resolved: SAAS-3945 Generate ignore id file, and send to trivy + add … (

#63) * resolved: SAAS-3945 Generate ignore id file, and send to trivy + add suppression's to result - including indication * resolved: SAAS-3945 CR fix * resolved: SAAS-3945 CR fix * resolved: SAAS-3945 CR fix * resolved: SAAS-3945 proto number fix
aquasecurity · Feb 17, 2022 · e222d10 · e222d10
1 parent 45e87d6
commit e222d10
Show file tree

Hide file tree

Showing 8 changed files with 299 additions and 186 deletions.
diff --git a/cmd/aqua/main.go b/cmd/aqua/main.go
@@ -1,9 +1,11 @@
 package main
 
 import (
+	"bufio"
 	"fmt"
 	"os"
 	"sort"
+	"time"
 
 	"strings"
 
@@ -119,12 +121,26 @@ func runScan(c *cli.Context) error {
 		return err
 	}
 
+	downloadedPolicies, err := client.GetPoliciesForRepository()
+	if err != nil {
+		log.Logger.Errorf("Could not download the repository policies. %#v", err)
+		return err
+	}
+	policies, checkSupIDMap := processor.DistinguishPolicies(downloadedPolicies)
+	if len(checkSupIDMap) > 0 {
+		fileName := fmt.Sprintf("ignoreIds_%s", time.Now().Format("20060102150405"))
+		err = createIgnoreFile(c, checkSupIDMap, fileName)
+		defer os.Remove(fileName)
+		if err != nil {
+			return err
+		}
+	}
 	results, err := scanner.Scan(c, scanPath)
 	if err != nil {
 		return err
 	}
 
-	processedResults := processor.ProcessResults(client, results)
+	processedResults := processor.ProcessResults(results, policies, checkSupIDMap)
 	if err != nil {
 		return err
 	}
@@ -138,6 +154,34 @@ func runScan(c *cli.Context) error {
 	return checkPolicyResults(processedResults)
 }
 
+func createIgnoreFile(c *cli.Context, checkSupIDMap map[string]string, fileName string) error {
+	log.Logger.Debugf("%d IDs are suppressed", len(checkSupIDMap))
+	file, err := os.OpenFile(fileName, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return err
+	}
+	writer := bufio.NewWriter(file)
+	for avdId := range checkSupIDMap {
+		_, err = writer.WriteString(avdId + "\n")
+		if err != nil {
+			return err
+		}
+	}
+	err = writer.Flush()
+	if err != nil {
+		return err
+	}
+	err = file.Close()
+	if err != nil {
+		return err
+	}
+
+	if err := c.Set("ignorefile", fileName); err != nil {
+		return err
+	}
+	return nil
+}
+
 func checkPolicyResults(results []*buildsecurity.Result) error {
 	uniqCount := 0
 

diff --git a/pkg/processor/result_processor.go b/pkg/processor/result_processor.go
@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/aquasecurity/trivy-plugin-aqua/pkg/buildClient"
 	"github.com/aquasecurity/trivy-plugin-aqua/pkg/log"
 	"github.com/aquasecurity/trivy-plugin-aqua/pkg/proto/buildsecurity"
 	"github.com/aquasecurity/trivy-plugin-aqua/pkg/scanner"
@@ -14,45 +13,47 @@ import (
 
 // ProcessResults downloads the latest policies for the repository the process the results
 // while evaluating them against the policies
-func ProcessResults(client buildClient.Client, reports report.Results) (results []*buildsecurity.Result) {
-	downloadedPolicies, err := client.GetPoliciesForRepository()
-	if err != nil {
-		log.Logger.Errorf("Could not download the repository policies. %#v", err)
-	}
-	policies, suppressedIds := distinguishPolicies(downloadedPolicies)
-	log.Logger.Debugf("%d IDs are suppressed", len(suppressedIds))
+func ProcessResults(reports report.Results,
+	policies []*buildsecurity.Policy,
+	checkSupIDMap map[string]string) (
+	results []*buildsecurity.Result) {
 
 	for _, rep := range reports {
 		switch rep.Class {
 		case report.ClassLangPkg:
 			reportResults := addVulnerabilitiesResults(rep)
 			results = append(results, reportResults...)
 		case report.ClassConfig:
-			reportResults := addMisconfigurationResults(rep, policies, suppressedIds)
+			reportResults := addMisconfigurationResults(rep, policies, checkSupIDMap)
 			results = append(results, reportResults...)
 		}
 	}
 
 	return results
 }
 
-func distinguishPolicies(
+func DistinguishPolicies(
 	downloadedPolicies []*buildsecurity.Policy) (
-	policies []*buildsecurity.Policy,
-	suppressedIds []string) {
+	[]*buildsecurity.Policy,
+	map[string]string) {
+
+	var policies []*buildsecurity.Policy
+	checkSupIDMap := make(map[string]string, len(downloadedPolicies))
 	for _, policy := range downloadedPolicies {
 		switch policy.PolicyType {
 		case buildsecurity.PolicyTypeEnum_POLICY_TYPE_SUPPRESSION:
 			for _, control := range policy.GetControls() {
-				suppressedIds = append(suppressedIds, control.AVDIDs...)
+				for _, avd := range control.AVDIDs {
+					checkSupIDMap[avd] = policy.PolicyID
+				}
 			}
 		case buildsecurity.PolicyTypeEnum_POLICY_TYPE_POLICY:
 			policies = append(policies, policy)
 		default:
 			policies = append(policies, policy)
 		}
 	}
-	return policies, suppressedIds
+	return policies, checkSupIDMap
 }
 
