Suppressing Issues
Not all issues reported by Mayhem may be relevant or of interest to an API maintainer. Mayhem offers a mechanism to suppress issues discovered during API testing jobs.
The .mapi configuration file
A .mapi configuration file specifies rules for issue suppression:
#
# Example .mapi configuration file
#
version: "1.0"
# An array of rules for suppressing issues.
#
# If an issue matches any rule, it will be suppressed
# from reporting.
#
# Any issue will only match a rule if ALL statements for
# a rule match the issue.
suppressed:
  - reason: "Suppress Internal API issues"
    path: /internal/.*
  - reason: "Ignore flask debug exceptions"
    summary: flask\.debughelpers\.*
An issue suppression rule is composed of regular expressions, each matching on a different issue field:
suppressed:
  - reason: "(required string) Description of why issues matching this rule are suppressed"
    method: "(optional regex) GET|PUT|POST|DELETE|PATCH... etc. Matches the HTTP method"
    path: "(optional regex) /foo|/tools/.* Matches the HTTP request path"
    rule_id: "(optional regex) internal-server-error|auth-bypass|server-crash... Matches the mapi rule id"
    summary: "(optional regex) Matches the additional issue summary, such as a stacktrace message"
    response: "(optional regex) Matches against the entire response, headers and payload. *"
Response matching
If a suppression rule has a response regular expression, that regular
expression will be applied against the entire response from the server.
This is the raw response seen over the TCP connection which starts with
the headers and then proceeds to the payload, if a payload is sent.
You can see something close to the raw output from your server by
accessing it with curl -v.
e.g. curl -v https://google.com:
[...]
< location: https://www.google.com/
< content-type: text/html; charset=UTF-8
< date: Thu, 24 Mar 1970 21:04:22 GMT
< expires: Sat, 23 Apr 1970 21:04:22 GMT
< cache-control: public, max-age=2592000
< server: gws
< content-length: 220
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443";
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
To match against a header in the response you would add a response field like:
response: "server: gws"
To match against part of the body, you would add a response field like:
response: "The document has moved"
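The following added Python example is not part of Mayhem's documentation or of the mapi tool's own code. It applies the rule semantics described in the two sections above (an issue is suppressed if any rule matches, and a rule matches only when every one of its regex statements matches) to a few constructed issue records, including one whose raw response, headers first and then payload, is matched on a header. The rules mirror the example .mapi file plus one extra two-statement rule; the issue records, the raw response text, and the use of an unanchored re.search are assumptions, since the page does not state how mapi anchors its regular expressions.

```python
import re

# Rules as a YAML loader would return the `suppressed` list of a .mapi file.
# The first two mirror the page's example; the third is a constructed rule with
# two statements, both of which must match.
SUPPRESSED_RULES = [
    {"reason": "Suppress Internal API issues", "path": r"/internal/.*"},
    {"reason": "Ignore flask debug exceptions", "summary": r"flask\.debughelpers\.*"},
    {"reason": "Ignore 500s that identify the server",
     "rule_id": r"internal-server-error", "response": r"server: gws"},
]

# Fields a rule may match on; `reason` is documentation, not a statement.
MATCH_FIELDS = ("method", "path", "rule_id", "summary", "response")

# Constructed raw responses in the "headers, blank line, payload" shape the page describes.
RESPONSE_WITH_SERVER = (
    "HTTP/1.1 500 Internal Server Error\r\nserver: gws\r\n"
    "content-type: text/html\r\n\r\n<h1>500</h1>"
)
RESPONSE_ANONYMOUS = "HTTP/1.1 500 Internal Server Error\r\ncontent-type: text/html\r\n\r\n<h1>500</h1>"

# Constructed issues in the shape of the CLI listing (id, rule id, method, path, summary, response).
SAMPLE_ISSUES = [
    {"id": 1, "method": "GET", "path": "/internal/metrics", "rule_id": "internal-server-error",
     "summary": "", "response": RESPONSE_ANONYMOUS},
    {"id": 2, "method": "POST", "path": "/pet", "rule_id": "internal-server-error",
     "summary": "flask.debughelpers.DebugFilesKeyError", "response": RESPONSE_ANONYMOUS},
    {"id": 3, "method": "POST", "path": "/user", "rule_id": "internal-server-error",
     "summary": "", "response": RESPONSE_WITH_SERVER},
    {"id": 4, "method": "POST", "path": "/user", "rule_id": "auth-bypass",
     "summary": "", "response": RESPONSE_WITH_SERVER},
]


def rule_matches(rule, issue):
    """True only when EVERY regex statement in the rule matches the issue.

    Assumptions not stated by the page: matching is an unanchored re.search,
    and a rule carrying only a reason (no statements) matches nothing rather
    than everything.
    """
    statements = [(field, rule[field]) for field in MATCH_FIELDS if field in rule]
    if not statements:
        return False
    return all(re.search(pattern, issue.get(field, "")) for field, pattern in statements)


def suppression_reason(rules, issue):
    """Return the reason of the first matching rule, or None if the issue is reported."""
    for rule in rules:
        if rule_matches(rule, issue):
            return rule["reason"]
    return None


def triage(rules, issues):
    """Map each issue id to the suppression reason that applies (None = reported)."""
    return {issue["id"]: suppression_reason(rules, issue) for issue in issues}


if __name__ == "__main__":
    for issue_id, reason in triage(SUPPRESSED_RULES, SAMPLE_ISSUES).items():
        print(issue_id, "suppressed:" if reason else "reported", reason or "")
```

Issue 4 shows the ALL-statements rule at work: its response contains the matching server header, but its rule_id does not match, so the third rule does not apply and the issue is still reported.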
Where to put the .mapi file?
💡 We recommend checking the .mapi file into source control so that you can track changes to suppression rules with your SCM tool.
The mapi CLI will resolve the .mapi file with the following order of
precedence:
- Set with the --config <path-to-file> flag when calling mapi run
- Set with the MAPI_CONFIG_FILE environment variable
- Located in the working directory where mapi run is called
- Located in the project root (adjacent to the .git folder, if one exists)
How do I see suppressed issues?
mapi will still upload suppressed issues during a run, but they will be
hidden by default. In order to see suppressed issues from the CLI, for instance,
you will need to supply an extra flag --include-suppressed:
▶ mapi issue list <job-id> --include-suppressed
ID     RULE_ID                SUMMARY  METHOD  PATH            SUPPRESSED  SUPPRESSED_REASON
35717  internal-server-error           GET     pet/findByTags  true        Ignore all GETs
35716  internal-server-error           GET     pet/{petId}     true        Ignore all GETs
35715  internal-server-error           POST    user            false
35714  internal-server-error           POST    pet             false