feat(misconf): Add support for skip-dirs and skip-files in post s…

…cans
aquasecurity · Sep 13, 2024 · 6eb4b76 · 6eb4b76
1 parent 5375cd2
commit 6eb4b76
Show file tree

Hide file tree

Showing 3 changed files with 184 additions and 2 deletions.
diff --git a/pkg/flag/options.go b/pkg/flag/options.go
@@ -470,6 +470,8 @@ func (o *Options) FilterOpts() result.FilterOptions {
 		IgnoreLicenses:     o.IgnoredLicenses,
 		CacheDir:           o.CacheDir,
 		VEXSources:         o.VEXSources,
+		SkipDirs:           o.SkipDirs,
+		SkipFiles:          o.SkipFiles,
 	}
 }
 

diff --git a/pkg/result/filter.go b/pkg/result/filter.go
@@ -7,7 +7,10 @@ import (
 	"path/filepath"
 	"slices"
 	"sort"
+	"strings"
 
+	"github.com/aquasecurity/trivy/pkg/fanal/walker"
+	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/open-policy-agent/opa/rego"
 	"github.com/samber/lo"
 	"golang.org/x/xerrors"
@@ -31,6 +34,8 @@ type FilterOptions struct {
 	IgnoreLicenses     []string
 	CacheDir           string
 	VEXSources         []vex.Source
+	SkipDirs           []string
+	SkipFiles          []string
 }
 
 // Filter filters out the report
@@ -65,7 +70,7 @@ func FilterResult(ctx context.Context, result *types.Result, ignoreConf IgnoreCo
 	})
 
 	filterVulnerabilities(result, severities, opt.IgnoreStatuses, ignoreConf)
-	filterMisconfigurations(result, severities, opt.IncludeNonFailures, ignoreConf)
+	filterMisconfigurations(result, severities, opt.IncludeNonFailures, opt.SkipFiles, opt.SkipDirs, ignoreConf)
 	filterSecrets(result, severities, ignoreConf)
 	filterLicenses(result, severities, opt.IgnoreLicenses, ignoreConf)
 
@@ -117,12 +122,60 @@ func filterVulnerabilities(result *types.Result, severities []string, ignoreStat
 	}
 }
 
-func filterMisconfigurations(result *types.Result, severities []string, includeNonFailures bool,
+func checkGlobMatch(misconf types.DetectedMisconfiguration, result *types.Result, filename string, skips []string) bool {
+	if walker.SkipPath(filepath.ToSlash(filepath.Clean(filename)), walker.CleanSkipPaths(skips)) {
+		log.Debug("skipping path based on glob match", log.String("file", filename))
+		result.MisconfSummary.Exceptions++
+		result.ModifiedFindings = append(result.ModifiedFindings,
+			types.NewModifiedFinding(misconf, types.FindingStatusIgnored, fmt.Sprintf("skipped due to glob match: %s", skips), "trivy cli args"))
+		return true
+	}
+	return false
+}
+
+func checkSubstrMatch(misconf types.DetectedMisconfiguration, result *types.Result, filename string, skips []string) bool {
+	for _, skipDir := range skips {
+		if strings.Contains(filepath.ToSlash(filepath.Clean(filename)), skipDir) {
+			log.Debug("skipping path based on substring match", log.String("file", filename))
+			result.MisconfSummary.Exceptions++
+			result.ModifiedFindings = append(result.ModifiedFindings,
+				types.NewModifiedFinding(misconf, types.FindingStatusIgnored, fmt.Sprintf("skipped due to substring match: %s", skips), "trivy cli args"))
+			return true
+		}
+	}
+	return false
+}
+
+func checkPathMatch(misconf types.DetectedMisconfiguration, result *types.Result, skips []string) bool {
+	for _, o := range misconf.CauseMetadata.Occurrences {
+		if checkGlobMatch(misconf, result, o.Filename, skips) {
+			return true
+		}
+
+		if checkSubstrMatch(misconf, result, o.Filename, skips) {
+			return true
+		}
+	}
+	return false
+}
+
+func filterMisconfigurations(result *types.Result, severities []string, includeNonFailures bool, skipFiles, skipDirs []string,
 	ignoreConfig IgnoreConfig) {
 	var filtered []types.DetectedMisconfiguration
 	result.MisconfSummary = new(types.MisconfSummary)
 
 	for _, misconf := range result.Misconfigurations {
+
+		// Filter by skip dirs
+		if checkPathMatch(misconf, result, skipDirs) {
+			continue
+		}
+
+		// Filter by skip files
+		if checkPathMatch(misconf, result, skipFiles) {
+			continue
+		}
+
 		// Filter by severity
 		if !slices.Contains(severities, misconf.Severity) {
 			continue
@@ -142,6 +195,7 @@ func filterMisconfigurations(result *types.Result, severities []string, includeN
 		if misconf.Status != types.MisconfStatusFailure && !includeNonFailures {
 			continue
 		}
+
 		filtered = append(filtered, misconf)
 	}
 

