From fec772ab97ea3baed62e3edf64ecb3e8cbdc2fc7 Mon Sep 17 00:00:00 2001
From: Rotem Avni
Date: Mon, 13 Jan 2025 18:03:03 +0200
Subject: [PATCH] support suppressions with the root file in repo
---
 .../features/suppressions_integration.py | 35 +++++++++++--------
 .../test_suppressions_integration.py | 8 +++++
 2 files changed, 28 insertions(+), 15 deletions(-)
diff --git a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py
index a74c6198179..796a115c32d 100644
--- a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py
+++ b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py
@@ -169,6 +169,25 @@ def _check_suppressions(self, record: Record, suppressions: Optional[list[dict[s return suppression return None + def _check_cve_suppression(self, record: Record, suppression: dict[str, Any]) -> bool: + if 'accountIds' not in suppression: + return False + if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in \ + suppression['accountIds'] \ + and suppression['cves']: + repo_name = align_path(self.bc_integration.repo_id).split('/')[-1] + suppression_path = self._get_cve_suppression_path(suppression) + repo_file_path = align_path(record.repo_file_path) + file_abs_path = align_path(record.file_abs_path) + if file_abs_path == suppression_path[1:] or \ + file_abs_path == suppression_path or \ + file_abs_path.endswith("".join([repo_name, suppression_path])) or \ + removeprefix(repo_file_path, '/') == removeprefix(suppression_path, '/') \ + or record.file_path == suppression_path: + return any(record.vulnerability_details and record.vulnerability_details['id'] == cve['cve'] + for cve in suppression['cves']) + return False + def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> bool: """ Returns True if and only if the specified suppression applies to the specified record. 
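Review bot: The new `or record.file_path == suppression_path` branch is the only one of the five comparisons that does not pass its record attribute through `align_path`, so if `align_path` normalizes path separators (its use on the other three paths suggests so, but its body is not in this hunk) a record whose file_path carries a different separator style misses the suppression while the same file would match via file_abs_path; `or (record.file_path and align_path(record.file_path) == suppression_path):` also keeps the None case (the tests build records with `file_path=None`) out of the helper. The method has no docstring; it should state that a CVE suppression applies only when `self.bc_integration.source_id` is in `accountIds` and one of the path forms (absolute, repo-relative, repo-name-suffixed, or the new root-relative `file_path`) equals the suppression path, and that `suppression['cves']` is read without a key check once `accountIds` is present. Placing the last `or` at the start of a continued line (`\` then `or record.file_path ==`) is inconsistent with the `or \` form on the preceding lines; wrapping the whole condition in parentheses would remove the backslashes. `_check_suppression`, whose header appears at the end of this hunk, continues outside it.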
@@ -217,21 +236,7 @@ def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> boo
                 return False
         elif type == 'Cves':
-            if 'accountIds' not in suppression:
-                return False
-            if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in suppression['accountIds']\
-                    and suppression['cves']:
-                repo_name = align_path(self.bc_integration.repo_id).split('/')[-1]
-                suppression_path = self._get_cve_suppression_path(suppression)
-                repo_file_path = align_path(record.repo_file_path)
-                file_abs_path = align_path(record.file_abs_path)
-                if file_abs_path == suppression_path[1:] or \
-                        file_abs_path == suppression_path or \
-                        file_abs_path.endswith("".join([repo_name, suppression_path])) or \
-                        removeprefix(repo_file_path, '/') == removeprefix(suppression_path, '/'):
-                    return any(record.vulnerability_details and record.vulnerability_details['id'] == cve['cve']
-                               for cve in suppression['cves'])
-            return False
+            return self._check_cve_suppression(record, suppression)
         elif type == 'LicenseType':
             return any(record.vulnerability_details and record.vulnerability_details['license'] == license_type
diff --git a/tests/common/integration_features/test_suppressions_integration.py b/tests/common/integration_features/test_suppressions_integration.py
index 056480dbfd3..3ce97427f5d 100644
--- a/tests/common/integration_features/test_suppressions_integration.py
+++ b/tests/common/integration_features/test_suppressions_integration.py
@@ -515,11 +515,19 @@ def test_supress_by_cve_for_package_scan(self):
                          resource=None, evaluations=None,
                          check_class=None, file_abs_path='notrequirements.txt', entity_tags=None,
                          vulnerability_details={'id': 'CVE-2022-45452'})
+        record5 = Record(check_id='BC_VUL_2', check_name=None, check_result=None,
+                         code_block=None, file_path=None,
+                         file_line_range=None,
+                         resource=None, evaluations=None,
+                         check_class=None, file_abs_path='home/requirements.txt', entity_tags=None,
+                         vulnerability_details={'id': 'CVE-2021-23727'})
+        record5.file_path = '/requirements.txt'
         self.assertTrue(suppressions_integration._check_suppression(record1, suppression))
         self.assertTrue(suppressions_integration._check_suppression(record2, suppression))
         self.assertFalse(suppressions_integration._check_suppression(record3, suppression))
         self.assertFalse(suppressions_integration._check_suppression(record4, suppression))
+        self.assertTrue(suppressions_integration._check_suppression(record5, suppression))
     def test_suppress_by_cve_with_empty_cves(self):
         instance = BcPlatformIntegration()
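Review bot: record5 is built with `file_path=None` and then reassigned on the very next line with no comment, and the hunk adds only a positive case for the new `record.file_path` comparison. If the Record constructor derives file_path from file_abs_path (the class is not visible here), a line such as `# set after construction so the root-file comparison on record.file_path is exercised` would explain the two-step setup. A negative case, e.g. a record with `file_path='/sub/requirements.txt'` and `file_abs_path='home/sub/requirements.txt'` asserted False, would show that the new branch does not also suppress nested copies of the file, assuming the `suppression` fixture defined earlier in this test targets `/requirements.txt`. The enclosing test method starts before this hunk.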