 func addVulnerabilitiesResults(rep report.Result) (results []*buildsecurity.Result) {
@@ -70,8 +71,12 @@ func addVulnerabilitiesResults(rep report.Result) (results []*buildsecurity.Resu
 		r.InstalledVersion = vuln.InstalledVersion
 		r.FixedVersion = vuln.FixedVersion
 		r.DataSource = vuln.DataSource.Name
-		r.PublishedDate = vuln.PublishedDate.Unix()
-		r.LastModified = vuln.LastModifiedDate.Unix()
+		if vuln.PublishedDate != nil {
+			r.PublishedDate = vuln.PublishedDate.Unix()
+		}
+		if vuln.LastModifiedDate != nil {
+			r.LastModified = vuln.LastModifiedDate.Unix()
+		}
 
 		for vendor, cvssVal := range vuln.Vulnerability.CVSS {
 			r.VendorScoring = append(r.VendorScoring, &buildsecurity.VendorScoring{
@@ -100,7 +105,7 @@ func contains(slice []string, value string) bool {
 
 func addMisconfigurationResults(rep report.Result,
 	downloadedPolicies []*buildsecurity.Policy,
-	suppressedIds []string) (results []*buildsecurity.Result) {
+	checkSupIDMap map[string]string) (results []*buildsecurity.Result) {
 	for _, miscon := range rep.Misconfigurations {
 
 		var r buildsecurity.Result
@@ -109,12 +114,15 @@ func addMisconfigurationResults(rep report.Result,
 			resource = miscon.IacMetadata.Resource
 		}
 
-		suppressedId := contains(suppressedIds, miscon.ID)
-		if suppressedId {
-			log.Logger.Debugf("Skipping suppressed id: %s", miscon.ID)
-		}
-		if miscon.Status == types.StatusFailure && !suppressedId {
-			r.PolicyResults = checkAgainstPolicies(miscon, downloadedPolicies, rep.Target)
+		policyId, suppressedId := checkSupIDMap[miscon.ID]
+
+		if miscon.Status == types.StatusFailure {
+			if suppressedId {
+				log.Logger.Debugf("Skipping suppressed id: %s, due to Suppression ID: %s", miscon.ID, policyId)
+				r.SuppressionID = policyId
+			} else {
+				r.PolicyResults = checkAgainstPolicies(miscon, downloadedPolicies, rep.Target)
+			}
 			r.AVDID = miscon.ID
 			r.Title = miscon.Title
 			r.Message = miscon.Message

diff --git a/pkg/processor/result_processor_test.go b/pkg/processor/result_processor_test.go
@@ -54,13 +54,14 @@ func Test_distinguishPolicies(t *testing.T) {
 		name              string
 		args              args
 		wantPolicies      []*buildsecurity.Policy
-		wantSuppressedIds []string
+		wantSuppressedIds map[string]string
 	}{
 		{
 			name: "happy path - separate policies and suppressed ids",
 			args: args{downloadedPolicies: []*buildsecurity.Policy{
 				{
 					PolicyType: buildsecurity.PolicyTypeEnum_POLICY_TYPE_SUPPRESSION,
+					PolicyID:   "id1",
 					Controls: []*buildsecurity.PolicyControl{
 						{
 							AVDIDs: []string{"123"},
@@ -69,6 +70,7 @@ func Test_distinguishPolicies(t *testing.T) {
 				},
 				{
 					PolicyType: buildsecurity.PolicyTypeEnum_POLICY_TYPE_SUPPRESSION,
+					PolicyID:   "id2",
 					Controls: []*buildsecurity.PolicyControl{
 						{
 							AVDIDs: []string{"456"},
@@ -94,14 +96,14 @@ func Test_distinguishPolicies(t *testing.T) {
 					},
 				},
 			},
-			wantSuppressedIds: []string{"123", "456"},
+			wantSuppressedIds: map[string]string{"123": "id1", "456": "id2"},
 		},
 	}
 	for _, tt := range tests {
 		tt := tt
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
-			gotPolicies, gotSuppressedIds := distinguishPolicies(tt.args.downloadedPolicies)
+			gotPolicies, gotSuppressedIds := DistinguishPolicies(tt.args.downloadedPolicies)
 			if !reflect.DeepEqual(gotPolicies, tt.wantPolicies) {
 				t.Errorf("distinguishPolicies() gotPolicies = %v, want %v", gotPolicies, tt.wantPolicies)
 			}

diff --git a/pkg/proto/buildsecurity.proto b/pkg/proto/buildsecurity.proto
@@ -96,8 +96,9 @@ message Result {
   string FixedVersion = 14;
   string DataSource = 15;
   repeated VendorScoring VendorScoring = 16;
-  int64 PublishedDate = 17;
-  int64 LastModified = 18;
+  string suppressionID = 17;
+  int64 PublishedDate = 18;
+  int64 LastModified = 19;
 }
 
 enum SeverityEnum {