The Code Suppressions Report

Overview

The Code Suppressions Report, accessible via your Mend Platform’s main navigation, provides a clear overview of suppressed findings in your project. It shows which user suppressed each finding, when, and why, helping you manage security risks effectively.

Getting it done

There are two ways to generate a Code Suppressions Report in the Mend Platform user interface:

  1. Via the Reports page.

  2. Via a chosen Application/Project.

Note: To investigate code findings, address false positives, and communicate results, please visit our Triage Your Code Security Findings document.

Generate the Code Suppressions Report via the Reports Page

  1. Click the Reports button located in the top bar of the Mend Platform user interface.

  2. Click the Create button at the top-right edge of the Reports page.

  3. Select Code Suppressions from the drop-down list of the Create Report wizard.

  4. Scope - Define the report’s scope by specifying the Application. You can also narrow the scope by selecting a Project within the Application.

  5. Configuration - Specify the Report Name. The Format is CSV.

  6. Click Create.

Generate the Code Suppressions Report via a chosen Application/Project

  1. Navigate to the desired Application or Project and click on it.

  2. Click Code on the left pane.

  3. Click the Create Report button at the top-right edge of the Code Findings page.

  4. Select Code Suppressions from the drop-down list of the Create Report wizard.

  5. Scope - The scope option is locked based on the Application or Project selection you made when accessing the Code Findings page.

  6. Configuration - Specify the Report Name. The Format is CSV.

  7. Click Create.

Understanding the Code Suppressions Report

The Code Suppressions Report provides comprehensive details on suppressed findings in your project.
The following is an example of the report in table format:

| Finding Suppressed Date | CWE / Vulnerability Type | Severity | Sink Location | Sink Name | Finding Detection Date | Suppressed by User Name | Suppressed Note | Reason | Project |
|-------------------------|--------------------------|----------|---------------|-----------|------------------------|-------------------------|-----------------|--------|---------|
| 2024-09-17              | CWE-79                   | Medium   | src/main.java | login     | 2024-09-15             | John Doe                | False positive  | Review | MyApp   |
| 2024-09-17              | CWE-338                  | Low      | src/auth.java | authCheck | 2024-09-14             | Jane Smith              | Accepted risk   | Accept | MyApp   |

Example breakdown:

  • Finding Suppressed Date: The date when the security finding was suppressed.

  • CWE / Vulnerability Type: Identifies the type of security vulnerability or weakness, referencing the Common Weakness Enumeration (CWE) classification.

  • Severity: The level of risk associated with the vulnerability.

  • Sink Location: The location within the code where the vulnerability could lead to exploitation.

  • Sink Name: The name or identifier of the sink function or module where the vulnerability occurs.

  • Finding Detection Date: The date and time when the vulnerability was first detected.

  • Suppressed by User Name: The name of the user who suppressed the finding.

  • Suppressed Note: The comment submitted by the user who suppressed the finding.

  • Reason: Explains why the finding was suppressed.

  • Project: The project's name or repository where the vulnerability was detected and suppressed.
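
Because the report records who suppressed each finding, when, and why, the CSV can be audited for suppressions that deserve a second look. The following Python script is an added example, not part of Mend's documentation or tooling: it flags suppressions with no meaningful note, suppressions of high-severity findings, and findings suppressed on the day they were detected. It assumes the CSV header row uses the column names shown in the table above, that dates are ISO-formatted, and that `High` and `Critical` are severity labels; the third sample row is constructed.

```python
import csv
import io
from collections import Counter
from datetime import date

# Sample export: first two rows are the page's example, the third is constructed.
# Assumption: the CSV header row matches the column names in the table above.
SAMPLE_CSV = """\
Finding Suppressed Date,CWE / Vulnerability Type,Severity,Sink Location,Sink Name,Finding Detection Date,Suppressed by User Name,Suppressed Note,Reason,Project
2024-09-17,CWE-79,Medium,src/main.java,login,2024-09-15,John Doe,False positive,Review,MyApp
2024-09-17,CWE-338,Low,src/auth.java,authCheck,2024-09-14,Jane Smith,Accepted risk,Accept,MyApp
2024-09-18,CWE-89,High,src/db.java,runQuery,2024-09-18,John Doe,,Accept,MyApp
"""

REVIEW_SEVERITIES = {"high", "critical"}  # assumed severity labels


def audit_suppressions(csv_text, min_note_len=5, quick_days=1):
    """Return (flags, per_user): rows needing review and suppression counts per user."""
    flags, per_user = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["Suppressed by User Name"].strip()
        per_user[user] += 1
        reasons = []
        if len((row["Suppressed Note"] or "").strip()) < min_note_len:
            reasons.append("missing or very short note")
        if row["Severity"].strip().lower() in REVIEW_SEVERITIES:
            reasons.append("high-severity finding suppressed")
        # Assumption: ISO dates; [:10] drops a time component if one is present.
        detected = date.fromisoformat(row["Finding Detection Date"].strip()[:10])
        suppressed = date.fromisoformat(row["Finding Suppressed Date"].strip()[:10])
        if (suppressed - detected).days < quick_days:
            reasons.append("suppressed the day it was detected")
        if reasons:
            flags.append((row["CWE / Vulnerability Type"], row["Sink Location"], user, reasons))
    return flags, per_user


if __name__ == "__main__":
    flagged, counts = audit_suppressions(SAMPLE_CSV)
    for cwe, sink, user, reasons in flagged:
        print(f"{cwe} at {sink} (by {user}): {'; '.join(reasons)}")
    print(dict(counts))
```

The thresholds `min_note_len` and `quick_days` are illustrative defaults; tune them to your own suppression policy.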
