Comments (7)
skosten
commented on June 23, 2024
Really like this idea. However, would give the tool the option of exposing
those, e.g., where developer silences issue but isn't really fixed. Would
like security auditor to be able to see if needed.
Steve Kosten
Make a Loan, Make a Difference: Kiva.org
…On Sun, Sep 10, 2017 at 11:54 PM, Eric Johnson ***@***.***> wrote:
@joshbw <https://github.com/joshbw> proposed a standard format for
suppressing false positives using commands on a line of code in our
extension tools.
Fields proposed:
- ToolName
- Identifier (SEC###, DS###)
- Comment
- Expiration Date
- Hash code
What other fields would be helpful?
Format could be something simple:
- //ToolName:Identifier:HashCode:Comment:EndDate
Thoughts on the format?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#34>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AIAEI55USi3uJWaXMwfAj5vBRAjsA_cTks5shMsfgaJpZM4PSqvi>
.
from puma-scan.
ejohn20
commented on June 23, 2024
Agree - on our side we can easily add a configuration option to ignore suppression if desired.
Also, I think we should track who is suppressing what. I added an Author tag above, which could be the login id of the person that triggers the suppression.
from puma-scan.
felickz
commented on June 23, 2024
Are you looking to address an issue that the native suppression mechanisms do not support? (compiler pragma directives and Suppress Message attributes)
The existing GlobalSuppressions file seems to be the best place to store false positives as we can then put a watch on the suppression file and audit any changes made there.
Style Analyzers "CodeAnalysisSuppressionMustHaveJustification" rule seems to help enforce some level of documentation: SA1404
from puma-scan.
ejohn20
commented on June 23, 2024
@felickz this is mainly for the non-code file analyzers, which the built in suppression does not support. The standard code warnings work just fine using the built in suppression.
from puma-scan.
ejohn20
commented on June 23, 2024
Next release will include a .pumafile that allows suppression of findings (code and non-code).
from puma-scan.
brettpostin
commented on June 23, 2024
I've just come across this issue as I was looking for a way to prevent developers easily suppressing rules without oversight. This sounds like a timely addition!
Are you able to give any timescales for the next release?
from puma-scan.
ejohn20
commented on June 23, 2024
@brettpostin We just released this feature in our professional edition last week. We will iron the documentation out for this over the next few weeks. It is something that will be contributed back to the open source edition in time, but likely not until Q2 2019.
from puma-scan.
Related Issues (20)
- SEC0108 warning with recommended overload HOT 1
- Visual Studio 2019 support HOT 8
- integrate with sonarqube HOT 8
- How to create the nuget pacakage manually for this project HOT 1
- Taint Analysis HOT 4
- error when added as nuget package to some vulnerable application
- Flow sensitive analysis HOT 1
- Using RoslynSDKgenerator jar is not getting created HOT 6
- Package version was not found: 2.0.0 HOT 1
- XmlException when used in a project with PostSharp HOT 7
- Is it possible to update dependency on Microsoft.CodeAnalysis 2.9.0 HOT 4
- SEC0108 warning false reporting
- Invalid Certificate HOT 2
- 2.4.7 release on marketplace.visualstudio but no release nor commits here HOT 1
- jwt AuthorizeAttribute ignored HOT 1
- Only .net supported? HOT 1
- Visual Studio 2022 Support HOT 2
- SEC0120 False positivites when using policy with required authenticated user
- Supression Pragmas or way to turn off warnings ?
- I don't understand how to fix problems (SEC0112, SEC0032)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from puma-scan.