Add application exclusions

Java, .NET Framework and .NET Core agents let you use an application exclusion to exclude certain applications, or parts of them, from security analysis.

To create application exclusions:

  1. Log in as an Administrator or RulesAdmin.

  2. Select Applications in the header and select the name of your application to open it. Select the Policy tab, then Exclusions.

    Note

    Exclusions only apply to the application for which they were created.

  3. Select Add Exclusion.

  4. In the window that appears, enter a Name for this exclusion (something you'll remember easily).

  5. Enter the Exclusion type. Input and URL-based exclusion definitions accept Perl Compatible Regular Expressions (PCRE). You can use these regex examples to guide you. There are three options:

    • Code: Enter the method signatures you want to be suppressed. For example, if you have a method called doLegacySecurity() inside a class called com.Acme.OldSecurity that is being reported for using insecure cryptographic algorithms, you can ignore it by entering:

      com.Acme.OldSecurity.doLegacySecurity

      Be sure to include the entire method signature without a trailing parameter definition or any other extra characters. Contrast matches this method signature against the stack trace for any vulnerabilities found. Contrast suppresses any method signatures containing a match.

    • Input: Enter an input type and an input name. Any findings using this input will be suppressed.

      • For Parameter, Header and Cookie: You must specify the name of the particular input for which you wish to suppress findings. You can use the wildcard * to suppress all findings from the selected input type.

      • QueryString and Body: These will suppress findings from the entire QueryString and Body, respectively. The QueryString and Body may only be excluded in conjunction with the URL exclusion pattern defined below.

      For the input type, you must also choose how to apply URLs:

      • All URLs: Findings using the specified input type and name will be suppressed regardless of where they’ve come from.

        This table includes example input regular expressions:

        Type      | Desired effect                              | Regular expression | Example
        ----------|---------------------------------------------|--------------------|-------------------------------------------------
        Cookie    | Exclude cookie names starting with a value  | ^App               | Excludes all cookie names starting with App
        Parameter | Exclude parameter names ending with a value | testing$           | Excludes all parameter names ending with testing
        Header    | Exclude explicitly named header             | ignore             | Excludes the header ignore only

      • These URLs: Specify a set of paths to which to apply the exclusion. This option allows regex.

        Tip

         A slash followed by a wildcard (/*) is an acceptable substitute for listing all URLs.

    • URL: Designate URLs that should be ignored by certain rules. List the URL paths to be excluded, one per line.

      Important

      Do not include protocol schemes (http:// or https://) or hostnames; only use path names.

      For .NET Framework and .NET Core, use . and * to build PCREs. For example:

      Desired effect                     | Regular expression | Example
      -----------------------------------|--------------------|-----------------------------------------------
      Exclude all subpaths               | /myapp/*           | Excludes all paths with the initial URL of /myapp/
      Exclude one subpath explicitly     | ^/myapp/thispath$  | Excludes only /myapp/thispath
      Exclude path ending                | .*ignore$          | Excludes all paths ending in ignore
      Exclude paths containing           | .*value*           | Excludes all paths containing value
      Exclude paths containing digits    | /myapp/\d+         | Excludes all paths like /myapp/1234
      Exclude paths containing non-digits | /myapp/\D+        | Excludes all paths like /myapp/word

      The Java agent will not recognize .* wildcards. Use * instead.

  6. Under Applicable rules, specify the scope of rules affected by the exclusion. All rules is the default, or you can click in the box to add other options:

    • All rules applies the exclusion to all vulnerabilities found in both Assess and Protect mode.

    • All Assess rules applies to all vulnerabilities found when Assess is enabled.

    • All Protect rules applies to all attack events when Protect is enabled.

    • Select one or more Protect or Assess rules to apply the exclusion to specific rules.

    Select individual Assess or Protect rules to further narrow the focus. Exclusions are only applied to vulnerabilities found by the selected rules.

  7. Select the box next to Suppress all events that match this exclusion if you want Contrast to suppress historical events that have already been reported.

  8. Select Save. The exclusion will be added to the list of exclusions. Any inputs that match the criteria you entered won't be processed with the rules you've applied. You can view this list either at Applications > Your application name > Policy > Exclusions or in the user menu > Policy management > Application exclusions. From the list, you can use the toggles to enable or disable the exclusion for Assess or Protect.
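An over-broad exclusion silently blinds Assess and Protect to real findings, so it is worth dry-running the input and URL patterns from the tables above against sample traffic before saving them. The following checker is an added example, not Contrast's code: it assumes the agent applies these patterns as unanchored regex searches (Python's `re` stands in for PCRE), and the sample findings are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample findings as (input type, input name, request path); not real data.
SAMPLE_FINDINGS = [
    ("Cookie", "AppSession", "/myapp/login"),
    ("Cookie", "JSESSIONID", "/myapp/login"),
    ("Parameter", "q_testing", "/search"),
    ("Parameter", "q", "/search"),
    ("Header", "ignore", "/api/items"),
    ("QueryString", "", "/myapp/1234"),
    ("QueryString", "", "/search"),
    ("Body", "", "/reports/legacy-ignore"),
    ("Body", "", "/other/myapp-legacy"),
]

@dataclass
class Exclusion:
    name: str
    input_type: str             # Parameter, Header, Cookie, QueryString or Body
    input_name: str             # regex over the input name; "*" = any name
    url_pattern: Optional[str]  # None = All URLs; otherwise a regex over the path

    def suppresses(self, itype: str, iname: str, path: str) -> bool:
        if itype != self.input_type:
            return False
        if self.input_name != "*" and not re.search(self.input_name, iname):
            return False
        return self.url_pattern is None or re.search(self.url_pattern, path) is not None

def dry_run(exclusions, findings):
    """Map each exclusion name to the sample findings it would suppress."""
    return {e.name: [f for f in findings if e.suppresses(*f)] for e in exclusions}

def url_hits(pattern: str, paths):
    """Paths a URL exclusion pattern matches (assumed unanchored search semantics)."""
    return [p for p in paths if re.search(pattern, p)]

if __name__ == "__main__":
    excl = [
        Exclusion("app-cookies", "Cookie", "^App", None),
        Exclusion("testing-params", "Parameter", "testing$", None),
        Exclusion("myapp-query", "QueryString", "*", r"^/myapp/\d+"),
    ]
    for name, hits in dry_run(excl, SAMPLE_FINDINGS).items():
        print(name, "->", hits)
    paths = [p for _, _, p in SAMPLE_FINDINGS]
    # Without a leading ^, /myapp/* also matches /other/myapp-legacy.
    print("/myapp/* ->", url_hits("/myapp/*", paths))
    print("^/myapp/ ->", url_hits("^/myapp/", paths))
```

Compare the two URL runs at the end: the unanchored `/myapp/*` form also suppresses a path that merely contains `/myapp`, so anchor the pattern with `^` when you mean a path prefix.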

Tip

You can also create a new exclusion from an existing attack event. When viewing the list of attack events, Attacks > Attack events, select the triangle in the far right column, then select Add exclusion. Selecting this button pre-populates the exclusion fields based on the details of this specific event.

Once created, this exclusion is visible in the list of exclusions.