Comments (6)
Okay, I'll add some kind of filtering mechanism. It may not come in the next release, but shouldn't be too far out.
from sobelow.
Hi, thanks for opening this issue! The ability to filter the output based on confidence level is something I've considered, but decided against implementing for a handful of reasons. I'd prefer to keep it this way unless there is some functionality that can't be achieved with other flags.
You might find the exit
flag useful; it was created for exactly this use-case. For example, the following should only return a non-zero exit code for findings that are at least medium confidence:
mix sobelow --exit medium
Would this work for your pipeline? Or is there something else you had in mind?
from sobelow.
We are planning on implementing the --exit
flag for more confident security issues after fixing a the current existing issues, however this is coming from a standpoint where I don't want my devs getting used to seeing issues that are ok to overlook in the output. I only want to show issues in the output that are worthy of causing the build to fail. Maybe a warning could be issued every time the flag is used?
from sobelow.
Thank you. Much appreciated
from sobelow.
Hi @Electronickss!
I've added a threshold
flag to master. It is currently undocumented, but works like this:
mix sobelow --threshold medium
This scan will only return findings that have a confidence level of medium or high. Please test it out and let me know if you run into any bugs. I will leave this issue open for now, but will look to close and push to Hex by early next week if there are no unexpected issues.
Thanks!
from sobelow.
This is now live on Hex, so you can install with mix archive.install hex sobelow
and start using the --threshold
flag. It is also documented in the README now.
Thanks again for opening the issue!
from sobelow.
Related Issues (20)
- Add new output format for sonarqube HOT 1
- multiple routers (not an umbrella :) ) HOT 1
- Add support for --version opt
- Plans for ongoing maintenance? HOT 4
- Traversal.FileModule Issue. HOT 1
- Macro.to_string/2 deprecation warning HOT 3
- Please match hex version code with github? HOT 1
- Support detecting for Wildcard check_origin Vulnerability
- Create robust testing suite against other popular Elixir repos
- Suggestion for installation instructions HOT 1
- Add production runtime config to the missing HTTPS check HOT 3
- LiveView Support
- castore vsn requirement HOT 3
- CAStore error when running as standalone script HOT 7
- DevEx: consider defaulting to [FILE_PATH]:[LINE_NUMBER] format for default vulnerability output HOT 2
- Too much info in --details / -d output HOT 2
- Creating Performance Testing Suite
- Misc.BinToTerm with [:safe] option HOT 2
- (Protocol.UndefinedError) error HOT 8
- Source code with range traversal crashes sobelow HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sobelow.