Hiding false positives, revoked credentials, etc.
Sometimes, Security for Bitbucket will find vulnerabilities which are false positives, credentials which have already been revoked, etc. If this happens, you can review the finding. This marks the finding, as well as any other findings which exactly match it, as reviewed in the current and future scans.
Security for Bitbucket has two ways to do this:
Bitbucket users with repository-write permissions can review findings from the Security Analysis. Findings reviewed this way are scoped to the repository the finding is in.
Bitbucket administrators and anyone granted explicit access can review findings globally, on the Soteri Security Settings page.
In any dashboard, Reviewed findings are not counted towards the total vulnerability count when determining whether a repository is secure.
Marking findings as reviewed only applies to committed content. When introducing a new false positive, it is preferable to allowlist each false positive with an inline pragma in the commit which introduces it.
Reviewing in the scope of a Repository
Users with repository write permissions can review findings for a particular repository.
Reviewing a finding from the Security Analysis
Open the finding that you want to review, and click on the Mark reviewed button to open the confirmation window:
Marking a finding as reviewed saves the exact string captured by the rule (in this case, FACEBOOK).setClientId("950513172001321
). That exact string will be marked as reviewed for all existing and future scans.
Once reviewed, the finding can be shown again with the “Show reviewed” toggle, where it can be unmarked.
Note that reviewed findings are scoped to a repository – identical findings across multiple repositories must be reviewed separately, or globally by an administrator (see below).
Exporting Reviewed Findings
Reviewed findings can be exported to a csv
file by selecting the appropriate option in the Export dropdown in the upper-right of the Global, Project-level, and Repository-level dashboards.
Here is an example at the Project level:
Reviewed findings are exported in the following format:
You may also export reviewed findings via a call to the REST API.
Reviewing findings globally
Bitbucket administrators, or anyone granted explicit access (see Granting App Access to Additional Users and Groups) can review findings across all repositories in your Bitbucket instance using a CSV upload workflow.
Globally review findings show up as “Globally Reviewed” on the Security Analysis pages, and cannot be reviewed in the repository scope.
Adding globally reviewed findings
Navigate to the settings page. Then, click on the “Add Reviewed” button under “Globally Review Findings”:
Clicking on this button will open a modal which allows you to download a template for adding globally reviewed findings, and select an existing file to upload.
Uploaded files should be CSVs with a single column titled “Match text”. Every row will be interpreted as a case-sensitive globally reviewed finding to add.
You can copy over “Match text” column in an export to create the upload file.
An audit log event is generated when globally reviewed findings are added. See Viewing Audited Events for more information.
Deleting globally reviewed findings
Navigate to the settings page. Then, click on the “Remove Reviewed” button under “Globally Review Findings”:
Clicking on this button will open a modal which allows you to download a template for removing globally reviewed findings, and select an existing file to upload.
Uploaded files should be CSVs with a single column titled “Match text”. Every row will be interpreted as a case-sensitive globally reviewed finding to remove.
You can un-review by copying the “Match text” from an export of globally reviewed findings.
An audit log event is generated when globally reviewed findings are removed. See Viewing Audited Events for more information.
Exporting globally reviewed findings
Navigate to the settings page. Then, click on the “Export” button under “Globally Review Findings”:
Exports are in CSV format and include:
The exact text of the globally reviewed finding
Who reviewed it
When it was reviewed
Globally reviewed findings can also be exported via REST API.