Ignoring Vulnerabilities in Snyk

When you run a Snyk test, you may encounter vulnerabilities that you wish to ignore for various reasons. This guide will walk you through the process of ignoring a specific vulnerability using the Snyk CLI and a policy file.

Step 1: Run the Snyk Test

First, execute the following command to test your code:

% snyk code test

You might see output similar to this:

Testing /mydir ...

 ✗ [High] Cross-Site Request Forgery (CSRF)
     Path: src/com/xxx/ConfigSecurity.java, line 22
     Info: CSRF protection is disabled. This allows attackers to execute requests on a user's behalf.

✔ Test completed

Step 2: Identify the Vulnerability ID

To find the specific ID of the vulnerability, run:

% snyk code test --json

This command will return a JSON response containing details about the vulnerabilities, including their IDs. Look for the section that includes the ID:

{
  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
  "runs": [
    {
      "tool": {
        "driver": {
          "rules": [
            {
              "id": "java/DisablesCSRFProtection",
              "name": "DisablesCSRFProtection",
              ...

Step 3: Create a Snyk Policy File

Next, you can create a policy file to ignore the identified vulnerability. Use the following command:

% snyk ignore --id=java/DisablesCSRFProtection

This will generate a .snyk policy file in your project directory. The contents of the file will look something like this:

# Snyk policy file to ignore known vulnerabilities.
version: v1.25.0
ignore:
  java/DisablesCSRFProtection:
    - '*':
        reason: None Given
        expires: 2022-07-24T11:41:53.787Z
        created: 2022-06-24T11:41:53.791Z
patch: {}

Step 4: Verify the Ignored Vulnerability

After creating the policy file, run the Snyk test again in the same directory:

% snyk code test

If the configuration was successful, the previously reported vulnerability should no longer appear in the test results. However, if it still shows up, ensure that the policy file is correctly placed in the project directory and that the ID matches the one you intended to ignore.
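As an added example (not part of this guide or of Snyk's own tooling), the following Python script reads a .snyk file in the layout that snyk ignore writes and flags the ignores a periodic review should revisit: placeholder reasons such as "None Given", the wildcard path '*' (which suppresses the issue in every file rather than at one location), and entries whose expiry has passed (after which Snyk reports the issue again). The sample policy is constructed; the second issue id and its path are hypothetical, added for contrast. The --reason and --expiry flags of snyk ignore fill those fields properly at creation time.

```python
from datetime import datetime, timezone
# Constructed sample .snyk file: the wildcard entry generated above plus a
# hypothetical scoped, justified entry (made-up issue id) for contrast.
SAMPLE_POLICY = """\
version: v1.25.0
ignore:
  java/DisablesCSRFProtection:
    - '*':
        reason: None Given
        expires: 2022-07-24T11:41:53.787Z
  java/HypotheticalIssue:
    - 'src/test/LegacyTest.java':
        reason: Test-only code, tracked in ticket SEC-PLACEHOLDER
        expires: 2099-01-01T00:00:00.000Z
patch: {}
"""

def parse_ignores(text):
    """Minimal reader for the 2/4/8-space ignore: layout `snyk ignore` writes."""
    ignores, issue_id, entry, in_ignore = {}, None, None, False
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                                 # top-level key
            in_ignore = body == "ignore:"
        elif in_ignore and indent == 2:                 # issue id
            issue_id = body.rstrip(":")
        elif in_ignore and indent == 4 and body.startswith("- "):   # path entry
            entry = {"path": body[2:].rstrip(":").strip("'\"")}
            ignores.setdefault(issue_id, []).append(entry)
        elif in_ignore and indent == 8:                 # reason / expires / created
            key, _, value = body.partition(":")
            entry[key.strip()] = value.strip()
    return ignores

def audit(text, now=None):
    # Returns (issue_id, path, finding) tuples that a review should revisit.
    now, findings = now or datetime.now(timezone.utc), []
    for issue_id, entries in parse_ignores(text).items():
        for e in entries:
            if e.get("reason", "").lower() in ("", "none given"):
                findings.append((issue_id, e["path"], "no justification recorded"))
            if e["path"] == "*":
                findings.append((issue_id, e["path"], "wildcard path ignores every occurrence"))
            exp = datetime.strptime(e["expires"], "%Y-%m-%dT%H:%M:%S.%fZ") if "expires" in e else None
            if exp and exp.replace(tzinfo=timezone.utc) < now:
                findings.append((issue_id, e["path"], "expired; Snyk will report it again"))
    return findings
```

Running audit(SAMPLE_POLICY) reports three findings for the generated entry and none for the justified, scoped one.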

Conclusion

Ignoring vulnerabilities in Snyk can be a useful way to manage issues that are not relevant to your current context. Always document your reason for each ignore, and review the ignores periodically so that none of them outlives the justification it was created with.