fix: match IaC ignore paths exactly

This requires bumping the policy library to incorporate
snyk/policy#58.

This fixes some IaC ignores edge-cases, as expressed in a new test.

package.json

@@ -130,7 +130,7 @@
     "snyk-nodejs-lockfile-parser": "1.35.0",
     "snyk-nuget-plugin": "1.22.0",
     "snyk-php-plugin": "1.9.2",
-    "snyk-policy": "1.19.0",
+    "snyk-policy": "1.22.0",
     "snyk-python-plugin": "1.19.11",
     "snyk-resolve": "1.1.0",
     "snyk-resolve-deps": "4.7.2",

packages/snyk-protect/test/fixtures/fix-pr/.snyk

@@ -1,5 +1,5 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.19.0
+version: v1.22.0
 ignore: {}
 # patches apply the minimum changes required to fix a vulnerability
 patch:

packages/snyk-protect/test/fixtures/multiple-matching-paths/.snyk

@@ -1,5 +1,5 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.19.0
+version: v1.22.0
 ignore: {}
 # patches apply the minimum changes required to fix a vulnerability
 patch:
@@ -22,4 +22,3 @@ patch:
         patched: '2021-02-17T13:43:51.857Z'
     - tap > nyc > istanbul-lib-instrument > babel-template > babel-traverse > babel-types > lodash:
         patched: '2021-02-17T13:43:51.857Z'
-

packages/snyk-protect/test/fixtures/no-matching-paths/.snyk

@@ -1,5 +1,5 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.19.0
+version: v1.22.0
 ignore: {}
 # patches apply the minimum changes required to fix a vulnerability
 patch:
@@ -22,4 +22,3 @@ patch:
         patched: '2021-02-17T13:43:51.857Z'
     - tap > nyc > istanbul-lib-instrument > babel-template > babel-traverse > babel-types > lodash:
         patched: '2021-02-17T13:43:51.857Z'
-

packages/snyk-protect/test/fixtures/single-patchable-module/.snyk

@@ -1,5 +1,5 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.19.0
+version: v1.22.0
 ignore: {}
 # patches apply the minimum changes required to fix a vulnerability
 patch:
@@ -22,4 +22,3 @@ patch:
         patched: '2021-02-17T13:43:51.857Z'
     - 'tap > nyc > istanbul-lib-instrument > babel-template > babel-traverse > babel-types > lodash':
         patched: '2021-02-17T13:43:51.857Z'
-

packages/snyk-protect/test/fixtures/target-module-exists-but-no-patches-for-version/.snyk

@@ -1,5 +1,5 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.19.0
+version: v1.22.0
 ignore: {}
 # patches apply the minimum changes required to fix a vulnerability
 patch:
@@ -22,4 +22,3 @@ patch:
         patched: '2021-02-17T13:43:51.857Z'
     - tap > nyc > istanbul-lib-instrument > babel-template > babel-traverse > babel-types > lodash:
         patched: '2021-02-17T13:43:51.857Z'
-

src/cli/commands/test/iac-local-execution/policy.ts

@@ -8,7 +8,9 @@ export function filterIgnoredIssues(
   if (!policy) {
     return { filteredIssues: results, ignoreCount: 0 };
   }
-  const vulns = results.map((res) => policy.filter(toIaCVulnAdapter(res)));
+  const vulns = results.map((res) =>
+    policy.filter(toIaCVulnAdapter(res), undefined, 'exact'),
+  );
   const ignoreCount: number = vulns.reduce(
     (totalIgnored, vuln) => totalIgnored + vuln.filtered.ignore.length,
     0,
@@ -44,10 +46,8 @@ function toIaCVulnAdapter(result: FormattedResult): IacVulnAdapter {
         // splice.
         // Insert the targetFile into the path so that it is taken into account
         // when determining whether an ignore rule should be applied.
-        // Insert garbage into the first element because the policy library
-        // ignores it.
         const path = [...annotatedResult.cloudConfigPath];
-        path.splice(0, 0, 'GARBAGE', result.targetFile);
+        path.splice(0, 0, result.targetFile);
 
