Set up target baselines
It is good practice to specify a baseline for every target. The baseline represents the root variant, such as the `main` branch or the latest tag. In some cases, you might want to use the name of the latest official release as the baseline. Baselines make it easy to distinguish issues that already exist in the baseline from issues introduced in a downstream variant derived from that baseline.
To view all targets in your account and specify baselines for them, go to Security Tests (left menu) and then Test Targets.
Specify a default baseline using regular expressions
In some cases, you might want to use the name of the latest release as your target baseline. Suppose your organization publishes releases with names such as:
- `3`, `3.17`, `3.17.3`, `3.18`, ...
- `1.14.6-linux-amd64`, `1.14.11-linux-amd64`, `1.15.4-linux-amd64`, ...
- `2023-02-29`, `2023-03-05`, `2023-03-12`, `2023-03-19`, ...
With this cadence, you can use a regular expression (regex) to capture the latest release name and use it as the baseline. The default baseline then updates whenever you create a new release branch and scan it.
Advantages of using regular expressions to define baselines
Defining your baselines using regular expressions provides significant benefits over using hard-coded strings such as `main` or `latest`.
Dynamic baselines more accurately reflect the current "root" element in the context of a real-world software development life cycle. A typical sprint cycle might run like this:
- Publish the current release (for example, `1.2.3`) and merge this branch into `main`.
- Create a "next-release" branch (for example, `1.2.4`) from `main`.
- Create branches from `1.2.4` for different features, hotfixes, and so on.
- When the release is ready to publish, merge the various branches into `1.2.4`.
- Publish the release, merge `1.2.4` into `main`, create a new release branch such as `1.2.5`, and repeat the cycle.
Given this cadence, `1.2.4` more accurately reflects the baseline for the current sprint than `main`. Given a matching regex, the first scan after creating the branch establishes `1.2.4` as the current baseline. This remains the current baseline until `1.2.4` gets merged into `main` and `1.2.5` gets created and scanned.
Dynamic baselines make it easier to track the introduction and remediation of specific vulnerabilities. The lifecycle of a specific vulnerability might run like this:
- A new release branch `1.2.3` is created. You scan this branch, which matches your regex, and it becomes the current baseline. The scan detects a new vulnerability, vXYZ, with a severity of MEDIUM.
- A few sprints later, the vulnerability is remediated in a branch that gets merged into `1.2.7`. `1.2.7` is scanned before getting merged into `main`, and vXYZ is no longer in the scan results.
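The sprint cycle and the vulnerability lifecycle above can be replayed in code to see which baseline each scan is compared with. The following Go program is an added example; it is not part of this documentation or of the Harness product. The scan records, dates and finding IDs are constructed, the anchored pattern `^\d+\.\d+\.\d+$` is an assumed release-branch naming scheme, and `BaselineAt` and `Diff` are the example's own model of the rule that the baseline is the most recently scanned target matching the expression (how the product itself diffs a variant against its baseline is not described on this page).

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Scan is one constructed scan record; all data in this file is made up for illustration.
type Scan struct {
	Target    string
	ScannedAt time.Time
	Findings  []string // IDs of the findings the scan reported
}

// BaselineRegex is an assumed release-branch naming scheme, anchored so that
// a name such as "feature/1.2.4-fix" cannot match as a substring.
var BaselineRegex = regexp.MustCompile(`^\d+\.\d+\.\d+$`)

// day parses a constructed YYYY-MM-DD scan date.
func day(s string) time.Time {
	t, err := time.Parse("2006-01-02", s)
	if err != nil {
		panic(err)
	}
	return t
}

// SampleScans replays the sprint cycle: 1.2.3, 1.2.4 and 1.2.7 match the regex, main and a feature branch do not.
func SampleScans() []Scan {
	return []Scan{
		{"1.2.3", day("2023-01-05"), []string{"vXYZ"}},
		{"main", day("2023-01-06"), []string{"vXYZ"}},
		{"1.2.4", day("2023-01-10"), []string{"vXYZ", "vABC"}},
		{"feature/login", day("2023-01-12"), []string{"vXYZ", "vABC", "vNEW"}},
		{"1.2.7", day("2023-02-20"), []string{"vABC"}},
	}
}

// matchingScans returns the scans of regex-matching targets taken at or before asOf, oldest first.
func matchingScans(re *regexp.Regexp, scans []Scan, asOf time.Time) []Scan {
	var out []Scan
	for _, s := range scans {
		if re.MatchString(s.Target) && !s.ScannedAt.After(asOf) {
			out = append(out, s)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ScannedAt.Before(out[j].ScannedAt) })
	return out
}

// BaselineAt applies the rule that the baseline is the most recently scanned
// target matching the expression, using only scans up to asOf ("" if none).
func BaselineAt(re *regexp.Regexp, scans []Scan, asOf time.Time) string {
	m := matchingScans(re, scans, asOf)
	if len(m) == 0 {
		return ""
	}
	return m[len(m)-1].Target
}

// Diff compares variant with the baseline current at its scan time: introduced
// are findings the baseline lacked, fixed are baseline findings the variant no
// longer reports. A scan of the baseline target itself is compared with the
// previous baseline, since comparing it with its own results shows nothing.
func Diff(re *regexp.Regexp, variant Scan, scans []Scan) (introduced, fixed []string) {
	m := matchingScans(re, scans, variant.ScannedAt)
	for len(m) > 0 && m[len(m)-1].Target == variant.Target {
		m = m[:len(m)-1]
	}
	var base []string
	if len(m) > 0 {
		base = m[len(m)-1].Findings
	}
	return missingFrom(variant.Findings, base), missingFrom(base, variant.Findings)
}

// missingFrom returns the elements of a that do not occur in b, sorted.
func missingFrom(a, b []string) []string {
	in := map[string]bool{}
	for _, f := range b {
		in[f] = true
	}
	var out []string
	for _, f := range a {
		if !in[f] {
			out = append(out, f)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	scans := SampleScans()
	for _, s := range scans {
		introduced, fixed := Diff(BaselineRegex, s, scans)
		fmt.Printf("%s %-14s baseline=%-6s introduced=%v fixed=%v\n", s.ScannedAt.Format("2006-01-02"), s.Target, BaselineAt(BaselineRegex, scans, s.ScannedAt), introduced, fixed)
	}
}
```

Running it shows that the scan of `main` has no baseline of its own but is compared against `1.2.3`, that the feature branch is compared against `1.2.4` (reporting only vNEW as introduced), and that the `1.2.7` scan is the first matching scan in which vXYZ is reported as fixed.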
Important notes
- Use a consistent naming scheme for your scanned targets. This is necessary to ensure that your regular expression captures your baselines consistently and predictably.
- Carefully consider which targets you want to use for your baselines. In general, the baseline should be the root element for all your current variants.
- When you specify a regular expression, the baseline is the most recently scanned target that matches the expression.
- Use RE2 syntax for your expressions.
- Defining regular expressions is outside the scope of this documentation. Harness recommends that you test any regular expression thoroughly to ensure that it matches every variant name that might be used for the scan target.
Regex examples
The following table shows a few simple examples of expressions for specific use cases.
Variant names | Regular expression | Description |
---|---|---|
release-20230420, release-20230427, release-20230504, release-20230511 | `release\-\d+` | `release-` followed by one or more digits |
code-v1.1, code-v1.2, code-v1.3, code-v2.1, code-v2.2, code-v20.31 | `code\-v\d+\.\d*` | `code-v`, one or more digits, a dot, then zero or more digits |
1.14.6-linux-amd64, 1.14.11-linux-amd64, 1.15.4-linux-amd64 | `\d*\.\d*\.\d*\-linux-amd64` | Three dot-separated digit groups (each may be empty) followed by `-linux-amd64` |
3, 3.17, 3.17.3, 3.18, 3.18.12, 30.142.1, 30 | `[\d.]+` | Any run of digits and dots |
2023-02-11, 2023-02-17, 2023-02-23 | `\d\d\d\d-\d\d\-\d\d` | Four digits, a dash, two digits, a dash, two digits |
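Before an expression from this table goes into a target's baseline setting, it is worth checking it against the names it should match and against names it should not. The following Go program is an added example, not part of this documentation or of Harness. It relies on the fact that Go's `regexp` package implements RE2 syntax, so a pattern that compiles here is acceptable RE2 and one that fails (such as a lookahead) is not. The variant names are the table's own; the counter-examples, the `Anchored` helper and the expectation that a name should match as a whole (this page does not say whether the product anchors the expression) are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Case pairs a pattern from the table with the names it is meant to match and
// constructed names it must not match.
type Case struct {
	Pattern        string
	ShouldMatch    []string
	ShouldNotMatch []string
}

// TableCases holds the table's patterns and variant names. The ShouldNotMatch
// names are constructed for this example.
var TableCases = []Case{
	{`release\-\d+`,
		[]string{"release-20230420", "release-20230427", "release-20230504", "release-20230511"},
		[]string{"main", "latest", "release-"}},
	{`code\-v\d+\.\d*`,
		[]string{"code-v1.1", "code-v1.2", "code-v1.3", "code-v2.1", "code-v2.2", "code-v20.31"},
		[]string{"code-v1", "main"}},
	{`\d*\.\d*\.\d*\-linux-amd64`,
		[]string{"1.14.6-linux-amd64", "1.14.11-linux-amd64", "1.15.4-linux-amd64"},
		[]string{"1.14.6-linux-arm64", "main"}},
	{`[\d.]+`,
		[]string{"3", "3.17", "3.17.3", "3.18", "3.18.12", "30.142.1", "30"},
		[]string{"main", "latest"}},
	{`\d\d\d\d-\d\d\-\d\d`,
		[]string{"2023-02-11", "2023-02-17", "2023-02-23"},
		[]string{"2023-2-11", "main"}},
}

// CompilesAsRE2 reports whether pattern is valid RE2 syntax. Go's regexp
// package implements RE2, so Perl-only constructs such as lookahead fail here.
func CompilesAsRE2(pattern string) bool {
	_, err := regexp.Compile(pattern)
	return err == nil
}

// Anchored wraps pattern so it must cover the whole target name rather than
// any substring of it (assumption: names are meant to match as a whole).
func Anchored(pattern string) string {
	return "^(?:" + pattern + ")$"
}

// Mismatches lists every expectation the pattern violates: names in
// shouldMatch that it rejects and names in shouldNotMatch that it accepts.
// An empty result means the pattern behaves as expected on these names.
func Mismatches(pattern string, shouldMatch, shouldNotMatch []string) []string {
	re := regexp.MustCompile(pattern)
	var bad []string
	for _, n := range shouldMatch {
		if !re.MatchString(n) {
			bad = append(bad, "missed "+n)
		}
	}
	for _, n := range shouldNotMatch {
		if re.MatchString(n) {
			bad = append(bad, "accepted "+n)
		}
	}
	return bad
}

func main() {
	for _, c := range TableCases {
		fmt.Printf("%-32s unanchored=%v anchored=%v\n", c.Pattern,
			Mismatches(c.Pattern, c.ShouldMatch, c.ShouldNotMatch),
			Mismatches(Anchored(c.Pattern), c.ShouldMatch, c.ShouldNotMatch))
	}
	// Two properties of the table's patterns worth knowing before relying on them:
	fmt.Println(Mismatches(`[\d.]+`, nil, []string{"release-20230420"}))                      // unanchored, matches a substring
	fmt.Println(Mismatches(`\d*\.\d*\.\d*\-linux-amd64`, []string{"..-linux-amd64"}, nil)) // \d* accepts an empty group
	fmt.Println(CompilesAsRE2(`(?=release)\S+`))                                           // lookahead is not RE2
}
```

The last three lines illustrate why thorough testing matters: `[\d.]+` unanchored also matches any name that merely contains a digit, `\d*` accepts an empty group, and a pattern written with Perl-style lookahead does not compile as RE2 at all.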