If Trend Micro Artifact Scanner reports a vulnerability which has been determined to be a false positive, or any other vulnerability finding you wish to ignore, you can instruct Trend Micro Artifact Scanner to override these findings by defining one or more rules in an override configuration file (for example, `~/tmas_vuln_overrides.yml`). You execute a scan using these rules by providing Trend Micro Artifact Scanner with the path to the override file using the `--override` flag:

```
tmas scan <artifact_to_scan> --override path/to/tmas_vuln_overrides.yml
```
The override file is structured as a list of rules. Each rule can specify any combination of the following criteria:

- vulnerability ID (for example, `"CVE-2008-4318"`)
- fix state (allowed values: `"fixed"`, `"not-fixed"`, `"wont-fix"`, or `"unknown"`)
- package name (for example, `"libcurl"`)
- package version (for example, `"1.5.1"`)
- package type (for example, `"npm"`, `"go-package"`, `"rpm"`, or any package type appearing in the Trend Micro Artifact Scanner JSON vulnerability report)
- package location (for example, `"/usr/local/lib/node_modules/**"`; supports glob patterns)

Each rule must also be accompanied by a reason indicating why the rule was implemented (for example, "false positive", "mitigated", "vulnerable package function is not called", and so on).
```yaml
vulnerabilities:
  # This is the full set of supported rule fields:
  - rule:
      vulnerability: CVE-0000-0000
      fixState: unknown
      package:
        name: libcurl
        version: 1.5.1
        type: npm
        location: "/usr/local/lib/node_modules/**"
    reason: A descriptor specifying why the override rule was implemented
```
A given vulnerability finding is overridden if any of the rules specified in the override file apply to the finding. A rule is considered to apply to a finding only if all the fields in the rule match those found in the vulnerability finding.
```yaml
vulnerabilities:
  # Override vulnerability findings whose CVE-ID is CVE-0000-0000
  - rule:
      vulnerability: CVE-0000-0000
    reason: Not executed
  # Override vulnerability findings detected on libcurl version 1.5.1
  - rule:
      package:
        name: libcurl
        version: 1.5.1
    reason: Dev dependency
```
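The matching semantics above (a finding is overridden by any applicable rule, and a rule applies only when every field it specifies matches), as an added Python example that is not Trend Micro's code: the rules are embedded as Python dicts mirroring the YAML structure rather than parsed from a file, the findings are constructed, and glob matching with `fnmatch` is an assumed approximation of the scanner's own location globbing.

```python
from fnmatch import fnmatch

# Constructed rules mirroring the YAML list structure (rule + reason) shown above.
OVERRIDE_RULES = [
    {"rule": {"vulnerability": "CVE-0000-0000"}, "reason": "Not executed"},
    {"rule": {"package": {"name": "libcurl", "version": "1.5.1"}}, "reason": "Dev dependency"},
    {"rule": {"package": {"type": "npm", "location": "/usr/local/lib/node_modules/**"}},
     "reason": "Build-time tooling only"},
]

# Constructed findings, trimmed to the keys of the report's finding objects that rules match on.
FINDINGS = [
    {"id": "CVE-0000-0000", "name": "libcurl", "type": "npm", "version": "1.5.1",
     "fix": "not-fixed", "severity": "Low", "locations": ["/usr/local/lib/node_modules/curl"]},
    {"id": "CVE-0000-0001", "name": "libcurl", "type": "rpm", "version": "7.0.0",
     "fix": "fixed", "severity": "High", "locations": ["/usr/lib64/libcurl.so"]},
    {"id": "CVE-0000-0000", "name": "openssl", "type": "apk", "version": "1.1.1",
     "fix": "unknown", "severity": "Medium", "locations": ["/lib/libssl.so"]},
    {"id": "CVE-0000-0002", "name": "lodash", "type": "npm", "version": "4.17.0",
     "fix": "fixed", "severity": "Medium", "locations": ["/usr/local/lib/node_modules/lodash"]},
    {"id": "CVE-0000-0002", "name": "lodash", "type": "npm", "version": "4.17.0",
     "fix": "fixed", "severity": "Medium", "locations": ["/app/node_modules/lodash"]},
]

# Rule criterion -> finding key. A criterion absent from a rule acts as a wildcard.
TOP_LEVEL = {"vulnerability": "id", "fixState": "fix"}
PACKAGE_LEVEL = {"name": "name", "version": "version", "type": "type"}

def rule_matches(rule, finding):
    """A rule applies only if every criterion it specifies matches the finding."""
    for crit, key in TOP_LEVEL.items():
        if crit in rule and rule[crit] != finding[key]:
            return False
    pkg = rule.get("package", {})
    for crit, key in PACKAGE_LEVEL.items():
        if crit in pkg and pkg[crit] != finding[key]:
            return False
    if "location" in pkg:
        # Glob matching via fnmatch is an assumed approximation of the scanner's globbing.
        return any(fnmatch(loc, pkg["location"]) for loc in finding["locations"])
    return True

def apply_overrides(findings, overrides=OVERRIDE_RULES):
    """Bucket findings by severity; one matched by ANY rule goes to 'Overridden' instead."""
    buckets = {"Overridden": []}
    for f in findings:
        overridden = any(rule_matches(o["rule"], f) for o in overrides)
        buckets.setdefault("Overridden" if overridden else f["severity"], []).append(f)
    return {"totalVulnCount": len(findings),
            "overriddenCount": len(buckets["Overridden"]), "findings": buckets}
```

Note that the second libcurl finding stays in `High` even though its package name matches a rule, because the rule's version field does not match; the lodash finding outside `node_modules` stays in `Medium` for the same reason.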
Any vulnerability finding that matches a rule is presented in the JSON report in an `"Overridden"` section, rather than classified under its severity.

```json
{
  "totalVulnCount": 1,
  "criticalCount": 0,
  "highCount": 0,
  "mediumCount": 0,
  "lowCount": 0,
  "negligibleCount": 0,
  "unknownCount": 0,
  "overriddenCount": 1,
  "findings": {
    "High": [],
    "Low": [],
    "Medium": [],
    "Negligible": [],
    "Overridden": [
      {
        "name": "libcurl",
        "type": "npm",
        "version": "1.5.1",
        "id": "CVE-0000-0000",
        "source": "https://nvd.nist.gov/vuln/detail/CVE-0000-0000",
        "severity": "Low",
        "fix": "not-fixed",
        "locations": ["/usr/local/lib/node_modules/**"],
        "cvssSummaries": [],
        "relatedVulnerabilities": []
      }
    ]
  }
}
```