
Whitelisting keywords or specific lines

Open pavankumarbugga opened this issue 6 years ago • 4 comments

Hi @SimeonCloutier & team

Thanks for the great product. We are using SEDATED in our organization.

We have some customizations on whitelisting some specific keywords or skipping lines of code for scanning for false positives. Is any specific work going on here, or do you have any suggestions on this?

Thanks.

pavankumarbugga, Oct 15 '19 10:10

@BuggaPavanKumar That is really great to hear that you are using SEDATED!

As for whitelisting specific keywords, yes, this has been something I've been considering already (it's on our enhancements list). Just for clarity's sake, could you provide me a simple example of a couple of lines of code and the part that you would want whitelisted? Just to make sure we understand the ask.

In regards to skipping lines of code, I see this as problematic because as the file is modified (lines added/deleted) the lines will shift in the file, and so whitelisting a line of code seems not to work. Would you agree?

Thanks!

sclouts, Oct 16 '19 11:10

Thanks @SimeonCloutier for the quick response. Really great that our whitelisting of keywords is on your enhancements list. Looking forward to the feature. In our environment we are looking to whitelist keywords which are in general keywords used by developers, such as "nexusPassword", "javapasswordsdk", "cf_password" and many more.

Whitelisting of lines is pretty much a customization we wanted to give to the developers for their false positives, by adding a comment to the line which has to be skipped. Though there are multiple scenarios to think about here, we are just looking for an option to give flexibility for false positives.

Your thoughts and suggestions are welcomed.

Thanks.

pavankumarbugga, Oct 16 '19 15:10

I think this gets a bit trickier if you allow a whitelist keyword (like #nosec in Bandit); it removes the strictness that SEDATED currently provides. A better solution would be to maintain a whitelist of regex expressions that can be updated via PR if there are indeed things that are fine. Our example would be a puppet config file with SSH public keys and hashed sudo passwords. Or API keys that you don't necessarily care as much about.

Another great addition would be whitelisting particular files. In the example above, those SSH keys / sudo pwds are stored in a yaml file, and it would be nice to whitelist /path/to/filename.yaml.

sp3nx0r, Oct 24 '19 14:10
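The three suppression mechanisms discussed in this thread (a keyword allowlist for identifier names such as "nexusPassword", a PR-maintained regex allowlist for public keys and password hashes, and a per-file allowlist) side by side, as an added Python example. This is not SEDATED's code: the detection regex is a deliberately simple stand-in for a real secrets rule set, and every file path, value and hash in the sample diff is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# --- Detection (constructed stand-in; not SEDATED's own regex set) -------------
# Matches "<name> = <value>" or "<name>: <value>" where <name> looks secret-bearing.
ASSIGNMENT = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["\']?([^\s"\']+)')
SENSITIVE_NAME = re.compile(r'(?i)password|passwd|pwd|api[_-]?key|secret|key')

# --- Allowlists (all values constructed for this example) ----------------------
# 1. Keyword allowlist: identifier names the thread cites as common false positives.
KEYWORD_ALLOWLIST = {"nexusPassword", "javapasswordsdk", "cf_password"}
# 2. Regex allowlist: content that looks secret but is not (public keys, password hashes).
REGEX_ALLOWLIST = [
    re.compile(r'ssh-(rsa|ed25519|ecdsa-sha2-nistp\d+) AAAA[0-9A-Za-z+/=]+'),
    re.compile(r'\$6\$\S+'),  # sha512-crypt hash, as stored in sudo/hiera data
]
# 3. Path allowlist: whole files that were reviewed and approved (e.g. Puppet hieradata).
PATH_ALLOWLIST = {"puppet/hieradata/sudo_users.yaml"}


@dataclass
class Hit:
    path: str
    lineno: int
    name: str
    line: str
    suppressed_by: Optional[str]  # None means the hit is reported as a finding


def allowlist_reason(path: str, name: str, line: str) -> Optional[str]:
    """Return the allowlist that suppresses this hit, checked path -> regex -> keyword."""
    if path in PATH_ALLOWLIST:
        return "path"
    if any(p.search(line) for p in REGEX_ALLOWLIST):
        return "regex"
    if name in KEYWORD_ALLOWLIST:
        return "keyword"
    return None


def scan(diff_lines):
    """diff_lines: iterable of (path, lineno, text). Returns (findings, suppressed)."""
    findings, suppressed = [], []
    for path, lineno, text in diff_lines:
        m = ASSIGNMENT.match(text)
        if not m or not SENSITIVE_NAME.search(m.group(1)):
            continue  # not an assignment to a secret-looking identifier
        name = m.group(1)
        hit = Hit(path, lineno, name, text, allowlist_reason(path, name, text))
        (suppressed if hit.suppressed_by else findings).append(hit)
    return findings, suppressed


# Constructed lines standing in for a pushed diff; nothing here is a real credential.
SAMPLE_DIFF = [
    ("app/config.properties", 3, "nexusPassword=${NEXUS_PASSWORD}"),
    ("build.gradle", 12, 'javapasswordsdk = "2.1.0"'),
    ("puppet/hieradata/sudo_users.yaml", 7,
     "ops_sudo_password: $6$rounds=5000$saltsalt$FAKEHASHFAKEHASH"),
    ("puppet/modules/deploy/files/keys.yaml", 2,
     "deploy_key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKE"),
    ("src/db.py", 40, 'db_password = "hunter2"'),
    ("src/cf.py", 8, 'cf_password = "hunter2"'),  # hidden by the keyword allowlist
    ("src/http.py", 5, "timeout = 30"),
]

if __name__ == "__main__":
    found, skipped = scan(SAMPLE_DIFF)
    for h in found:
        print(f"FINDING   {h.path}:{h.lineno}  {h.line}")
    for h in skipped:
        print(f"suppressed ({h.suppressed_by:7}) {h.path}:{h.lineno}  {h.line}")
```

The `src/cf.py` line is the case sp3nx0r is warning about: because the keyword allowlist keys on the identifier name alone, a hard-coded value assigned to `cf_password` is suppressed just like the harmless `${NEXUS_PASSWORD}` reference. The regex and path allowlists do not have that problem, since they match on what the value actually is or on a file that was reviewed as a whole, which is why keeping them in a PR-reviewed list is the safer of the three.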

@BuggaPavanKumar @sp3nx0r FYI, we just released a new version of SEDATED®, with lots of improvements (see below). Potentially what you mentioned above might not be as much of an issue with the new version and so we encourage you to sync up if/when possible!

https://github.com/OWASP/SEDATED/releases/tag/v1.2.0

sclouts, Jun 17 '20 17:06