microsoft / security-devops-azdevops

Microsoft Security DevOps extension for Azure DevOps.
MIT License

Suppress the security violation in template-analyzer #38

Closed aakanshaverma1310 closed 1 year ago

aakanshaverma1310 commented 1 year ago

How do I suppress a security violation that is captured by template-analyzer in the task below?

      - task: MicrosoftSecurityDevOps@1
        continueOnError: true
        displayName: Templates Analyser Scanner- TemplatesScan
        inputs:
          categories: 'IaC'
          break: true

I don't find any option to do that when using this task in Azure DevOps. Please suggest.

will477 commented 1 year ago

Go into the artifacts of your AzDevOps build:

You will find a file named msdo.sarif.

Inside that file, find the vulnerability you would like suppressed. In the example below, it is BinSkim rule BA2006 for the vulnprocess.exe file.

    -- snip --
    "results": [
      -- snip --
      {
        "ruleId": "BA2006",
        "ruleIndex": 2,
        "level": "error",
        "message": {
          "id": "Error",
          "arguments": [
            "vulnprocess.exe",
            "C (17.0.65501.17013), Cxx (17.0.65501.17013)",
            "Microsoft (R) Optimizing Compiler : c -- snip -- \r\n"
          ]
        },
        "locations": [
          {
            "physicalLocation": {
              "artifactLocation": {
                "uri": "file:///D:/a/1/a/SecureApplication/bin/Debug/binaries/vulnprocess.exe"
              }
            }
          }
        ],
        "fingerprints": {
          "gdnPrimarySignature": "1111111111222222222233333333334444444444555555555566666666667777",
          "gdnAlternativeSignature0": "2222222222111111111144444444443333333333666666666655555555557777"
        }
      },

In the root of your repository, create a file named .gdn/.gdnsuppress. Copy the gdnPrimarySignature, the portion of the artifactLocation uri that is relative to your repo root, and the ruleId, as in the example below:

    {
      "version": "1.0.0",
      "suppressionSets": {
        "default": {
          "name": "default",
          "createdDate": "2020-08-25 21:30:26Z",
          "lastUpdatedDate": "2021-04-06 19:07:13Z"
        }
      },
      "results": {
        "1111111111222222222233333333334444444444555555555566666666667777": {
          "signature": "1111111111222222222233333333334444444444555555555566666666667777",
          "target": "SecureApplication/bin/Debug/binaries/vulnprocess.exe",
          "memberOf": [
            "default"
          ],
          "tool": "BinSkim",
          "ruleId": "BA2006",
          "justification": null,
          "createdDate": "2023-04-14 00:58:36Z",
          "expirationDate": null,
          "type": null
        }
      }
    }

Set the createdDate and lastUpdatedDate as appropriate. Also ensure the tool and ruleId match the finding in the msdo.sarif file. The tool name can be found early in the msdo.sarif file.

Check this file in and rerun your build. Note that results is an array, so you can add additional suppressions as needed. I would also recommend that you set the expirationDate to the date you expect to have this fixed, as it specifies how long the suppression should stay in force.
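The lookup described above can be scripted. The following is an added example, not part of will477's answer or of the MSDO project: it reads an msdo.sarif run, selects the result by ruleId and repo-relative target, and emits a .gdnsuppress document in the shape shown. The embedded SARIF sample, the repo-root URI (D:/a/1/a) and the expiration date are constructed assumptions; adjust REPO_ROOT_URI to your agent's checkout path.

```python
import json
from datetime import datetime, timezone

# Constructed, trimmed msdo.sarif run; signature and path are placeholder values.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "BinSkim"}},
        "results": [{
            "ruleId": "BA2006", "level": "error",
            "locations": [{"physicalLocation": {"artifactLocation": {
                "uri": "file:///D:/a/1/a/SecureApplication/bin/Debug/binaries/vulnprocess.exe"}}}],
            "fingerprints": {"gdnPrimarySignature": "1111111111222222222233333333334444444444555555555566666666667777"},
        }],
    }],
}

# Assumed: the pipeline checks the repo out under this directory (D:\a\1\a on hosted agents).
REPO_ROOT_URI = "file:///D:/a/1/a/"

def relative_target(uri, repo_root_uri=REPO_ROOT_URI):
    """Strip the build-agent prefix so the target is the path relative to the repo root."""
    if not uri.startswith(repo_root_uri):
        raise ValueError(f"{uri} is outside the repo root {repo_root_uri}")
    return uri[len(repo_root_uri):]

def build_gdnsuppress(sarif, rule_id, target, expiration_date, now=None):
    """Return a .gdnsuppress document suppressing every result of rule_id on target."""
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%d %H:%M:%SZ")
    entries = {}
    for run in sarif["runs"]:
        tool = run["tool"]["driver"]["name"]  # tool name sits at the top of each SARIF run
        for result in run.get("results", []):
            if result.get("ruleId") != rule_id:
                continue
            sig = result["fingerprints"]["gdnPrimarySignature"]
            for loc in result.get("locations", []):
                uri = loc["physicalLocation"]["artifactLocation"]["uri"]
                if relative_target(uri) != target:
                    continue
                entries[sig] = {"signature": sig, "target": target, "memberOf": ["default"],
                                "tool": tool, "ruleId": rule_id, "justification": None,
                                "createdDate": stamp, "expirationDate": expiration_date, "type": None}
    if not entries:
        raise LookupError(f"no {rule_id} result on {target} in the SARIF log")
    return {"version": "1.0.0",
            "suppressionSets": {"default": {"name": "default", "createdDate": stamp, "lastUpdatedDate": stamp}},
            "results": entries}
```

Write `json.dumps(build_gdnsuppress(...), indent=2)` to .gdn/.gdnsuppress in the repo root; load the real msdo.sarif with `json.load` in place of SAMPLE_SARIF.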

aakanshaverma1310 commented 1 year ago

@chrisnielsen-MS @will477 @dotpaul - Can you guide me on how to suppress false positives for CredScan? I'm using the task below for CredScan in the Azure DevOps pipeline.

      - task: MicrosoftSecurityDevOps@1
        displayName: Credential Scanner- CredScan
        inputs:
          categories: 'secrets'
          break: true

aakanshaverma1310 commented 1 year ago

@chrisnielsen-MS @will477 @dotpaul - Any update on the above?