Rule engine
Sometimes the result of a scanner doesn't fit to the product's needs. Either the severity or the status need to be adjusted. To avoid having to do many manual assessments regularly, a built-in rule engine can adjust severity and/or status directly with the import of observations.
This can remove a lot of noise, for example by setting observations to False positive
, in case the ruleset of the scanner can not be adjusted appropriately.
Rules can be managed in two ways:
- General rules will be applied for all products. A product can be excluded from general rules in its settings.
- Product Rules are only valid for one product.
These fields are used to decide if a rule shall be applied for an observation:
- Parser (mandatory): The observation has been imported with this parser.
- Scanner prefix (optional): The observation has been generated by a scanner which name starts with this prefix. A prefix is used here because the scanner field in the observation often contains the version of the scanner as well, which is typically irrelevant for the rule.
- Observation title (optional): Regular expression to match the observation's title
- Origin component name:version (optional): Regular expression to match the component name:version
- Origin docker image name:tag (optional): Regular expression to match the docker image name:tag
- Origin endpoint URL (optional): Regular expression to match the endpoint URL
- Origin service name (optional): Regular expression to match the service name
- Origin source file (optional): Regular expression to match the source file
If an observation matches all fields containing a value, than the new severity and/or new status is set in the observation and a comment is stored in the Observation Log
.