
Exclusions

As software projects grow and evolve, there may be times when developers require more control over analysis results. That's why we have introduced the NOFLUID functionality. This allows specific reports within an application's code to be suppressed.

Depending on the type of vulnerability you want to suppress, you will have to follow a different procedure. Below, the different ways to declare an exclusion are listed, along with the cases for which each one is used.

Comments

If you wish to suppress a specific report within your code, simply add the NOFLUID comment to the line BEFORE the report. Also, you MUST add an explanation of why the report is being suppressed. Here's how:

import * as CryptoJS from "crypto-js";

function hasCryptoJsFunctions(arg) {
  // NOFLUID This report is irrelevant, controlled variable.
  const Utf16LE = CryptoJS.enc.Utf16LE.parse("a23ijl");
}

You could also use it in dependency declaration files that ACCEPT comments in their format:

buildscript {
  ext {
    lombokVersion = '1.18.16'
  }
}
dependencies {
  // NOFLUID Assumed risk.
  compile "io.springfox:springfox-swagger-ui:2.6.0"
}

Or use it in your IaC configuration file:

resource "test_cluster" "main" {
  cluster_identifier = "test"
  database_name      = "test"
  master_username    = var.clusterUser
  master_password    = var.clusterPass

  cluster_type = "single-node"
  # NOFLUID The cluster is adequately hardened
  publicly_accessible = true
  ...
}

Upon running the static analysis again, our system will skip the report associated with the line containing the NOFLUID comment.

Root config file

Another option is to define a file called .fluidattacks at the root of the project, in which you can define general exclusions for the project. Keep in mind that in this file, only exclusions for SCA and DAST reports are supported.

The format of the file is as follows:

[SCA]

<pkg_name>=<reason>

[DAST]

<domain>/<finding>=<reason>

Note that <finding> is the corresponding finding id associated with the report you want to suppress. You can obtain this finding from the output of your previous scan.

Example:

[SCA]

boto3=Impossible to upgrade

[DAST]

app.fluidattacks.com/f001=Non relevant report

You can add as many lines as you want.

Upon running the analysis again, our system will skip the report associated with the package boto3 and the one that appears on app.fluidattacks.com with finding id f001.

Tagging your AWS resources

If you want to suppress a report on your AWS resources, add a tag to the resource on which the vulnerability exists. The tag's Key MUST be NOFLUID, and its value must contain the finding code(s) of the specific report followed by the reason for the exclusion, in the following format:

<finding_code>.<finding_code>..._impossible_to_refac


You can also define your tags in your Infrastructure as Code (IaC) tool of preference. This is especially useful for resources that have a transient lifespan; this way, you won't have to manually add the tag every time the resource is redefined.

Here is an example:

resource "aws_instance" "example" {
  ami           = "ami-123456"
  instance_type = "t2.micro"

  tags = {
    Name    = "test"
    NOFLUID = "f001.f002_non_relevant"
  }
}

If the resource you want to exclude does not support tags, you currently cannot use this feature. We are working to resolve this issue.
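As an added example (not Fluid Attacks' own tooling; this page does not describe how the scanner itself parses these files), here is a small Python audit helper that reads the .fluidattacks root config and the AWS NOFLUID tag value described above and flags exclusions that are malformed or give no reason, so every suppression can be reviewed in CI. The sample config below is constructed from the page's entries plus one extra "requests" entry with an empty reason.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Exclusion:
    section: str  # "SCA" or "DAST"
    target: str   # package name, or "<domain>/<finding>"
    reason: str   # justification text; an empty reason is flagged

def parse_fluidattacks(text: str) -> tuple[list[Exclusion], list[str]]:
    """Parse a .fluidattacks file; return (exclusions, list of problems found)."""
    exclusions: list[Exclusion] = []
    problems: list[str] = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:  # the format allows blank lines between entries
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
            if section not in ("SCA", "DAST"):  # only these two are supported
                problems.append(f"line {lineno}: unsupported section [{section}]")
            continue
        if section is None or "=" not in line:
            problems.append(f"line {lineno}: expected '<target>=<reason>' inside a section")
            continue
        target, reason = (part.strip() for part in line.split("=", 1))
        if section == "DAST" and "/" not in target:
            problems.append(f"line {lineno}: DAST target must be '<domain>/<finding>'")
        if not reason:
            problems.append(f"line {lineno}: exclusion for {target!r} gives no reason")
        exclusions.append(Exclusion(section, target, reason))
    return exclusions, problems

def parse_nofluid_tag(value: str) -> tuple[list[str], str]:
    """Split an AWS NOFLUID tag value '<code>.<code>..._<reason>' into (codes, reason)."""
    codes_part, sep, reason = value.partition("_")  # the reason starts at the first "_"
    codes = [c for c in codes_part.split(".") if c]
    if not codes or not sep or not reason:
        raise ValueError(f"malformed NOFLUID tag value: {value!r}")
    return codes, reason

# Constructed sample: the page's own entries plus one exclusion with an empty reason.
SAMPLE_CONFIG = """\
[SCA]
boto3=Impossible to upgrade
requests=
[DAST]
app.fluidattacks.com/f001=Non relevant report
"""
```

Running parse_fluidattacks over a real .fluidattacks in a pre-commit hook or CI job and failing on a non-empty problems list keeps undocumented suppressions out of the repository.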

Caution: Do this at your own risk

The NOFLUID feature is provided to allow developers more control over their analysis results. However, its use can lead to overlooking potential vulnerabilities or issues in the code. Ensure you fully understand the implications of suppressing a report. By using this feature, you acknowledge and accept the associated risks. Always use this functionality judiciously and under your own responsibility.