Status: Closed (de-jcup closed this issue 4 years ago)
Idea: use the #204 product delegation server for the REST API, calling mechanism etc.
sechub-analyzer-cli is the CLI part which will introspect the zip file content and return a JSON result.
Created an issue for the CLI analyzer: https://github.com/Daimler/sechub/issues/206
We will create an asciidoc file for the concept
sechub-doc/src/docs/asciidoc/documents/shared/concepts/false-postitive-handling/false-postitive-handling.adoc
Last commit: the generated diagram looks like this:
At the moment false positive handling must be done inside the security products.
But what happens when somebody switches products or uses two products for the same purpose? => You get false positives again.
Code scan
Mark false positives in code by developers
One way this could be handled very smoothly by developers would be a single-line comment option before the false positive:
// NOSECHUB:${identifier}
E.g. having a medium finding like: "description": "\n<br>Location:java/com/daimler/sechub/docgen/AsciidocGenerator.java - line:28, column:35\\n<br>For details...
"name": "Absolute Path Traversal",
A developer could add a comment before it, like:
// NOSECHUB:Absolute Path Traversal
SecHub would still use the scan results from the products, but filter out the corresponding findings by mapping them to the found NOSECHUB lines.
This has the benefit that when developers refactor their code and the method comes up at another position, or even in another file, the false positive handling would still work!
Web scan
Infra scan
TBD
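The following is an added example that is not part of the original issue or of the SecHub project's own code. It sketches the filtering step the comment above describes for code scans: a source tree is scanned for `// NOSECHUB:<identifier>` lines, each marker is bound to the next non-blank code line, and a finding is suppressed only when its name matches the marker identifier and its reported location is exactly that marked line. The report structure, the `Location:... - line:N` parsing, the rule that a marker applies to the next non-blank line, the case-insensitive name comparison, and all sample data (source file, findings) are assumptions made for this example; only the `NOSECHUB:` comment form and the sample location string come from the issue text. Because the marker moves with the code, shifting the file (e.g. by adding imports) shifts the suppressed line accordingly, which is the refactoring benefit the issue mentions.

```python
import re
from dataclasses import dataclass

# Marker form taken from the issue: a single-line comment "// NOSECHUB:<identifier>".
MARKER_RE = re.compile(r"^\s*//\s*NOSECHUB:\s*(?P<identifier>.+?)\s*$")
# Assumed description format (mirrors the issue's sample): "Location:<path> - line:<n>, column:<m>".
LOCATION_RE = re.compile(r"Location:(?P<path>\S+)\s*-\s*line:(?P<line>\d+)")


@dataclass(frozen=True)
class Marker:
    path: str
    line: int          # the code line the marker applies to (next non-blank line after the comment)
    identifier: str


def find_markers(path, source):
    """Return all NOSECHUB markers in `source`, each bound to the next non-blank code line."""
    markers = []
    pending = []  # identifiers seen but not yet attached to a code line
    for number, text in enumerate(source.splitlines(), start=1):
        m = MARKER_RE.match(text)
        if m:
            pending.append(m.group("identifier"))
            continue
        if pending and text.strip():  # assumption: blank lines do not consume a marker
            markers.extend(Marker(path, number, ident) for ident in pending)
            pending = []
    return markers


def finding_location(finding):
    """Extract (path, line) from a finding description, or None if absent."""
    m = LOCATION_RE.search(finding.get("description", ""))
    if not m:
        return None
    return m.group("path"), int(m.group("line"))


def is_false_positive(finding, markers_by_path):
    """A finding is a marked false positive if a marker with the same name sits on its line."""
    loc = finding_location(finding)
    if loc is None:
        return False  # no location -> nothing to map against, keep the finding
    path, line = loc
    name = finding["name"].strip().lower()
    return any(mk.line == line and mk.identifier.lower() == name
               for mk in markers_by_path.get(path, []))


def filter_findings(report, sources):
    """Split report findings into (kept, suppressed) using NOSECHUB markers in `sources`."""
    markers_by_path = {}
    for path, text in sources.items():
        for mk in find_markers(path, text):
            markers_by_path.setdefault(path, []).append(mk)
    kept, suppressed = [], []
    for finding in report["findings"]:
        (suppressed if is_false_positive(finding, markers_by_path) else kept).append(finding)
    return kept, suppressed


# --- constructed sample data (not real SecHub output) ---
SAMPLE_PATH = "java/com/daimler/sechub/docgen/AsciidocGenerator.java"
SAMPLE_SOURCE = "\n".join([
    "package com.daimler.sechub.docgen;",       # line 1
    "",                                          # line 2
    "public class AsciidocGenerator {",          # line 3
    "    // NOSECHUB:Absolute Path Traversal",   # line 4: marker applies to line 5
    "    File target = new File(args[0]);",      # line 5
    "    File other = new File(args[1]);",       # line 6: not marked, finding stays
    "}",                                         # line 7
])


def _desc(line):
    return f"\n<br>Location:{SAMPLE_PATH} - line:{line}, column:35\\n<br>For details..."


SAMPLE_REPORT = {"findings": [
    {"id": 1, "severity": "MEDIUM", "name": "Absolute Path Traversal", "description": _desc(5)},
    {"id": 2, "severity": "MEDIUM", "name": "Absolute Path Traversal", "description": _desc(6)},
    {"id": 3, "severity": "LOW", "name": "Hardcoded Credential", "description": _desc(5)},
]}


if __name__ == "__main__":
    kept, suppressed = filter_findings(SAMPLE_REPORT, {SAMPLE_PATH: SAMPLE_SOURCE})
    print("kept:", [f["id"] for f in kept], "suppressed:", [f["id"] for f in suppressed])
```

Only finding 1 is suppressed: finding 2 has the same name but sits on an unmarked line, and finding 3 is on the marked line but carries a different name, so neither matches. A marker that never lines up with any finding is silently unused here; a real implementation would want to report such stale markers so that suppressions do not outlive the code they were written for.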