Whitelisting keywords or specific lines · Issue #11 · OWASP/SEDATED · GitHub

pavankumarbugga opened this issue Oct 15, 2019 · 4 comments
pavankumarbugga commented Oct 15, 2019

Hi @SimeonCloutier & team

Thanks for the great product. We are using SEDATED in our organization.

We have some customizations on whitelisting some specific keywords or skipping lines of code from scanning for false positives. Is any specific work going on here, or do you have any suggestions on this?

Thanks.

sclouts (Collaborator) commented Oct 16, 2019

@BuggaPavanKumar That is really great to hear that you are using SEDATED!

As for whitelisting specific keywords, yes, this has been something I've been considering already (it's on our enhancements list). Just for clarity's sake, could you provide me with a simple example of a couple of lines of code and the part that you would want whitelisted? Just to make sure we understand the ask.

In regards to skipping lines of code, I see this is problematic because as the file is modified (lines added/deleted) the lines will shift in the file, and so whitelisting a line of code seems not to work. Would you agree?

Thanks!

pavankumarbugga (Author) commented
Thanks @SimeonCloutier for the quick response.
Really great that our whitelisting of keywords is on your enhancements list. Looking forward to the feature.
In our environment we are looking to whitelist keywords which are, in general, keywords used by developers, such as "nexusPassword", "javapasswordsdk", "cf_password" and many more.

Whitelisting of lines is a customization we wanted to give to the developers for their false positives, by adding a comment to the line which has to be skipped. Though there are multiple scenarios to think about here, we are just looking at the option of giving flexibility for false positives.

Your thoughts and suggestions are welcomed.

Thanks.

sp3nx0r commented Oct 24, 2019

I think this gets a bit trickier if you allow a whitelist keyword (like #nosec in Bandit); it removes the strictness that SEDATED currently provides. A better solution would be to maintain a whitelist of regex expressions that can be updated via PR if there are indeed things that are fine. Our example would be a puppet config file with SSH public keys and hashed sudo passwords. Or API keys that you don't necessarily care as much about.

Another great addition would be whitelisting particular files. In the example above, those SSH keys / sudo pwds are stored in a yaml file, so it would be nice to whitelist /path/to/filename.yaml.
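As an added illustration of the trade-off described in the comment above, a regex allowlist plus a file allowlist versus an inline `#nosec`-style marker (example code written for this page, not SEDATED's own implementation; every detection rule, allowlist entry, path and sample line is constructed):

```python
import re

# Constructed detection rules for this demo; SEDATED's own regex config is not reproduced here.
SECRET_PATTERNS = [
    re.compile(r'(?i)(password|passwd|pwd)\s*[:=]\s*["\']?[^"\'\s]{6,}'),
    re.compile(r'(?i)(api[_-]?key|token)\s*[:=]\s*["\']?[A-Za-z0-9_\-]{16,}'),
    re.compile(r'[A-Za-z0-9+/]{40,}={0,2}'),  # long base64-looking blob
]
# Allowlist of regexes kept in the repo and changed only through a reviewed PR.
# Each entry describes one known-benign shape rather than a bare keyword.
ALLOW_PATTERNS = [
    re.compile(r'\bssh-(rsa|ed25519)\s+AAAA[0-9A-Za-z+/=]+'),  # SSH public keys
    re.compile(r'(?i)(password|pwd)\s*[:=]\s*["\']?(\$\{[^}]+\}|<[^>]+>|changeme)'),  # placeholders
]
# Files accepted wholesale (e.g. puppet data holding hashed sudo passwords); constructed path.
ALLOW_FILES = [re.compile(r'^puppet/hieradata/[^/]+\.yaml$')]

def scan(path, lines):
    """Return (path, lineno, text) for lines that hit a rule and match no allowlist entry."""
    if any(f.search(path) for f in ALLOW_FILES):
        return []
    hits = []
    for n, line in enumerate(lines, 1):
        flagged = any(p.search(line) for p in SECRET_PATTERNS)
        if flagged and not any(a.search(line) for a in ALLOW_PATTERNS):
            hits.append((path, n, line.strip()))
    return hits

def scan_with_marker(path, lines, marker="# nosec"):
    """Inline-marker variant: a line carrying the marker is skipped whatever it contains."""
    return scan(path, ["" if marker in line else line for line in lines])

# Constructed sample content standing in for the lines of a pushed diff.
SAMPLE = {
    "app/config.py": [
        'nexusPassword = "${NEXUS_PASSWORD}"',             # placeholder: allowlisted by shape
        'cf_password = "hunter2hunter2"',                   # looks real: reported
        'api_key = "abcdefghijklmnopqrstuvwxyz123456"  # nosec',  # marker on a real-looking key
    ],
    "docs/onboarding.md": [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialForExampleOnly ops@example",
    ],
    "puppet/hieradata/nodes.yaml": ['sudo_password: "$6$rounds=5000$saltsalt$hashhashhash"'],
}

def report(scanner=scan):
    """Run one scanner over every sample file and collect its findings."""
    return [hit for path, lines in SAMPLE.items() for hit in scanner(path, lines)]
```

With the regex allowlist, `report()` still reports the `api_key` line despite its `# nosec` comment, while `report(scan_with_marker)` silently drops it: the marker lets any line opt out, which is the loss of strictness the comment warns about.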

sclouts (Collaborator) commented Jun 17, 2020

@BuggaPavanKumar @sp3nx0r FYI, we just released a new version of SEDATED®, with lots of improvements (see below). Potentially what you mentioned above might not be as much of an issue with the new version and so we encourage you to sync up if/when possible!

https://github.com/OWASP/SEDATED/releases/tag/v1.2.0
