mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License

Concept: False positive handling #23

Closed de-jcup closed 4 years ago

de-jcup commented 4 years ago

We will create an asciidoc file for the concept sechub-doc/src/docs/asciidoc/documents/shared/concepts/false-postitive-handling/false-postitive-handling.adoc

At the moment false positive handling must be done inside the security products.

But what happens when somebody switches products or uses two products for the same purpose? => You get false positives again.

Code scan

Mark false positives in code by developers

One way this could be handled very smoothly by developers would be a single-line comment option before the false positive: // NOSECHUB:${identifier}. E.g. having a medium finding like:

"description": "\n<br>Location:java/com/daimler/sechub/docgen/AsciidocGenerator.java - line:28, column:35\\n<br>For details... "name": "Absolute Path Traversal",

A developer could add a comment before it, à la // NOSECHUB:Absolute Path Traversal

SecHub would still use the scan results from the products, but filter the corresponding findings by mapping them to the found NOSECHUB lines.

This has the benefit that when developers refactor their code and the method ends up at another position or even in another file, the false positive handling would still work!

Web scan

  1. REST service with filter option for URL + Vulnerability
  2. later: Web UI - using 1.

Infra scan

TBD
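As an added illustration of the NOSECHUB mapping sketched in the comment above (example code written for this page, not SecHub's own implementation), the following filter parses the "Location:" line out of a finding's description, looks at the source line directly above the reported line and suppresses the finding when a matching NOSECHUB marker is found. Assumptions not stated in the thread: the marker must sit on the line immediately before the flagged line, identifiers are compared case-insensitively, and the sources are handed over as an in-memory dict (path -> file content) in place of the uploaded zip. The report excerpt and the Java sources are constructed for this example.

```python
import re

# Constructed sample findings, modelled on the SecHub report excerpt quoted in
# the thread. Only the "Location:" fragment inside "description" is parsed.
SAMPLE_FINDINGS = [
    {   # marker on the line above -> should be suppressed
        "id": 1, "severity": "MEDIUM", "name": "Absolute Path Traversal",
        "description": "\n<br>Location:java/com/daimler/sechub/docgen/AsciidocGenerator.java"
                       " - line:28, column:35\n<br>For details see the product report",
    },
    {   # same finding type, no marker -> must stay in the report
        "id": 2, "severity": "HIGH", "name": "Absolute Path Traversal",
        "description": "\n<br>Location:java/com/daimler/sechub/docgen/AsciidocGenerator.java"
                       " - line:40, column:12\n<br>For details see the product report",
    },
    {   # finding on line 1: there is no line above, so it can never be suppressed
        "id": 3, "severity": "LOW", "name": "Hardcoded Password",
        "description": "\n<br>Location:java/com/daimler/sechub/docgen/Config.java"
                       " - line:1, column:1\n<br>For details see the product report",
    },
]

# Constructed sources keyed by the path as it appears in the finding. A real
# analyzer would read these out of the uploaded zip instead (assumption).
_gen = [""] * 45
_gen[26] = "        // NOSECHUB:Absolute Path Traversal"                       # line 27
_gen[27] = '        File f = new File(System.getProperty("user.home"), name);'  # line 28
_gen[39] = "        Files.write(Paths.get(target), data);"                     # line 40
_gen[44] = "}"
SAMPLE_SOURCES = {
    "java/com/daimler/sechub/docgen/AsciidocGenerator.java": "\n".join(_gen),
    "java/com/daimler/sechub/docgen/Config.java": 'String pw = "secret";\n}',
}

LOCATION_RE = re.compile(r"Location:(?P<path>\S+) - line:(?P<line>\d+), column:(?P<column>\d+)")
MARKER_RE = re.compile(r"//\s*NOSECHUB:(?P<name>.*?)\s*$")


def parse_location(description):
    """Return (path, line, column) from a finding description, or None."""
    m = LOCATION_RE.search(description)
    if not m:
        return None
    return m.group("path"), int(m.group("line")), int(m.group("column"))


def marker_before(source_lines, line_no):
    """Return the NOSECHUB identifier on the line directly above the 1-based
    line_no, or None when there is no such line or no marker."""
    if line_no < 2 or line_no - 1 > len(source_lines):
        return None
    m = MARKER_RE.search(source_lines[line_no - 2])
    return m.group("name") if m else None


def is_marked_false_positive(finding, sources):
    """True when the developer marked this finding with // NOSECHUB:<name>."""
    loc = parse_location(finding.get("description", ""))
    if loc is None:
        return False
    path, line_no, _column = loc
    text = sources.get(path)
    if text is None:          # file missing from the upload: never suppress blindly
        return False
    name = marker_before(text.splitlines(), line_no)
    return name is not None and name.casefold() == finding["name"].casefold()


def filter_findings(findings, sources):
    """Split findings into (kept, suppressed) using the NOSECHUB markers."""
    kept, suppressed = [], []
    for finding in findings:
        (suppressed if is_marked_false_positive(finding, sources) else kept).append(finding)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = filter_findings(SAMPLE_FINDINGS, SAMPLE_SOURCES)
    print("kept:", [f["id"] for f in kept], "suppressed:", [f["id"] for f in suppressed])
```

Because the lookup is relative to the reported line rather than an absolute position, the marker keeps working after the method moves within the file, which is the refactoring benefit the comment describes; a marker whose identifier does not match the finding name is deliberately ignored so that one comment cannot silence unrelated finding types on the same line.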

de-jcup commented 4 years ago

Concept of Analyzer Application

de-jcup commented 4 years ago

Additional fields in report

de-jcup commented 4 years ago

Idea: use the #204 product delegation server for the REST API, calling mechanism etc.

sechub-analyzer-cli is the CLI part which will introspect the zip file content and return a JSON result. Created issue for the CLI analyzer: https://github.com/Daimler/sechub/issues/206

de-jcup commented 4 years ago

Last commit, generated diagram looks like this: [image]

de-jcup commented 4 years ago

API-centric concept parts can now be read at https://github.com/Daimler/sechub/blob/feature-23-concept-false-positive-handling/sechub-doc/src/docs/asciidoc/documents/shared/concepts/false-positive-handling/false-positive-handling.adoc

JSON example: https://github.com/Daimler/sechub/blob/feature-23-concept-false-positive-handling/sechub-doc/src/docs/asciidoc/documents/shared/concepts/false-positive-handling/false-positive-REST-API-content-example1.json