The .meterian file

To set an exclusion from within the codebase, create a file named '.meterian'.

The .meterian file must have the structure specified below:

{
    "exclusions": {
        "licensing": {
            "libraries": [{
                "library": {
                    "language": "ruby",
                    "name": "rspec"
                },
                "version": "*",
                "description": "Internal library by Acme inc. so a license is implied"
            }]
        },

        "security": {
            "advices": [{
                "uuid": "ffb4763c-7af7-4499-804e-11165888e1f3",
                "reason": "mitigated",
                "description": "We are not using this"
            }],
            "cves": [{
                "cve": "CVE-2018-1783",
                "reason": "mitigated",
                "description": "We are not using this"
            }],
            "libraries": [{
                "library": {
                    "language": "ruby",
                    "name": "rack"
                },
                "version": "*",
                "description": "Check if exclusion on library works!"
            }]
        },

        "stability": {
            "libraries": [{
                "library": {
                    "language": "java",
                    "name": "acme*"
                },
                "version": "*",
                "description": "Acme on java is notoriously stable"
            }]
        }
    }
}

Security exclusions

There are three different types of security exclusions:

  • Advices: this exclusion is very similar to the one users can set from the report page, as it affects only the single vulnerability. It can be set only if the vulnerability UUID is known to the user.

  • CVE: this exclusion affects all the vulnerabilities with the specified CVE ID.

  • Libraries: this exclusion affects all the vulnerabilities related to a specific version of a library (or to every version of it, when the version is "*").

Accepted Values

Security

{
    "exclusions":{
        "security": {
            "advices": [{
                "uuid": "ffb4763c-7af7-4499-804e-11165888e1f3",                             
                "reason": "mitigated",
                "description": "We are not using this"                                      
            }],
            "cves": [],
            "libraries": []
        }
    }
}
    
  • uuid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" - (it has to have this format and it must be known by the user - it is the unique vulnerability identifier assigned by Meterian).

{
    "exclusions":{
        "security": {
            "advices": [],
            "cves": [{
                "cve": "CVE-2018-1783",                                                     
                "reason": "mitigated",
                "description": "We are not using this"                                      
            }],
            "libraries": []
        }
    }
}
    
  • cve: "CVE-YYYY-NNNN" - (it has to have this format, a four-digit year followed by a sequence number of four or more digits, and it must be a valid CVE ID - the unique vulnerability identifier assigned by MITRE and published in the NVD).

{
    "exclusions":{
        "security": {
            "advices": [],
            "cves": [],
            "libraries": [{
                "library": {
                    "language": "ruby",                                                     
                    "name": "rack"                                                          
                },
                "version": "*",                                                             
                "description": "Check if exclusion on library works!"                       
            }]
        }
    }
}
  • library - language: java | dotnet | python | nodejs | ruby | javascript | php | swift | golang - (name of the language the library code is written in).

  • library - name: the exact name of the library to exclude.

  • version: the exact version of the library to exclude | * will exclude all the versions.

Common fields

  • description: it has to be a text; we suggest a meaningful description of the reason why the vulnerability is being excluded.

  • reason: report | unapplicable | mitigated - (any other value, or the omission of this field, is replaced by the default value 'unapplicable').

Stability

{
    "exclusions":{
        "stability": {
            "libraries": [{
                "library": {
                    "language": "java",
                    "name": "acme*"
                },
                "version": "*",
                "description": "Acme on java is notoriously stable"
            }]
        }
    }
}
  • library - language: java | dotnet | python | nodejs | ruby | javascript | php | swift | golang - (name of the language the library code is written in).

  • library - name: name of the library - (a glob pattern can also be used in this field to exclude more than one library).

  • version: version of the library to exclude | * will exclude all the versions - (a glob pattern can also be used in this field to exclude more than one version).

  • description: it has to be a text; we suggest a meaningful description of the reason why the library is being excluded from the stability checks.

Licensing

{
    "exclusions":{
        "licensing": {
            "libraries": [{
                "library": {
                    "language": "ruby",                                                     
                    "name": "rspec"
                },
                "version": "*",
                "description": "Internal library by Acme inc. so a license is implied"
            }]
        }
    }
}
  • library - language: java | dotnet | python | nodejs | ruby | javascript | php | swift | golang - (name of the language the library code is written in).

  • library - name: name of the library - (a glob pattern can also be used in this field to exclude more than one library).

  • version: version of the library to exclude | * will exclude all the versions - (a glob pattern can also be used in this field to exclude more than one version).

  • description: it has to be a text; we suggest a meaningful description of the reason why the library is being excluded from the licensing checks.

For every type of exclusion some of the fields are mandatory, and incorrect usage can invalidate the exclusion. Since a malformed entry may simply end up not being applied, check that the file is valid JSON and that every entry carries its mandatory fields before committing it.
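A small linter for the file, as an added example that is not Meterian's own tooling: it checks the structure and field rules described on this page (uuid and CVE ID formats, the supported language list, the accepted 'reason' values and their default, exact library names in security entries versus glob patterns in stability and licensing entries) and also shows which findings a given library entry would cover. The sample document is constructed for the example and mixes the page's own entries with one mistake of each kind. How the Meterian scanner itself reports a malformed entry is not documented here; the linter just lists the problem.

```python
"""Lint a .meterian exclusion file before committing it.

Added example, not Meterian's own code. It encodes the rules stated on this page:
uuid and CVE ID formats, the supported languages, the accepted 'reason' values
(anything else is read as 'unapplicable'), exact names in security library
exclusions and glob patterns in stability and licensing ones."""
import fnmatch
import json
import re

LANGUAGES = {"java", "dotnet", "python", "nodejs", "ruby",
             "javascript", "php", "swift", "golang"}
REASONS = {"report", "unapplicable", "mitigated"}
GLOB_CHARS = set("*?[]")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # the sequence part has four or more digits


def _check_common(entry, where, errors, warnings):
    """'description' is mandatory text; an unknown 'reason' only warns, it defaults to 'unapplicable'."""
    desc = entry.get("description")
    if not isinstance(desc, str) or not desc.strip():
        errors.append(f"{where}: 'description' must be a non-empty text")
    if "reason" in entry and entry["reason"] not in REASONS:
        warnings.append(f"{where}: reason {entry['reason']!r} is not "
                        "report|unapplicable|mitigated, it will be read as 'unapplicable'")


def _check_library(entry, where, allow_glob, errors):
    """Library entries need a supported language, a name and a version; security entries take exact values."""
    lib = entry.get("library")
    if not isinstance(lib, dict):
        errors.append(f"{where}: missing 'library' object")
        return
    if lib.get("language") not in LANGUAGES:
        errors.append(f"{where}: language {lib.get('language')!r} is not in the supported list")
    for field, value in (("name", lib.get("name")), ("version", entry.get("version"))):
        if not isinstance(value, str) or not value:
            errors.append(f"{where}: '{field}' must be a non-empty string")
        elif not allow_glob and value != "*" and GLOB_CHARS & set(value):
            errors.append(f"{where}: security exclusions take an exact {field}, got {value!r}")


def validate(doc):
    """Return (errors, warnings) for a parsed .meterian document."""
    errors, warnings = [], []
    exclusions = doc.get("exclusions") if isinstance(doc, dict) else None
    if not isinstance(exclusions, dict):
        return ['top level must be {"exclusions": {...}}'], warnings
    security = exclusions.get("security", {})
    for key, field, regex, hint in (("advices", "uuid", UUID_RE, "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"),
                                    ("cves", "cve", CVE_RE, "CVE-YYYY-NNNN")):
        for i, entry in enumerate(security.get(key, [])):
            where = f"security.{key}[{i}]"
            if not regex.match(str(entry.get(field, ""))):
                errors.append(f"{where}: {field} must look like {hint}")
            _check_common(entry, where, errors, warnings)
    for i, lib in enumerate(security.get("libraries", [])):
        where = f"security.libraries[{i}]"
        _check_library(lib, where, allow_glob=False, errors=errors)
        _check_common(lib, where, errors, warnings)
    for section in ("stability", "licensing"):
        for i, lib in enumerate(exclusions.get(section, {}).get("libraries", [])):
            where = f"{section}.libraries[{i}]"
            _check_library(lib, where, allow_glob=True, errors=errors)
            _check_common(lib, where, errors, warnings)
    return errors, warnings


def library_matches(entry, language, name, version, allow_glob):
    """Would this library exclusion cover a finding on (language, name, version)?
    Security entries match exactly; stability/licensing entries accept globs."""
    lib = entry["library"]
    if lib["language"] != language:
        return False
    if allow_glob:
        return (fnmatch.fnmatchcase(name, lib["name"])
                and fnmatch.fnmatchcase(version, entry["version"]))
    return lib["name"] == name and entry["version"] in ("*", version)


# Constructed sample: the page's own entries plus one mistake of each kind.
SAMPLE = json.loads("""{"exclusions": {
  "security": {
    "advices": [
      {"uuid": "ffb4763c-7af7-4499-804e-11165888e1f3", "reason": "mitigated", "description": "We are not using this"},
      {"uuid": "not-a-uuid", "reason": "wontfix", "description": "bad uuid and unknown reason"}],
    "cves": [
      {"cve": "CVE-2018-1783", "reason": "mitigated", "description": "We are not using this"},
      {"cve": "2018-1783", "description": "missing CVE- prefix"}],
    "libraries": [
      {"library": {"language": "ruby", "name": "rack"}, "version": "*", "description": "Check if exclusion on library works!"},
      {"library": {"language": "ruby", "name": "rack*"}, "version": "*", "description": "glob in a security entry"}]},
  "stability": {
    "libraries": [
      {"library": {"language": "java", "name": "acme*"}, "version": "*", "description": "Acme on java is notoriously stable"}]}}}""")

if __name__ == "__main__":
    errs, warns = validate(SAMPLE)
    print("\n".join(["ERROR: " + e for e in errs] + ["WARN:  " + w for w in warns]))
    raise SystemExit(1 if errs else 0)
```

To lint a real file, replace SAMPLE with `json.load(open(".meterian"))` and run the script (a hypothetical `lint_meterian.py`) as a pre-commit hook or CI step; a non-zero exit code blocks a file with errors, while an unknown reason is only reported because the scanner replaces it with the default. On the sample, the three errors are the malformed uuid, the CVE ID without its prefix, and the glob in the security library name.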


Last updated 4 years ago
