
  • If you want to remove several methods from a class, add one filter per method rather than filtering out the entire class.
  • If you want to remove an entire module, use its fully-qualified name to avoid accidentally removing other modules with similar names.
  • Whitelists are useful for restricting results to a particular package; blacklists are usually better for targeting specific portions of your code.
  • Avoid blacklisting built-in Java methods: a filter on a common method name is very likely to hide other valid results.
  • To check which calls are being filtered after you change the filter settings (or at any time), open the “Filtered” tab in the report view and confirm that only the intended calls are listed there.

Examples of Filters

  • The filter javax.crypto.Cipher is a bad filter: it removes every call to a Cipher from your reports, not just the one you identified.
  • The filter toString is a bad filter: the method name is so common that it is very likely to remove unrelated calls.
  • The filter org.myorg.mypackage.MyClass.myMethod is a good filter – it is very unlikely to start removing unintended calls.
  • The filter mypackage.MyClass. is a good filter, as the trailing . stops it accidentally matching similar classes like mypackage.MyClassFactory. Note that it still removes every method of MyClass, so prefer the class-plus-method form when only some of its methods are unwanted.
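To make the specificity argument above concrete, here is an added example (not Cryptosense's own filter engine, whose matching rules are not described on this page) that simulates blacklist and whitelist filters over a constructed list of call sites. It assumes that a filter string matches a call when it is a substring of the fully-qualified "class.method" name of either the calling code or the called API; the package and method names, and the call sites themselves, are made up for illustration.

```python
# Added example: a small simulation of filters applied to call-site records, to
# show how many results each of the good and bad filters from the list above
# would remove. ASSUMPTION: a filter matches a call when the filter string is a
# substring of the fully-qualified "class.method" of the caller or the callee.
from dataclasses import dataclass


@dataclass(frozen=True)
class CallSite:
    caller: str  # fully-qualified class.method in which the call is made
    callee: str  # fully-qualified class.method of the crypto API being called


# Constructed sample call sites (hypothetical project, not real analyzer output).
CALLS = [
    CallSite("org.myorg.mypackage.MyClass.myMethod", "javax.crypto.Cipher.getInstance"),
    CallSite("org.myorg.mypackage.MyClass.otherMethod", "javax.crypto.Cipher.getInstance"),
    CallSite("org.myorg.mypackage.MyClassFactory.create", "javax.crypto.Cipher.getInstance"),
    CallSite("org.myorg.billing.Invoice.toString", "java.security.MessageDigest.getInstance"),
    CallSite("org.myorg.auth.Token.toString", "javax.crypto.Mac.getInstance"),
    CallSite("org.myorg.auth.Token.sign", "javax.crypto.Mac.doFinal"),
]


def matches(filt: str, call: CallSite) -> bool:
    """Assumed matching rule: substring of the caller or callee name."""
    return filt in call.caller or filt in call.callee


def apply_blacklist(filters, calls):
    """Split calls into (kept, filtered) under a set of blacklist filters."""
    kept, filtered = [], []
    for call in calls:
        (filtered if any(matches(f, call) for f in filters) else kept).append(call)
    return kept, filtered


def filtered_callers(filters, calls=CALLS):
    """Sorted caller names that a blacklist would hide; what the Filtered tab would show."""
    return sorted(c.caller for c in apply_blacklist(filters, calls)[1])


def apply_whitelist(package_prefixes, calls=CALLS):
    """Keep only calls made from code under one of the given package prefixes."""
    return [c for c in calls if any(c.caller.startswith(p) for p in package_prefixes)]


if __name__ == "__main__":
    candidates = [
        "javax.crypto.Cipher",                    # bad: every Cipher call
        "toString",                               # bad: every toString caller
        "mypackage.MyClass",                      # no trailing dot: also hits MyClassFactory
        "mypackage.MyClass.",                     # trailing dot: MyClass only
        "org.myorg.mypackage.MyClass.myMethod",   # good: one call site
    ]
    for filt in candidates:
        hidden = filtered_callers([filt])
        print(f"{filt!r}: hides {len(hidden)} of {len(CALLS)} calls -> {hidden}")
    print("whitelist org.myorg.auth. keeps", len(apply_whitelist(["org.myorg.auth."])), "calls")
```

Running the script prints, for each candidate filter, how many of the six sample calls it would hide; the two "bad" filters and the version without the trailing dot each remove calls that were never identified for filtering, while the class-plus-method filter removes exactly one.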

Further Reading

For more information on how to create and remove filters, please see the support documentation for filters.

Try a Free 14-day Trial

Cryptosense Analyzer audits your applications and infrastructure to find vulnerabilities and understand your crypto landscape. Use it to optimise bug-fix resources and demonstrate compliance.