Meterian
Meterian
Meterian
Meterian
Meterian
The client
Meterian Thin Client
Using the client from your command line
Using the client in your CI/CD pipeline
General operations
System requirements
Command line parameters
The Dockerized Client
THE METERIAN DASHBOARD
The Web Dashboard
Advanced functionalities
Auto-grouping
How to set a vulnerability exclusion
From the report page
From the dashboard
The .meterian file
Generate the .meterian file
Sentinel - Meterian Notifications service
Troubleshooting
Github Badges
Introduction
Public repository
Private repository
ONLINE INTEGRATIONS
GitHub Action
Bitbucket Pipe
Azure DevOps Pipelines
Languages support
Introduction
Java/Kotlin/Scala
NodeJS
Javascript
Python
Ruby
PHP
.NET
Golang
Swift / Objective-C
Rust
Elixir (erlang)
Perl
C/C++
Special platfoms
Jupyter Notebooks
Unity Packages
Containers support
Container Scanner
CI SERVER INTEGRATIONS
Introduction
Generic CI
Jenkins
Azure DevOps
Bamboo
TravisCI
CircleCI
TeamCity
GitLabCICD
CodeShip
AWS CodeBuild
Meterian API
API basics
Authorizing the APIs
Account APIs
Samples
Management Platforms
Threadfix
DefectDojo
Powered by GitBook

The .meterian file

To set an exclusion from within the codebase create a file named '.meterian'.

The .meterian file is bound to have the structure specified below:

{ 
    "exclusions": {    
        "licensing": {
            "libraries": [{
                "library": {
                    "language": "ruby",                                                     
                    "name": "rspec"
                },
                "version": "*",
                "description": "Internal library by Acme inc. so a license is implied"
            }]
        },
    
        "security": {
            "advices": [{
                "uuid": "ffb4763c-7af7-4499-804e-11165888e1f3",                             
                "reason": "mitigated",
                "description": "We are not using this"                                      
            }],
            "cves": [{
                "cve": "CVE-2018-1783",                                                     
                "reason": "mitigated",
                "description": "We are not using this"                                      
            }],
            "libraries": [{
                "library": {
                    "language": "ruby",                                                     
                    "name": "rack"                                                          
                },
                "version": "*",                                                             
                "description": "Check if exclusion on library works!"                       
            }]
        },
    
        "stability": {
            "libraries": [{
                "library": {
                    "language": "java",
                    "name": "acme*"
                },
                "version": "*",
                "description": "Acme on java is notorioiusly stable"
            }]
        }
    }
}

​

Security exclusions

There are three different type of security exclusions:

  • Advices: This exclusion is very similar to the one users can set from the report page as it only affects the single vulnerability. This type of exclusion can be set only if the vulnerability UUID is known to the user.

  • CVE: This exclusion affects all the vulnerabilities with the specified CVE ID

  • Libraries: This exclusion affects all the vulnerabilities related to a specific version of a library

​

Accepted Values

Security

{
    "exclusions":{
        "security": {
            "advices": [{
                "uuid": "ffb4763c-7af7-4499-804e-11165888e1f3",                             
                "reason": "mitigated",
                "description": "We are not using this"                                      
            }],
            "cves": [],
            "libraries": []
        }
    }
}

  • uuid: "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" - (it has to have this format and it must be known by the user - unique vulnerability identificator provided by Meterian).

​

{
    "exclusions":{
        "security": {
            "advices": [],
            "cves": [{
                "cve": "CVE-2018-1783",                                                     
                "reason": "mitigated",
                "description": "We are not using this"                                      
            }],
            "libraries": []
        }
    }
}

  • cve: "CVE-XXXX-XXXXX" - (it has to have this format and it must be a valid CVE id - unique vulnerability identificator and it is provided by Mitre and NVD).

​

{
    "exclusions":{
        "security": {
            "advices": [],
            "cves": [],
            "libraries": [{
                "library": {
                    "language": "ruby",                                                     
                    "name": "rack"                                                          
                },
                "version": "*",                                                             
                "description": "Check if exclusion on library works!"                       
            }]
        }
    }
}

  • library - language: java | dotnet | python | nodejs | ruby | javascript | php | swift | golang - (name of the language the library code is written in).

  • library - name: the exact name of the library to exclude.

  • version: the exact version of the library to exclude | * will exclude all the versions.

Common fields

  • description: It has to be a text, we suggest a meaningful description of the reason why the vulnerability is being excluded.

  • reason: report | unapplicable | mitigated - (a different value or the omission of this field will replaced by the default value 'unapplicable').

​

​

Stability

{
    "exclusions":{
        "stability": {
            "libraries": [{
                "library": {
                    "language": "java",
                    "name": "acme*"
                },
                "version": "*",
                "description": "Acme on java is notorioiusly stable"
            }]
        }
    }
}

  • library - language: java | dotnet | python | nodejs | ruby | javascript | php | swift | golang - (name of the language the library code is written in).

  • library - name: name of the library - (a glob pattern can also be used in field to exclude more than one library).

  • version: version of the library to exclude | * will exclude all the versions - (a glob pattern can also be used in field to exclude more than one version).

  • description: It has to be a text, we suggest a meaningful description of the reason why the vulnerability is being excluded

Licensing

{
    "exclusions":{
        "licensing": {
            "libraries": [{
                "library": {
                    "language": "ruby",                                                     
                    "name": "rspec"
                },
                "version": "*",
                "description": "Internal library by Acme inc. so a license is implied"
            }]
        }
    }
}

  • library - language: java | dotnet | python | nodejs | ruby | javascript | php | swift | golang - (name of the language the library code is written in).

  • library - name: name of the library - (a glob pattern can also be used in field to exclude more than one library).

  • version: version of the library to exclude | * will exclude all the versions - (a glob pattern can also be used in field to exclude more than one version).

  • description: It has to be a text, we suggest a meaningful description of the reason why the vulnerability is being excluded

For every single type of exclusion some of the fields are mandatory, and the wrong usage could lead to an invalidation of the exclusion.

Previous
From the dashboard
Next
Generate the .meterian file
Last updated 11 months ago
Contents
Security exclusions
Accepted Values