
Support disabling deletion of certain CVEs #100

Merged (2 commits), Feb 23, 2022

Conversation

glynternet (Contributor)

The --disable-cve-2021-45105-detection and --disable-cve-2021-44832-detection flags have been added to the delete command to allow for deleting only findings that map to certain CVEs. The solution has been done in this manner so that the flags remain the same across the crawl and delete subcommands, although it would probably be cleaner to implement a flag of the form --include-cve or --ignore-cve which could be an additive or subtractive CVE list. This change would not be hard to do and I'm happy to do that if we are willing to either make a break or maintain some deprecated flag values.

Changes include:

  • Extracted out common CVE flags for use in crawl and delete and a CVEResolver type that can be configured to ignore CVE-2021-45105 and CVE-2021-44832.
  • Adds a VersionMatch to the Deleter which will block deletion of a finding unless the VersionMatch function resolves to true.
    • For the delete command, the VersionMatch function will cause findings to be deleted when the valid finding versions have CVEs present, with the option to ignore the two CVEs mentioned above. If a finding has one of the CVEs configured to ignore and other CVEs are still contained within the finding, then the finding can still be deleted.
  • Much of the CVE and Log4jVersion code has been put into separate files to make the project tidier.
  • Some of the codepaths have had string versions replaced with parsing to Log4JVersion to make the codepaths more understandable when it comes to handling of unknown or invalid versions.
    • Specifically on the point above, with the Reporter.Report method, the original behaviour has been maintained, where strings containing "unknown version - unknown CVE status" and "invalid version - unknown CVE status" can still be populated in the cvesFound slice. I kept this here to maintain backwards compatibility but I am not opposed to making some simple changes here as I find this behaviour a little confusing tbh.
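The VersionMatch rule described above, as an added Go example that is not the project's own code: a hypothetical, simplified Log4jVersion parser, a constructed CVE-to-last-affected-version table, and a CVEResolver whose Ignored set plays the role of the --disable-cve-*-detection flags. Unknown or invalid versions are assumed to never match, so they are never deleted.

```go
package main

import "fmt"

// Log4jVersion is a hypothetical, simplified major.minor.patch version (the real
// project's parser handles richer strings; this is an added illustration).
type Log4jVersion struct{ Major, Minor, Patch int }

func (v Log4jVersion) String() string { return fmt.Sprintf("%d.%d.%d", v.Major, v.Minor, v.Patch) }

// key gives an order-preserving integer for range comparisons.
func (v Log4jVersion) key() int { return v.Major*1_000_000 + v.Minor*1_000 + v.Patch }

// ParseLog4jVersion returns ok=false for unknown or malformed strings so that
// callers can fail closed instead of treating them as a CVE-free release.
func ParseLog4jVersion(s string) (v Log4jVersion, ok bool) {
	n, err := fmt.Sscanf(s, "%d.%d.%d", &v.Major, &v.Minor, &v.Patch)
	return v, err == nil && n == 3 && v.String() == s
}

// cveCeilings is a constructed, simplified table: each CVE is taken to affect
// 2.x releases up to the listed version (backported fix releases not modelled).
var cveCeilings = []struct{ ID string; Last Log4jVersion }{
	{"CVE-2021-44228", Log4jVersion{2, 14, 1}},
	{"CVE-2021-45046", Log4jVersion{2, 15, 0}},
	{"CVE-2021-45105", Log4jVersion{2, 16, 0}},
	{"CVE-2021-44832", Log4jVersion{2, 17, 0}},
}

// CVEResolver lists the CVEs a version is affected by, minus those the operator
// chose to ignore (the --disable-cve-*-detection flags would populate Ignored).
type CVEResolver struct{ Ignored map[string]bool }

func (r CVEResolver) Resolve(v Log4jVersion) (cves []string) {
	for _, c := range cveCeilings {
		if v.Major == 2 && v.key() <= c.Last.key() && !r.Ignored[c.ID] {
			cves = append(cves, c.ID)
		}
	}
	return cves
}

// VersionMatch is the predicate a Deleter would consult: a finding may be deleted
// only if at least one of its versions still resolves to a CVE after ignores.
// Unknown or invalid version strings never match (assumption: fail closed).
func (r CVEResolver) VersionMatch(versions []string) bool {
	for _, s := range versions {
		if v, ok := ParseLog4jVersion(s); ok && len(r.Resolve(v)) > 0 {
			return true
		}
	}
	return false
}
```

With both flags set, a 2.16.0 finding resolves to no remaining CVE and is kept, while a 2.15.0 finding is still deleted because CVE-2021-45046 remains.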

changelog-app bot commented Feb 6, 2022

Generate changelog in changelog/@unreleased

Type

  • Feature
  • Improvement
  • Fix
  • Break
  • Deprecation
  • Manual task
  • Migration

Description

Support disabling deletion of certain CVEs

--disable-cve-2021-45105-detection and --disable-cve-2021-44832-detection flags have been added to the delete command to allow for deleting only findings that map to certain CVEs. Some vulnerable files will contain multiple CVEs and so it is advised that the desired combination of --disable-cve-* flags be found by running with --dry-run=true (which is the default value) first.

Check the box to generate changelog(s)

  • Generate changelog entry

@bulldozer-bot bulldozer-bot bot merged commit 24f2aa0 into develop Feb 23, 2022
@bulldozer-bot bulldozer-bot bot deleted the gh/filter-cves branch February 23, 2022 10:58