fix(sca): enabling suppression in the cli-output for IR-files and doc…

…kerfiles (#6148) * init source_id and supress for dockerfiles and IR files * flake --------- Co-authored-by: ipeleg <ipeleg@paloaltonetworks.com>
bridgecrewio · Apr 8, 2024 · 2b51e01 · 2b51e01
1 parent 8a4d73c
commit 2b51e01
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 5 deletions.
diff --git a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py
@@ -14,6 +14,7 @@
 from checkov.common.models.enums import CheckResult
 from checkov.common.output.record import SCA_PACKAGE_SCAN_CHECK_NAME
 from checkov.common.util.file_utils import convert_to_unix_path
+from checkov.common.util.str_utils import removeprefix, align_path
 
 if TYPE_CHECKING:
     from checkov.common.bridgecrew.platform_integration import BcPlatformIntegration
@@ -170,12 +171,14 @@ def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> boo
                 return False
             if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in suppression['accountIds']\
                     and suppression['cves']:
-                repo_name = self.bc_integration.repo_id.replace('\\', '/').split('/')[-1]
-                suppression_path = suppression['cves'][0]['id'].replace('\\', '/')
-                file_abs_path = record.file_abs_path.replace('\\', '/')
+                repo_name = align_path(self.bc_integration.repo_id).split('/')[-1]
+                suppression_path = self._get_cve_suppression_path(suppression)
+                repo_file_path = align_path(record.repo_file_path)
+                file_abs_path = align_path(record.file_abs_path)
                 if file_abs_path == suppression_path[1:] or \
                         file_abs_path == suppression_path or \
-                        file_abs_path.endswith("".join([repo_name, suppression_path])):
+                        file_abs_path.endswith("".join([repo_name, suppression_path])) or \
+                        removeprefix(repo_file_path, '/') == removeprefix(suppression_path, '/'):
                     return any(record.vulnerability_details and record.vulnerability_details['id'] == cve['cve']
                                for cve in suppression['cves'])
             return False
@@ -186,6 +189,14 @@ def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> boo
 
         return False
 
+    def _get_cve_suppression_path(self, suppression: dict[str, Any]) -> str:
+        suppression_path: str = align_path(suppression['cves'][0]['id'])
+        # for handling cases of IR/docker (e.g: '/Dockerfile:/DockerFile.FROM)
+        suppression_path_parts = suppression_path.split(':')
+        if len(suppression_path_parts) == 2 and suppression_path_parts[1].startswith(suppression_path_parts[0]):
+            return suppression_path_parts[0]
+        return suppression_path
+
     def _suppression_valid_for_run(self, suppression: dict[str, Any]) -> bool:
         """
         Returns whether this suppression is valid. A suppression is NOT valid if:

diff --git a/checkov/common/bridgecrew/platform_integration.py b/checkov/common/bridgecrew/platform_integration.py
@@ -386,6 +386,17 @@ def setup_bridgecrew_credentials(
 
         self.platform_integration_configured = True
 
+    def _get_source_id_from_repo_path(self, repo_path: str) -> str | None:
+        repo_path_parts = repo_path.split("/")
+        if not repo_path_parts and repo_path_parts[0] != 'checkov':
+            logging.error(f'failed to get source_id from repo_path. repo_path format is unknown: ${repo_path}')
+            return None
+        try:
+            return '/'.join(repo_path_parts[2:4])
+        except IndexError:
+            logging.error(f'failed to get source_id from repo_path. repo_path format is unknown: ${repo_path}')
+            return None
+
     def set_s3_integration(self) -> None:
         try:
             self.skip_fixes = True  # no need to run fixes on CI integration
@@ -394,7 +405,7 @@ def set_s3_integration(self) -> None:
                 return
 
             self.bucket, self.repo_path = repo_full_path.split("/", 1)
-
+            self.source_id = self._get_source_id_from_repo_path(self.repo_path)
             self.timestamp = self.repo_path.split("/")[-2]
             self.credentials = cast("dict[str, str]", response["creds"])
 

diff --git a/checkov/common/util/str_utils.py b/checkov/common/util/str_utils.py
@@ -11,6 +11,12 @@ def removeprefix(input_str: str, prefix: str) -> str:
     return input_str
 
 
+# in case of comparing paths from the BE and from the client, we have to make sure the structures are the same
+# e.g: in windows the seperator for the path is '\' while in linux/max it is '/'
+def align_path(path: str) -> str:
+    return path.replace('\\', '/')
+
+
 def convert_to_seconds(input_str: str) -> int:
     if re.search(seconds_per_unit_regex, input_str) is None:
         raise Exception(f"format error for input str, usage: {seconds_per_unit_regex}")