allow overriding Finding attrs #137
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
DeepCode's analysis on #64ebf2 found:
Top issues
👉 View analysis in DeepCode’s Dashboard | Configure the bot |
nineinchnick
force-pushed
the
overrides
branch
from
91464de
to
1bc0b73
Compare
|
How about adding an example on readme ? |
nineinchnick
force-pushed
the
overrides
branch
from
1bc0b73
to
446c669
Compare
Great idea, done! I also added a bit more info in the usage section. |
|
Good stuff! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Allow overriding Finding attributes in particular data flows (or other assets). For example, this allows to set custom responses, CVSS scores (added as new attrs) or increase/lower the severity. See the new test for usage examples.
If there's an override defined for a particular threat, it'll always be added as a finding, even if the threat no longer applies. This is to include all mitigations in a report. To remove the finding, remove the override.
Overrides are defined per element because otherwise the original threat should be adjusted.
Overrides can be defined in an asset and then they'd apply to all dataflows. For more granularity, they should be defined only in particular dataflows. There's a check to avoid having two overrides for the same threat, since it would be hard to debug why an override doesn't get applied when it would be overwritten by another one.