fix(general): Support CVE suppressions with the root file in repo (#6948
)

support suppressions with the root file in repo
rotemavni authored Jan 14, 2025
1 parent 638682e commit 4e75793
Showing 2 changed files with 28 additions and 15 deletions.
Expand Up @@ -169,6 +169,25 @@ def _check_suppressions(self, record: Record, suppressions: Optional[list[dict[s
return suppression
return None

def _check_cve_suppression(self, record: Record, suppression: dict[str, Any]) -> bool:
if 'accountIds' not in suppression:
return False
if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in \
suppression['accountIds'] \
and suppression['cves']:
repo_name = align_path(self.bc_integration.repo_id).split('/')[-1]
suppression_path = self._get_cve_suppression_path(suppression)
repo_file_path = align_path(record.repo_file_path)
file_abs_path = align_path(record.file_abs_path)
if file_abs_path == suppression_path[1:] or \
file_abs_path == suppression_path or \
file_abs_path.endswith("".join([repo_name, suppression_path])) or \
removeprefix(repo_file_path, '/') == removeprefix(suppression_path, '/') \
or record.file_path == suppression_path:
return any(record.vulnerability_details and record.vulnerability_details['id'] == cve['cve']
for cve in suppression['cves'])
return False

def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> bool:
"""
Returns True if and only if the specified suppression applies to the specified record.
Expand Down Expand Up @@ -217,21 +236,7 @@ def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> boo
return False

elif type == 'Cves':
if 'accountIds' not in suppression:
return False
if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in suppression['accountIds']\
and suppression['cves']:
repo_name = align_path(self.bc_integration.repo_id).split('/')[-1]
suppression_path = self._get_cve_suppression_path(suppression)
repo_file_path = align_path(record.repo_file_path)
file_abs_path = align_path(record.file_abs_path)
if file_abs_path == suppression_path[1:] or \
file_abs_path == suppression_path or \
file_abs_path.endswith("".join([repo_name, suppression_path])) or \
removeprefix(repo_file_path, '/') == removeprefix(suppression_path, '/'):
return any(record.vulnerability_details and record.vulnerability_details['id'] == cve['cve']
for cve in suppression['cves'])
return False
return self._check_cve_suppression(record, suppression)

elif type == 'LicenseType':
return any(record.vulnerability_details and record.vulnerability_details['license'] == license_type
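Review bot: The suffix match moved into `_check_cve_suppression`, `file_abs_path.endswith("".join([repo_name, suppression_path]))`, puts no separator in front of the repo name, so with a root-anchored path such as `/requirements.txt` the suffix `myrepo/requirements.txt` also matches `/work/other-myrepo/requirements.txt`, and because a match suppresses the CVE finding outright, an over-broad match hides a finding for a file the suppression was never scoped to. If `_get_cve_suppression_path` returns root-anchored paths (the `/requirements.txt` in the test suggests it does), a boundary check such as `file_abs_path == repo_name + suppression_path or file_abs_path.endswith("/" + repo_name + suppression_path)` keeps the in-repo case, including relative values like the test's `home/requirements.txt`, while rejecting a longer repo name. The newly added `record.file_path == suppression_path` is also the only operand in the condition that is not passed through `align_path`, so separator differences the other four comparisons tolerate would make this branch miss; worth confirming that is intended. The method has no docstring although `_check_suppression` next to it does; one line such as `"""Return True when a 'Cves' suppression scoped to this account and repo names the record's file and its CVE id."""` would document the contract. The whole method lies inside this hunk; the second hunk only replaces the inlined copy with a call to it, so nothing further applies there.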
Expand Up @@ -515,11 +515,19 @@ def test_supress_by_cve_for_package_scan(self):
resource=None, evaluations=None,
check_class=None, file_abs_path='notrequirements.txt', entity_tags=None,
vulnerability_details={'id': 'CVE-2022-45452'})
record5 = Record(check_id='BC_VUL_2', check_name=None, check_result=None,
code_block=None, file_path=None,
file_line_range=None,
resource=None, evaluations=None,
check_class=None, file_abs_path='home/requirements.txt', entity_tags=None,
vulnerability_details={'id': 'CVE-2021-23727'})
record5.file_path = '/requirements.txt'

self.assertTrue(suppressions_integration._check_suppression(record1, suppression))
self.assertTrue(suppressions_integration._check_suppression(record2, suppression))
self.assertFalse(suppressions_integration._check_suppression(record3, suppression))
self.assertFalse(suppressions_integration._check_suppression(record4, suppression))
self.assertTrue(suppressions_integration._check_suppression(record5, suppression))

def test_suppress_by_cve_with_empty_cves(self):
instance = BcPlatformIntegration()
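Review bot: `record5` is constructed with `file_path=None` and then patched two lines later by `record5.file_path = '/requirements.txt'`; unless `Record.__init__` rewrites `file_path`, passing `file_path='/requirements.txt'` directly in the constructor call states the fixture in one place and keeps it consistent with `record1` through `record4`. The new assertion only exercises the positive root-file match; a sixth record with a different root file name (for example `file_path='/other.txt'`, expected False) would pin down that the new equality branch matches the suppressed file only. `test_supress_by_cve_for_package_scan` starts before this hunk, so the `suppression` fixture it compares against is not visible here.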
