feat: allow findings to be ignored #25
It's either make it more sane or turn it off.
force-pushed from a140503 to ec074e5
force-pushed from ec074e5 to 4b32234
Load each then de-duplicate, allowing later definitions to override earlier ones.
Ignore configuration is read from a series of possible locations, and the downloaded findings are summarized based on the supplied configuration.
force-pushed from 4b32234 to 2f85239
force-pushed from 963a2bd to 9f846ec
Simple version: annotates summary findings and marks findings in table when ignored.
Using the AWS structs directly was becoming cumbersome. This allows for a simpler template: adding ignore lists in the existing structure was becoming too complicated.
This potentially leads to more discoverability that it is possible to add `until` and `reason` fields.
force-pushed from 9f846ec to ca9bdbe
Remove on read so expired items don't affect cascades.
An inline div surrounded by whitespace was interpreted as a Markdown paragraph when uploaded to Buildkite.
force-pushed from ca9bdbe to 1b11ee5
Linux conventions are to configure commands using `/etc/` for general configuration rather than user home directories. This lessens the chance of accidental modification by an agent.
I have taken my first stab. The feedback I have is pretty simple, as I try to build a mental model of how it all works.
src/finding/summary.go (Outdated)
```go
counts := SeverityCount{}
if c, exists := s.Counts[severity]; exists {
	counts = c
}
```
nit: usually, this logic is inverted
```diff
-counts := SeverityCount{}
-if c, exists := s.Counts[severity]; exists {
-	counts = c
-}
+c := SeverityCount{}
+if counts, exists := s.Counts[severity]; !exists {
+	counts = c
+}
```
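Review bot: the inverted form in the `+` lines declares `counts` in the `if` initializer (`if counts, exists := s.Counts[severity]; !exists`), so it is scoped to the `if` and the assignment in the body is never read anywhere; the compiler rejects it with `counts declared and not used`, and even if it compiled the outer code would have no `counts` to use. Since indexing a Go map yields the element type's zero value for a missing key, the whole block can become the single line `counts := s.Counts[severity]`, which needs neither the existence check nor the temporary.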
The variables defined as a part of the assignment in the `if` clause (`if counts, exists :=`) are only in scope in the body of the `if`, so inverting as suggested won't compile. The error is `counts declared and not used`.
I've changed this to:

```go
counts := s.Counts[severity]
```

Since the default value is returned if the key is not in the map, which is what I'm after.
Co-authored-by: Callum Gardner <10970827+ctgardner@users.noreply.github.com>
This is now possible due to API changes up the call chain.
force-pushed from 22f56a9 to 120cc52
The map lookup will return the empty value by default if the key does not exist.
These were split into separate declarations to assist initial testing, but this doesn't help readability.
lgtm
☝️ I've really appreciated all the thoughtful review comments, they've definitely improved the implementation, and I've learned through it too 🙏
This PR seeks to introduce an "ignore" file for the plugin, allowing findings for vulnerabilities to be ignored (but not removed).
Note: While this is a commit-by-commit PR, I've left some earlier commits that included a more complicated YAML document schema where ignore items supported simple string entries as well as structured ones. I removed this after feedback from @tomwwright, and kept the commits to document the decision somewhat, but also to keep this implementation archived as a possible future reference.
An ignore file is a YAML file that has the following structure:
This structure allows for findings to be ignored for a period of time, giving a team time to respond while allowing builds to continue.
Ignore configuration can be specified in a number of places, from least to most important:

1. /etc/ecr-scan-results-buildkite-plugin/ignore.y[a]ml
2. buildkite/ecr-scan-results-ignore.y[a]ml
3. .buildkite/ecr-scan-results-ignore.y[a]ml
4. .ecr-scan-results-ignore.y[a]ml
Configuration in `/etc/ecr-scan-results-buildkite-plugin` allows organizations to ship agents with plugin configuration that centrally manages findings that can be ignored. If a listing for a finding with the same CVE name appears in multiple files, the most local wins: central configuration can be overridden by the repository.

When a finding is ignored, it is removed from consideration for threshold checks, but it's not discarded. The annotation created by the plugin annotates the results with further information instead.
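The loading, precedence and threshold behaviour described above, as an added example written for this page (it is not the plugin's own source). Ignore files are assumed to be already parsed into the `IgnoreEntry` struct below; its `until` and `reason` fields follow the PR, but the struct shape itself is an assumption and no YAML parsing is shown. Files are merged least-important first so later definitions override earlier ones, expired entries are removed on read (so they take no part in the override cascade, as the "Remove on read" commit describes), and ignored findings are set aside and counted rather than dropped, so they stop affecting threshold checks. `Summarize` uses the zero-value map read (`counts := s.Counts[severity]`) settled on in the review thread. CVE ids, dates and reasons are constructed placeholders.

```go
package main

import (
	"fmt"
	"time"
)

// IgnoreEntry is one ignore-file item. `until` and `reason` are named in the
// PR; this struct is an assumed shape, not the plugin's schema.
type IgnoreEntry struct {
	ID     string     // CVE name the entry applies to
	Until  *time.Time // nil: never expires
	Reason string
}

// Finding is a constructed, minimal scan result.
type Finding struct {
	Name     string
	Severity string
}

// SeverityCount is how many findings of a severity were seen and how many are ignored.
type SeverityCount struct {
	Total   int
	Ignored int
}

// Summary keeps ignored findings alongside active ones instead of discarding them.
type Summary struct {
	Counts  map[string]SeverityCount
	Active  []Finding
	Ignored []Finding
}

// MergeIgnores takes already-parsed ignore files in precedence order (least
// important first) and de-duplicates by CVE name so later files win. Entries
// whose `until` has passed are dropped on read, so an expired local entry
// cannot override a still-valid central one.
func MergeIgnores(files [][]IgnoreEntry, now time.Time) map[string]IgnoreEntry {
	merged := make(map[string]IgnoreEntry)
	for _, entries := range files {
		for _, e := range entries {
			if e.Until != nil && !now.Before(*e.Until) {
				continue // expired: removed on read
			}
			merged[e.ID] = e
		}
	}
	return merged
}

// Summarize counts findings per severity and sets ignored ones aside.
func Summarize(findings []Finding, ignores map[string]IgnoreEntry) Summary {
	s := Summary{Counts: map[string]SeverityCount{}}
	for _, f := range findings {
		counts := s.Counts[f.Severity] // zero value when the severity is new
		counts.Total++
		if _, ok := ignores[f.Name]; ok {
			counts.Ignored++
			s.Ignored = append(s.Ignored, f)
		} else {
			s.Active = append(s.Active, f)
		}
		s.Counts[f.Severity] = counts
	}
	return s
}

// ExceedsThreshold leaves ignored findings out when checking a severity's limit.
func ExceedsThreshold(s Summary, severity string, limit int) bool {
	c := s.Counts[severity]
	return c.Total-c.Ignored > limit
}

// sampleInput returns constructed files (central /etc file first, then the
// repository-local file) and findings. CVE ids are placeholders.
func sampleInput(now time.Time) ([][]IgnoreEntry, []Finding) {
	nextWeek := now.Add(7 * 24 * time.Hour)
	lastWeek := now.Add(-7 * 24 * time.Hour)
	central := []IgnoreEntry{{ID: "CVE-0000-0001", Reason: "central: not reachable"}}
	local := []IgnoreEntry{
		{ID: "CVE-0000-0002", Until: &nextWeek, Reason: "fix scheduled"},
		{ID: "CVE-0000-0001", Until: &lastWeek, Reason: "local override, expired"},
	}
	findings := []Finding{
		{Name: "CVE-0000-0001", Severity: "HIGH"},
		{Name: "CVE-0000-0002", Severity: "CRITICAL"},
		{Name: "CVE-0000-0003", Severity: "HIGH"},
	}
	return [][]IgnoreEntry{central, local}, findings
}

func main() {
	now := time.Now()
	files, findings := sampleInput(now)
	ignores := MergeIgnores(files, now)
	s := Summarize(findings, ignores)
	for sev, c := range s.Counts {
		fmt.Printf("%s: %d found, %d ignored\n", sev, c.Total, c.Ignored)
	}
	fmt.Println("fail on CRITICAL:", ExceedsThreshold(s, "CRITICAL", 0))
}
```

The local file carries an expired entry for the same CVE as the central file; because expiry is applied on read, the central entry survives the merge, whereas filtering after the merge would first let the local entry override it and then delete it, silently un-ignoring the finding.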
The summary counts at the top show the number of ignored findings:
Ignored findings are separated from the main list and shown at the bottom:
If a reason for ignoring a finding is provided, it's made available by expanding the Until date:
Fixes #24