
Add application exclusions

Java, .NET Framework, .NET Core, Node.js, Python, Go, and Ruby agents let you use an application exclusion to exclude certain applications, or parts of them, from security analysis.

Currently, PHP agents do not support application exclusions.

Before you begin

  • Access control requirement:

    • Users and groups: Organization RulesAdmin or Organization Admin role.

    • Role-based access control (preview feature): Role that includes the Edit application action.

  • Java and .NET agents support code exclusions.

  • Java, .NET, Node.js, Python, Ruby, and Go agents support input exclusions.

  • Java, .NET, Node.js, Python, and Ruby agents support URL exclusions.

  • Java and .NET Core agents support queue/topic (message queue) exclusions.

Steps

  1. Select Applications in the header and select the name of your application.

    Exclusions only apply to the application for which they were created.

  2. Select the Policy tab, and then select Exclusions.

  3. Select Add Exclusion.

    Tip

    You can also create an exclusion from an existing attack event. When viewing the list of attack events, Attacks > Attack events, select the triangle in the far right column, then select Add exclusion. Selecting this button pre-populates the exclusion fields based on the details of this specific event.

    Once created, this exclusion is visible in the list of exclusions.

  4. In Add Exclusions, enter a Name for this exclusion (something you'll remember easily).

  5. Select the Exclusion type.

    Input, URL, and Queue/topic exclusion definitions accept a subset of Perl Compatible Regular Expressions (PCRE) consisting of these constructs:

    .* matches 0 or more of any character
    .+ matches 1 or more of any character
    .? matches 0 or 1 of any character
    . matches exactly 1 of any character
    \. matches a literal . (escape the dot when you mean the character itself). Example: somefile\.jsp

    Use these constructs to build your patterns. Note that an unescaped . is a wildcard: somefile.jsp also matches somefileXjsp, so escape dots in file names and extensions.

    Select one of these options:

    • Code: Enter the method signatures you want to be suppressed. For example, if a method called doLegacySecurity() inside the class com.Acme.OldSecurity is being reported for using insecure cryptographic algorithms, you can ignore it by entering:

      com.Acme.OldSecurity.doLegacySecurity

      Enter the fully qualified class and method name, without a trailing parameter list or any other extra characters. Contrast matches this signature against the stack trace of each vulnerability it finds and suppresses the vulnerability when any frame contains a match. Because this is a containment match, keep the signature specific: a short value such as com.Acme would suppress every finding whose stack trace passes through that package.

    • Input: Enter an input type and an input name. Any findings using this input will be suppressed.

      Input exclusions provides details and examples on using these exclusions.

      • For Parameter, Header, and Cookie: You must specify the name of the particular input for which you wish to suppress findings. You can use the wildcard * to suppress all findings from the selected input type.

      • QueryString and Body: These will suppress findings from the entire QueryString and Body, respectively. The QueryString and Body may only be excluded in conjunction with the URL exclusion pattern defined below.

      For the Input exclusion type, under Applied URLs, choose how to apply URLs:

      • All URLs: Findings using the specified input type and name will be suppressed regardless of their origin.

      • These URLs: Specify a set of paths to which to apply the exclusion. You can use regex and wildcard expressions.

      Important

      Do not include protocol schemes (http:// or https://) or hostnames; only use path names beginning with /.

      Slash followed by dot-wildcard /.* is an acceptable substitute for listing all URLs.


    • URL: Designate URLs that should be ignored by certain rules. List the URL paths to be excluded, one per line. You can use regex and wildcard expressions.

    • Queue/topic: Specify a message queue or topic that should be ignored by certain rules. A message queue has one consumer while a topic has multiple consumers.

      Currently, this option is supported by the Java and .NET Core agents only.

      For the Queue/topic exclusion type, under Applied queues, choose how to apply the queues or topic names:

      • All queues/topics: Findings from all queues and topics are suppressed.

      • These queues: Specify a list of queue or topic names to be excluded. You can specify exact queue names or use regex and wildcard expressions.

  6. Under Applicable rules, specify the scope of rules affected by the exclusion. All rules is the default, or you can click in the box to select multiple options:

    • All rules applies the exclusion to all vulnerabilities found in both Assess and Protect mode.

    • Under Assess, All Assess rules applies to all vulnerabilities found when Assess is enabled.

    • Under Protect, All Protect rules applies to all attack events when Protect is enabled.

    • Under the Assess section or the Protect section, selecting individual rules lets you further narrow the focus. Exclusions are only applied to vulnerabilities that the selected rules find.

      If you select Input as the exclusion type, only rules that are triggered by user input can be selected; an input exclusion has no effect on rules that do not involve user input.

    • Under Assess and Protect, select individual rules found in both Assess and Protect mode.

  7. Select the box next to Suppress all events that match this exclusion if you want Contrast to suppress historical events that have already been reported.

  8. Select Add.

    The exclusion is added to the list of exclusions. Any inputs that match the criteria you entered won't be processed with the rules you've applied.

    You can view this list either at Applications > Your application name > Policy > Exclusions or in the user menu > Policy management > Application exclusions. From the list, you can use the toggles to enable or disable the exclusion for Assess or Protect.
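The following Python model, added here as an illustration and not Contrast's own code, shows how the exclusion types described in the steps above decide whether a finding is suppressed: the PCRE subset is validated so that an unsupported construct (an unescaped ?, a character class, \d) is rejected rather than silently accepted, URL patterns must be paths starting with /, QueryString and Body exclusions must be scoped to URL patterns, code exclusions are matched as a substring of stack frames, and the Applicable rules and Assess/Protect toggles narrow the scope. The Finding and Exclusion classes, the field names, the anchored full-match semantics for patterns, and the sample findings are all assumptions made for this example.

```python
"""Model of how Contrast application exclusions match findings.

Added illustration, not Contrast's code. Class names, field names, the
anchored (full-match) pattern semantics and the sample data are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Tokens the page lists as the supported PCRE subset: \.  .*  .+  .?  and .
# Anything else must be a plain literal; regex metacharacters are rejected so
# an unescaped '?' or '[' cannot silently change what a pattern matches.
_TOKEN = re.compile(r'\\\.|\.\*|\.\+|\.\?|\.|[^.\\*+?\[\](){}|^$]')


def compile_pattern(pattern: str, *, url: bool = False) -> "re.Pattern[str]":
    """Validate a pattern against the documented subset and compile it."""
    if url and not pattern.startswith("/"):
        raise ValueError(f"URL patterns must be paths starting with '/': {pattern!r}")
    pos = 0
    while pos < len(pattern):
        m = _TOKEN.match(pattern, pos)
        if m is None:
            raise ValueError(f"unsupported regex construct at offset {pos} in {pattern!r}")
        pos = m.end()
    return re.compile(pattern)


def is_supported(pattern: str, *, url: bool = False) -> bool:
    """True if compile_pattern accepts the pattern."""
    try:
        compile_pattern(pattern, url=url)
        return True
    except ValueError:
        return False


@dataclass
class Finding:
    rule: str                 # e.g. "sql-injection"
    mode: str                 # "assess" or "protect"
    url: str = ""             # request path only, as the agent reports it
    input_type: str = ""      # Parameter, Header, Cookie, QueryString, Body
    input_name: str = ""
    queue: str = ""
    stack: tuple = ()         # fully qualified frames, innermost first


@dataclass
class Exclusion:
    kind: str                            # "code", "input", "url" or "queue"
    value: str = ""                      # method signature or input name
    input_type: str = ""
    patterns: Optional[list] = None      # URL or queue patterns; None = all
    rules: Optional[set] = None          # None = All rules
    modes: frozenset = frozenset({"assess", "protect"})

    def __post_init__(self):
        url_scoped = self.kind in ("url", "input")
        if self.patterns is not None:
            self.patterns = [compile_pattern(p, url=url_scoped) for p in self.patterns]
        elif self.kind == "url":
            raise ValueError("URL exclusion needs at least one path pattern")
        if self.kind == "input" and self.input_type in ("QueryString", "Body") \
                and self.patterns is None:
            raise ValueError("QueryString/Body exclusions must be scoped to URL patterns")


def _any_match(patterns, value: str) -> bool:
    return patterns is None or any(p.fullmatch(value) for p in patterns)


def matches(exc: Exclusion, f: Finding) -> bool:
    """True when the exclusion suppresses the finding."""
    if f.mode not in exc.modes:                       # Assess/Protect toggle
        return False
    if exc.rules is not None and f.rule not in exc.rules:  # Applicable rules
        return False
    if exc.kind == "code":                            # substring of any frame
        return any(exc.value in frame for frame in f.stack)
    if exc.kind == "url":
        return _any_match(exc.patterns, f.url)
    if exc.kind == "input":
        if f.input_type != exc.input_type:
            return False
        named = exc.input_type in ("Parameter", "Header", "Cookie")
        if named and exc.value != "*" and exc.value != f.input_name:
            return False
        return _any_match(exc.patterns, f.url)        # Applied URLs
    if exc.kind == "queue":
        return _any_match(exc.patterns, f.queue)
    raise ValueError(f"unknown exclusion type {exc.kind!r}")


def surviving(exclusions, findings):
    """Findings that no exclusion suppresses, i.e. the ones still reported."""
    return [f for f in findings if not any(matches(e, f) for e in exclusions)]


# Constructed sample policy and findings (not real data).
POLICY = [
    Exclusion("code", "com.Acme.OldSecurity.doLegacySecurity", rules={"crypto-bad-mac"}),
    Exclusion("input", "X-Debug", input_type="Header"),                 # All URLs
    Exclusion("input", input_type="Body", patterns=["/internal/.*"]),
    Exclusion("url", patterns=["/health", "/static/.+\\.js"], modes=frozenset({"protect"})),
    Exclusion("queue", patterns=["legacy-.*"]),
]
FINDINGS = [
    Finding("crypto-bad-mac", "assess", stack=("com.Acme.OldSecurity.doLegacySecurity(OldSecurity.java:42)",)),
    Finding("sql-injection", "assess", stack=("com.Acme.OldSecurity.doLegacySecurity(OldSecurity.java:42)",)),
    Finding("xss", "assess", url="/search", input_type="Header", input_name="X-Debug"),
    Finding("xss", "assess", url="/search", input_type="Header", input_name="Host"),
    Finding("cmd-injection", "assess", url="/internal/jobs", input_type="Body"),
    Finding("cmd-injection", "assess", url="/api/jobs", input_type="Body"),
    Finding("bot-blocker", "protect", url="/static/app.js"),
    Finding("bot-blocker", "assess", url="/static/app.js"),
    Finding("xxe", "assess", queue="legacy-orders"),
]

if __name__ == "__main__":
    for f in surviving(POLICY, FINDINGS):
        print("reported:", f.rule, f.mode, f.url or f.queue or f.stack[0])
```

Running the model reports only the sql-injection finding (its rule is outside the code exclusion's scope), the xss finding on the Host header, the cmd-injection finding outside /internal/, and the Assess-mode bot-blocker event (the URL exclusion is enabled for Protect only); everything else is suppressed. The rejection of unsupported regex constructs is the check most worth carrying over to a real policy review, since a pattern that the agent interprets differently from what the author intended fails open.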