Fluid Attacks offers the NOFLUID feature to allow you to exclude from reports some specific, potentially insecure lines within your application's source code or infrastructure-as-code (IaC) configurations. This way you can avoid findings that are not relevant to your specific context.
The procedure to follow depends on the type of vulnerability you want to exclude. On this page you will find a description of the different ways to declare an exclusion, along with the cases in which each one is used.
While NOFLUID offers valuable control over scan results, it is crucial to use it responsibly. Excluding findings can mask potential vulnerabilities in your code or misconfigurations. Always ensure you fully understand the implications of excluding a finding and only do so when you have a clear justification. Using this feature means you acknowledge and accept the associated risks.
To suppress a specific finding within your code, add the NOFLUID comment on the line before the one flagged by the scanner. Include a brief explanation of why you are excluding this issue.
import * as CryptoJS from "crypto-js";

function hasCryptoJsFunctions(arg) {
  // NOFLUID This report is irrelevant, controlled variable.
  const Utf16LE = CryptoJS.enc.Utf16LE.parse("a23ijl");
}
You could also use NOFLUID in dependency declaration files that accept comments in their format:
buildscript {
  ext {
    lombokVersion = '1.18.16'
  }
}

dependencies {
  // NOFLUID Assumed risk.
  compile "io.springfox:springfox-swagger-ui:2.6.0"
}
Or use it in your IaC configuration file:
resource "test_cluster" "main" {
  cluster_identifier = "test"
  database_name      = "test"
  master_username    = var.clusterUser
  master_password    = var.clusterPass
  cluster_type       = "single-node"
  # NOFLUID The cluster is adequately hardened
  publicly_accessible = true
  ...
}
After adding the NOFLUID comment, rerun the static analysis. The scanner now skips the potential security issue.
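Because every NOFLUID comment is supposed to carry a justification, it is worth auditing them periodically. The following script is an added example, not part of the Fluid Attacks documentation or tooling: it walks source and IaC text, lists each NOFLUID comment together with the line it suppresses, and flags suppressions that give no reason. The sample files are constructed to mirror the three snippets above, plus one suppression without a justification.

```python
"""Audit NOFLUID suppression comments in source and IaC files.

Added example (not Fluid Attacks' own tooling). The sample inputs below are
constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Comment markers used by the file types shown on the page: // for JavaScript
# and Gradle, # for Terraform/HCL. Everything after NOFLUID is the justification.
NOFLUID_RE = re.compile(r"(?://|#)\s*NOFLUID\b(.*)$")


@dataclass
class Suppression:
    path: str
    line_no: int      # 1-based line of the NOFLUID comment
    reason: str       # justification text, possibly empty
    suppressed: str   # the next non-blank line, which the scanner will skip


def find_suppressions(path: str, text: str) -> list[Suppression]:
    """Return every NOFLUID suppression in `text`, in file order."""
    lines = text.splitlines()
    found = []
    for idx, line in enumerate(lines):
        match = NOFLUID_RE.search(line)
        if not match:
            continue
        # The comment goes on the line before the flagged one, so the
        # suppressed line is the next non-blank line after the comment.
        target = ""
        for nxt in lines[idx + 1:]:
            if nxt.strip():
                target = nxt.strip()
                break
        found.append(Suppression(path, idx + 1, match.group(1).strip(), target))
    return found


def unjustified(suppressions):
    """Suppressions whose justification is empty or contains no words."""
    return [s for s in suppressions if not re.search(r"\w", s.reason)]


# Constructed sample files mirroring the page's snippets, plus one
# suppression without a reason (legacy-lib is a made-up dependency).
SAMPLES = {
    "crypto.js": """\
import * as CryptoJS from "crypto-js";
function hasCryptoJsFunctions(arg) {
  // NOFLUID This report is irrelevant, controlled variable.
  const Utf16LE = CryptoJS.enc.Utf16LE.parse("a23ijl");
}
""",
    "build.gradle": """\
dependencies {
  // NOFLUID Assumed risk.
  compile "io.springfox:springfox-swagger-ui:2.6.0"
  // NOFLUID
  compile "org.example:legacy-lib:1.0.0"
}
""",
    "main.tf": """\
resource "test_cluster" "main" {
  # NOFLUID The cluster is adequately hardened
  publicly_accessible = true
}
""",
}


def audit(samples=SAMPLES):
    """Collect suppressions across all files; return (all, unjustified)."""
    found = []
    for path, text in samples.items():
        found.extend(find_suppressions(path, text))
    return found, unjustified(found)


if __name__ == "__main__":
    every, missing = audit()
    for s in every:
        print(f"{s.path}:{s.line_no}: suppresses `{s.suppressed}` reason={s.reason!r}")
    print(f"{len(missing)} suppression(s) without a justification")
```

Running it on a real checkout means replacing `SAMPLES` with the files you read from disk; the audit output is a convenient artifact to review alongside the scan results, since an unexplained suppression is as worth revisiting as the finding it hides.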
For software composition analysis (SCA) scans of dependency files (such as package-lock.json) and dynamic application security testing (DAST) scans (for URL environments), you can define a fluidattacks.yaml file at the root of your project. This file allows you to specify exclusions for specific dependencies or endpoints. It has the following structure:
SCA:
  - dependency_name: dependency name
    reason: short description of the reason to exclude all reports from this dependency
DAST:
  - endpoint: url endpoint
    target_findings:
      - finding_code: short description of the reason to exclude reports from this specific finding
finding_code is the code of the type of vulnerability you want to exclude. You can obtain it from the output of your previous scan.
Example:
SCA:
  - dependency_name: boto3
    reason: impossible to upgrade
  - dependency_name: sqlite
    reason: waiting for qa approval to update
DAST:
  - endpoint: myapp.com
    target_findings:
      - f043: not relevant report
      - f086: will upgrade after next release
  - endpoint: web.example.com
    target_findings:
      - f313: certificates are secure enough
In this example, the boto3 and sqlite dependencies are excluded. Additionally, the vulnerability types f043 and f086 for the myapp.com endpoint and type f313 for the web.example.com endpoint are excluded.
To exclude a finding on your AWS resources, add a tag to the resource with the potential vulnerability. The tag's key must be NOFLUID, and the value should include the codes of the vulnerability types and the reason for the exclusion, in the following format:
<finding_code>.<finding_code>..._<reason>
The following example shows the tag applied to a Terraform resource:
resource "aws_instance" "example" {
  ami           = "ami-123456"
  instance_type = "t2.micro"
  tags = {
    Name    = "test"
    NOFLUID = "f001.f002_non_relevant"
  }
}
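Both the fluidattacks.yaml exclusions and the AWS tag value are small formats that are easy to get subtly wrong (a dependency without a reason, a typo in a finding code, a tag value missing the underscore), and a mistake silently either excludes nothing or excludes more than intended. The following script is an added example, not part of the Fluid Attacks documentation or tooling: it validates an already-parsed fluidattacks.yaml (the structure PyYAML's safe_load would produce from the example above, constructed here inline), parses a NOFLUID tag value into its finding codes and reason, and answers whether a given finding code is covered by a resource's tags. The finding-code pattern `f` plus three digits is inferred from the codes on this page and is an assumption.

```python
"""Validate fluidattacks.yaml exclusions and AWS NOFLUID tag values.

Added example, not part of the Fluid Attacks docs or tooling. It assumes the
YAML file has already been parsed (e.g. with yaml.safe_load); the structures
below are constructed to match the page's example.
"""
import re

# Codes on the page look like f043, f086, f313: assumed to be "f" + 3 digits.
FINDING_CODE = re.compile(r"^f\d{3}$")


def validate_exclusions(config: dict) -> list[str]:
    """Return the problems found in a parsed fluidattacks.yaml (empty = OK).

    Every exclusion must name what it excludes and give a reason, mirroring
    the template on the page.
    """
    problems = []
    for i, dep in enumerate(config.get("SCA") or []):
        if not dep.get("dependency_name"):
            problems.append(f"SCA[{i}]: missing dependency_name")
        if not str(dep.get("reason") or "").strip():
            problems.append(f"SCA[{i}]: missing reason")
    for i, ep in enumerate(config.get("DAST") or []):
        endpoint = ep.get("endpoint")
        if not endpoint:
            problems.append(f"DAST[{i}]: missing endpoint")
        # YAML renders "- f043: reason" as a list of one-key mappings.
        for item in ep.get("target_findings") or []:
            if not isinstance(item, dict):
                problems.append(f"DAST[{i}] {endpoint}: target_findings entry is not 'code: reason'")
                continue
            for code, reason in item.items():
                if not FINDING_CODE.match(str(code)):
                    problems.append(f"DAST[{i}] {endpoint}: bad finding code {code!r}")
                if not str(reason or "").strip():
                    problems.append(f"DAST[{i}] {endpoint}: {code} has no reason")
    return problems


def parse_nofluid_tag(value: str) -> tuple[list[str], str]:
    """Split a tag value of the form f001.f002_reason into (codes, reason).

    Only the first underscore separates the codes from the reason, so a
    reason such as "non_relevant" survives intact. Raises ValueError when
    the value does not follow the format.
    """
    codes_part, sep, reason = value.partition("_")
    codes = [c for c in codes_part.split(".") if c]
    if not sep or not codes or not reason.strip():
        raise ValueError(f"expected f001.f002_reason, got {value!r}")
    bad = [c for c in codes if not FINDING_CODE.match(c)]
    if bad:
        raise ValueError(f"invalid finding code(s) {bad} in {value!r}")
    return codes, reason.strip()


def is_excluded_by_tag(tags: dict, finding_code: str) -> bool:
    """True if the resource's NOFLUID tag covers `finding_code`."""
    value = tags.get("NOFLUID")
    if value is None:
        return False
    codes, _ = parse_nofluid_tag(value)
    return finding_code in codes


# Constructed: the page's YAML example as yaml.safe_load would return it.
EXAMPLE_CONFIG = {
    "SCA": [
        {"dependency_name": "boto3", "reason": "impossible to upgrade"},
        {"dependency_name": "sqlite", "reason": "waiting for qa approval to update"},
    ],
    "DAST": [
        {"endpoint": "myapp.com",
         "target_findings": [{"f043": "not relevant report"},
                             {"f086": "will upgrade after next release"}]},
        {"endpoint": "web.example.com",
         "target_findings": [{"f313": "certificates are secure enough"}]},
    ],
}

# Constructed tags mirroring the aws_instance example on the page.
EXAMPLE_TAGS = {"Name": "test", "NOFLUID": "f001.f002_non_relevant"}

if __name__ == "__main__":
    print(validate_exclusions(EXAMPLE_CONFIG) or "fluidattacks.yaml: no problems")
    print(parse_nofluid_tag(EXAMPLE_TAGS["NOFLUID"]))
    print(is_excluded_by_tag(EXAMPLE_TAGS, "f002"), is_excluded_by_tag(EXAMPLE_TAGS, "f043"))
```

A check like `validate_exclusions` fits naturally in a pre-commit hook or CI step for the repository that holds fluidattacks.yaml, so that an exclusion without a reason is caught before it reaches the scanner rather than discovered during a later review.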