The .meterian file

To set an exclusion from within the codebase, create a file named '.meterian'.

The .meterian file must have the structure shown below:

{
    "exclusions": {
        "licensing": {
            "libraries": [{
                "library": {
                    "language": "ruby",
                    "name": "rspec"
                },
                "version": "*",
                "description": "Internal library by Acme inc. so a license is implied"
            }]
        },

        "security": {
            "advices": [{
                "uuid": "ffb4763c-7af7-4499-804e-11165888e1f3",
                "reason": "mitigated",
                "description": "We are not using this"
            }],
            "cves": [{
                "cve": "CVE-2018-1783",
                "reason": "mitigated",
                "description": "We are not using this"
            }],
            "libraries": [{
                "library": {
                    "language": "ruby",
                    "name": "rack"
                },
                "version": "*",
                "description": "Check if exclusion on library works!"
            }]
        },

        "stability": {
            "libraries": [{
                "library": {
                    "language": "java",
                    "name": "acme*"
                },
                "version": "*",
                "description": "Acme on java is notoriously stable"
            }]
        }
    }
}

Security exclusions

There are three different types of security exclusions:

  • Advices: This exclusion is very similar to the one users can set from the report page, as it only affects a single vulnerability. This type of exclusion can be set only if the vulnerability UUID is known to the user.

  • CVE: This exclusion affects all the vulnerabilities with the specified CVE ID.

  • Libraries: This exclusion affects all the vulnerabilities related to a specific version of a library.

Accepted Values

Security

{
    "exclusions":{
        "security": {
            "advices": [{
                "uuid": "ffb4763c-7af7-4499-804e-11165888e1f3",
                "reason": "mitigated",
                "description": "We are not using this"
            }],
            "cves": [],
            "libraries": []
        }
    }
}

  • uuid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" - (it must have this format and it must be known to the user; it is the unique vulnerability identifier provided by Meterian).

{
    "exclusions":{
        "security": {
            "advices": [],
            "cves": [{
                "cve": "CVE-2018-1783",
                "reason": "mitigated",
                "description": "We are not using this"
            }],
            "libraries": []
        }
    }
}

  • cve: "CVE-XXXX-XXXXX" - (it must have this format and it must be a valid CVE ID; it is the unique vulnerability identifier provided by MITRE and NVD).

{
    "exclusions":{
        "security": {
            "advices": [],
            "cves": [],
            "libraries": [{
                "library": {
                    "language": "ruby",
                    "name": "rack"
                },
                "version": "*",
                "description": "Check if exclusion on library works!"
            }]
        }
    }
}

  • library - language: java | dotnet | python | nodejs | ruby | javascript | php | swift | golang - (name of the language the library code is written in).

  • library - name: the exact name of the library to exclude.

  • version: the exact version of the library to exclude; '*' excludes all versions.

Common fields

  • description: free text; we suggest a meaningful description of why the vulnerability is being excluded.

  • reason: report | unapplicable | mitigated - (any other value, or the omission of this field, is replaced by the default value 'unapplicable').

Stability

{
    "exclusions":{
        "stability": {
            "libraries": [{
                "library": {
                    "language": "java",
                    "name": "acme*"
                },
                "version": "*",
                "description": "Acme on java is notoriously stable"
            }]
        }
    }
}

  • library - language: java | dotnet | python | nodejs | ruby | javascript | php | swift | golang - (name of the language the library code is written in).

  • library - name: name of the library - (a glob pattern can also be used in this field to exclude more than one library).

  • version: version of the library to exclude; '*' excludes all versions - (a glob pattern can also be used in this field to exclude more than one version).

  • description: free text; we suggest a meaningful description of the reason for the exclusion.

Licensing

{
    "exclusions":{
        "licensing": {
            "libraries": [{
                "library": {
                    "language": "ruby",
                    "name": "rspec"
                },
                "version": "*",
                "description": "Internal library by Acme inc. so a license is implied"
            }]
        }
    }
}

  • library - language: java | dotnet | python | nodejs | ruby | javascript | php | swift | golang - (name of the language the library code is written in).

  • library - name: name of the library - (a glob pattern can also be used in this field to exclude more than one library).

  • version: version of the library to exclude; '*' excludes all versions - (a glob pattern can also be used in this field to exclude more than one version).

  • description: free text; we suggest a meaningful description of the reason for the exclusion.

For every type of exclusion some fields are mandatory, and incorrect usage can invalidate the exclusion.
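A small checker for the rules stated on this page, added here as an example and not part of Meterian's own tooling: it validates the UUID and CVE formats, the language list and the 'reason' defaulting, and decides whether a library exclusion covers a given library (exact match for security, glob patterns for stability and licensing). It assumes the 'reason' default applies to all three security exclusion types and runs on constructed sample content.

```python
import json
import re
from fnmatch import fnmatchcase

# Accepted values taken from the documentation: languages, 'reason' values and id formats.
LANGUAGES = {"java", "dotnet", "python", "nodejs", "ruby", "javascript", "php", "swift", "golang"}
REASONS = {"report", "unapplicable", "mitigated"}
ID_FORMATS = {"advices": ("uuid", re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)),
              "cves": ("cve", re.compile(r"^CVE-\d{4}-\d{4,}$"))}
# Constructed sample .meterian content (not from a real project); the CVE entry has a bad 'reason'.
SAMPLE = json.dumps({"exclusions": {
    "security": {
        "advices": [{"uuid": "ffb4763c-7af7-4499-804e-11165888e1f3", "reason": "mitigated",
                     "description": "We are not using this"}],
        "cves": [{"cve": "CVE-2018-1783", "reason": "fixed", "description": "typo in reason"}],
        "libraries": [{"library": {"language": "ruby", "name": "rack"}, "version": "*",
                       "description": "exact name, any version"}]},
    "stability": {"libraries": [{"library": {"language": "java", "name": "acme*"},
                                 "version": "1.*", "description": "glob on name and version"}]}}})

def check_meterian(text):
    """Parse a .meterian document and return (findings, normalized document)."""
    doc = json.loads(text)
    findings = []
    security = doc.get("exclusions", {}).get("security", {})
    for key in ("advices", "cves", "libraries"):
        for entry in security.get(key, []):
            field, pattern = ID_FORMATS.get(key, (None, None))
            if field and not pattern.match(str(entry.get(field, ""))):
                findings.append("%s: malformed %s %r" % (key, field, entry.get(field)))
            if entry.get("reason") not in REASONS:  # wrong or missing reason -> default (assumed for all three)
                findings.append("%s: reason %r defaulted to 'unapplicable'" % (key, entry.get("reason")))
                entry["reason"] = "unapplicable"
    for section, content in doc.get("exclusions", {}).items():
        for entry in content.get("libraries", []):
            language = entry.get("library", {}).get("language")
            if language not in LANGUAGES:
                findings.append("%s: unsupported language %r" % (section, language))
    return findings, doc

def library_excluded(doc, section, language, name, version):
    """True if a `section` library exclusion covers the library (globs only outside security)."""
    def match(value, pattern):  # exact match for security, glob for stability/licensing
        return value == pattern if section == "security" else fnmatchcase(value, pattern)
    for entry in doc.get("exclusions", {}).get(section, {}).get("libraries", []):
        lib = entry.get("library", {})
        if lib.get("language") == language and match(name, lib.get("name", "")) \
                and (entry.get("version") == "*" or match(version, entry.get("version", ""))):
            return True
    return False
```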