         return {
           id: cloudConfigResult.id,
@@ -73,7 +73,7 @@ function toFormattedResult(adapter: IacVulnAdapter): FormattedResult {
         // including target file context. As that logic changes, so must this.
         const annotatedResult = res as AnnotatedResult;
         const significantPath = [...annotatedResult.cloudConfigPath];
-        significantPath.splice(0, 0, 'GARBAGE', original.targetFile);
+        significantPath.splice(0, 0, original.targetFile);
 
         if (vuln.from.length !== significantPath.length) {
           return false;

src/lib/policy/find-and-load-policy.ts

@@ -51,5 +51,5 @@ export async function findAndLoadPolicy(
 }
 
 export interface Policy {
-  filter(vulns: any): any;
+  filter(vulns: any, root?: string, matchStrategy?: string): any;
 }

test/acceptance/workspaces/npm-package-policy/.snyk

@@ -1,5 +1,5 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.19.0
+version: v1.22.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
   'npm:marked:20170907':

test/acceptance/workspaces/npm-package-policy/custom-location/.snyk

@@ -1,5 +1,5 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.19.0
+version: v1.22.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
   'npm:marked:20170907':

test/acceptance/workspaces/npm-with-dep-missing-policy/.snyk

@@ -1,5 +1,5 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.19.0
+version: v1.22.0
 ignore: {}
 # patches apply the minimum changes required to fix a vulnerability
 patch:

test/fixtures/protect-lodash-skip/.snyk

@@ -1,5 +1,5 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.19.0
+version: v1.22.0
 ignore: {}
 # patches apply the minimum changes required to fix a vulnerability
 

test/fixtures/protect-semver/.snyk

@@ -1,5 +1,5 @@
 # Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
-version: v1.19.0
+version: v1.22.0
 ignore: {}
 # patches apply the minimum changes required to fix a vulnerability
 patch:

test/jest/unit/iac-unit-tests/fixtures/policy-ignore-file-path-non-matching.yml

@@ -3,7 +3,7 @@ version: v1.19.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
   SNYK-CC-K8S-1:
-    - 'wrong.yaml':
+    - 'wrong.yaml > *':
         reason: None Given
         created: 2021-07-26T13:09:08.459Z
 patch: {}

test/jest/unit/iac-unit-tests/fixtures/policy-ignore-file-path-wrong-dir.yml

@@ -0,0 +1,9 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.19.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-CC-K8S-1:
+    - 'wrong/k8s.yaml > [DocId: 0] > input > spec > template > spec > containers[web] > securityContext > privileged':
+        reason: None Given
+        created: 2021-07-26T13:09:08.459Z
+patch: {}

test/jest/unit/iac-unit-tests/fixtures/policy-ignore-file-path.yml

@@ -3,7 +3,7 @@ version: v1.19.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
   SNYK-CC-K8S-1:
-    - 'k8s.yaml':
+    - 'k8s.yaml > *':
         reason: None Given
         created: 2021-07-26T13:09:08.459Z
 patch: {}

test/jest/unit/iac-unit-tests/policy.spec.ts

@@ -115,6 +115,14 @@ describe('filtering ignored issues', () => {
     expect(ignoreCount).toEqual(1);
   });
 
+  it('filters no issues when path is file path in the wrong directory', async () => {
+    const { fixture, filtered, ignoreCount } = await filterFixture(
+      'policy-ignore-file-path-wrong-dir.yml',
+    );
+    expect(filtered).toEqual(fixture);
+    expect(ignoreCount).toEqual(0);
+  });
+
   it('filters no issues when path is non-matching file path', async () => {
     const { fixture, filtered, ignoreCount } = await filterFixture(
       'policy-ignore-file-path-non-matching.yml',