Closed aakanshaverma1310 closed 1 year ago
Go into the artifacts of your AzDevOps build:
You will find a file named msdo.sarif.
Inside that file, find the vulnerability you would like suppressed. In the below example, it is BinSkim rule BA2006 for the vulnprocess.exe file.
```json
-- snip --
"results": [
  -- snip --
  {
    "ruleId": "BA2006",
    "ruleIndex": 2,
    "level": "error",
    "message": {
      "id": "Error",
      "arguments": [
        "vulnprocess.exe",
        "C (17.0.65501.17013), Cxx (17.0.65501.17013)",
        "Microsoft (R) Optimizing Compiler : c -- snip -- \r\n"
      ]
    },
    "locations": [
      {
        "physicalLocation": {
          "artifactLocation": {
            "uri": "file:///D:/a/1/a/SecureApplication/bin/Debug/binaries/vulnprocess.exe"
          }
        }
      }
    ],
    "fingerprints": {
      "gdnPrimarySignature": "1111111111222222222233333333334444444444555555555566666666667777",
      "gdnAlternativeSignature0": "2222222222111111111144444444443333333333666666666655555555557777"
    }
  },
```
In the root of your repository, create a file named `.gdn/.gdnsuppress`. Copy the `gdnPrimarySignature`, the portion of the `artifactLocation` `uri` that is relative to your repo root, and the `ruleId` as in the example below:

```json
{
  "version": "1.0.0",
  "suppressionSets": {
    "default": {
      "name": "default",
      "createdDate": "2020-08-25 21:30:26Z",
      "lastUpdatedDate": "2021-04-06 19:07:13Z"
    }
  },
  "results": {
    "1111111111222222222233333333334444444444555555555566666666667777": {
      "signature": "1111111111222222222233333333334444444444555555555566666666667777",
      "target": "SecureApplication/bin/Debug/binaries/vulnprocess.exe",
      "memberOf": [ "default" ],
      "tool": "BinSkim",
      "ruleId": "BA2006",
      "justification": null,
      "createdDate": "2023-04-14 00:58:36Z",
      "expirationDate": null,
      "type": null
    }
  }
}
```

Set the `createdDate` and `lastUpdatedDate` as appropriate. Also ensure the `tool` and `ruleId` match the finding in the msdo.sarif file. The tool name can be found early in the msdo.sarif file.
Check this file in and rerun your build. Note that results is an array, so you can add additional suppressions as needed. I would also recommend that you set the expirationDate to the date you expect to have this fixed, as it specifies how long the suppression should stay in force.
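The steps above (find the finding in msdo.sarif, take its `gdnPrimarySignature`, make the `artifactLocation` uri relative to the repo root, and write a `.gdnsuppress` entry keyed by that signature) can be done by a small script rather than by hand. The following is an added example, not code from this thread or from the Microsoft Security DevOps task; the SARIF input is a constructed sample shaped like the excerpt above, the repo root `D:/a/1/a` is taken from that excerpt's uri, and the `.gdnsuppress` layout follows the example file shown in the answer.

```python
"""Generate .gdn/.gdnsuppress entries from msdo.sarif results (added example)."""
import json
from datetime import datetime, timezone
from urllib.parse import unquote, urlparse

# Constructed sample shaped like the msdo.sarif excerpt in the thread; not real scanner output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "BinSkim"}},
        "results": [
            {
                "ruleId": "BA2006",
                "level": "error",
                "locations": [{"physicalLocation": {"artifactLocation": {
                    "uri": "file:///D:/a/1/a/SecureApplication/bin/Debug/binaries/vulnprocess.exe"}}}],
                "fingerprints": {
                    "gdnPrimarySignature": "1111111111222222222233333333334444444444555555555566666666667777",
                    "gdnAlternativeSignature0": "2222222222111111111144444444443333333333666666666655555555557777",
                },
            },
            {   # a second, unrelated finding (constructed) that must not be suppressed by accident
                "ruleId": "BA2008",
                "level": "warning",
                "locations": [{"physicalLocation": {"artifactLocation": {
                    "uri": "file:///D:/a/1/a/SecureApplication/bin/Debug/binaries/other.exe"}}}],
                "fingerprints": {"gdnPrimarySignature": "a" * 64},
            },
        ],
    }],
}


def _stamp(now):
    """Date format used by the .gdnsuppress example in the thread."""
    return now.strftime("%Y-%m-%d %H:%M:%SZ")


def repo_relative_target(uri, repo_root):
    """Turn a SARIF file:// uri into the path relative to the repo root.
    repo_root is the checkout directory on the agent (D:/a/1/a in the thread's example)."""
    path = unquote(urlparse(uri).path).lstrip("/")          # "D:/a/1/a/SecureApplication/..."
    root = repo_root.replace("\\", "/").rstrip("/") + "/"
    if not path.lower().startswith(root.lower()):
        raise ValueError(f"{uri} is not under repo root {repo_root}")
    return path[len(root):]


def matching_results(sarif, rule_id, target_suffix=None):
    """Yield (tool name, result) pairs whose ruleId (and optionally uri suffix) match."""
    for run in sarif["runs"]:
        tool = run["tool"]["driver"]["name"]
        for result in run.get("results", []):
            if result.get("ruleId") != rule_id:
                continue
            uri = result["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
            if target_suffix and not uri.endswith(target_suffix):
                continue
            yield tool, result


def build_suppressions(sarif, rule_id, repo_root, target_suffix=None,
                       justification=None, expiration=None, now=None):
    """Return a .gdnsuppress-shaped dict (layout as in the thread) for the matching findings.
    Entries are keyed by gdnPrimarySignature, the value the scanner compares against."""
    now = now or datetime.now(timezone.utc)
    results = {}
    for tool, result in matching_results(sarif, rule_id, target_suffix):
        sig = result["fingerprints"]["gdnPrimarySignature"]
        uri = result["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
        results[sig] = {
            "signature": sig,
            "target": repo_relative_target(uri, repo_root),
            "memberOf": ["default"],
            "tool": tool,
            "ruleId": rule_id,
            "justification": justification,      # record why, so reviewers can audit it later
            "createdDate": _stamp(now),
            "expirationDate": expiration,        # when the suppression should lapse
            "type": None,
        }
    return {
        "version": "1.0.0",
        "suppressionSets": {"default": {"name": "default",
                                        "createdDate": _stamp(now), "lastUpdatedDate": _stamp(now)}},
        "results": results,
    }


def merge_suppressions(existing, new):
    """Add new entries to an already checked-in .gdnsuppress dict without dropping prior ones."""
    merged = json.loads(json.dumps(existing))     # deep copy so the caller's dict is untouched
    merged["results"].update(new["results"])
    merged["suppressionSets"]["default"]["lastUpdatedDate"] = \
        new["suppressionSets"]["default"]["lastUpdatedDate"]
    return merged


if __name__ == "__main__":
    sup = build_suppressions(SAMPLE_SARIF, "BA2006", "D:/a/1/a",
                             justification="Third-party binary; vendor fix tracked separately",
                             expiration="2024-01-01 00:00:00Z")
    print(json.dumps(sup, indent=2))   # write this to .gdn/.gdnsuppress at the repo root
```

Passing `target_suffix` keeps a suppression scoped to one binary when several files trip the same rule, and `merge_suppressions` lets you extend an existing file instead of overwriting earlier entries.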
@chrisnielsen-MS @will477 @dotpaul - Can you guide me on how to suppress false positives for CredScan? I'm using the below task for cred scan in the Azure DevOps pipeline.

```yaml
- task: MicrosoftSecurityDevOps@1
  displayName: Credential Scanner- CredScan
  inputs:
    categories: 'secrets'
    break: true
```
@chrisnielsen-MS @will477 @dotpaul - Any update on above?
How to suppress the security violation that is captured in template-analyzer in the below task?
I don't find any option to do that if using this task in Azure DevOps. Please suggest.