Create custom Scan rule exclusions
Create custom Scan rule exclusions when you are confident that a specific rule is generating multiple false positives and you are frequently setting the status for these findings to Not a Problem.
Before you begin
Before you exclude rules, run a baseline scan to determine which rules are creating false positives.
Excluding rules affects the findings for the scan project.
Location of Scan rules
The Contrast Scan rules section links to tables where you can find the rules for each language. Alternatively, during a scan, you can find the rules in target/engines/sast-engine4/rulesets under the source directory that you're scanning with the Scan local engine.
Important
The sast-engine4 folder and its subfolders are available only temporarily, while a scan is in progress. For easy access, make a copy of the rulesets folder. This folder contains a security rules file for each language (qaking_{lang}_security.xml) that the Scan local engine supports. To find the name of a rule in a file, search for the string <rule name=".
Steps
Create a text file called contrastsec.checks.config and place it at the root of the project you are going to scan. The format of the file is:

[rule-Engine-rule-ID]
active=false

To exclude multiple rules, repeat the block of lines with an empty row between each block. For example, to exclude the Detect and handle input/output errors and Don't use cast rules for CPP, the file looks like this:

[OPT.CPP.CERTC.FIO33]
active=false

[OPT.CPP.DontUseCast]
active=false
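As an added example (not part of the Contrast documentation or the Scan engine), the following Python script audits which rule IDs a contrastsec.checks.config disables and checks them against the rule names found in a copied ruleset file. It assumes the config file parses as INI-style sections and that rules appear as <rule name="..."> elements; the sample file contents are constructed, and OPT.CPP.Typo.NotARule is a deliberately invented ID to show how a mistyped exclusion is reported.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed stand-in for a qaking_{lang}_security.xml ruleset; the real
# files may carry more structure, but the page says rule names live in
# <rule name="..."> entries, which is all this audit relies on.
SAMPLE_RULESET_XML = """<?xml version="1.0"?>
<ruleset>
  <rule name="OPT.CPP.CERTC.FIO33" />
  <rule name="OPT.CPP.DontUseCast" />
  <rule name="OPT.CPP.CERTC.EXP33" />
</ruleset>"""

# Constructed contrastsec.checks.config: one [rule-id] block per rule with a
# blank line between blocks. The last ID is a typo that matches no rule.
SAMPLE_CHECKS_CONFIG = """[OPT.CPP.CERTC.FIO33]
active=false

[OPT.CPP.DontUseCast]
active=false

[OPT.CPP.CERTC.EXP33]
active=true

[OPT.CPP.Typo.NotARule]
active=false
"""

def rule_names_from_ruleset(xml_text):
    """Collect the name attribute of every <rule> element in a ruleset."""
    root = ET.fromstring(xml_text)
    return {r.get("name") for r in root.iter("rule") if r.get("name")}

def excluded_rules(config_text):
    """Return the set of rule IDs whose block sets active=false."""
    parser = configparser.ConfigParser()
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(config_text)
    return {s for s in parser.sections()
            if parser.get(s, "active", fallback="true").lower() == "false"}

def audit(config_text, xml_text):
    """Split exclusions into (known rule IDs, IDs absent from the ruleset).
    An unknown ID silently excludes nothing, so it is worth flagging."""
    known = rule_names_from_ruleset(xml_text)
    excluded = excluded_rules(config_text)
    return sorted(excluded & known), sorted(excluded - known)

if __name__ == "__main__":
    known, unknown = audit(SAMPLE_CHECKS_CONFIG, SAMPLE_RULESET_XML)
    print("excluded rules present in ruleset:", known)
    print("excluded IDs not found in ruleset:", unknown)
```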
Effects of Scan rule exclusions
When you disable rules using the contrastsec.checks.config file, the status of the findings corresponding to the excluded rule changes to Remediated.
If you re-enable the rule using the contrastsec.checks.config file or remove the file, the status of the findings corresponding to the newly enabled rule changes to Reopened.
Contrast Scan rules
These tables include the supported Contrast Scan rules: