Page History

This guide explains how to deactivate a Kiuwan rule

and create a custom model.

Contents:

What are rules and models

When you execute a Kiuwan analysis, Kiuwan applies a set

of rules to your source code.

 For example,

some rules may scan for SQL-Injections vulnerabilities, other ones might

search for path-traversal issues, etc.

Saying that CQM is the default model means that any application you create is, by default, scanned applying the active rules contained within CQM.

Every application is associated with a specific model. If you don’t make any configuration, every new application

is associated with CQM, and therefore the rules to be applied

are those active in CQM

.

Sometimes, and for different reasons, you need to de-activate a Kiuwan rule (see How to manage Kiuwan defects when I do not completely agree with them).

To de-activate a rule means that Kiuwan will not execute that rule’s validation. The reasons can be of different nature (you are not interested in the validations the rule is performing, the rule for some reason is producing many false positives or any other reason).

To deactivate rules you do not need

, create your own

custom

models and associate different models to different applications.

See which model you are

using

for your application

If you are using Kiuwan Local Analyzer GUI,

click Advanced to see which model you are using. 

A window will be displayed like this:

Image Added

If the Analysis model field value is Automatic, CQM is

used by default.

If you are using any other model,

another name

is displayed.

Another way to know the model

is through the Kiuwan website.

Go to Application Management, find

your application and select Model

from the drop-down menu on the right.

Image Added

A

window opens with the Model associated

with your application:

Image Added

Create a new model from the CQM model

If you are using CQM and you want to modify it (for example, deactivating a rule), you must follow the next steps:

1. Create your own custom model (most probably as a copy of CQM)

1. - To create your custom model please follow instructions detailed

1. at Advanced Model Management#CreatinganewModel
   

1. Find the rule and deactivate it

1. - Go to the Rules tab of your custom model and find the rule using the filters (

1. Rules Management#Rulessection)
   

   A

1. rule is identified by two fields:

1. • Its name

   • for example, “Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')”

1. • Its rule - code

   • for example, OPT.JAVA.SEC_JAVA.SqlInjectionRule

   So you can search the rule either by its name (or description)

1. Image Added

   or by its rule code

1. (in this case you must first enable the rule code filter

1. as in the image below)

1. Image Added
   

   Image Added

   Click

1. the green circle

1. to de-activate or activate it.

1. Publish your model

1. - 

1. All the changes

1. made to

1. the model are

1. saved in a

1. Draft

1.  version.

1. To make the changes publicly available, click Publish and provide a version tag. 

1. Image Added

   Once

1. published, any new analysis of an application associated

1. with this model will use this latest version.

1. Associate your application to your custom model and run again the analysis

1. - Find your application in Application Management, click

1. Model

1. and

1. select the created model

1. .

1. Image Added

   Now, when you run the analysis of the application, your custom model

1. is used.

Create a new custom model when I already have one

 If you are already using a custom model,

follow steps #2 (Find the rule and deactivate it) and #3 (Publish your model) as described above.

Then, re-run your analysis.