
Comments (6)

GriffinMB commented on May 7, 2024

Okay, I'll add some kind of filtering mechanism. It may not come in the next release, but shouldn't be too far out.

from sobelow.

GriffinMB commented on May 7, 2024

Hi, thanks for opening this issue! The ability to filter the output based on confidence level is something I've considered, but decided against implementing for a handful of reasons. I'd prefer to keep it this way unless there is some functionality that can't be achieved with other flags.

You might find the exit flag useful; it was created for exactly this use-case. For example, the following should only return a non-zero exit code for findings that are at least medium confidence:

mix sobelow --exit medium

Would this work for your pipeline? Or is there something else you had in mind?

Electronickss commented on May 7, 2024

We are planning on implementing the --exit flag for more confident security issues after fixing the current existing issues; however, this is coming from a standpoint where I don't want my devs getting used to seeing issues that are OK to overlook in the output. I only want to show issues in the output that are worthy of causing the build to fail. Maybe a warning could be issued every time the flag is used?

Electronickss commented on May 7, 2024

Thank you. Much appreciated

GriffinMB commented on May 7, 2024

Hi @Electronickss!

I've added a threshold flag to master. It is currently undocumented, but works like this:

mix sobelow --threshold medium

This scan will only return findings that have a confidence level of medium or high. Please test it out and let me know if you run into any bugs. I will leave this issue open for now, but will look to close and push to Hex by early next week if there are no unexpected issues.

Thanks!

GriffinMB commented on May 7, 2024

This is now live on Hex, so you can install with mix archive.install hex sobelow and start using the --threshold flag. It is also documented in the README now.

Thanks again for opening the issue!
