Analyzing security vulnerability search results

To make Pega Platform applications more secure, you can run the Rule Security Analyzer. This tool searches through non-autogenerated rules to find specific JavaScript or SQL coding patterns that match regular expression rules, some of which might indicate security vulnerabilities, as detailed below.

To use the analyzer, you must have the pxSecurityVA privilege in your access group's role. Standard developer roles such as SysAdm4 include this privilege.

Note that:

The Rule Security Analyzer tool examines only custom code, not autogenerated rules.
Blocked rules are ignored. These rules are identified by the property .pyRuleAvailable = "Blocked".
The tool scans rules in your own applications, not rules in standard Pega Platform rulesets.

The Rule Security Analyzer tool finds potential security vulnerabilities in code by searching for matches to regular expressions that are defined in Rule Analyzer Regular Expression rules. The system provides the following standard regular expressions. You can supplement these standard regular expressions with regular expressions that you create.

Expression Name	Description
pyCrossSiteScriptingActiveValue	Finds possible cross-site scripting vulnerabilities from unencoded output to the browser. Calls to `tools.getActiveValue()` should be wrapped in `StringUtils.crossScriptingFilter` or converted to the appropriate non-string value. For example, the following expressions are allowed: `String x = StringUtils.crossScriptingFilter(tools.getActiveValue())` `int y = Integer.parseInt(tools.getActiveValue())` For more information, see the Pega Community article Best practices to avoid cross-site scripting (XSS) vulnerabilities.
pyCrossSiteScriptingFromParam	Finds possible cross-site scripting vulnerabilities from unencoded output to the browser. Calls to `tools.getParamValue()` should be wrapped in `StringUtils.crossScriptingFilter` or converted to the appropriate non-string value. For example, the following expressions are allowed: `String x = StringUtils.crossScriptingFilter(tools.getParamValue("x"))` `int y = Integer.parseInt(tools.getParamValue("y"))` For more information, see the Pega Community article Best practices to avoid cross-site scripting (XSS) vulnerabilities.
pyDatabase	This is an old version of the pySQLInjection rule, which is described below. Finds direct calls to the database, for example: `executeRDB()`, `createRDBListSpec()`, `RDBExecute()`.
pyLogStatements	Rules that call `oLog` or `System` are flagged, and should be reviewed manually to ensure that no critical or confidential data is logged.
pySQLInjection	Finds patterns and APIs that might inject unfiltered user input to an SQL query. Direct SQL queries that could be maliciously modified at run time should not be allowed, for example: `executeRDB()`, `createRDBListSpec()`, `RDBExecute()`, `executeDBSchemaUpdates()`. Validate all input from the user and use parameterized queries with bind variables where possible.
pySystemCall	Finds system calls, for example: `getRuntime()`, `ProcessBuilder`. These calls are permitted but should be manually reviewed.
pyUnsafeURL	To prevent data from being misinterpreted as having a special meaning, finds URLs and query parameters that are not encoded.
pyXMLExternalEntity	Finds instances of XML parsing with `DocumentBuilderFactory` or `XMLInputFactory` (among others) that are not protected against XML External Entity (XXE) attack vectors. For a complete list of the validations performed by this rule, see the GitHub web site for OWASP CheatSheetSeries (XML_External_Entity_Prevention_Cheat_Sheet.md). For example, the following are considered safe when using `DocumentBuilder.newInstance()`: `setExpandedEntityReferences(false)` `setFeature("http://apache.org/xml/features/disallow-doctype-decl",true)` `setFeature("http://xml.org/sax/features/external-general-entities",false)`

The following regular expressions are also provided and can be used with the analyzer, although they are not specifically related to security.

Expression Name	Description
pyCustomJS	Finds rules that attempt to obtain node information and other information that might interfere with an upgrade. For example, rules cannot contain expressions such as `CHILDNODES`, `PARENTNODE`, `FIRSTCHILD`, `LASTCHILD`, `NEXTSIBLING`, `PREVIOUSSIBLING`, and so forth.
pyGetThreadInRules	Finds references to `getThread()`.
pyNbspInDSDefaultCaption	Finds DynamicSelect controls that contain a default caption that includes `&nbsp`.
pyNbspInSections	Finds controls that contain the value `&nbsp`.
pyUnsafeURL	Finds dynamic generation of URLs that do not use the encoding API.