Exclusions
As software projects grow and evolve, there may be times when developers require more control over analysis results. That is why we have introduced the NOFLUID functionality, which allows specific reports within an application's code to be suppressed.
The procedure depends on the type of vulnerability you want to suppress. The different ways to declare an exclusion are listed below, along with the cases in which each one applies.
Comments
If you wish to suppress a specific report within your code, simply add the NOFLUID comment on the line BEFORE the line that produces the report. You MUST also add an explanation of why the report is being suppressed. Here's how:
    import * as CryptoJS from "crypto-js";

    function hasCryptoJsFunctions(arg) {
      // NOFLUID This report is irrelevant, controlled variable.
      const Utf16LE = CryptoJS.enc.Utf16LE.parse("a23ijl");
    }
You could also use it in dependency declaration files that ACCEPT comments in their format:
    buildscript {
      ext {
        lombokVersion = '1.18.16'
      }
    }

    dependencies {
      // NOFLUID Assumed risk.
      compile "io.springfox:springfox-swagger-ui:2.6.0"
    }
Or use it in your IaC configuration file:
    resource "test_cluster" "main" {
      cluster_identifier  = "test"
      database_name       = "test"
      master_username     = var.clusterUser
      master_password     = var.clusterPass
      cluster_type        = "single-node"
      # NOFLUID The cluster is adequately hardened
      publicly_accessible = true
      ...
    }
Upon running the static analysis again, our system will skip the report associated with the line containing the NOFLUID comment.
Root config file
Another option is to define a file called .fluidattacks at the root of the project, in which you can define general exclusions for the project. Keep in mind that this file only supports exclusions for SCA and DAST reports. The format of the file is as follows:
    [SCA]
    <pkg_name>=<reason>
    [DAST]
    <domain>/<finding>=<reason>
Note that <finding> is the finding id associated with the report you want to suppress. You can obtain this id from the output of your previous scan.
Example:
    [SCA]
    boto3=Impossible to upgrade
    [DAST]
    app.fluidattacks.com/f001=Non relevant report
You can add as many lines as you want. Upon running the analysis again, our system will skip the report associated with the package boto3 and the one that appears on app.fluidattacks.com with finding id f001.
Tagging your AWS resources
If you want to suppress a report on your AWS resources, add a tag to the resource on which the vulnerability exists. The tag's Key MUST be NOFLUID, and in the Value you need to put the reason for the exclusion together with the finding of the specific report, using the following format:

    <finding_code>.<finding_code>..._impossible_to_refac
You can also define your tags in your Infrastructure as Code (IaC) tool of preference. This is especially useful for resources that have a transient lifespan; this way, you won't have to manually add the tag every time the resource is redefined.
Here is an example:
    resource "aws_instance" "example" {
      ami           = "ami-123456"
      instance_type = "t2.micro"
      tags = {
        Name    = "test"
        NOFLUID = "f001.f002_non_relevant"
      }
    }
If the resource you want to exclude does not support tags, you currently cannot use this feature. We are working to resolve this issue.
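As an added illustration (not part of Fluid Attacks' documentation or tooling), the following Python script parses each of the three exclusion forms described above, the inline NOFLUID comment, the root .fluidattacks file and the AWS tag value, and flags inline comments that lack the mandatory reason. The helper names and the sample inputs are constructed for this example.

```python
import re
from configparser import ConfigParser

# Inline form: a '//' or '#' comment holding NOFLUID followed by the mandatory reason.
INLINE_RE = re.compile(r"(?://|#)\s*NOFLUID\b[ \t]*(?P<reason>.*)$")

def find_inline_exclusions(source):
    """Return (comment_line, suppressed_line, reason) triples; reason is '' when missing."""
    out = []
    for idx, line in enumerate(source.splitlines(), start=1):
        m = INLINE_RE.search(line)
        if m:
            # The report on the line AFTER the comment is the one that gets suppressed.
            out.append((idx, idx + 1, m.group("reason").strip()))
    return out

def parse_fluidattacks(text):
    """Parse .fluidattacks into {'SCA': {pkg: reason}, 'DAST': {(domain, finding): reason}}."""
    cp = ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep package and domain names case-sensitive
    cp.read_string(text)
    sca = dict(cp["SCA"]) if cp.has_section("SCA") else {}
    dast = {}
    if cp.has_section("DAST"):
        for key, reason in cp["DAST"].items():
            domain, _, finding = key.rpartition("/")  # "<domain>/<finding>"
            dast[(domain, finding)] = reason
    return {"SCA": sca, "DAST": dast}

def parse_nofluid_tag(value):
    """Split an AWS NOFLUID tag value '<code>.<code>..._<reason>' into (codes, reason)."""
    codes, sep, reason = value.partition("_")  # assumes codes contain no '_' (ids like f001)
    if not sep or not reason:
        raise ValueError(f"tag value {value!r} has no reason after the finding codes")
    return codes.split("."), reason

# Constructed sample inputs (not taken from a real project).
SAMPLE_JS = """function f(arg) {
  // NOFLUID This report is irrelevant, controlled variable.
  const x = parse(arg);
  // NOFLUID
  const y = parse(arg);
}"""
SAMPLE_CFG = "[SCA]\nboto3=Impossible to upgrade\n[DAST]\napp.fluidattacks.com/f001=Non relevant report\n"

if __name__ == "__main__":
    for c_line, s_line, reason in find_inline_exclusions(SAMPLE_JS):
        print(f"line {c_line} suppresses line {s_line}: {reason or 'MISSING REASON'}")
    print(parse_fluidattacks(SAMPLE_CFG))
    print(parse_nofluid_tag("f001.f002_non_relevant"))
```

Running the script reports the second inline comment as MISSING REASON, which is the kind of check a repository can run in CI so that every suppression carries a justification.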
Do this at your own risk
The NOFLUID feature is provided to allow developers more control over their analysis results. However, its use can lead to overlooking potential vulnerabilities or issues in the code. Ensure you fully understand the implications of suppressing a report. By using this feature, you acknowledge and accept the associated risks. Always use this functionality judiciously and under your own responsibility.