Exceptions

The Exceptions page displays the list of exceptions that have been created at the application, service and team level. Whenever a vulnerability or alert does not need to be addressed, because it does not impact the workflow or is otherwise not applicable, that vulnerability or alert can be marked as an exception so that it is ignored.

Users need admin access at the team level to add exceptions.

To View Exceptions

  • Navigate to Audit -> Exceptions. The exceptions page is displayed as shown below:

The top panel displays the Active Exceptions and Exceptions Audit tabs.

  • Active Exceptions - This tab displays the exceptions that are active and currently in use.

  • Exceptions Audit - This tab displays the expired exceptions, which are available for viewing only.

On clicking the Active Exceptions tab, the following details related to the active exceptions are displayed.

  • Name - Displays the name of the vulnerability that is marked as an exception.

  • Type - Displays the type of the vulnerability.

  • Application - Displays the name of the application that has the specified vulnerability.

  • Service - Displays the name of the service that has the specified vulnerability.

  • Approved By - Displays the name of the person by whom the exception was approved.

  • Description - Displays the reason added by the user to mark the vulnerability as an exception.

  • Valid Till - Displays the date and time until when the exceptions will be active.

  • Action - Click the three dots displayed in the Action column > Revoke, to revoke the created exception.

On clicking the Exceptions Audit tab, the following details related to the inactive exceptions are displayed.

  • Name - Displays the name of the vulnerability that is marked as an exception.

  • Type - Displays the type of the vulnerability.

  • Application - Displays the name of the application that has the specified vulnerability.

  • Service - Displays the name of the service that has the specified vulnerability.

  • Approved By - Displays the name of the person by whom the exception was approved.

  • Description - Displays the reason added by the user to mark the vulnerability as an exception.

  • Valid Till - Displays the date and time until when the exceptions will be active.

Upload CVE Suppression List

When migrating from another system that already has a list of suppressed vulnerabilities, users can bulk upload that suppression list using this option.

You can upload a JSON file, in the CycloneDX format shown in the example below, containing the list of vulnerabilities to be added as exceptions. Include the CVE IDs to be marked as exceptions in the file before uploading it.

Uploading the suppression list is team specific. The exception is applied for all the applications and services for the selected team. It cannot be applied to an application or service specifically.

To Add a Suppression List

  1. In the Exceptions page, click Upload Suppression List. A dialog box is displayed.

  2. Click Choose File and select the file to be uploaded.

  3. Click Save.

An example of the file format is shown below:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "vulnerabilities": [
    {
      "id": "CVE-2023-46589",
      "analysis": {
        "state": "not_affected",
        "justification": "code_not_reachable",
        "response": ["will_not_fix", "update"],
        "detail": "The vulnerable function is not called"
      },
      "affects": [
        {
          "ref": "pkg:npm/minimatch@0.3.0?file_path=app%2Fnode_modules%2Fmocha%2Fnode_modules%2Fminimatch%2Fpackage.json"
        }
      ]
    }
  ]
}
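Because a suppression list applies to every application and service in the team, a malformed or over-broad entry is worth catching before it is uploaded. The following Python script is an added example (not part of this product's documentation or code) that builds a CycloneDX 1.5 document in the format shown above from a list of CVE entries, and reviews an existing list, reporting entries whose analysis state would not actually suppress a finding, whose identifier is not a CVE, or that carry no reason. The vocabularies for analysis state, justification and response are those of the CycloneDX 1.5 specification; it is an assumption that the importer honours them beyond reading the CVE IDs. The sample document at the bottom is constructed, and `CVE-2099-0001` is a placeholder identifier.

```python
"""Build and review a CycloneDX 1.5 CVE suppression list (added example)."""
import json
import re

# CycloneDX 1.5 vulnerability analysis vocabularies (assumed to be what the
# importer checks; the page only shows one example document).
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}
SUPPRESSING_STATES = {"not_affected", "false_positive"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment", "protected_by_compiler",
                  "protected_at_runtime", "protected_at_perimeter",
                  "protected_by_mitigating_control"}
RESPONSES = {"can_not_fix", "will_not_fix", "update", "rollback", "workaround_available"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def build_suppression_list(entries):
    """Build a CycloneDX 1.5 document from suppression entries.

    Each entry is a dict with: id (CVE), justification, detail (the reviewer's
    reason), refs (package URLs affected) and an optional response list.
    Bad identifiers or vocabulary values raise ValueError so a typo cannot
    silently suppress the wrong thing; the same CVE listed twice is merged.
    """
    by_id = {}
    for entry in entries:
        cve = entry["id"].strip().upper()
        if not CVE_RE.match(cve):
            raise ValueError(f"not a CVE identifier: {entry['id']!r}")
        justification = entry["justification"]
        if justification not in JUSTIFICATIONS:
            raise ValueError(f"{cve}: unknown justification {justification!r}")
        response = list(entry.get("response", ["will_not_fix"]))
        unknown = set(response) - RESPONSES
        if unknown:
            raise ValueError(f"{cve}: unknown response(s) {sorted(unknown)}")
        detail = entry.get("detail", "").strip()
        if not detail:
            raise ValueError(f"{cve}: a reason (detail) is required")
        refs = [{"ref": r} for r in entry.get("refs", [])]
        if cve in by_id:
            by_id[cve]["affects"].extend(refs)  # same CVE, more components
            continue
        by_id[cve] = {
            "id": cve,
            "analysis": {"state": "not_affected", "justification": justification,
                         "response": response, "detail": detail},
            "affects": refs,
        }
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "vulnerabilities": list(by_id.values())}


def review_suppression_list(text):
    """Parse an existing list and return (suppressed_ids, problems).

    suppressed_ids: CVE ids whose analysis state actually means "suppress".
    problems: findings to fix before upload (non-CVE id, unknown vocabulary,
    a state that does not suppress anything, or no recorded reason).
    """
    doc = json.loads(text)
    suppressed, problems = [], []
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not CycloneDX")
    for vuln in doc.get("vulnerabilities", []):
        vid = str(vuln.get("id", ""))
        analysis = vuln.get("analysis", {})
        state = analysis.get("state")
        if not CVE_RE.match(vid):
            problems.append(f"{vid or '<missing id>'}: not a CVE identifier")
            continue
        if state not in ANALYSIS_STATES:
            problems.append(f"{vid}: unknown analysis state {state!r}")
            continue
        if state not in SUPPRESSING_STATES:
            problems.append(f"{vid}: state {state!r} does not suppress the finding")
            continue
        if analysis.get("justification") not in JUSTIFICATIONS:
            problems.append(f"{vid}: missing or unknown justification")
        if not analysis.get("detail", "").strip():
            problems.append(f"{vid}: no reason recorded in analysis.detail")
        suppressed.append(vid)
    return suppressed, problems


# Constructed sample: one good entry, one still in triage (placeholder id
# CVE-2099-0001) and one with a non-CVE identifier.
SAMPLE_TEXT = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "vulnerabilities": [
        {"id": "CVE-2023-46589",
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "response": ["will_not_fix"],
                      "detail": "The vulnerable function is not called"},
         "affects": [{"ref": "pkg:npm/minimatch@0.3.0"}]},
        {"id": "CVE-2099-0001",
         "analysis": {"state": "in_triage", "detail": "still being assessed"}},
        {"id": "GHSA-xxxx-yyyy-zzzz",
         "analysis": {"state": "not_affected", "justification": "code_not_present",
                      "detail": "not packaged"}},
    ],
})

if __name__ == "__main__":
    ids, findings = review_suppression_list(SAMPLE_TEXT)
    print("would suppress:", ids)
    for finding in findings:
        print("fix before upload:", finding)
```

Running the script reviews the constructed sample: only `CVE-2023-46589` would be suppressed, while the `in_triage` entry and the non-CVE identifier are reported for correction. Reviewing a migrated list this way before uploading it matters because, as the section above notes, the upload is applied to every application and service in the team and cannot be narrowed afterwards.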

If the suppression list is added for all the teams then for each team an entry is displayed in the Exceptions page as shown below:

To Add a Vulnerability as an Exception

To mark a vulnerability as an exception, navigate to the Vulnerabilities tab. In the vulnerability details panel, click on the vulnerability that you want to mark as an exception.

  • A popup is displayed with the details of the vulnerabilities as shown below:

  • Expand the Show Impacted Components section. The application and services that are impacted by this vulnerability and their details are displayed.

  • Click the three dots and select Provide Exception.

  • The Provide Exception dialog box is displayed as shown below:

  • Enter your reason for marking this as an exception in the Please provide your comments to approve exception box.

  • In the Exception Valid Upto drop down, select the date and time until which you want the exception to be active. The time range can be One Day, 7 Days, One Month, 6 Months, or you can customize the date range by selecting the Custom range option.

  • You can select if the exception needs to be applied for the entire application or only the particular service from the Exception Applicable to drop down.

    • Select Impacted Application if the exception needs to be applied for all the services in the application.

    • Select Impacted Service if the exception needs to be applied to the particular service in an application.

  • Click Approve.

The Vulnerability gets added as an exception.

To Add an Alert as an Exception

To mark an Alert as an exception, navigate to the Security Issues tab. In the alert details panel, click on the alert that you want to mark as an exception.

  • A popup is displayed with the details of the alert as shown below:

  • Expand the Show Impacted Components section. The application and service that are impacted by this alert and the details are displayed.

  • Click the three dots and select Provide Exception.

  • The Provide Exception dialog box is displayed as shown below:

  • Enter your reason for marking this as an exception in the Please provide your comments to approve exception box.

  • In the Exception Valid Upto drop down, select the date and time until which you want the exception to be active. The time range can be One Day, 7 Days, One Month, 6 Months, or you can customize the date range by selecting the Custom range option.

  • You can select if the exception needs to be applied for the entire application or only the particular service from the Exception Applicable to drop down.

    • Select Impacted Application if the exception needs to be applied for the entire application.

    • Select Impacted Service if the exception needs to be applied to the particular service only.

  • Click Approve.

The Alert gets added as an exception.

After exceptions are added at the Service, Application or Team level, they take effect from the next deployment of the services at the respective level.