
The following Snyk vulnerability is being reported when I run

% snyk code test

Testing /mydir ...

 ✗ [High] Cross-Site Request Forgery (CSRF)
     Path: src/com/xxx/ConfigSecurity.java, line 22
     Info: CSRF protection is disabled by disable. This allows the attackers to execute requests on a user's behalf.


✔ Test completed

What should I do to ignore this vulnerability?

I got the vulnerability id running:

% snyk code test --json

And then I could see the vulnerability id in the response:

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "SnykCode",
          "semanticVersion": "1.0.0",
          "version": "1.0.0",
          "rules": [
            {
==>           "id": "java/DisablesCSRFProtection",
              "name": "DisablesCSRFProtection",
              ...

Then I created a Snyk config file running:

% snyk ignore --id=java/DisablesCSRFProtection

And now the snyk config file contains:

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.25.0
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
  java/DisablesCSRFProtection:
    - '*':
        reason: None Given
        expires: 2022-07-24T11:41:53.787Z
        created: 2022-06-24T11:41:53.791Z
patch: {}

However, when I run snyk in the same directory which contains the Snyk config file I created, the same error is reported:

% snyk code test

Testing /Users/sergiostateri/projects/payment-notification-relay ...

 ✗ [High] Cross-Site Request Forgery (CSRF)
     Path: src/main/java/com/xxx/ConfigSecurity.java, line 22
     Info: CSRF protection is disabled by disable. This allows the attackers to execute requests on a user's behalf.


✔ Test completed

Organization:      customer-retention
Test type:         Static code analysis
Project path:      /Users/sergiostateri/projects/payment-notification-relay

1 Code issues found
1 [High]

Note, the point of this question isn't why I want to ignore this vulnerability (I have good reasons), but just how to ignore it.

Mark Rotteveel

1 Answer


I'm a Snyk employee and wanted to mention that Snyk code is constantly evolving. Currently you can exclude folders/files via the CLI and there is work planned for later this year to enhance the ignore capabilities. Here are the docs on the subject.

An alternative approach to achieve what you are looking for is to use the git import (ie. Github) in which case there is an ignore button when reviewing the results that would let you ignore specific issues/source-sink paths. Subsequent scans would also ignore the previously ignored issues if initiated through the git integration. You can review ignored issues by changing the ignore filter seen on the right hand side of the web UI.

  • Do you work for snyk? The first part of your answer reads kind of like rah-rah-marketing-speak. It's generally requested that you disclose your affiliation if you have one. – Roddy of the Frozen Peas Jun 24 '22 at 21:17
  • I did update my answer to reflect I'm a Snyk employee (Community Engineer and Developer Advocate). – Nathan Tarbert Jun 28 '22 at 16:54
  • This doesn't actually answer the question. The docs you point to don't adequately explain what is supposed to be, or how it is derived from the json output. I followed the same directions as OP, with the same results. – Stephen Talley May 25 '23 at 01:25
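Added example (not part of the question, the answer, or Snyk's own tooling): since the `.snyk` `ignore:` entry written by `snyk ignore` is not honoured by `snyk code test` in the CLI run shown above, one practical workaround is to keep the policy file as the record of accepted findings and apply it yourself to the SARIF that `snyk code test --json` emits, so CI fails only on findings that are neither ignored nor past their `expires` date. The SARIF document and the policy dict below are constructed samples modelled on the question's output and `.snyk` file; the policy has the same shape that `yaml.safe_load` would produce from the file, and the path-pattern and expiry semantics (fnmatch globs, `'*'` matching every path, ignores lapsing at `expires`) are this script's own assumptions rather than documented Snyk behaviour.

```python
"""Post-filter Snyk Code SARIF findings against a .snyk-style ignore policy.

Added example, not Snyk's own code. `snyk code test --json` emits SARIF 2.1.0
(rule metadata under runs[].tool.driver.rules, findings under runs[].results);
this script applies the `ignore:` entries of a .snyk policy to those findings.
"""
import json
import sys
from datetime import datetime, timezone
from fnmatch import fnmatch

# Constructed sample modelled on the SARIF in the question (not real scanner output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "SnykCode", "rules": [
            {"id": "java/DisablesCSRFProtection",
             "shortDescription": {"text": "Cross-Site Request Forgery (CSRF)"}},
            {"id": "java/Sqli",
             "shortDescription": {"text": "SQL Injection"}},
        ]}},
        "results": [
            {"ruleId": "java/DisablesCSRFProtection", "level": "error",
             "message": {"text": "CSRF protection is disabled by disable."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/com/xxx/ConfigSecurity.java"},
                 "region": {"startLine": 22}}}]},
            {"ruleId": "java/Sqli", "level": "error",
             "message": {"text": "Unsanitized input flows into a query."},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/main/java/com/xxx/UserDao.java"},
                 "region": {"startLine": 41}}}]},
        ],
    }],
})

# Same shape as the `ignore:` section of the .snyk file in the question
# (yaml.safe_load of that file yields this dict). Constructed sample.
SAMPLE_POLICY = {
    "ignore": {
        "java/DisablesCSRFProtection": [
            {"src/main/java/com/xxx/ConfigSecurity.java": {
                "reason": "CSRF handled by a token-checking filter (assumed reason)",
                "expires": "2099-01-01T00:00:00.000Z"}},
        ],
    }
}


def parse_iso(ts):
    """Parse the ISO-8601 UTC timestamps the .snyk file uses (trailing 'Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_sarif(text):
    """Flatten SARIF into findings: rule id, human title, path, line, level."""
    doc = json.loads(text)
    findings = []
    for run in doc.get("runs", []):
        titles = {r["id"]: r.get("shortDescription", {}).get("text", r["id"])
                  for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "rule": res["ruleId"],
                "title": titles.get(res["ruleId"], res["ruleId"]),
                "path": loc["artifactLocation"]["uri"],
                "line": loc.get("region", {}).get("startLine"),
                "level": res.get("level"),
            })
    return findings


def is_ignored(finding, policy, now):
    """True if an ignore entry for the finding's rule matches its path and has
    not expired. Path keys are treated as fnmatch globs ('*' matches any path)."""
    for entry in policy.get("ignore", {}).get(finding["rule"], []):
        for pattern, meta in entry.items():
            meta = meta or {}
            expires = meta.get("expires")
            if expires and parse_iso(expires) <= now:
                continue  # expired ignore: the finding is live again
            if fnmatch(finding["path"], pattern):
                return True
    return False


def filter_findings(sarif_text, policy, now_iso=None):
    """Split findings into (kept, ignored) as of `now_iso` (default: current UTC)."""
    now = parse_iso(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = parse_sarif(sarif_text)
    kept = [f for f in findings if not is_ignored(f, policy, now)]
    ignored = [f for f in findings if is_ignored(f, policy, now)]
    return kept, ignored


if __name__ == "__main__":
    # Usage on real output: snyk code test --json > out.sarif; python this.py out.sarif
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    kept, ignored = filter_findings(text, SAMPLE_POLICY)
    for f in kept:
        print(f"LIVE    {f['rule']} {f['path']}:{f['line']} ({f['title']})")
    for f in ignored:
        print(f"IGNORED {f['rule']} {f['path']}:{f['line']}")
    sys.exit(1 if kept else 0)
```

The policy is applied per rule and per path, not globally, so a finding for the same rule in a different file is still reported; and because an ignore lapses at `expires`, a CSRF entry like the one in the question (expiring 2022-07-24) would start failing the build again after that date, which is the behaviour the `.snyk` file's own comment promises.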