Exclude findings from scan reports | Fluid Attacks Help

Exclude findings from scan reports

As software projects grow and evolve, there may be times when developers require more control over analysis results. That's why we have introduced the NOFLUID functionality. This allows specific reports within an application's code to be suppressed.

Depending on the type of vulnerability you want to suppress, you will have to follow a different procedure. Below, the different ways to declare an exclusion are listed, along with the cases for which each one is used.

Warning on excluding findings
Do this at your own risk. The NOFLUID feature is provided to allow developers more control over their analysis results. However, its use can lead to overlooking potential vulnerabilities or issues in the code. Ensure you fully understand the implications of suppressing a report. By using this feature, you acknowledge and accept the associated risks. Always use this functionality judiciously and under your own responsibility.

Exclude with comments

If you wish to suppress a specific report within your code, add the NOFLUID comment on the line immediately BEFORE the line that triggers the report. You must also add an explanation of why the report is being suppressed. Here's how:

    import * as CryptoJS from "crypto-js";

    function hasCryptoJsFunctions(arg) {
        // NOFLUID This report is irrelevant, controlled variable.
        const Utf16LE = CryptoJS.enc.Utf16LE.parse("a23ijl");
    }

You could also use it in dependency declaration files that accept comments in their format:

    buildscript {
        ext {
            lombokVersion = '1.18.16'
        }
    }
    dependencies {
        // NOFLUID Assumed risk.
        compile "io.springfox:springfox-swagger-ui:2.6.0"
    }

Or use it in your IaC configuration file:

    resource "test_cluster" "main" {
        cluster_identifier = "test"
        database_name      = "test"
        master_username    = var.clusterUser
        master_password    = var.clusterPass

        cluster_type       = "single-node"
        # NOFLUID The cluster is adequately hardened
        publicly_accessible = true
        ...
    }

Upon running the static analysis again, our system will skip the report associated with the line that follows the NOFLUID comment.
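Because a suppression without a justification is exactly the kind of exclusion that gets forgotten, it is worth auditing the NOFLUID markers in a repository before a scan. The following script is an added example, not Fluid Attacks' tooling: it walks source text, finds every NOFLUID comment in the two comment styles this page shows (`//` and `#`), records the reason given and the line being silenced, and lists the markers that carry no explanation. It assumes the marker sits on its own line directly above the suppressed line, as the page describes; the sample source is constructed from the page's snippets plus one deliberately bare marker.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

# A NOFLUID marker in the two comment styles used on this page:
# "//" (JavaScript, Gradle) and "#" (Terraform, YAML). Everything after
# the keyword is the justification the page says must accompany it.
NOFLUID_RE = re.compile(r"^\s*(?://|#)\s*NOFLUID\b\s*(?P<reason>.*)$")


@dataclass
class Suppression:
    line_no: int      # 1-based line of the NOFLUID comment
    reason: str       # justification text ("" when missing)
    suppressed: str   # the line the marker applies to: the next one


def find_suppressions(source: str) -> List[Suppression]:
    """Collect every NOFLUID marker with its reason and the line it silences."""
    lines = source.splitlines()
    found: List[Suppression] = []
    for idx, line in enumerate(lines):
        match = NOFLUID_RE.match(line)
        if match is None:
            continue
        following = lines[idx + 1].strip() if idx + 1 < len(lines) else ""
        found.append(Suppression(idx + 1, match.group("reason").strip(), following))
    return found


def unjustified(source: str) -> List[int]:
    """Line numbers of NOFLUID markers that carry no explanation at all."""
    return [s.line_no for s in find_suppressions(source) if not s.reason]


# Constructed sample: the page's JavaScript snippet plus a Terraform block
# whose marker has no reason, which is the defect this audit exists to catch.
SAMPLE_SOURCE = """\
import * as CryptoJS from "crypto-js";

function hasCryptoJsFunctions(arg) {
  // NOFLUID This report is irrelevant, controlled variable.
  const Utf16LE = CryptoJS.enc.Utf16LE.parse("a23ijl");
}

resource "test_cluster" "main" {
  # NOFLUID
  publicly_accessible = true
}
"""

if __name__ == "__main__":
    for s in find_suppressions(SAMPLE_SOURCE):
        status = "ok" if s.reason else "MISSING REASON"
        print(f"line {s.line_no}: {status} -> {s.suppressed}")
```

Run it over each source file in a pre-commit hook or CI job and fail the job when `unjustified()` is non-empty; that keeps the "explain why" rule enforceable rather than advisory.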

Exclude with configuration file

Another option is to define a file called .fluidattacks.yaml at the root of the project, in which you declare exclusions for the whole project. This file applies only to SCA reports (for files whose format does not allow comments, such as package-lock.json) and DAST reports (for URL environments).

The format of the file is as follows:
    SCA:
      - dependency_name: dependency name
        reason: short description of the reason to exclude all reports from this dependency

    DAST:
      - endpoint: url endpoint
        target_findings:
          - finding_code: short description of the reason to exclude reports from this specific finding

Note that finding_code is the code of the finding associated with the report you want to suppress. You can obtain this code from the output of your previous scan.

You can add as many dependencies, URLs and findings as you want.

Example:

    SCA:
      - dependency_name: boto3
        reason: impossible to upgrade
      - dependency_name: sqlite
        reason: waiting for qa approval to update
    
    DAST:
      - endpoint: myapp.com
        target_findings:
          - f043: not relevant report
          - f086: will upgrade after next release
      - endpoint: web.example.com
        target_findings:
          - f313: certificates are secure enough

With this example configuration file, vulnerabilities in the boto3 and sqlite dependencies will not be reported. Additionally, vulnerabilities under findings f043 and f086 for the endpoint myapp.com, and under finding f313 for the endpoint web.example.com, will not be reported by the scanner.
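A mistake in this file silently widens or narrows what gets excluded, so it pays to validate it before committing. The script below is an added example, not part of Fluid Attacks' scanner: it takes the file's content as a Python YAML library such as PyYAML's yaml.safe_load would return it (both sample configurations are embedded as constructed dict literals, one being the page's example, the other carrying typical mistakes), checks that every entry has the fields the page describes, and reports exactly which dependencies and which endpoint/finding pairs would be excluded. It assumes finding codes have the shape seen in the page's examples, "f" followed by three digits.

```python
import re
from typing import Dict, List, Set

# Assumption: finding codes have the shape seen in the page's examples
# (f043, f086, f313), i.e. "f" followed by three digits.
FINDING_RE = re.compile(r"^f\d{3}$")
SECTIONS = {"SCA", "DAST"}   # the only sections the page documents


def validate_exclusions(config: dict) -> List[str]:
    """Return human-readable problems; an empty list means the file is well-formed."""
    problems: List[str] = []
    for section in config:
        if section not in SECTIONS:
            problems.append(f"unknown top-level section {section!r}")

    for i, item in enumerate(config.get("SCA") or []):
        item = item if isinstance(item, dict) else {}
        name = item.get("dependency_name")
        if not name:
            problems.append(f"SCA[{i}]: missing dependency_name")
        if not item.get("reason"):
            problems.append(f"SCA[{i}] ({name}): missing reason")

    for i, item in enumerate(config.get("DAST") or []):
        item = item if isinstance(item, dict) else {}
        endpoint = item.get("endpoint")
        if not endpoint:
            problems.append(f"DAST[{i}]: missing endpoint")
        findings = item.get("target_findings") or []
        if not findings:
            problems.append(f"DAST[{i}] ({endpoint}): no target_findings, nothing would be excluded")
        for entry in findings:
            # Each entry is a one-key mapping: finding code -> reason.
            if not isinstance(entry, dict) or len(entry) != 1:
                problems.append(f"DAST[{i}] ({endpoint}): malformed entry {entry!r}")
                continue
            code, reason = next(iter(entry.items()))
            if not FINDING_RE.match(str(code)):
                problems.append(f"DAST[{i}] ({endpoint}): {code!r} is not a finding code")
            if not reason:
                problems.append(f"DAST[{i}] ({endpoint}): {code} has no reason")
    return problems


def excluded_dependencies(config: dict) -> Set[str]:
    """Dependency names whose SCA reports the file suppresses entirely."""
    return {item["dependency_name"] for item in config.get("SCA") or []}


def excluded_findings(config: dict) -> Dict[str, Set[str]]:
    """endpoint -> set of finding codes the scanner will stay silent about."""
    result: Dict[str, Set[str]] = {}
    for item in config.get("DAST") or []:
        codes = {next(iter(entry)) for entry in item.get("target_findings") or []}
        result.setdefault(item["endpoint"], set()).update(codes)
    return result


# Constructed: the page's example as yaml.safe_load would return it.
GOOD_CONFIG = {
    "SCA": [
        {"dependency_name": "boto3", "reason": "impossible to upgrade"},
        {"dependency_name": "sqlite", "reason": "waiting for qa approval to update"},
    ],
    "DAST": [
        {"endpoint": "myapp.com",
         "target_findings": [{"f043": "not relevant report"},
                             {"f086": "will upgrade after next release"}]},
        {"endpoint": "web.example.com",
         "target_findings": [{"f313": "certificates are secure enough"}]},
    ],
}

# Constructed: typical mistakes, including the template placeholder left in.
BAD_CONFIG = {
    "SCA": [{"dependency_name": "boto3"}],
    "DAST": [
        {"endpoint": "myapp.com",
         "target_findings": [{"finding_code": "copied from the template"}]},
        {"endpoint": "web.example.com"},
    ],
    "SAST": [],   # SAST exclusions are comments in code, not entries here
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, validate_exclusions(cfg) or "ok")
    print(excluded_dependencies(GOOD_CONFIG), excluded_findings(GOOD_CONFIG))
```

Printing `excluded_findings()` during code review makes the blast radius of the file explicit: a reviewer sees at a glance that an entry for myapp.com silences two findings, not one.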

Exclude with tag in your AWS resources

If you want to suppress a report on your AWS resources, add a tag to the resource on which the vulnerability exists. The tag's Key must be NOFLUID, and its Value must contain the finding code(s) of the specific report followed by the reason for the exclusion, in the following format:

<finding_code>.<finding_code>..._impossible_to_refac

AWS tag

Info on AWS resources
In order for our scanner to read all the exclusion tags from your resources, the IAM role that our scanner assumes to access your AWS resources (see here) must be allowed to execute the following actions:
  • iam:ListUsers
  • iam:ListUserTags
  • iam:ListRoles
  • iam:ListRoleTags
  • tag:GetResources
Otherwise, it will not be able to find the exclusions you added to your resources/users.
You can also define your tags in your Infrastructure as Code (IaC) tool of preference. This is especially useful for resources that have a transient lifespan; this way, you won't have to manually add the tag every time the resource is redefined.

Here is an example:

    resource "aws_instance" "example" {
        ami           = "ami-123456"
        instance_type = "t2.micro"

        tags = {
            Name    = "test"
            NOFLUID = "f001.f002_non_relevant"
        }
    }

If the resource you want to exclude does not support tags, you currently cannot use this feature. We are working to resolve this issue.
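Tag values are free text, so a typo in the NOFLUID value (a misspelt code, a missing reason) excludes nothing and nobody notices until the report reappears. The helper below is an added example, not Fluid Attacks' code: it parses and composes values in the `<finding_code>.<finding_code>..._reason` format from this section, rejects malformed ones, and, given a resource's tag map, returns the finding codes that tag would exclude. It assumes finding codes look like those in the page's example (`f001`, `f002`) and enforces AWS's documented 256-character limit on a tag value; the tag map is constructed from the Terraform example above.

```python
import re
from typing import Dict, List, Tuple

# Assumption: finding codes look like f001 / f002, as in the page's example.
FINDING_RE = re.compile(r"^f\d{3}$")
TAG_KEY = "NOFLUID"            # the page requires exactly this key
AWS_TAG_VALUE_MAX = 256        # AWS's documented maximum length of a tag value


def parse_nofluid_value(value: str) -> Tuple[List[str], str]:
    """Split "<code>.<code>..._reason" into (codes, reason); raise on malformed input."""
    codes_part, sep, reason = value.partition("_")   # codes never contain "_"
    if not sep or not reason:
        raise ValueError(f"no reason after the finding codes in {value!r}")
    codes = codes_part.split(".")
    bad = [c for c in codes if not FINDING_RE.match(c)]
    if bad:
        raise ValueError(f"not finding codes: {bad}")
    return codes, reason


def is_valid_nofluid_value(value: str) -> bool:
    """True when the value follows the format and would be honoured."""
    try:
        parse_nofluid_value(value)
    except ValueError:
        return False
    return len(value) <= AWS_TAG_VALUE_MAX


def build_nofluid_value(codes: List[str], reason: str) -> str:
    """Compose a tag value in the page's format; spaces in the reason become underscores."""
    bad = [c for c in codes if not FINDING_RE.match(c)]
    if not codes or bad:
        raise ValueError(f"invalid finding codes: {bad or codes}")
    if not reason.strip():
        raise ValueError("a reason for the exclusion is required")
    value = ".".join(codes) + "_" + "_".join(reason.split())
    if len(value) > AWS_TAG_VALUE_MAX:
        raise ValueError("tag value exceeds AWS's 256-character limit")
    return value


def exclusions_for(tags: Dict[str, str]) -> List[str]:
    """Finding codes a resource's tags exclude; [] when there is no usable NOFLUID tag."""
    value = tags.get(TAG_KEY)
    if value is None or not is_valid_nofluid_value(value):
        return []   # a malformed value excludes nothing; flag it for a fix
    return parse_nofluid_value(value)[0]


# Constructed from the Terraform example on this page.
EXAMPLE_TAGS = {"Name": "test", "NOFLUID": "f001.f002_non_relevant"}

if __name__ == "__main__":
    print(exclusions_for(EXAMPLE_TAGS))
    print(build_nofluid_value(["f001", "f002"], "non relevant"))
```

Running `is_valid_nofluid_value()` over the tag values in a Terraform plan (or in the output of the tag:GetResources call listed above) before applying catches the silent-failure case where an exclusion you believe is in place is not being read at all.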
