nccgroup / sobelow

Security-focused static analysis for the Phoenix Framework
Apache License 2.0

How to use sobelow_skip in .eex files or the router? #84

Closed bitboxer closed 3 years ago

bitboxer commented 3 years ago

I am currently trying to skip some tests, for example the CSRF test in the :api pipeline, but I am not able to just skip it in this example:

pipeline :api do
  plug :accepts, ["json"]
end

without disabling it completely.

I have the same problem with trying to skip some checks in .eex files.

Is this possible somehow? Or do I need to disable some checks completely?

danturn commented 3 years ago

Agreed, we have a GraphiQL endpoint with Absinthe in dev only; I'd like to skip the same check for

GriffinMB commented 3 years ago

Hi! Sorry for the delayed response, I was affected by the Texas power outages last week and have had to play some catch up :)

The best way to manage false positives is through the --mark-skip-all functionality. You can get some detail on that here: https://sobelow.io/#v090
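An added example, not code from the sobelow project or from anyone in this thread, showing how the two suppression mechanisms divide the work: the `@sobelow_skip` attribute attaches to a function, so it covers findings in controllers and similar modules, while a router pipeline or an .eex template has no function to annotate and its findings are instead recorded as fingerprints by `mix sobelow --mark-skip-all` and ignored on later `--skip` runs. The module, action and directory names here are assumptions for illustration.

```elixir
# Assumed example controller in a Phoenix app (not from sobelow or this thread).
defmodule MyAppWeb.ExportController do
  use MyAppWeb, :controller

  # Fixed allow-list: only these file names can ever reach File.read/1.
  @allowed ["report.csv", "summary.csv"]
  @export_dir "priv/exports"

  # In-code skip: the Traversal.FileModule finding on File.read/1 below is a
  # false positive because `name` is constrained by the guard, so it is
  # suppressed for this one function only, and the reason sits beside it.
  @sobelow_skip ["Traversal.FileModule"]
  def show(conn, %{"name" => name}) when name in @allowed do
    {:ok, body} = File.read(Path.join(@export_dir, name))
    text(conn, body)
  end

  # Anything not on the allow-list is rejected before any file access.
  def show(conn, _params) do
    send_resp(conn, 404, "not found")
  end
end

# Findings that live outside a function (the Config.CSRF finding on the
# :api pipeline in the router, or XSS.Raw in an .eex template) cannot take
# the attribute. For those, run in the project root:
#
#   mix sobelow --mark-skip-all   # record fingerprints of current findings in .sobelow-skips
#   mix sobelow --skip            # subsequent runs ignore the recorded fingerprints
#
# Commit .sobelow-skips so the team shares the same reviewed exceptions, and
# re-run without --skip periodically to confirm nothing new is hidden behind
# an old fingerprint.
```

The attribute keeps the justification next to the code it excuses; the fingerprint file does not, so a short note in the commit that adds a fingerprint is the practical substitute for the in-code comment the asker was looking for.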

bitboxer commented 3 years ago

I saw that, but I thought there would be a better way to document it in the code. Will use that for now.