diff --git a/pkg/result/filter_test.go b/pkg/result/filter_test.go
@@ -129,6 +129,23 @@ func TestFilter(t *testing.T) {
 			Message:  "something bad",
 			Severity: dbTypes.SeverityHigh.String(),
 			Status:   types.MisconfStatusFailure,
+			CauseMetadata: ftypes.CauseMetadata{
+				Resource:  "foo-resource-1",
+				Provider:  "bar-provider-1",
+				Service:   "baz-service-1",
+				StartLine: 123,
+				EndLine:   456,
+				Occurrences: []ftypes.Occurrence{
+					{
+						Resource: "foo-resource-occurance-1",
+						Filename: "bar-filename-occurance-1",
+						Location: ftypes.Location{
+							StartLine: 666,
+							EndLine:   888,
+						},
+					},
+				},
+			},
 		}
 		misconf2 = types.DetectedMisconfiguration{
 			Type:     "Kubernetes Security Check",
@@ -147,6 +164,23 @@ func TestFilter(t *testing.T) {
 			Message:  "something bad",
 			Severity: dbTypes.SeverityLow.String(),
 			Status:   types.MisconfStatusFailure,
+			CauseMetadata: ftypes.CauseMetadata{
+				Resource:  "foo-resource-3",
+				Provider:  "bar-provider-3",
+				Service:   "baz-service-3",
+				StartLine: 123,
+				EndLine:   456,
+				Occurrences: []ftypes.Occurrence{
+					{
+						Resource: "foo-resource-occurance-3",
+						Filename: "../modules/bar-filename-occurance-3",
+						Location: ftypes.Location{
+							StartLine: 666,
+							EndLine:   888,
+						},
+					},
+				},
+			},
 		}
 		secret1 = types.DetectedSecret{
 			RuleID:    "generic-wanted-rule",
@@ -194,6 +228,8 @@ func TestFilter(t *testing.T) {
 		ignoreFile     string
 		policyFile     string
 		vexPath        string
+		skipFiles      []string
+		skipDirs       []string
 	}
 	tests := []struct {
 		name string
@@ -1002,6 +1038,94 @@ func TestFilter(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "skip dirs arg for misconfigurations",
+			args: args{
+				report: types.Report{
+					Results: types.Results{
+						{
+							Misconfigurations: []types.DetectedMisconfiguration{
+								misconf1,
+								misconf2,
+								misconf3, //ignored by skip dirs arg
+							},
+						},
+					},
+				},
+				severities: []dbTypes.Severity{
+					dbTypes.SeverityLow,
+					dbTypes.SeverityHigh,
+				},
+				skipDirs: []string{"../modules"},
+			},
+			want: types.Report{
+				Results: types.Results{
+					{
+						MisconfSummary: &types.MisconfSummary{
+							Successes:  1,
+							Failures:   1,
+							Exceptions: 1,
+						},
+						Misconfigurations: []types.DetectedMisconfiguration{
+							misconf1,
+						},
+						ModifiedFindings: []types.ModifiedFinding{
+							{
+								Type:      types.FindingTypeMisconfiguration,
+								Status:    types.FindingStatusIgnored,
+								Statement: "skipped due to substring match: [../modules]",
+								Source:    "trivy cli args",
+								Finding:   misconf3,
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "skip files arg for misconfigurations",
+			args: args{
+				report: types.Report{
+					Results: types.Results{
+						{
+							Misconfigurations: []types.DetectedMisconfiguration{
+								misconf1,
+								misconf2,
+								misconf3, //ignored by skip files arg
+							},
+						},
+					},
+				},
+				severities: []dbTypes.Severity{
+					dbTypes.SeverityLow,
+					dbTypes.SeverityHigh,
+				},
+				skipFiles: []string{"../**/bar-filename-occurance-3"},
+			},
+			want: types.Report{
+				Results: types.Results{
+					{
+						MisconfSummary: &types.MisconfSummary{
+							Successes:  1,
+							Failures:   1,
+							Exceptions: 1,
+						},
+						Misconfigurations: []types.DetectedMisconfiguration{
+							misconf1,
+						},
+						ModifiedFindings: []types.ModifiedFinding{
+							{
+								Type:      types.FindingTypeMisconfiguration,
+								Status:    types.FindingStatusIgnored,
+								Statement: "skipped due to glob match: [../**/bar-filename-occurance-3]",
+								Source:    "trivy cli args",
+								Finding:   misconf3,
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -1022,6 +1146,8 @@ func TestFilter(t *testing.T) {
 				IgnoreStatuses: tt.args.ignoreStatuses,
 				IgnoreFile:     tt.args.ignoreFile,
 				PolicyFile:     tt.args.policyFile,
+				SkipDirs:       tt.args.skipDirs,
+				SkipFiles:      tt.args.skipFiles,
 			})
 			require.NoError(t, err)
 			assert.Equal(t, tt.want, tt.args.report)