Add per-line whitelisting capabilities #900
Comments
Here's a list of whitelisting methods I'm aware of:
(1) and (2) can be done in the same way regardless of the target language. This is pretty nice to the user, who can reuse their knowledge to work across all languages. (3) and (4) are both useful. (3) could be done using an external mechanism ((1) or (2)) so it's not critical to support it. (4) however needs to be tackled on its own. A familiar solution to disable (or enable) a check locally consists in interpreting special comments. The syntax is typically described as:
The difficulty for (3) and (4) is that we need to establish a special syntax for comments, in all supported languages, and make sure it's easy and natural for the user. On the implementation side, it requires special work for each language, to parse special comments occurring in specific locations. This is commonly done for most languages, so there should be a way. In conclusion:
Personally, at this time:
Yep want that feature too!

Not a huge fan of "nosem". What does "noqa" mean btw?
We currently support a few different means of whitelisting: `--exclude`, `--exclude-dir`, and `pattern-not` to some extent. These are useful, but don't have the level of precision an AppSec team may need. Often a security engineer will want to whitelist a specific line in a file, not the entire file. Let's add functionality around whitelisting a specific line in a file. For example:

A good first pass would be simply including something like `noqa` as a comment to whitelist a line. A more fully featured version would be something like:

Where `<rule-id>` is optional and will only whitelist the specific rule. A naked `noqa` will whitelist all rules. The `<message>` is also optional and is used to describe why it's whitelisted. A common line will be something like `noqa command-injection-os-system: AppSec reviewed`.

Here is how some other linter/static analysis apps do it:

- flake8: https://flake8.pycqa.org/en/latest/user/violations.html - they have a very comprehensive story for selecting and ignoring/whitelisting.
- bandit: https://bandit.readthedocs.io/en/latest/config.html#suppressing-individual-lines
- eslint: https://eslint.org/docs/user-guide/configuring#disabling-rules-with-inline-comments - they also have a good story here.