This guide explains how to deactivate a Kiuwan rule and create a custom model.
What are rules and models
When you execute a Kiuwan analysis, Kiuwan applies a set of rules to your source code. For example, some rules may scan for SQL-Injections vulnerabilities, other ones might search for path-traversal issues, etc.
Saying that CQM is the default model means that any application you create is, by default, scanned applying the active rules contained within CQM.
Every application is associated with a specific model. If you don’t make any configuration, every new application is associated with CQM, and therefore the rules to be applied are those active in CQM.
Sometimes, and for different reasons, you need to de-activate a Kiuwan rule (see How to manage Kiuwan defects when I do not completely agree with them).
To de-activate a rule means that Kiuwan will not execute that rule’s validation. The reasons can be of different nature (you are not interested in the validations the rule is performing, the rule for some reason is producing many false positives or any other reason).
To deactivate rules you do not need, create your own custom models and associate different models to different applications.
See which model you are using for your application
If you are using Kiuwan Local Analyzer GUI, click Advanced to see which model you are using.
A window will be displayed like this:
If the Analysis model field value is Automatic, CQM is used by default.
If you are using any other model, another name is displayed.
Another way to know the model is through the Kiuwan website. Go to Application Management, find your application and select Model from the drop-down menu on the right.
A window opens with the Model associated with your application:
Create a new model from the CQM model
CQM is the default Kiuwan model, and it’s read-only. You can use it but you cannot modify it.
If you are using CQM and you want to modify it (for example, deactivating a rule), you must follow the next steps:
Create your own custom model (most probably as a copy of CQM) - To create your custom model please follow instructions detailed at Advanced Model Management#CreatinganewModel
Find the rule and deactivate it - Go to the Rules tab of your custom model and find the rule using the filters (Rules Management#Rulessection)
A rule is identified by two fields:
for example, “Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')”
Its rule - code
for example, OPT.JAVA.SEC_JAVA.SqlInjectionRule
So you can search the rule either by its name (or description)
or by its rule code (in this case you must first enable the rule code filter as in the image below)
Click the green circle to de-activate or activate it.
Publish your model - All the changes made to the model are saved in a Draft version.
To make the changes publicly available, click Publish and provide a version tag.
Once published, any new analysis of an application associated with this model will use this latest version.
Associate your application to your custom model and run again the analysis - Find your application in Application Management, click Model and select the created model.
Now, when you run the analysis of the application, your custom model is used.
Create a new custom model when I already have one
If you are already using a custom model, follow steps #2 (Find the rule and deactivate it) and #3 (Publish your model) as described above.
Then, re-run your analysis.