From 602f968ea2f8813e80f66944316b5a9e1c6537b0 Mon Sep 17 00:00:00 2001
From: Sarah Aladetan
Date: Thu, 22 Sep 2022 21:36:26 +0000
Subject: [PATCH] create a filter for vulns that are on the allowlist

---
 __tests__/filter.test.ts | 45 +++++++++++++++++++++++++++++++++++++++-
 src/filter.ts | 29 ++++++++++++++++++++++++++
 2 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/__tests__/filter.test.ts b/__tests__/filter.test.ts
index 999f96c71..eca2d273c 100644
--- a/__tests__/filter.test.ts
+++ b/__tests__/filter.test.ts
@@ -1,6 +1,10 @@
 import {expect, test} from '@jest/globals'
 import {Change, Changes} from '../src/schemas'
-import {filterChangesBySeverity, filterChangesByScopes} from '../src/filter'
+import {
+  filterChangesBySeverity,
+  filterChangesByScopes,
+  filterOutAllowedAdvisories
+} from '../src/filter'
 
 let npmChange: Change = {
   manifest: 'package.json',
@@ -48,6 +52,19 @@ let rubyChange: Change = {
   ]
 }
 
+let noVulnNpmChange: Change = {
+  manifest: 'package.json',
+  change_type: 'added',
+  ecosystem: 'npm',
+  name: 'helpful',
+  version: '1.0.0',
+  package_url: 'pkg:npm/helpful@1.0.0',
+  license: 'MIT',
+  source_repository_url: 'github.com/some-repo',
+  scope: 'runtime',
+  vulnerabilities: []
+}
+
 test('it properly filters changes by severity', async () => {
   const changes = [npmChange, rubyChange]
   let result = filterChangesBySeverity('high', changes)
@@ -72,3 +89,29 @@ test('it properly filters changes by scope', async () => {
   result = filterChangesByScopes(['runtime', 'development'], changes)
   expect(result).toEqual([npmChange, rubyChange])
 })
+
+test('it properly filters changes with allowed vulnerabilities', async () => {
+  const changes = [npmChange, rubyChange, noVulnNpmChange]
+
+  let result = filterOutAllowedAdvisories(['notrealGHSAID'], changes)
+  expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
+
+  result = filterOutAllowedAdvisories(['first-random_string'], changes)
+  expect(result).toEqual([rubyChange, noVulnNpmChange])
+
+  result = filterOutAllowedAdvisories(
+    ['second-random_string', 'third-random_string'],
+    changes
+  )
+  expect(result).toEqual([npmChange, noVulnNpmChange])
+
+  result = filterOutAllowedAdvisories(
+    ['first-random_string', 'second-random_string', 'third-random_string'],
+    changes
+  )
+  expect(result).toEqual([noVulnNpmChange])
+
+  // if we have a change with multiple vulnerabilities but only one is allowed, we still should not filter out that change
+  result = filterOutAllowedAdvisories(['second-random_string'], changes)
+  expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
+})
diff --git a/src/filter.ts b/src/filter.ts
index 7c481c7a0..35c574b36 100644
--- a/src/filter.ts
+++ b/src/filter.ts
@@ -46,3 +46,32 @@ export function filterChangesByScopes(
   return filteredChanges
 }
 
+
+export function filterOutAllowedAdvisories(
+  ghsas: string[],
+  changes: Changes
+): Changes {
+  let filteredChanges = []
+  for (const change of changes) {
+    if (
+      change.vulnerabilities === undefined ||
+      change.vulnerabilities.length === 0
+    ) {
+      filteredChanges.push(change)
+      continue
+    }
+
+    let allVulnsAllowed = true
+    for (const vulnerability of change.vulnerabilities) {
+      if (!ghsas.includes(vulnerability.advisory_ghsa_id)) {
+        allVulnsAllowed = false
+      }
+    }
+
+    if (allVulnsAllowed === false) {
+      filteredChanges.push(change)
+    }
+  }
+
+  return filteredChanges
+}
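Review bot: The new test never exercises a change whose `vulnerabilities` field is undefined, even though `filterOutAllowedAdvisories` in src/filter.ts has a dedicated branch for that case; `noVulnNpmChange` only covers the empty-array case. If the `Change` schema permits the field to be absent, add a fixture without `vulnerabilities` and assert it is passed through unchanged; if it does not, that branch in the implementation is unreachable and can go. The allowlist values used here (`'first-random_string'` and friends) presumably match the `advisory_ghsa_id` values of `npmChange` and `rubyChange`, which are defined earlier in the file outside this hunk, so a one-line comment above the first call saying so would help the next reader.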
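Review bot: `let filteredChanges = []` leaves the accumulator's element type to inference and the allowlist rule itself is never written down; declare it `const filteredChanges: Changes = []` and add a JSDoc stating that a change is dropped only when every one of its `advisory_ghsa_id` values appears in `ghsas`, so an ID that does not match exactly (case or whitespace differences) fails closed and the change is still reported. The inner loop keeps scanning after the first non-allowlisted advisory and the result is then tested with `allVulnsAllowed === false`; a `Set` of the allowlist plus `every` states the same rule more directly, as in the rewrite below. The function name suggests advisories are removed, but a kept change still carries its allowlisted vulnerabilities — if downstream reporting is expected to hide those too, that needs a separate step, which I cannot confirm from this hunk.
```typescript
export function filterOutAllowedAdvisories(
  ghsas: string[],
  changes: Changes
): Changes {
  const allowed = new Set(ghsas)
  // A change is dropped only when every advisory on it is allowlisted; a change
  // with no vulnerabilities, or with any non-allowlisted one, is kept (fail closed).
  return changes.filter(change => {
    const vulns = change.vulnerabilities
    if (vulns === undefined || vulns.length === 0) return true
    return !vulns.every(v => allowed.has(v.advisory_ghsa_id))
  })
}
```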