Craig Furman
committed
Aug 6, 2021
1 parent
f30b7f4
commit ac10cdd
Showing
19 changed files
with
1,154 additions
and
31 deletions.
@@ -0,0 +1,87 @@ | ||
import { FormattedResult, PolicyMetadata } from './types'; | ||
import { Policy } from '../../../../lib/policy/find-and-load-policy'; | ||
|
||
export function filterIgnoredIssues( | ||
policy: Policy | undefined, | ||
results: FormattedResult[], | ||
): FormattedResult[] { | ||
if (!policy) { | ||
return results; | ||
} | ||
return results | ||
.map((res) => policy.filter(toIaCVulnAdapter(res))) | ||
.map((vuln) => toFormattedResult(vuln)); | ||
} | ||
|
||
type IacVulnAdapter = { | ||
vulnerabilities: { | ||
id: string; | ||
from: string[]; | ||
}[]; | ||
originalResult: FormattedResult; | ||
}; | ||
|
||
// This is a total cop-out. The type I really want is AnnotatedIacIssue from | ||
// src/lib/snyk-test/iac-test-result.ts, but that appears to only be used in the | ||
// legacy flow and I gave up on adapting it to work in both flows. By the time | ||
// this code is called, cloudConfigPath is present on the result object. | ||
type AnnotatedResult = PolicyMetadata & { | ||
cloudConfigPath: string[]; | ||
}; | ||
|
||
function toIaCVulnAdapter(result: FormattedResult): IacVulnAdapter { | ||
return { | ||
vulnerabilities: result.result.cloudConfigResults.map( | ||
(cloudConfigResult) => { | ||
const annotatedResult = cloudConfigResult as AnnotatedResult; | ||
|
||
// Copy the cloudConfigPath array to avoid modifying the original with | ||
// splice. | ||
// Insert the targetFile into the path so that it is taken into account | ||
// when determining whether an ignore rule should be applied. | ||
// Insert garbage into the first element because the policy library | ||
// ignores it. | ||
const path = [...annotatedResult.cloudConfigPath]; | ||
path.splice(0, 0, 'GARBAGE', result.targetFile); | ||
|
||
return { | ||
id: cloudConfigResult.id, | ||
from: path, | ||
}; | ||
}, | ||
), | ||
originalResult: result, | ||
}; | ||
} | ||
|
||
function toFormattedResult(adapter: IacVulnAdapter): FormattedResult { | ||
const original = adapter.originalResult; | ||
const filteredCloudConfigResults = original.result.cloudConfigResults.filter( | ||
(res) => { | ||
return adapter.vulnerabilities.some((vuln) => { | ||
if (vuln.id !== res.id) { | ||
return false; | ||
} | ||
|
||
// Unfortunately we are forced to duplicate the logic in | ||
// toIaCVulnAdapter so that we're comparing path components properly, | ||
// including target file context. As that logic changes, so must this. | ||
const annotatedResult = res as AnnotatedResult; | ||
const significantPath = [...annotatedResult.cloudConfigPath]; | ||
significantPath.splice(0, 0, 'GARBAGE', original.targetFile); | ||
|
||
if (vuln.from.length !== significantPath.length) { | ||
return false; | ||
} | ||
for (let i = 0; i < vuln.from.length; i++) { | ||
if (vuln.from[i] !== significantPath[i]) { | ||
return false; | ||
} | ||
} | ||
return true; | ||
}); | ||
}, | ||
); | ||
original.result.cloudConfigResults = filteredCloudConfigResults; | ||
return original; | ||
} |
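Review bot: toFormattedResult, at the end of the hunk, assigns the filtered array back onto `original.result.cloudConfigResults`, so filterIgnoredIssues mutates the caller's `results` elements in place even though it returns a fresh array; any caller that keeps a reference to the unfiltered results, for instance to report how many issues the policy ignored, would see the already-filtered list. Returning a copy keeps the input intact: `return { ...original, result: { ...original.result, cloudConfigResults: filteredCloudConfigResults } };`. The `GARBAGE`/targetFile path construction is duplicated between toIaCVulnAdapter and toFormattedResult, as the inline comment admits, and a drift between the two would make the `some` match fail for every entry and silently drop all findings rather than only the ignored ones; a single `significantPath(result, targetFile)` helper used by both would remove that failure mode. Both functions also spread `cloudConfigPath` immediately after an `as AnnotatedResult` cast, so a result that reaches this code without that field throws a TypeError instead of being reported; the assumption stated in the comment above the type is not checked at runtime.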