Settings
The settings tab of the application details section allows you to:
- Set a default branch for your application;
- Configure the version control integration, which allows you to review the affected source code corresponding to the finding.
Default branches
For each application that you scan with Qwiet preZero, you can set a default branch—setting a default branch essentially "pins" a branch so that the scan information for that branch displays whenever you open up an application in the dashboard.
If you do not have a default branch selected, Qwiet will display information for the latest scan of that application, regardless of branch.
Set a default branch
To set your default branch:
- Log into Qwiet and navigate into the application of interest.
- In the menu bar, click Settings.
- Under Default Branch, use the drop-down menu to select the branch you want to be your default.
- Click Set Branch to save your changes.
Default branches are set per user; the default branch for one Qwiet user may differ from that of another Qwiet user, even though they're working with the same application.
Version control integration
For each application whose code is analyzed and results are tracked by Qwiet, the dashboard allows you to view the source code location where Qwiet identified a vulnerability. In other words, Qwiet can provide URLs that, when used, will direct you to the specific source code lines where the vulnerability occurs.
Background
By default, Qwiet attempts to infer the correct URL schema automatically. For example, if you run Qwiet preZero from a directory that's also a Git repo, Qwiet automatically attempts to read the URL of the remote contained in the Git metadata. This URL informs the UI regarding hyperlink behavior.
However, if you are:
- Running Qwiet from a directory that's not a Git repository
- Using a version control system that does not follow the URL conventions of GitHub, GitLab, or Bitbucket
You can provide the modifications necessary so that Qwiet can show you where your code-specific vulnerabilities can be found.
Configuring the version control integration
Under Settings, click Configure VCS URL.
To integrate your version control system with Qwiet, provide your application's source code URL. Qwiet offers a series of templates based on the version control system you use to format the URL correctly:
VCS | Template |
---|---|
GitHub | https://github.com/{repo_user}/{repo_name}/blob/{ref}/{repo_path}/{file_path}#L{line_from}-L{line_to} |
GitLab | https://gitlab.com/{repo_user}/{repo_name}/blob/{ref}/{repo_path}/{file_path}#L{line_from}-L{line_to} |
Bitbucket | https://bitbucket.org/{repo_user}/{repo_name}/{repo_path}/{file_path}#lines-{line_from},{line_to} |
Custom | https://{repo_host}/{repo_user}/{repo_name}/{repo_path}/{file_path}/{file_path}#L{line_from}-L{line_to} |
Notes:
- You can append
_escaped
to any of these placeholders (i.e.,{file_path_escaped}
), which escapes the values for URL queries. - You can use
{commit_or_ref}
instead of{ref}
. If so, the placeholder will be replaced with the commit hash if available (otherwise, it will be replaced with ref). However, some version control systems may not accept this value since the commit hash may correspond only to a local copy.
Once you've provided the URL to your source code, click Save VCS URL. At this point, your dataflow information contains active hyperlinks that will lead you to where the identified vulnerability is in the source code.
Editing your VCS URL
You can change the URL or see the templates again at any time by clicking Edit URL after the initial configuration.
Modifying the source code file paths used
If your repo's file structure doesn't match the predefined templates Qwiet preZero uses, you can provide modifications when running sl analyze.
The --vcs-prefix-correction
flag allows you to append information to create the correct file paths for your code:
sl analyze <parameters omitted> --vcs-prefix-correction "prefixToMatch=prefixToAdd"
Sample usage / usage notes
If you include the following flag when running sl analyze...
:
--vcs-prefix-correction "/io/shiftleft=/path/prefix/to"
Qwiet preZero will find all instances of /io/shiftleft
and prepend /path/prefix/to
to form /path/prefix/to/io/shiftleft
.
You can include as many --vcs-prefix-correction
flags as necessary, but each prefix is mutually exclusive (the exception is if you use *
). So, if you run:
sl analyze ... --vcs-prefix-correction "*=/src/main" --vcs-prefix-correction "/io/shiftleft=/path/prefix/to"
Then Qwiet preZero converts:
/com/shiftleft/utils
into/src/main/com/shiftleft/utils
/io/shiftleft/stream/utils
into/src/main/path/prefix/to/io/shiftleft/stream/utils
The *
is a special case that means "prefix all" and will be applied with any other prefixes you supply; it is not a wildcard. So, if you use *=/src/main
, Qwiet preZero will add /src/main
to the start of all your file paths.
Inferences
Qwiet preZero may infer version control information and provide links based on the running containers' environment variables.
For example, if the GITHUB_RUN_ID
is present, Qwiet preZero assumes that you're running Qwiet preZero against a GitHub repo via GitHub Actions. Alternatively, if you're running Qwiet preZero using Jenkins, the GIT_URL
or GITHUB_REPO_GIT_URL
plus BRANCH_NAME
, GIT_LOCAL_BRANCH
, or GIT_BRANCH
provides branch-related information.
However, Qwiet preZero supports the use of the following environment variables; if you set any of these, they will be used instead of the values that Qwiet preZero inferred from your run environment. Note that these values are inferred using the information available on a per-scan basis (and not per project).
SL_VCS_TEMPLATE
: A custom VCS template (e.g., formula to use to determine how Qwiet preZero creates your VCS links such ashttps://{repo_host}/{repo_user}/{repo_name}/blob/{ref}/{repo_path}/{file_path}#L{line_from}-L{line_to}
)SL_VCS_REPO_NAME
: The custom name to be used as your repository nameSL_VCS_USER_NAME
: The custom username you want to be used (can be an organization name)SL_VCS_COMMIT_ID
: The commit ID you want Qwiet preZero to useSL_VCS_BRANCH_REF
: The branch reference you would like Qwiet preZero to useSL_VCS_RELATIVE_PATH
: The relative path between the root of your repository and the project that you're analyzing (e.g., the path between the rootgithub.com/yourOrg/monorepo
and the app being scannedgithub.com/yourOrg/monorepo/java/apps/appScanned
)SL_VCS_ORIGIN_URL
: A custom upstream URL
For Azure users
When setting up VCS in the dashboard, select a Custom URL template and use the following:
https://dev.azure.com/<YOUR_AZURE_ORG>/<YOUR_PROJECT_NAME>/_git/<YOUR_REPO_NAME>?path={file_path_escaped}&version=GB{commit_or_ref}&line={line_from}&lineEnd={line_to}&lineStartColumn=1&lineEndColumn=1&lineStyle=plain&_a=contents
Be sure to replace <YOUR_AZURE_ORG>
, <YOUR_PROJECT_NAME>
, and <YOUR_REPO_NAME>
with your values.
Enable AI-derived findings
If you'd like Qwiet AI to generate dynamic policies and display AI-derived findings for your application, you can toggle this feature on/off using AI-derived findings. You can choose one of the following settings:
- Inherit: Inherits the org-level setting (i.e., if you have AI-derived findings enabled for your org, then you'll also have it enabled for the app)
- Enable: Enable AI-derived findings for only the app
- Disable: Disable AI-derived findings for the app
Once you've enabled this finding, you'll see AI-derived findings in the results for your application.