As software projects grow and evolve, developers sometimes need more control over analysis results. That is why we introduced the NOFLUID functionality, which allows specific reports within an application's code to be suppressed.
Depending on the type of report you want to suppress, the procedure differs. The different ways to declare an exclusion are listed below, along with the cases in which each one is used.
The NOFLUID feature is provided to give developers more control over their analysis results. However, its use can lead to real vulnerabilities or issues in the code being overlooked. Make sure you fully understand the implications of suppressing a report. By using this feature, you acknowledge and accept the associated risks. Always use this functionality judiciously and under your own responsibility.

If you wish to suppress a specific report within your code, add a NOFLUID comment on the line BEFORE the line that triggers the report. The comment must also carry an explanation of why the report is being suppressed. Here's how:
import * as CryptoJS from "crypto-js";
function hasCryptoJsFunctions(arg) {
  // NOFLUID This report is irrelevant, controlled variable.
  const Utf16LE = CryptoJS.enc.Utf16LE.parse("a23ijl");
}
You could also use it in dependency declaration files that accept comments in their format:
buildscript {
  ext {
    lombokVersion = '1.18.16'
  }
}
dependencies {
  // NOFLUID Assumed risk.
  compile "io.springfox:springfox-swagger-ui:2.6.0"
}
Or use it in your IaC configuration file:
resource "test_cluster" "main" {
  cluster_identifier  = "test"
  database_name       = "test"
  master_username     = var.clusterUser
  master_password     = var.clusterPass
  cluster_type        = "single-node"
  # NOFLUID The cluster is adequately hardened
  publicly_accessible = true
  ...
}
Upon running the static analysis again, our system will skip the report on the line that immediately follows the NOFLUID comment. Reports on any other line of the file are still produced.
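As an added example, not part of the original page or of the Fluid Attacks scanner, the following Python scans source text for NOFLUID comments, records which line each one suppresses (the line immediately after the comment, as described above) and flags comments that give no justification, which is the one rule the feature imposes. The sample inputs are constructed from the examples on this page; recognising only the `//` and `#` comment syntaxes is an assumption.

```python
import re
from typing import NamedTuple

# A NOFLUID line comment: `//` (JavaScript, Gradle) or `#` (Terraform/HCL),
# the NOFLUID keyword, then the optional justification text. Assumption:
# other comment syntaxes are not handled here.
NOFLUID_RE = re.compile(r"^\s*(?://|#)\s*NOFLUID\b\s*(?P<reason>.*)$")


class Suppression(NamedTuple):
    comment_line: int  # 1-based line number of the NOFLUID comment
    target_line: int   # line whose report is suppressed: the one right after
    reason: str        # justification text; empty if none was given
    target: str        # source text of the suppressed line, for review


def find_suppressions(source: str) -> list[Suppression]:
    """Return every NOFLUID suppression in `source`, with the line it covers."""
    lines = source.splitlines()
    found = []
    for number, line in enumerate(lines, start=1):
        match = NOFLUID_RE.match(line)
        if match is None:
            continue
        # `number` is 1-based, so lines[number] is the following line.
        target = lines[number].strip() if number < len(lines) else ""
        found.append(Suppression(number, number + 1,
                                 match.group("reason").strip(), target))
    return found


def unjustified(suppressions: list[Suppression]) -> list[Suppression]:
    """Suppressions that carry no explanation, which the feature requires."""
    return [s for s in suppressions if not s.reason]


# Constructed inputs: the page's JavaScript example, and a Terraform fragment
# with one properly justified NOFLUID and one that gives no reason.
SAMPLE_JS = """\
import * as CryptoJS from "crypto-js";
function hasCryptoJsFunctions(arg) {
  // NOFLUID This report is irrelevant, controlled variable.
  const Utf16LE = CryptoJS.enc.Utf16LE.parse("a23ijl");
}
"""

SAMPLE_HCL = """\
resource "test_cluster" "main" {
  cluster_identifier  = "test"
  # NOFLUID
  master_password     = var.clusterPass
  # NOFLUID The cluster is adequately hardened
  publicly_accessible = true
}
"""


if __name__ == "__main__":
    for name, source in (("app.js", SAMPLE_JS), ("main.tf", SAMPLE_HCL)):
        for s in find_suppressions(source):
            status = "ok" if s.reason else "MISSING REASON"
            print(f"{name}:{s.target_line} [{status}] {s.target}")
```

Running it over a repository before a scan gives reviewers the list of lines that will be silently skipped, and the `# NOFLUID` without a reason in the Terraform sample is reported so it can be fixed before it hides a real finding.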
You can also add a .fluidattacks.yaml file at the root of the project, in which you define exclusions for the whole project. This file only applies to SCA reports (for files where comments are not allowed, such as package-lock.json) and DAST reports (for URL environments). Its structure is:

SCA:
  - dependency_name: dependency name
    reason: short description of the reason to exclude all reports from this dependency
DAST:
  - endpoint: url endpoint
    target_findings:
      - finding_code: short description of the reason to exclude reports from this specific finding
finding_code is the identifier of the finding associated with the report you want to suppress (for example f043). You can obtain it from the output of your previous scan. Example:

SCA:
  - dependency_name: boto3
    reason: impossible to upgrade
  - dependency_name: sqlite
    reason: waiting for qa approval to update
DAST:
  - endpoint: myapp.com
    target_findings:
      - f043: not relevant report
      - f086: will upgrade after next release
  - endpoint: web.example.com
    target_findings:
      - f313: certificates are secure enough
With this configuration, all reports on the boto3 and sqlite dependencies, the f043 and f086 findings for endpoint myapp.com, and the f313 finding for endpoint web.example.com will not be reported by the scanner.

If you want to suppress a report on your AWS resources, add a tag to the resource on which the vulnerability exists. The tag's Key must be NOFLUID, and its Value must contain the finding codes of the reports to suppress, separated by dots, followed by an underscore and the reason for the exclusion, with the words of the reason also separated by underscores:

<finding_code>.<finding_code>..._impossible_to_refac
Here is an example:
resource "aws_instance" "example" {
  ami           = "ami-123456"
  instance_type = "t2.micro"
  tags = {
    Name    = "test"
    NOFLUID = "f001.f002_non_relevant"
  }
}
If the resource you want to exclude does not support tags, you currently cannot use this feature. We are working to resolve this issue.
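As an added example (not Fluid Attacks' own tooling), the following Python covers the two file-level exclusion formats described above: it validates the structure of a .fluidattacks.yaml document, represented here as the Python equivalent of the example above (load the real file with a YAML parser; the structure is identical), and it builds and parses NOFLUID tag values for AWS resources. The finding-code pattern of an `f` followed by three digits is inferred from the codes shown on this page and is an assumption, as is joining the words of the reason with underscores.

```python
import re

# Every finding code on this page looks like f043 or f313: "f" plus three
# digits. Assumption inferred from those examples; adjust if your scanner
# emits other codes.
FINDING_CODE_RE = re.compile(r"^f\d{3}$")

# Python mirror of the .fluidattacks.yaml example above.
EXAMPLE_EXCLUSIONS = {
    "SCA": [
        {"dependency_name": "boto3", "reason": "impossible to upgrade"},
        {"dependency_name": "sqlite", "reason": "waiting for qa approval to update"},
    ],
    "DAST": [
        {"endpoint": "myapp.com",
         "target_findings": [{"f043": "not relevant report"},
                             {"f086": "will upgrade after next release"}]},
        {"endpoint": "web.example.com",
         "target_findings": [{"f313": "certificates are secure enough"}]},
    ],
}


def validate_exclusions(doc: dict) -> list[str]:
    """Return human-readable problems; an empty list means the file is well formed."""
    problems = []
    for i, entry in enumerate(doc.get("SCA") or []):
        if not entry.get("dependency_name"):
            problems.append(f"SCA[{i}]: missing dependency_name")
        if not entry.get("reason"):
            problems.append(f"SCA[{i}]: missing reason")
    for i, entry in enumerate(doc.get("DAST") or []):
        endpoint = entry.get("endpoint") or f"DAST[{i}]"
        if not entry.get("endpoint"):
            problems.append(f"DAST[{i}]: missing endpoint")
        for finding in entry.get("target_findings") or []:
            for code, reason in finding.items():
                if not FINDING_CODE_RE.match(str(code)):
                    problems.append(f"{endpoint}: '{code}' is not a finding code")
                if not reason:
                    problems.append(f"{endpoint}: {code} has no reason")
    return problems


def encode_nofluid_tag(codes: list[str], reason: str) -> str:
    """Build a NOFLUID tag value: codes joined by dots, then '_' and the reason."""
    bad = [c for c in codes if not FINDING_CODE_RE.match(c)]
    if bad or not codes:
        raise ValueError(f"invalid finding codes: {bad or codes}")
    words = reason.split()
    if not words:
        raise ValueError("a reason is required")
    # Assumption: words of the reason are joined with underscores, as in the
    # page's "_impossible_to_refac" example.
    return ".".join(codes) + "_" + "_".join(words)


def decode_nofluid_tag(value: str) -> tuple[list[str], str]:
    """Split a tag value back into its finding codes and reason.

    Only the first underscore separates codes from reason: the reason itself
    may contain underscores (e.g. 'non_relevant'), so do not split on all of them.
    """
    codes_part, sep, reason = value.partition("_")
    if not sep or not reason:
        raise ValueError(f"no reason in tag value {value!r}")
    codes = codes_part.split(".")
    bad = [c for c in codes if not FINDING_CODE_RE.match(c)]
    if bad:
        raise ValueError(f"invalid finding codes {bad} in {value!r}")
    return codes, reason


if __name__ == "__main__":
    print("problems:", validate_exclusions(EXAMPLE_EXCLUSIONS))
    tag = encode_nofluid_tag(["f001", "f002"], "non relevant")
    print(tag, "->", decode_nofluid_tag(tag))
```

Running the validator in CI keeps a malformed exclusion (a mistyped code, an entry with no reason) from being committed and silently ignored, and decoding the tag value lets you list which findings a given AWS resource currently suppresses.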