If Trend Micro Artifact Scanner (TMAS) reports a vulnerability or secret that has been determined to be a false positive, or any other finding you want to ignore, you can instruct TMAS to override these findings by defining one or more rules in an override configuration file (for example, ~/tmas_overrides.yml). Overriding malware findings is not supported at this time.
You can execute a scan using these rules by providing TMAS with a path to the override file using the --override flag.
tmas scan <artifact_to_scan> -VMS --override path/to/tmas_overrides.yml
The override file uses a YAML structure with rules defined under each scan type (vulnerabilities or secrets). When providing overrides for both secrets and vulnerabilities, specify all the overrides in the same YAML file.

Override vulnerability findings

The vulnerability overrides are structured as a list of rules. Each rule can specify any combination of the following criteria:
  • vulnerability ID (for example, "CVE-2008-4318")
  • fix state (allowed values: "fixed", "not-fixed", "wont-fix", or "unknown")
  • package name (for example, "libcurl")
  • package version (for example, "1.5.1")
  • package type (for example, "npm", "go-package", "rpm", or any package type appearing in the Trend Micro Artifact Scanner JSON vulnerability report)
  • package location (for example, "/usr/local/lib/node_modules/**"; supports glob patterns)
Each rule must also be accompanied by a reason indicating why the rule was implemented (for example, "false positive", "mitigated", "vulnerable package function is not called", and so on).
vulnerabilities:
  # This is the full set of supported rule fields:
  - rule:
      vulnerability: CVE-0000-0000
      fixState: unknown
      package:
        name: libcurl
        version: 1.5.1
        type: npm
        location: "/usr/local/lib/node_modules/**"
    reason: A descriptor specifying why the override rule is implemented
A given vulnerability finding is overridden if any of the rules specified in the override file apply to the finding. A rule is considered to apply to a finding only if all the fields in the rule match those found in the vulnerability finding.
vulnerabilities:
  # Override vulnerability findings whose CVE-ID is CVE-0000-0000
  - rule:
      vulnerability: CVE-0000-0000
    reason: Not executed
  # Override vulnerability findings detected on libcurl version 1.5.1
  - rule:
      package:
        name: libcurl
        version: 1.5.1
    reason: Dev dependency
Any vulnerability finding that matches a rule is presented in the JSON report in an "Overridden" section, rather than classified under its severity.
{
  "vulnerabilities": {
    "totalVulnCount": 1,
    "criticalCount": 0,
    "highCount": 0,
    "mediumCount": 0,
    "lowCount": 0,
    "negligibleCount": 0,
    "unknownCount": 0,
    "overriddenCount": 1,
    "findings": {
      "High": [],
      "Low": [],
      "Medium": [],
      "Negligible": [],
      "Overridden": [
        {
          "name": "libcurl",
          "type": "npm",
          "version": "1.5.1",
          "id": "CVE-0000-0000",
          "source": "https://nvd.nist.gov/vuln/detail/CVE-0000-0000",
          "severity": "Low",
          "fix": "not-fixed",
          "locations": ["/usr/local/lib/node_modules/**"],
          "cvssSummaries": [],
          "relatedVulnerabilities": []
        }
      ]
    }
  }
}

Override secret findings

Secret overrides support multiple targets:
  • paths
  • rules
  • findings
Each override is a list of regular expression patterns; any target that matches one of the patterns is excluded. Each list of patterns must also be accompanied by a reason for implementing the rule (for example, "false positive", "third party dependencies", and so on).
secrets:
  paths:
    - patterns:
        - node_modules
        - .tox
      reason: Third party dependencies
    - patterns:
        - .*_test.go
      reason: Development resources
  rules:
    - patterns:
        - generic_api_key
      reason: A descriptor specifying why the override is implemented
  findings:
    - patterns:
        - ".*example"
      reason: "Used in testing"
A given secret finding is overridden if any of the regular expressions specified in the override file apply to the finding.
Any secret finding that matches a rule is presented in the JSON report in an "overridden" section.
{
  "secrets": {
    "totalFilesScanned": 3,
    "unmitigatedFindingsCount": 0,
    "overriddenFindingsCount": 1,
    "findings": {
      "overridden": [
        {
          "ruleID": "aws-access-token",
          "description": "Identified a pattern that may indicate AWS credentials, risking unauthorized cloud resource access and data breaches on AWS platforms.",
          "secret": "AKIAIRYLJVKMPEXAMPLE",
          "location": {
            "path": "/workdir/test-fixtures/aws_access_key",
            "startLine": 1,
            "endLine": 1,
            "startColumn": 1,
            "endColumn": 20
          }
        }
      ]
    }
  }
}
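As an added example, not part of the TMAS documentation or the tool's own code, the matching semantics described in both override sections above are reimplemented in Python so an override file can be reviewed against report-shaped findings before it silences anything in a real scan. The glob engine (fnmatch), the regex mode (unanchored, case-sensitive re.search), the reason strings and the constructed findings are assumptions of this example.

```python
import re
from fnmatch import fnmatch

# Constructed override config, the Python equivalent of this page's YAML (a real run would yaml.safe_load the file).
OVERRIDES = {
    "vulnerabilities": [
        {"rule": {"vulnerability": "CVE-0000-0000"}, "reason": "Not executed"},
        {"rule": {"package": {"name": "libcurl", "version": "1.5.1",
                              "location": "/usr/local/lib/node_modules/**"}},
         "reason": "Dev dependency"},
    ],
    "secrets": {
        "paths": [{"patterns": ["node_modules", r".*_test\.go"], "reason": "Third party"}],
        "rules": [{"patterns": ["generic_api_key"], "reason": "Low-confidence rule"}],
        "findings": [{"patterns": [".*example"], "reason": "Used in testing"}],
    },
}

# Constructed findings shaped like the report entries above; the AWS secret mirrors the sample.
BASE = {"name": "libcurl", "version": "1.5.1", "type": "npm", "fix": "not-fixed",
        "locations": ["/usr/local/lib/node_modules/curl/index.js"]}
VULNS = [{**BASE, "id": "CVE-0000-0000"},
         {**BASE, "id": "CVE-1111-1111", "fix": "fixed"},
         {**BASE, "id": "CVE-1111-1111", "type": "rpm", "locations": ["/usr/lib64/libcurl.so.4"]}]
SECRETS = [{"ruleID": "aws-access-token", "secret": "AKIAIRYLJVKMPEXAMPLE",
            "location": {"path": "/workdir/test-fixtures/aws_access_key"}},
           {"ruleID": "generic_api_key", "secret": "abc123", "location": {"path": "/app/config.py"}}]

def vuln_override_reason(finding, rules):
    """Reason of the first applicable rule, else None. Every field a rule specifies must
    match (AND); omitted fields are wildcards. fnmatch for the location glob is an assumption."""
    for entry in rules:
        rule, pkg = entry["rule"], entry["rule"].get("package", {})
        wanted = {"id": rule.get("vulnerability"), "fix": rule.get("fixState"),
                  **{k: pkg.get(k) for k in ("name", "version", "type")}}
        fields_ok = all(v is None or finding[k] == v for k, v in wanted.items())
        loc_ok = "location" not in pkg or any(fnmatch(p, pkg["location"]) for p in finding["locations"])
        if fields_ok and loc_ok:
            return entry["reason"]
    return None

def secret_override_reason(finding, cfg):
    """paths, rules and findings are regex lists checked against the path, ruleID and secret
    value; the first hit wins. Unanchored, case-sensitive re.search is an assumption."""
    for target, value in (("paths", finding["location"]["path"]),
                          ("rules", finding["ruleID"]), ("findings", finding["secret"])):
        for entry in cfg.get(target, []):
            if any(re.search(p, value) for p in entry["patterns"]):
                return entry["reason"]
    return None
```

Under these assumptions the rpm finding outside the location glob and the AWS sample secret both stay unmitigated (`.*example` does not match a value ending in `EXAMPLE` when matching is case-sensitive), so write patterns with the anchoring and case you intend so an override suppresses only what its reason describes.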