[Bug BLOCKER] Ignoring vuln_id with a json file doesn't work.

[Yivan]

Hello,

Thanks for providing to us this nice security package.

I use last phar version, and set the config file like this:
setFalsePositives: "./tests/php/progpilot-false-positive.json"

and the json files with reported false positive:

{
  "false_positives": [
    {
	  "vuln_id": "fcfa05bd72416786bcbf09289f64dad31d0afe89145421d42f2023f0198550ad",
	  "vuln_id": "14fad770072acbb70eebdf1aeba31c032d63c6806c2cc94de1c97266d2fea41a"
	}
  ]
}

I tryed with just one:

{
  "false_positives": [
    {
	  "vuln_id": "fcfa05bd72416786bcbf09289f64dad31d0afe89145421d42f2023f0198550ad"
	}
  ]
}

,and like this too:

{
  "false_positives": [
    {
	  "vuln_id": "fcfa05bd72416786bcbf09289f64dad31d0afe89145421d42f2023f0198550ad"
	},
    {
	  "vuln_id": "14fad770072acbb70eebdf1aeba31c032d63c6806c2cc94de1c97266d2fea41a"
	}
  ]
}

But problem are always displayed when i run the phar file : (
The json config is well parsed by progpilot because if the format is not good i got an error message, so the config and the json file is well loaded in progpilot.
Is it a bug or i missed something ? Actually I cannot use it because some false positive are reported and i would like to silent them.

When several vuln_id, which is the good format from my 2 examples ?

Thanks a lot!

[Yivan]

For information, i tried with a php file, but the yaml config seems to accept only json config, am i right ?
Another way, is it possible to define the vuln_id array directly in the yaml configuration, i tried but it send a message saying it muset be a file... it seems it is not possible too ?
Best regards.

[Yivan]

I found why...
@eric-therond @designsecurity I don't know if this is wanted, but the feature to set false positive is not availables for custom rules. So in this case the only way is to exclude the file or remove the rules, both being not the best.
I don't know if it is a bug or wanted, but if wanted documentation should said this. Actually it is not indicated: https://github.com/designsecurity/progpilot/blob/master/docs/FALSE_POSITIVES.md

I think false positive should work on custom rules too, and hope it could be fixed.

Only tainted rules get the false positive check:

• progpilot/package/src/progpilot/Analysis/SecurityAnalysis.php

  Line 299 in 0306890

  if ($nbtainted && is_null($context->inputs->getFalsePositiveById($hashIdVuln))) {

Here are the place to fix, for the other missing type (i imagine just adding an if condition):

• progpilot/package/src/progpilot/Representations/DFSVisitor.php

  Line 43 in d5fafdb

  if (($rule->getCurrentOrderNumber() % $mod)

• progpilot/package/src/progpilot/Analysis/CustomAnalysis.php

  Line 33 in 7e74e5f

  if ($result) {

• progpilot/package/src/progpilot/Analysis/CustomAnalysis.php

  Line 237 in 7e74e5f

  if (!$isValid) {

Thanks.

[eric-therond]

Thanks for the report and the investigations @Yivan
I have fixed this issue.
v0.7 of progpilot should be released soon.

[Yivan]

@eric-therond Thanks a lot for this fast fix.
Juste tested it, and I confirm all is ok!