Open MichaBub opened 3 years ago
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') https://cwe.mitre.org/data/definitions/89.html
It seems the orchestrated SAST tool has a bug when it declares a heuristic SQL injection where there is no SQL at all. Could you please add an anonymized example source snippet for the part with the false positive to this issue?
I would like to have an example here; maybe the matching could be enhanced before we try to find workarounds.
If it's not possible to improve the product matching, we could maybe provide a possibility inside the SecHub Go client to mark all findings of a report with a given CWE as false positives. Inside the SecHub plugins (Eclipse, IntelliJ, VS Code) we could provide this as well (in the future). But these features should only be the last option if it's not possible to improve the outputs.
Disabling an entire CWE category might not make sense in this case. In my opinion it should be possible to exclude the combination of CWE and class. In this case, the CWE category is 89 and the class is Heuristic SQL Injection. In addition, one could include the severity in the combination: CWE + class + severity. In this case: CWE 89 + Heuristic SQL Injection + Low.
In general, having the ability to mark false positives based on different detection attributes could be a useful feature. This feature could be generalized to filter not only SAST findings, but findings from DAST and infrastructure scans as well.
Idea: Enable SecHub's IDE Plugins to select a bunch of findings and mark them all as false positives.
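The CWE + class + severity matching proposed in the comments above, as an added example in Go (the language of the SecHub client) that is not part of the SecHub project or of this thread: it parses a constructed report, selects findings with a rule whose empty fields act as wildcards (so the same code covers "all of CWE-89", "CWE-89 + Heuristic SQL Injection" and the full CWE + class + severity triple), and turns the matches into a false-positive upload list. The report and false-positive JSON field names (`jobUUID`, `findings`, `cweId`, `falsePositiveJobDataList`, `jobData`, ...) and the sample findings are assumptions, loosely modelled on SecHub's formats, not its real schema or real scan output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding is a simplified view of one report entry. The JSON field names are
// assumptions modelled on a SecHub report, not the project's real schema.
type Finding struct {
	ID       int    `json:"id"`
	Name     string `json:"name"`     // the "class", e.g. "Heuristic SQL Injection"
	Severity string `json:"severity"` // LOW, MEDIUM, HIGH, ...
	CweID    int    `json:"cweId"`
	Type     string `json:"type"` // codeScan, webScan, infraScan
}

// Report is the part of a scan report this example needs (assumed shape).
type Report struct {
	JobUUID  string    `json:"jobUUID"`
	Findings []Finding `json:"findings"`
}

// Rule selects findings to mark. A zero CweID or an empty string is a wildcard,
// so Rule{CweID: 89} covers the whole CWE, while filling Name and Severity as
// well restricts it to the CWE + class + severity combination from the thread.
type Rule struct {
	CweID    int
	Name     string
	Severity string
	Type     string
}

// Matches reports whether every non-wildcard field of the rule matches f.
func (r Rule) Matches(f Finding) bool {
	if r.CweID != 0 && r.CweID != f.CweID {
		return false
	}
	if r.Name != "" && !strings.EqualFold(r.Name, f.Name) {
		return false
	}
	if r.Severity != "" && !strings.EqualFold(r.Severity, f.Severity) {
		return false
	}
	if r.Type != "" && !strings.EqualFold(r.Type, f.Type) {
		return false
	}
	return true
}

// SelectFindings returns the IDs of all findings matching the rule, in report order.
func SelectFindings(rep Report, rule Rule) []int {
	var ids []int
	for _, f := range rep.Findings {
		if rule.Matches(f) {
			ids = append(ids, f.ID)
		}
	}
	return ids
}

// FalsePositiveEntry and FalsePositiveList are the assumed shape of the JSON a
// client would upload to mark findings of one job as false positives.
type FalsePositiveEntry struct {
	JobUUID   string `json:"jobUUID"`
	FindingID int    `json:"findingId"`
	Comment   string `json:"comment"`
}

type FalsePositiveList struct {
	APIVersion string               `json:"apiVersion"`
	Type       string               `json:"type"`
	JobData    []FalsePositiveEntry `json:"jobData"`
}

// BuildFalsePositiveList turns every finding matching rule into an upload entry.
func BuildFalsePositiveList(rep Report, rule Rule, comment string) FalsePositiveList {
	list := FalsePositiveList{APIVersion: "1.0", Type: "falsePositiveJobDataList"}
	for _, id := range SelectFindings(rep, rule) {
		list.JobData = append(list.JobData, FalsePositiveEntry{rep.JobUUID, id, comment})
	}
	return list
}

// ParseReport decodes a report; it fails on malformed input instead of marking nothing.
func ParseReport(data string) (Report, error) {
	var rep Report
	if err := json.Unmarshal([]byte(data), &rep); err != nil {
		return Report{}, fmt.Errorf("parse report: %w", err)
	}
	return rep, nil
}

// SampleReport is a constructed report (not real scanner output): three
// heuristic CWE-89 findings at different severities, one non-heuristic CWE-89
// finding and one unrelated CWE-79 finding.
const SampleReport = `{
  "jobUUID": "00000000-0000-0000-0000-000000000001",
  "findings": [
    {"id": 1, "name": "Heuristic SQL Injection", "severity": "LOW",    "cweId": 89, "type": "codeScan"},
    {"id": 2, "name": "SQL Injection",           "severity": "HIGH",   "cweId": 89, "type": "codeScan"},
    {"id": 3, "name": "Heuristic SQL Injection", "severity": "LOW",    "cweId": 89, "type": "codeScan"},
    {"id": 4, "name": "Reflected XSS",           "severity": "MEDIUM", "cweId": 79, "type": "codeScan"},
    {"id": 5, "name": "Heuristic SQL Injection", "severity": "MEDIUM", "cweId": 89, "type": "codeScan"}
  ]
}`

func main() {
	rep, err := ParseReport(SampleReport)
	if err != nil {
		panic(err)
	}
	strict := Rule{CweID: 89, Name: "Heuristic SQL Injection", Severity: "LOW"}
	fmt.Println("CWE only:          ", SelectFindings(rep, Rule{CweID: 89}))
	fmt.Println("CWE+class:         ", SelectFindings(rep, Rule{CweID: 89, Name: "Heuristic SQL Injection"}))
	fmt.Println("CWE+class+severity:", SelectFindings(rep, strict))
	out, _ := json.MarshalIndent(BuildFalsePositiveList(rep, strict, "no SQL in this module"), "", "  ")
	fmt.Println(string(out))
}
```

Note that the CWE-only rule also sweeps in finding 2, the non-heuristic high-severity CWE-89 hit, which is exactly the concern raised above about disabling a whole category; the class and severity fields are what keep a real injection finding from being silenced along with the heuristic noise.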
Either
We have hundreds of Heuristic SQL Injection (CWE-89) findings, but we do not have any SQL at all.
It would be great to be able to disable a CWE check via config, or in an interactive mode, for all findings of that CWE.