adding support for custom severities

thoughtworks · Nov 15, 2020 · 675efe3 · 675efe3
1 parent 672c51c
commit 675efe3
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -396,6 +396,20 @@ This will report all Medium severity issues and higher (Potential risks that are
 2. By default, the threshold is set to low.
 3. Any custom search patterns you add, are considered to be of high severity.
 
+## Configuring custom severities
+
+You can customize the [security levels](detector/severity/severity_config.go) of the detectors provided by Talisman in the .talismanrc file:
+
+```yaml
+custom_severities:
+- detector: Base64Content
+  severity: medium
+- detector: HexContent
+  severity: low
+```
+
+By using custom severities and a severity threshold, Talisman can be configured to alert only on what is important based on your context. This can be useful to reduce the number of false positives.
+
 ## Talisman as a CLI utility
 
 If you execute `talisman` on the command line, you will be able to view all the parameter options you can pass

diff --git a/runner.go b/runner.go
@@ -7,6 +7,7 @@ import (
 	"talisman/checksumcalculator"
 	"talisman/detector"
 	"talisman/detector/helpers"
+	"talisman/detector/severity"
 	"talisman/gitrepo"
 	"talisman/prompt"
 	"talisman/report"
@@ -52,8 +53,9 @@ func (r *Runner) Scan(reportDirectory string, ignoreHistory bool) int {
 	fmt.Printf("\n\n")
 	utility.CreateArt("Running Scan..")
 	additions := scanner.GetAdditions(ignoreHistory)
-	ignores := &talismanrc.TalismanRC{}
-	detector.DefaultChain(ignores).Test(additions, ignores, r.results)
+	rcConfig := talismanrc.Get()
+	setCustomSeverities(rcConfig)
+	detector.DefaultChain(rcConfig).Test(additions, rcConfig, r.results)
 	reportsPath, err := report.GenerateReport(r.results, reportDirectory)
 	if err != nil {
 		log.Printf("error while generating report: %v", err)
@@ -82,10 +84,19 @@ func (r *Runner) RunChecksumCalculator(fileNamePatterns []string) int {
 }
 
 func (r *Runner) doRun() {
-	rcConfigIgnores := talismanrc.Get()
+	rcConfig := talismanrc.Get()
+	setCustomSeverities(rcConfig)
 	scopeMap := getScopeConfig()
-	additionsToScan := rcConfigIgnores.IgnoreAdditionsByScope(r.additions, scopeMap)
-	detector.DefaultChain(rcConfigIgnores).Test(additionsToScan, rcConfigIgnores, r.results)
+	additionsToScan := rcConfig.IgnoreAdditionsByScope(r.additions, scopeMap)
+	detector.DefaultChain(rcConfig).Test(additionsToScan, rcConfig, r.results)
+}
+
+func setCustomSeverities(tRC *talismanrc.TalismanRC) {
+	for _, cs := range tRC.CustomSeverities {
+		severity.SeverityConfiguration[cs.Detector] = severity.Severity{
+															Value: severity.SeverityStringToValue(cs.Severity),
+														}
+	}
 }
 
 func getScopeConfig() map[string][]string {

diff --git a/talismanrc/talismanrc.go b/talismanrc/talismanrc.go
@@ -26,6 +26,11 @@ var (
 	currentRCFileName  = DefaultRCFileName
 )
 
+type CustomSeverityConfig struct {
+	Detector        string `yaml:"detector"`
+	Severity        string `yaml:"severity"`
+}
+
 type FileIgnoreConfig struct {
 	FileName        string   `yaml:"filename"`
 	Checksum        string   `yaml:"checksum,omitempty"`
@@ -47,18 +52,20 @@ type TalismanRC struct {
 	FileIgnoreConfig []FileIgnoreConfig     `yaml:"fileignoreconfig,omitempty"`
 	ScopeConfig      []ScopeConfig          `yaml:"scopeconfig,omitempty"`
 	CustomPatterns   []PatternString        `yaml:"custom_patterns,omitempty"`
+	CustomSeverities []CustomSeverityConfig `yaml:"custom_severities,omitempty"`
 	AllowedPatterns  []string               `yaml:"allowed_patterns,omitempty"`
 	Experimental     ExperimentalConfig     `yaml:"experimental,omitempty"`
 	Threshold        severity.SeverityValue `default:"1" yaml:"threshold,omitempty"`
 }
 
 type TalismanRCFile struct {
-	FileIgnoreConfig []FileIgnoreConfig `yaml:"fileignoreconfig,omitempty"`
-	ScopeConfig      []ScopeConfig      `yaml:"scopeconfig,omitempty"`
-	CustomPatterns   []PatternString    `yaml:"custom_patterns,omitempty"`
-	AllowedPatterns  []string           `yaml:"allowed_patterns,omitempty"`
-	Experimental     ExperimentalConfig `yaml:"experimental,omitempty"`
-	Threshold        string             `default:"low" yaml:"threshold,omitempty"`
+	FileIgnoreConfig []FileIgnoreConfig     `yaml:"fileignoreconfig,omitempty"`
+	ScopeConfig      []ScopeConfig          `yaml:"scopeconfig,omitempty"`
+	CustomPatterns   []PatternString        `yaml:"custom_patterns,omitempty"`
+	CustomSeverities []CustomSeverityConfig `yaml:"custom_severities,omitempty"`
+	AllowedPatterns  []string               `yaml:"allowed_patterns,omitempty"`
+	Experimental     ExperimentalConfig     `yaml:"experimental,omitempty"`
+	Threshold        string                 `default:"low" yaml:"threshold,omitempty"`
 }
 
 func SetFs(_fs afero.Fs) {
@@ -103,6 +110,7 @@ func NewTalismanRC(fileContents []byte) *TalismanRC {
 		FileIgnoreConfig: talismanRCFile.FileIgnoreConfig,
 		ScopeConfig:      talismanRCFile.ScopeConfig,
 		CustomPatterns:   talismanRCFile.CustomPatterns,
+		CustomSeverities: talismanRCFile.CustomSeverities,
 		AllowedPatterns:  talismanRCFile.AllowedPatterns,
 		Experimental:     talismanRCFile.Experimental,
 		Threshold:        severity.SeverityStringToValue(talismanRCFile.Threshold),