mercedes-benz / sechub

SecHub provides a central API to test software with different security tools.
https://mercedes-benz.github.io/sechub/
MIT License

Extend false positive handling for web scans #2633

Closed winzj closed 3 months ago

winzj commented 1 year ago

Situation

The current approach to mark false positives for web scans is not sufficient because a lot of the web scan findings contain dynamic parts, e.g. random inputs inside URL query parameters. If these inputs differ on the next web scan, the previously marked false positive could show up as a finding again, because the URL containing these inputs is used to mark false positives.

Wanted

We want a generic approach to mark false positives. We want to introduce projectData, where a project can define the false positive information for their project. As discussed, the generic approach to mark false positives for web scans could look like this:

{
  "apiVersion" : "1.0",
  "type" : "falsePositiveJobDataList",
  "falsePositiveProjectData" : [ { /* use the rest service that is already available for jobData. */
    "webScan" : {
      "cweId" : 323, /* optional - does a default make sense? */
      "ports" : [ "8443", "8441", "*" ], /* optional - defaults: 80, 443 */
      "protocols" : [ "ws", "wss" ], /* optional - defaults https, http */
      "urlPatterns" : [ "/api/projects/*", "/api/users/*", "/api/admin/profiles/*" ], /* mandatory - at least one!*/
      "servers" : [ "dev.myapp.com", "prod.myapp.com" ], /* mandatory - at least one!*/
      "methods" : [ "GET", "POST" ], /* optional - does a default make sense? */
      "response" : { /* optional */
        "body" : {
          "contains" : {
            "allOf" : [ "UUID", "xyz" ],
            "oneOf" : [ "UUID", "xyz" ]
          }
        },
        "header" : {
          "contains" : {
            "allOf" : [ "UUID", "xyz" ],
            "oneOf" : [ "UUID", "xyz" ]
          }
        }
      },
      "comment" : "This is a false positive because ... " /* optional */
    }
  } ]
}

Solution

winzj commented 4 months ago

We could start with a reduced and slightly updated version, that might be sufficient:

{
  "apiVersion" : "1.0",
  "type" : "falsePositiveDataList",
  "projectData" : [ { /* use the rest service that is already available for jobData. */
    "webScan" : {
      "cweId" : 323, /* mandatory - can be omitted when the corresponding finding has no cwe id */
      "ports" : [ "8443", "8441", "*" ], /* optional - defaults: 80, 443 */
      "protocols" : [ "ws", "wss" ], /* optional - defaults https, http */
      "urlPathPatterns" : [ "/api/projects/*", "/api/users/*", "/api/admin/profiles/*" ], /* mandatory - at least one, wildcards allowed! */
      "hostPatterns" : [ "dev.myapp.com", "prod.myapp.com" ], /* mandatory - at least one, wildcards allowed! */
      "methods" : [ "GET", "POST" ] /* optional - does a default make sense? */
    },
    "comment" : "This is a false positive because ... ", /* optional */
    "id" : "unique-identifier" /* mandatory */
  } ]
}
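A small matcher that shows what the reduced projectData proposal above would mean when applied to a web scan finding. This is an added example, not SecHub code; the finding shape, the shell-style wildcard semantics, the port/protocol defaults and the decision to ignore the query string are assumptions made for the illustration.

```python
import fnmatch
from urllib.parse import urlparse

# Constructed sample of the reduced projectData entry (annotations dropped).
PROJECT_DATA = [{
    "id": "unique-identifier",
    "comment": "This is a false positive because ...",
    "webScan": {
        "cweId": 323,
        "ports": ["8443", "8441"],
        "protocols": ["ws", "wss"],
        "urlPathPatterns": ["/api/projects/*", "/api/users/*"],
        "hostPatterns": ["*.myapp.com"],
        "methods": ["GET", "POST"],
    },
}]

# Assumed default ports for URLs that carry none.
DEFAULT_PORTS = {"http": "80", "ws": "80", "https": "443", "wss": "443"}

def _matches_any(value, patterns):
    # Shell-style wildcards; a bare "*" in the list matches everything.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_false_positive(finding, project_data=PROJECT_DATA):
    """Return the id of the first projectData entry covering `finding`, else None.

    finding = {"cweId": int or None, "method": str, "url": str}. Assumed rules:
    cweId must be equal; scheme, port, host and path each match one pattern;
    ports default to 80/443 and protocols to http/https when omitted; methods
    match all when omitted. The query string is deliberately ignored, so the
    randomised parameters described in the issue no longer break the match.
    """
    parsed = urlparse(finding["url"])
    scheme = parsed.scheme.lower()
    port = str(parsed.port) if parsed.port else DEFAULT_PORTS.get(scheme, "")
    for entry in project_data:
        ws = entry.get("webScan", {})
        if ws.get("cweId") != finding.get("cweId"):
            continue
        checks = [
            (scheme, [p.lower() for p in ws.get("protocols", ["http", "https"])]),
            (port, ws.get("ports", ["80", "443"])),
            (parsed.hostname or "", ws.get("hostPatterns", [])),
            (parsed.path or "/", ws.get("urlPathPatterns", [])),
            (finding["method"].upper(), ws.get("methods", ["*"])),
        ]
        if all(_matches_any(value, pats) for value, pats in checks):
            return entry["id"]
    return None
```

Two findings that differ only in their query parameters resolve to the same entry, which is exactly the stability the URL-based marking lacked.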