This guide explains how to deactivate a Kiuwan rule and create a custom model.
How to deactivate a rule
Sometimes, for different reasons, you need to deactivate a Kiuwan rule (see How to manage Kiuwan defects when I do not completely agree with them).
Note: To deactivate a rule means that Kiuwan will not execute that rule's validation.
The reasons can vary: you may not be interested in the validations the rule performs, the rule may be producing many false positives, or any other reason. Bear in mind that deactivating a rule suppresses all of its findings in every application associated with the model, so if you only disagree with a few specific findings, consider managing those defects individually instead.
This guide's purpose is to teach you how to do it.
Let's start with some very basic concepts.
What are rules and models
When you execute a Kiuwan analysis, Kiuwan applies a set of rules to your source code. For example, some rules scan for SQL injection vulnerabilities, others search for path traversal issues, and so on.
Any application you analyze is scanned by a set of rules.
Note: The set of rules that is active by default (the default model) is called CQM.
Saying that CQM is the default model means that any application you create is, by default, scanned by applying the active rules contained within CQM.
Every application is associated with a specific model. If you do not change the configuration, every new application is associated with CQM, and therefore the rules applied are those active in CQM.
You can, of course, create your own custom models and associate different models with different applications.
See which model you are using for your application
You can either use CQM or a custom model.
If you are using Kiuwan Local Analyzer GUI, click Advanced to see which model you are using.
A window is displayed showing the analysis settings, including the Analysis model field.
If the Analysis model field value is Automatic, CQM is used by default.
If you are using any other model, its name is displayed instead.
Another way to know the model is through the Kiuwan website. Go to Application Management, find your application and select Model from the drop-down menu on the right.
A window opens showing the Model associated with your application; for an application left at the default configuration, this is CQM.
Create a new model from the CQM model
Note: CQM is the default Kiuwan model, and it is read-only. You can use it but you cannot modify it.
If you are using CQM and you want to modify it (for example, to deactivate a rule), follow these steps:
1. Create your own custom model (most probably as a copy of CQM)
2. Find the rule and deactivate it
3. Publish your model
4. Associate your application with your custom model and run the analysis again
1. Create your initial custom model
- To create your custom model, follow the instructions detailed in the Kiuwan documentation on creating models.
2. Find the rule and deactivate it
- Go to the Rules tab of your custom model and find the rule using the filters. A rule is identified by two fields:
  - Its name, for example "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
  - Its rule code, for example OPT.JAVA.SEC_JAVA.SqlInjectionRule
- You can therefore search for the rule either by its name (or description) or by its rule code. In the latter case you must first enable the rule code filter and then fill it with the rule code.
- Click the green circle next to the rule to deactivate or activate it.
3. Publish your model
- All the changes made to the model are saved in a Draft version. Those changes are not available to analyses until you Publish your model.
- To make the changes available, click Publish and provide a version tag.
- Once published, any new analysis of an application associated with this model will use this latest version.
4. Associate your application with your custom model and run the analysis again
- Find your application in Application Management, click Model and select the model you created.
- Now, when you run the analysis of the application, your custom model is used.
Deactivate a rule when you already have a custom model
If you are already using a custom model, just follow steps #2 (Find the rule and deactivate it) and #3 (Publish your model) as described above.
Then, re-run your analysis.