Sometimes, Security for Bitbucket will identify findings which are false positives, credentials which have already been revoked, etc. If this happens, you can review the finding. This marks the finding, as well as any other findings which exactly match it, as reviewed in the current and future scans.
Security for Bitbucket has two ways to do this:
Bitbucket users with repository-write permissions can review findings from the Security Analysis. Findings reviewed this way are scoped to the repository the finding is in.
Bitbucket administrators and anyone granted explicit access can review findings globally, on the Soteri Security Settings page.
In any dashboard, Reviewed findings are not counted towards the total vulnerability count when determining whether a repository is secure.
Marking findings as reviewed only applies to committed content. When introducing a new false positive, it is preferable to allowlist each false positive with an inline pragma in the commit which introduces it.
Reviewing in the scope of a Repository
Users with repository write permissions can review findings for a particular repository.
Reviewing a finding from the Security Analysis page
Open the finding that you want to review, and click on the Mark reviewed button to open the confirmation window:
Marking a finding as reviewed saves the exact string captured by the rule (in this case,
FACEBOOK).setClientId("950513172001321). That exact string will be marked as reviewed for all existing and future scans.
Once reviewed, the finding can be shown again with the “Show reviewed” toggle, where it can be unmarked.
Note that reviewed items are scoped to a repository – identical findings across multiple repositories must be reviewed separately, or globally by an administrator (see below).
Exporting Reviewed False Positives
All items previously marked reviewed can be exported to a
csv file by selecting the appropriate option in the Export dropdown in the upper-right of the Global, Project-level, and Repository-level dashboards.
Here is an example at the Project level:
Reviewed false positives are exported in the following format:
You may also export reviewed false positives via a call to the REST API.
Reviewing findings globally
Bitbucket administrators, or anyone granted explicit access (see Granting App Access to Additional Users and Groups) can add reviewed false positives which apply across all repositories in your Bitbucket instance using a CSV upload workflow.
Findings which match any of the global false positives show up as “Globally Reviewed” on the Security Analysis pages, and cannot be reviewed in the repository scope.
Adding new global false positives
Navigate to the settings page. Then, click on the “Add Reviewed” button under “Globally Review Findings”:
Clicking on this button will open a modal which allows you to download a template for adding global false positives, and select an existing file to upload.
Uploaded files should be CSVs with a single column titled “Match text”. Every row will be interpreted as a case-sensitive globally reviewed text to add.
An audit log event is generated when globally reviewed false positives are added. See Viewing Audited Events for more information.
Deleting globally reviewed false positives
Navigate to the settings page. Then, click on the “Remove Reviewed” button under “Globally Review Findings”:
Clicking on this button will open a modal which allows you to download a template for removing globally reviewed false positives, and select an existing file to upload.
Uploaded files should be CSVs with a single column titled “Match text”. Every row will be interpreted as a case-sensitive globally reviewed text to remove.
You can un-review by copying the “Match text” from an export of globally reviewed findings.
An audit log event is generated when globally reviewed false positives are removed. See Viewing Audited Events for more information.
Exporting globally reviewed false positives
Navigate to the settings page. Then, click on the “Export” button under “Globally Review Findings”:
Exports are in CSV format and include:
The exact text that is considered reviewed
Who reviewed it
When it was reviewed
Globally reviewed false positives can also be exported via REST API.