False positives
The false positives check sometimes reports matches that are not actually false
positives, and you may want to ignore them explicitly. This is usually the case
with very general rules that are expected to match innocuous files found in the
NSRL collection used by YARA-CI. To ignore certain rules by name, add the
following to your .yara-ci.yml configuration file:
false_positives:
  ignore:
    - rule: "my_noisy_rule"
With the configuration above any match for my_noisy_rule will be excluded
from the false positives report. You can also ignore all the rules
contained in certain files, for example, with this configuration any file in
the noisy_rules directory won’t be taken into account:
false_positives:
  ignore:
    - file: "noisy_rules/**"
Additionally, you can ignore all the rules that contain a certain metadata
value. As an example, with the configuration shown below any rule with a tag
that matches the **noisy** expression will be ignored by the test:
false_positives:
  ignore:
    - meta_value: "**noisy**"
The file, rule and meta_value filters can be combined together in any
way, as shown in the following examples:
false_positives:
  ignore:
    - file: "experimental/**"
      rule: "my_noisy_rule"
In the example above any rule named my_noisy_rule contained in some file in
the experimental directory will be ignored. If the rule appears in some other
file that doesn’t match the pattern it will be reported.
false_positives:
  ignore:
    - file: "experimental/**"
      meta_value: "my_noisy_rule"
In the example above any rule with some metadata value set to my_noisy_rule
contained in some file in the experimental directory will be ignored.
false_positives:
  ignore:
    - file: "experimental/**"
      rule: "**generic**"
      meta_value: "**compiler**"
In the example above any rule with generic in its name and with some metadata
value that contains compiler and that is contained in some file in the
experimental directory will be ignored.
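
The combined-filter behaviour described above can be modelled locally to see which rules an ignore list would suppress before pushing it. The Python sketch below is an added example, not YARA-CI's own code: it assumes the patterns behave like shell-style globs (approximated here with fnmatch) and that separate entries in the ignore list are alternatives; all rule names, paths and metadata are constructed.

```python
from fnmatch import fnmatchcase

# Constructed ignore entries, written as the parsed form of the YAML shown above.
IGNORE = [
    {"rule": "my_noisy_rule"},
    {"file": "experimental/**", "rule": "**generic**", "meta_value": "**compiler**"},
]

# Constructed sample rules: (file path, rule name, metadata key/value pairs).
RULES = [
    ("rules/packers.yar", "my_noisy_rule", {}),
    ("experimental/lang.yar", "generic_gcc", {"description": "detects compiler stubs"}),
    ("rules/lang.yar", "generic_gcc", {"description": "detects compiler stubs"}),
    ("experimental/net.yar", "generic_http", {"author": "alice"}),
]

FILTER_KEYS = ("file", "rule", "meta_value")


def entry_matches(entry, path, name, meta):
    """True only when every filter present in the entry matches (filters are ANDed)."""
    if not any(key in entry for key in FILTER_KEYS):
        return False  # an entry with no filters must not silently ignore everything
    if "file" in entry and not fnmatchcase(path, entry["file"]):
        return False
    if "rule" in entry and not fnmatchcase(name, entry["rule"]):
        return False
    if "meta_value" in entry:
        values = [str(v) for v in meta.values()]
        if not any(fnmatchcase(v, entry["meta_value"]) for v in values):
            return False
    return True


def is_ignored(ignore, path, name, meta):
    """Assumption: a rule is ignored if any single entry matches it."""
    return any(entry_matches(e, path, name, meta) for e in ignore)


def reported(ignore, rules):
    """Rules that would still appear in the false positives report."""
    return [(p, n) for p, n, m in rules if not is_ignored(ignore, p, n, m)]


if __name__ == "__main__":
    for path, name in reported(IGNORE, RULES):
        print(f"still reported: {name} ({path})")
```

The same generic_gcc rule is suppressed under experimental/ but still reported from rules/, which is the behaviour to check for when a broad name or metadata pattern is scoped with a file filter.
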
Finally, the false positives test can be entirely disabled by setting its
disabled property to true:
false_positives:
  disabled: true