Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(sca): skip old CVE suppressions (without 'accountIds') #3503

Merged
merged 3 commits into from
Sep 14, 2022
Merged

fix(sca): skip old CVE suppressions (without 'accountIds') #3503

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e56fdd6
skip old suppressions (without 'accountIds') + tests
NoaAzoulay Sep 13, 2022
9a35325
skip old suppressions (without 'accountIds') + tests
NoaAzoulay Sep 13, 2022
fe93631
/
NoaAzoulay Sep 14, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions checkov/common/bridgecrew/integration_features/features/suppressions_integration.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -148,17 +148,19 @@ def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> boo
return True

elif type == 'CvesAccounts':
if 'accountIds' not in suppression:
return False
if self.bc_integration.repo_id in suppression['accountIds']:
if record.vulnerability_details and record.vulnerability_details['id'] in suppression['cves']:
return True
return False

elif type == 'Cves':
if 'accountIds' not in suppression:
return False
if self.bc_integration.repo_id in suppression['accountIds'] and record.file_abs_path == suppression['cves'][0]['id'][1:]:
for cve in suppression['cves']:
if record.vulnerability_details and record.vulnerability_details['id'] == cve['cve']:
return True
return False
return any(record.vulnerability_details and record.vulnerability_details['id'] == cve['cve']
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep :)

for cve in suppression['cves'])

elif type == 'LicenseType':
return any(record.vulnerability_details and record.vulnerability_details['license'] == license_type
Expand Down
64 changes: 64 additions & 0 deletions tests/common/integration_features/test_suppressions_integration.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -628,6 +628,70 @@ def test_supress_by_cve_for_image_scan_with_different_repo_id(self):
self.assertFalse(suppressions_integration._check_suppression(record3, suppression))
self.assertFalse(suppressions_integration._check_suppression(record4, suppression))

def test_supress_by_cve_for_image_scan_without_accountIds(self):
instance = BcPlatformIntegration()
instance.repo_id = '/dockerfile/Dockerfile'
suppressions_integration = SuppressionsIntegration(instance)
suppressions_integration._init_repo_regex()

suppression = {
'suppressionType': 'Cves',
'policyId': 'BC_VUL_1',
'comment': 'suppress cve ',
'cves': [{'uuid': '90397534-a1a0-41bb-a552-acdd861df618', 'id': '/dockerfile/Dockerfile',
'cve': 'CVE-2022-35920'},
{'uuid': '90397534-a1a0-41bb-a552-acdd861df699', 'id': '/dockerfile/Dockerfile',
'cve': 'CVE-2021-23727'}],
'checkovPolicyId': 'BC_VUL_1'
}

record1 = Record(check_id='BC_VUL_1', check_name=None, check_result=None,
code_block=None, file_path='/dockerfile/Dockerfile',
file_line_range=None,
resource=None, evaluations=None,
check_class=None, file_abs_path='.', entity_tags=None,
vulnerability_details={'id': 'CVE-2022-35920'})
record2 = Record(check_id='BC_VUL_1', check_name=None, check_result=None,
code_block=None, file_path='/dockerfile/Dockerfile',
file_line_range=None,
resource=None, evaluations=None,
check_class=None, file_abs_path='.', entity_tags=None,
vulnerability_details={'id': 'CVE-2021-23727'})
self.assertFalse(suppressions_integration._check_suppression(record1, suppression))
self.assertFalse(suppressions_integration._check_suppression(record2, suppression))

def test_supress_by_cve_for_package_scan_without_accountIds(self):
instance = BcPlatformIntegration()
instance.repo_id = 'repo/path'
suppressions_integration = SuppressionsIntegration(instance)
suppressions_integration._init_repo_regex()

suppression = {
'suppressionType': 'Cves',
'policyId': 'BC_VUL_2',
'comment': 'suppress cve ',
'cves': [{'uuid': '90397534-a1a0-41bb-a552-acdd861df618', 'id': 'repo/path',
'cve': 'CVE-2022-35920'},
{'uuid': '90397534-a1a0-41bb-a552-acdd861df699', 'id': 'repo/path',
'cve': 'CVE-2021-23727'}],
'checkovPolicyId': 'BC_VUL_2'
}

record1 = Record(check_id='BC_VUL_2', check_name=None, check_result=None,
code_block=None, file_path='repo/path',
file_line_range=None,
resource=None, evaluations=None,
check_class=None, file_abs_path='.', entity_tags=None,
vulnerability_details={'id': 'CVE-2022-35920'})
record2 = Record(check_id='BC_VUL_2', check_name=None, check_result=None,
code_block=None, file_path='repo/path',
file_line_range=None,
resource=None, evaluations=None,
check_class=None, file_abs_path='.', entity_tags=None,
vulnerability_details={'id': 'CVE-2021-23727'})
self.assertFalse(suppressions_integration._check_suppression(record1, suppression))
self.assertFalse(suppressions_integration._check_suppression(record2, suppression))

def test_suppress_licenses_by_policy(self):
instance = BcPlatformIntegration()
suppressions_integration = SuppressionsIntegration(instance)
Expand Down