nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0

Skip false positive in .eex template #101

Closed taobojlen closed 1 year ago

taobojlen commented 2 years ago

I have the following in a .html.eex template:

<%# sobelow_skip ["XSS.Raw"] %>
<%= raw @body %>

This is a false positive. However, the sobelow_skip comment doesn't seem to be working -- when I run mix sobelow --skip it still appears in the results:

XSS.Raw: XSS - Low Confidence
File: lib/shroud_web/templates/email/email.html.eex
Line: 7
Variable: @body

Am I missing some trick to skip false positives in templates, or is it not possible?

GriffinMB commented 2 years ago

Hey! sobelow_skip only works on function definitions in .ex files. If you have false positives, the best way to suppress them is to run --mark-skip-all which will mark all returned findings as false positive. Then running with --skip will ignore those results.
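As an added illustration of the maintainer's answer (this is example code, not from the issue, the reporter, or the sobelow project itself), the snippet below moves the `raw/1` call out of the `.eex` template and into a function in an `.ex` file, where the `@sobelow_skip` module attribute that sobelow documents can be placed directly above the `def`. The module and function names are hypothetical, and the escaped-by-default helper beside it is there to show the safe path for any body that could carry user input.

```elixir
# Added example, not part of the issue thread or the sobelow code base.
# Assumes sobelow's documented skip syntax: a `@sobelow_skip` attribute
# immediately above a function definition in an .ex file.
# Module and function names are hypothetical.
defmodule MyAppWeb.EmailView do
  import Phoenix.HTML, only: [raw: 1, html_escape: 1]

  # Default path: anything that might contain user-controlled text is escaped.
  # In the template: <%= body_text(@body) %>
  def body_text(body) when is_binary(body), do: html_escape(body)

  # Only for a body that is a pre-rendered, application-generated HTML
  # fragment (never user input); that is what makes the XSS.Raw finding a
  # false positive. The skip lives on this function definition because
  # sobelow does not honour sobelow_skip comments inside .eex templates.
  # In the template: <%= body_html(@body) %>
  @sobelow_skip ["XSS.Raw"]
  def body_html(body) when is_binary(body), do: raw(body)
end
```

With the annotation on the function, `mix sobelow --skip` no longer reports that call site. Findings that cannot be restructured this way can be bulk-marked as described in the reply: run `mix sobelow --mark-skip-all` once, then `mix sobelow --skip` on subsequent runs.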