SCA - Custom Cross Site Scripting Encoder Recognition?
We have a custom static java method that handles stripping and converting characters per the OWASP XSS Prevention Cheat Sheet. Unfortunately SCA doesn't recognize strings passed through this function as having been validated.
We'd like to resolve this, but I can't seem to find any documentation in the SCA User Guide for 18.10 that actually explains how. Filtering individual issue ids, marking as not an issue, or suppressing them aren't really an option due to the size of the codebase.
Replacing our filter code with ESAPI.encoder().encodeForHtml(), which has nearly matching output to our method (ours is a little more aggressive), makes Fortify happy, but I'd really rather avoid the overhead and extra dependencies of the ESAPI module.
Re: SCA - Custom Cross Site Scripting Encoder Recognition?
This would require a custom rule which marks all data going through that function as validated for XSS according to your description.
You should check out the custom rules guide for this
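As an added illustration (not from either poster, and not an official Fortify rule), this is the shape of a DataflowCleanseRule that tells SCA the return value of a custom encoder no longer carries XSS taint. The package, class and method names are hypothetical placeholders for the static method described in the question, and the exact taint flag names must be taken from the Custom Rules Guide for the installed rulepack version (the ones below are assumptions to be verified, not values confirmed by the thread).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example custom rulepack: marks data returned by a custom HTML encoder
     as cleansed for XSS. Load it with the same mechanism as any custom
     rulepack (e.g. -rules on the sourceanalyzer scan command line). -->
<RulePack xmlns="xmlns://www.fortifysoftware.com/schema/rules">
  <RulePackID>EXAMPLE-CUSTOM-XSS-CLEANSE-PLACEHOLDER</RulePackID>
  <SKU>EXAMPLE-SKU-PLACEHOLDER</SKU>
  <Name>Custom XSS encoder cleanse rules (example)</Name>
  <Version>1.0</Version>
  <Description>Treats our in-house HTML encoder as an XSS cleanse point.</Description>
  <Rules version="3.2">
    <RuleDefinitions>
      <DataflowCleanseRule formatVersion="3.2" language="java">
        <RuleID>EXAMPLE-RULE-ID-PLACEHOLDER</RuleID>
        <!-- ASSUMPTION: flag names must match those the shipped XSS sink
             rules test for; confirm them in the Custom Rules Guide. The
             intent is: remove the XSS taint and record that HTML encoding
             was applied. -->
        <TaintFlags>-XSS,+XSS_ENCODED</TaintFlags>
        <FunctionIdentifier>
          <!-- Hypothetical location of the static encoder method -->
          <NamespaceName><Pattern>com\.example\.security</Pattern></NamespaceName>
          <ClassName><Pattern>HtmlEncoder</Pattern></ClassName>
          <FunctionName><Pattern>encodeForHtml</Pattern></FunctionName>
          <ApplyTo implements="true" overrides="true" extends="true"/>
        </FunctionIdentifier>
        <!-- The cleansed data is the method's return value -->
        <OutArguments>return</OutArguments>
      </DataflowCleanseRule>
    </RuleDefinitions>
  </Rules>
</RulePack>
```

Scope the rule to exactly the encoder that performs the OWASP-style HTML entity encoding; a cleanse rule on a method that only strips a few characters would silence real findings rather than fix them, so confirm on a small test project that the XSS issues disappear only where the encoder is actually in the data path.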