Comments (3)
Go into the artifacts of your AzDevOps build:
- In AzDO, inside your pipline, click the job, then click on artifact.
You will find a file named msdo.sarif.
Inside that file, find the vulnerability you would like suppressed. In the below example, it is BinSkim rule BA2006 for the vulnprocess.exe file.
-- snip --
"results": [
-- snip --
{
"ruleId": "BA2006",
"ruleIndex": 2,
"level": "error",
"message": {
"id": "Error",
"arguments": [
"vulnprocess.exe",
"C (17.0.65501.17013), Cxx (17.0.65501.17013)",
"Microsoft (R) Optimizing Compiler : c -- snip --
\r\n"
]
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///D:/a/1/a/SecureApplication/bin/Debug/binaries/vulnprocess.exe"
}
}
}
],
"fingerprints": {
"gdnPrimarySignature": "1111111111222222222233333333334444444444555555555566666666667777",
"gdnAlternativeSignature0": "2222222222111111111144444444443333333333666666666655555555557777"
}
},
In the root of your repository, create a file named .gdn/.gdnsuppress. Copy the gdnPrimarySignature, the portion of the artifactLocation uri that is relative to your repo root, and the ruleId as in the example below:
{
"version": "1.0.0",
"suppressionSets": {
"default": {
"name": "default",
"createdDate": "2020-08-25 21:30:26Z",
"lastUpdatedDate": "2021-04-06 19:07:13Z"
}
},
"results": {
"1111111111222222222233333333334444444444555555555566666666667777": {
"signature": "1111111111222222222233333333334444444444555555555566666666667777",
"target": "SecureApplication/bin/Debug/binaries/vulnprocess.exe",
"memberOf": [
"default"
],
"tool": "BinSkim",
"ruleId": "BA2006",
"justification": null,
"createdDate": "2023-04-14 00:58:36Z",
"expirationDate": null,
"type": null
}
}
}
Set the createdDate and lastUpdatedDate as appropriate. Also ensure the tool and ruleId matches the finding in the msdo.sarif file. The tool name can be found early in the msdo.sarif file.
Check this file in and rerun your build. Note that results is an array, so you can add additional suppressions as needed. I would also recommend that you set the expirationDate to the date you expect to have this fixed, as it specifies how long the suppression should stay in force.
from security-devops-azdevops.
@chrisnielsen-MS @will477 @dotpaul - Can you guide me how to suppress false positives for credscan.
I'm using below task for cred scan in azure devops pipeline.
- task: MicrosoftSecurityDevOps@1
displayName: Credential Scanner- CredScan
inputs:
categories: 'secrets'
break: true
from security-devops-azdevops.
@chrisnielsen-MS @will477 @dotpaul - Any update on above?
from security-devops-azdevops.
Related Issues (20)
- Credscan: Support suppression in files that does not allow comments, such as JSON documents HOT 1
- Template analyzer Azure DevOps pipeline HOT 2
- [Q] How to configure suppressions file for CredScanner and use it? HOT 2
- Having a 'packageVersion' variable causes the task to fail HOT 2
- Trivy version is very out of date HOT 2
- Pipeline task 'MicrosoftSecurityDevOps@1' fails to detect the Secrets/passwords in Python files. HOT 6
- TemplateAnalyzer missing an report format argument in wiki HOT 3
- Installing Microsoft Security DevOps Cli: Not supported error (v1.7.1) HOT 6
- Microsoft Security DevOps - Error calling url: Error: connect ECONNREFUSED 13.107.246.67:443
- Build not failing even if there are some bugs detected HOT 5
- Error: Failed to install the MSDO CLI nuget package while running behind proxy HOT 3
- Pipeline Run Successful But Results not Visible HOT 5
- Eslint is not installing in the self hosted agent HOT 2
- Microsoft security DevOps task is breaking when we use 3rd party modules/private repositories. HOT 1
- Path is undefined in release pipeline HOT 2
- Improve Task Documentation HOT 7
- Unknown header detected while attempting to read CredScan Tsv output HOT 5
- Antimalware Scan not Supported on Linux Build Agents HOT 1
- Slowness in task completion HOT 4
- Wrong paths for files in scan results with multi-checkouts. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from security-devops-azdevops.