...

Defect muting can be applied at different scopes:

  1. Defect-specific
    1. By Line Number
      1. A specific defect (identified by the rule and the line number of a source file) is muted
      2. This kind of mute means that the defect will be kept muted in subsequent analyses if, and only if, the defect appears on the same line
    2. By Source Code: (NEW)
      1. A specific defect (identified by the rule, the file and the source code line) is muted
      2. This kind of mute means that the mute is based on the content of the source line and, therefore, the defect will be kept muted in subsequent analyses regardless of the line number where it appears
  2. File-scope
    1. To mute all the defects of a certain file, regardless of the nature (rule) of the defect
  3. Rule-scope
    1. To mute all the defects coming from a specific rule, regardless of the file where the defects appear
  4. Rule-File or File-Rule scope
    1. Rule-File: To mute all the defects of a certain rule belonging to a specific file (or to a set of files)
    2. File-Rule: To mute all the defects of a certain file coming from a specific rule


Kiuwan allows you to declare mute patterns for all the above situations, letting you suit Kiuwan's muting mechanism to your specific needs.

What is important to remember is that muted defects will not be considered when passing an Audit or calculating any Indicator.

Muted defects are still there (you can inspect them), but they will not be part of the calculations made by Kiuwan.


At this point you are probably wondering about some questions:

  1. Is muting a rule the same as deactivating that rule?
    1. Yes, muting a rule will mute all the current defects of that rule as well as future defects of that rule in further analyses. This way, you don't need to deactivate the rule (which would deactivate it for all the applications that use that model). Also, defects of that rule still exist (but muted), but will not be considered in Audits or in the Indicators. You can un-mute the rule at a later stage and its defects will be considered "live" again.
  2. Is muting a file the same as "excluding" that file from the analysis?
    1. Yes, the final effect is the same. Muting a file will mute all the current defects of that file as well as future defects for that file. As above, those defects will remain in the analysis, but muted, and will not be considered in Audits and Indicators.

Some considerations when muting at Defect-specific level

If you mute a defect "by line", bear in mind that modifying the line number where that defect appears (by adding or removing lines before the defect line) will make the defect appear again.

Instead, if you mute that defect "by text", you can freely add or remove lines before that defect; the defect will stay silenced as long as the source line text does not change.

When you mute a defect "by text", there is a condition that you must bear in mind:

  • If, for example, you get 3 defects on different lines but the source code line is identical in all of them, muting one of them "by text" has the side effect that all three are muted (warning). You must be aware of this side effect because the mute engine cannot distinguish between them (the source code line is the same for all of them, and the line number is not considered).

Finally, when the defect is an injection vulnerability (i.e. a defect coming from an injection security rule), the defect is uniquely identified by three factors: the sink, the source and the propagation path.

In this case, if you mute "by line", the defect is muted based on the line numbers of the sink and source code lines. As above, if the line numbers of the sink or the source change, the mute will not be applied and the defect will appear again.

But if you mute "by text", the mute is applied to the source code of the sink, the source and the propagation path. That means that even if the sink and source code lines do not change, any change in the propagation path will be considered a new defect and the mute will disappear.
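The following is an added illustration, not Kiuwan's code: a small model of the "by line" versus "by text" matching described in this section and in the injection paragraphs above. The rule names, file name, source lines and the mute-pattern shape are constructed assumptions; it shows a line shift defeating a "by line" mute, a "by text" mute silencing every defect with the same source text, and a propagation-path change defeating a "by text" mute on an injection defect.

```python
from dataclasses import dataclass
# Constructed model of the muting semantics described on this page; not Kiuwan's own code.
@dataclass(frozen=True)
class Defect:
    rule: str
    file: str
    lines: tuple        # (line,) for a plain defect; (source_line, sink_line) for an injection
    texts: tuple        # source text of those lines
    path: tuple = ()    # propagation path text, injection defects only
@dataclass(frozen=True)
class Mute:
    rule: str
    file: str
    lines: tuple = None   # set for a "by line" mute
    texts: tuple = None   # set for a "by text" mute
    path: tuple = ()      # pinned together with a "by text" mute of an injection defect

    def matches(self, d: Defect) -> bool:
        if (self.rule, self.file) != (d.rule, d.file):
            return False
        if self.lines is not None:              # by line: only line numbers are compared
            return self.lines == d.lines
        return self.texts == d.texts and self.path == d.path   # by text: line numbers ignored

def mute_by_text(d: Defect) -> Mute:
    return Mute(d.rule, d.file, texts=d.texts, path=d.path)

def live_defects(defects, mutes):
    """Defects still counted in Audits and Indicators: those matched by no mute pattern."""
    return [d for d in defects if not any(m.matches(d) for m in mutes)]

# Constructed sample: RUN2 is RUN1 re-analysed after one line was inserted at the top of the
# file (every line number shifts by one, text unchanged); RUN3 also changes the injection path.
LOG = 'log.info("user=" + name);'
RUN1 = [
    Defect("Log.Injection", "Svc.java", (12,), (LOG,)),
    Defect("Log.Injection", "Svc.java", (40,), (LOG,)),   # same text on another line
    Defect("SQL.Injection", "Svc.java", (5, 20),
           ('String q = req.getParameter("q");', "st.execute(q);"), ("String sql = q;",)),
]
RUN2 = [Defect(d.rule, d.file, tuple(n + 1 for n in d.lines), d.texts, d.path) for d in RUN1]
RUN3 = RUN2[:2] + [Defect("SQL.Injection", "Svc.java", (6, 21), RUN2[2].texts, ("String sql = q.trim();",))]

if __name__ == "__main__":
    by_line = [Mute("Log.Injection", "Svc.java", lines=(12,))]
    print(len(live_defects(RUN1, by_line)), len(live_defects(RUN2, by_line)))  # 2 3: line shift unmutes
    by_text = [mute_by_text(RUN1[0])]
    print(len(live_defects(RUN1, by_text)), len(live_defects(RUN2, by_text)))  # 1 1: both LOG lines muted
    inj = [mute_by_text(RUN1[2])]
    print(len(live_defects(RUN2, inj)), len(live_defects(RUN3, inj)))          # 2 3: path change unmutes
```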


Muting Defects in the Kiuwan Life Cycle (baseline and deliveries)

...