This guide will explain how to deactivate a Kiuwan rule and create a custom model.
When you run a Kiuwan analysis, Kiuwan applies a set of rules to your source code. For example, some rules scan for SQL-injection vulnerabilities, others search for path-traversal issues, and so on.
The set of rules that is activated by default (the default model) is called CQM.
Saying that CQM is the default model means that any application you create is, by default, scanned with the active rules contained in CQM.
Every application is associated with a specific model. If you do not change the configuration, every new application is associated with CQM, and therefore the rules applied are those active in CQM.
Sometimes, for different reasons, you need to deactivate a Kiuwan rule (see How to manage Kiuwan defects when I do not completely agree with them).
Deactivating a rule means that Kiuwan will not run that rule's validation. The reasons can vary: you are not interested in the validation the rule performs, the rule is producing many false positives, or any other reason.
To deactivate rules you do not need, create your own custom models and associate different models with different applications.
If you are using the Kiuwan Local Analyzer GUI, click Advanced to see which model you are using.
A window like this will be displayed:
If the Analysis model field value is Automatic, CQM is used by default.
If you are using any other model, its name will be displayed instead.
Another way to find out which model is in use is through the Kiuwan website. Go to Application Management, find your application and select Model from the drop-down menu on the right.
A window will open with the Model associated with your application:
CQM is the default Kiuwan model, and it’s read-only. You can use it but you cannot modify it.
If you are using CQM and you want to modify it (for example, to deactivate a rule), follow these steps:
1. Create your own custom model (most likely as a copy of CQM)
2. Find the rule and deactivate it
3. Publish your model
4. Associate your application with your custom model and run the analysis again
To create your custom model, follow the instructions in Advanced Model Management#CreatinganewModel.
Go to the Rules tab of your custom model and find the rule using the filters (Rules Management#Rulessection).
A rule is identified by two fields:
- Its name (or description), for example “Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')”
- Its rule code, for example OPT.JAVA.SEC_JAVA.SqlInjectionRule
So you can search for the rule either by its name (or description) or by its rule code (in the latter case you must first enable the rule code filter, as in the image below).
Click the green circle to deactivate or activate the rule.
All the changes made to the model are saved in a Draft version.
To make the changes publicly available, click Publish and provide a version tag.
Once published, any new analysis of an application associated with this model will use this latest version.
Find your application in Application Management, click Model and select the model you created.
Now, when you run the analysis of the application, your custom model will be used.
If you are already using a custom model, follow steps #2 (Find the rule and deactivate it) and #3 (Publish your model) as described above, then re-run your analysis.