Suppressing findings based on defined patterns

ShiftLeft allows you to suppress findings so that they are excluded from the results of each subsequent scan alongside the remaining vulnerabilities (completed scans are unaffected). This can be helpful if there are findings you consider to be false positives.

See sl remediation for detailed CLI information.

  1. Run sl remediation config <filename>.yaml to create a sample config file that you can modify:

    # Example analysis remediation config
    methods:
    #  - method: org.slf4j.Logger.info:void(java.lang.String,java.lang.Object)
    #    tags:
    #      - key: category
    #        value: Sensitive Data Leak
    #  - pattern: Logger.debug
    #    tags:
    #      - key: category
    #        value: Sensitive Data Leak

    You can specify exact methods, or you can specify patterns that you want ShiftLeft to identify. You can also narrow a method or pattern further with tags; only results that match all of the criteria (i.e., the method or pattern and every listed tag) will be returned.

  2. Add the methods that you want ShiftLeft to identify and suppress to the configuration file you generated. You can test the changes you make using the dry-run command option:

    sl remediation dry-run --config <filename>.yaml --app <yourApplication>

    Doing so will print to the command line the methods ShiftLeft has identified as matching the parameters you defined.

    When you are finished making changes, save your config file.

  3. To run your scans using the configuration file you defined, include the --remediation-config flag:

    sl analyze --app <yourApplication> --remediation-config example.yaml --java <path-to-target>
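To make the matching rules concrete, here is an added example (not ShiftLeft's own code) that mimics what a dry run would report: it takes the sample config above with its comment markers removed, expressed as a Python structure, and applies it to a few constructed findings. The exact semantics of `pattern` are an assumption here (substring match on the method signature); `method` is treated as an exact signature match, and every tag must match.

```python
"""Dry-run style matcher for a remediation config (illustrative, not ShiftLeft's code).

Assumptions: `method` must equal the finding's signature exactly, `pattern`
is a substring match on the signature, and every tag key/value must be present.
"""
from typing import Dict, List

# Constructed config: the docs' sample YAML with the comment markers removed.
REMEDIATION_CONFIG: Dict = {
    "methods": [
        {"method": "org.slf4j.Logger.info:void(java.lang.String,java.lang.Object)",
         "tags": [{"key": "category", "value": "Sensitive Data Leak"}]},
        {"pattern": "Logger.debug",
         "tags": [{"key": "category", "value": "Sensitive Data Leak"}]},
    ]
}

# Constructed findings shaped as (id, method signature, tags).
SAMPLE_FINDINGS: List[Dict] = [
    {"id": 1, "method": "org.slf4j.Logger.info:void(java.lang.String,java.lang.Object)",
     "tags": {"category": "Sensitive Data Leak"}},            # exact method + tag: suppressed
    {"id": 2, "method": "org.slf4j.Logger.debug:void(java.lang.String)",
     "tags": {"category": "Sensitive Data Leak"}},            # pattern + tag: suppressed
    {"id": 3, "method": "org.slf4j.Logger.debug:void(java.lang.String)",
     "tags": {"category": "SQL Injection"}},                  # pattern hits, tag differs: kept
    {"id": 4, "method": "org.slf4j.Logger.info:void(java.lang.String)",
     "tags": {"category": "Sensitive Data Leak"}},            # signature differs: kept
]


def rule_matches(rule: Dict, finding: Dict) -> bool:
    """True when the finding satisfies the rule's method/pattern AND all its tags."""
    if "method" in rule:
        if finding["method"] != rule["method"]:
            return False
    elif "pattern" in rule:
        if rule["pattern"] not in finding["method"]:
            return False
    else:
        return False  # a rule must name a method or a pattern
    return all(finding["tags"].get(t["key"]) == t["value"] for t in rule.get("tags", []))


def dry_run(config: Dict, findings: List[Dict]) -> List[int]:
    """Return the ids of findings that at least one rule would suppress."""
    return [f["id"] for f in findings if any(rule_matches(r, f) for r in config["methods"])]


if __name__ == "__main__":
    for fid in dry_run(REMEDIATION_CONFIG, SAMPLE_FINDINGS):
        print("would suppress finding", fid)
```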

Reverting changes

You can undo any changes you make by updating or removing the configuration file. Subsequent scans will show the findings restored.