Suppressing findings based on defined patterns

ShiftLeft allows you to suppress findings so that they are excluded from the vulnerabilities reported for a scan. Suppression is applied per scan (completed scans are unaffected). This is useful for findings you consider false positives.

See sl remediation for detailed CLI information.

  1. Run sl remediation config <filename>.yaml to create a sample config file that you can modify:

    # Example analysis remediation config
    methods:
    #  - method: org.slf4j.Logger.info:void(java.lang.String,java.lang.Object)
    #    tags:
    #      - key: category
    #        value: Sensitive Data Leak
    #  - pattern: Logger.debug
    #    tags:
    #      - key: category
    #        value: Sensitive Data Leak

    You can specify the exact methods or the patterns that you want ShiftLeft to match. You can further narrow a method or pattern entry with tags; only findings that satisfy all of the criteria (i.e., the method or pattern and every tag) are matched.

    If you'd like to match all findings of a category, you can use the pattern .*. For example, to match all header injection findings:

    methods:
      - pattern: ".*"
        tags:
          - key: category
            value: Header Injection
  2. Add the methods you want ShiftLeft to identify and suppress to the configuration file you generated. You can test the changes you make using the dry-run command option:

    sl remediation dry-run --config <filename>.yaml --app <yourApplication>

    This prints to the command line the methods ShiftLeft has identified as matching the criteria you defined.

    When you are finished making changes, save your config file.

  3. To run your scans using the configuration file you defined, include the --remediation-config flag:

    sl analyze --app <yourApplication> --remediation-config example.yaml --java <path-to-target>
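
The matching rules from steps 1 and 2 (a method or pattern entry plus tags, all of which must match), worked through on constructed findings. This is an added example, not ShiftLeft's own implementation: it assumes that method is an exact signature match and that pattern is a regular-expression search over the method signature, and the finding records are made up for the illustration.

```python
import re

# Constructed findings (not ShiftLeft's output format): a method signature
# plus the tags a finding carries.
FINDINGS = [
    {"method": "org.slf4j.Logger.info:void(java.lang.String,java.lang.Object)",
     "tags": {"category": "Sensitive Data Leak"}},
    {"method": "org.slf4j.Logger.debug:void(java.lang.String)",
     "tags": {"category": "Sensitive Data Leak"}},
    {"method": "org.slf4j.Logger.debug:void(java.lang.String)",
     "tags": {"category": "Header Injection"}},
    {"method": "javax.servlet.http.HttpServletResponse.setHeader:void(java.lang.String,java.lang.String)",
     "tags": {"category": "Header Injection"}},
]

# The sample remediation config from step 1, written as the equivalent
# Python structure so the example runs without a YAML library.
CONFIG = {
    "methods": [
        {"method": "org.slf4j.Logger.info:void(java.lang.String,java.lang.Object)",
         "tags": [{"key": "category", "value": "Sensitive Data Leak"}]},
        {"pattern": "Logger.debug",
         "tags": [{"key": "category", "value": "Sensitive Data Leak"}]},
    ]
}


def rule_matches(rule, finding):
    """True only when the method/pattern criterion AND every tag match.

    Assumption: 'method' is compared exactly; 'pattern' is a regex search, so
    the '.' in 'Logger.debug' is a metacharacter (escape it if that matters).
    """
    if "method" in rule:
        if finding["method"] != rule["method"]:
            return False
    elif "pattern" in rule:
        if not re.search(rule["pattern"], finding["method"]):
            return False
    else:
        return False  # an entry with neither method nor pattern matches nothing
    return all(finding["tags"].get(t["key"]) == t["value"] for t in rule.get("tags", []))


def dry_run(config, findings):
    """Findings the config would suppress (what the dry-run option would list)."""
    return [f for f in findings if any(rule_matches(r, f) for r in config["methods"])]


def remaining(config, findings):
    """Findings that stay in the scan results after suppression."""
    suppressed = dry_run(config, findings)
    return [f for f in findings if f not in suppressed]
```

The Logger.debug finding tagged Header Injection is not suppressed even though its method matches the pattern, because the category tag does not.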

Reverting changes

You can undo any changes by updating or removing the configuration file. Subsequent scans will show the findings restored.