Skip to content

Commit

Permalink
create a filter for vulns that are on the allowlist
Browse files Browse the repository at this point in the history
  • Loading branch information
sarahkemi committed Sep 22, 2022
1 parent bd61ea0 commit 602f968
Show file tree
Hide file tree
Showing 2 changed files with 73 additions and 1 deletion.
45 changes: 44 additions & 1 deletion __tests__/filter.test.ts
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
import {expect, test} from '@jest/globals'
import {Change, Changes} from '../src/schemas'
import {filterChangesBySeverity, filterChangesByScopes} from '../src/filter'
import {
filterChangesBySeverity,
filterChangesByScopes,
filterOutAllowedAdvisories
} from '../src/filter'

let npmChange: Change = {
manifest: 'package.json',
Expand Down Expand Up @@ -48,6 +52,19 @@ let rubyChange: Change = {
]
}

let noVulnNpmChange: Change = {
manifest: 'package.json',
change_type: 'added',
ecosystem: 'npm',
name: 'helpful',
version: '1.0.0',
package_url: 'pkg:npm/helpful@1.0.0',
license: 'MIT',
source_repository_url: 'github.com/some-repo',
scope: 'runtime',
vulnerabilities: []
}

test('it properly filters changes by severity', async () => {
const changes = [npmChange, rubyChange]
let result = filterChangesBySeverity('high', changes)
Expand All @@ -72,3 +89,29 @@ test('it properly filters changes by scope', async () => {
result = filterChangesByScopes(['runtime', 'development'], changes)
expect(result).toEqual([npmChange, rubyChange])
})

test('it properly filters changes with allowed vulnerabilities', async () => {
const changes = [npmChange, rubyChange, noVulnNpmChange]

let result = filterOutAllowedAdvisories(['notrealGHSAID'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])

result = filterOutAllowedAdvisories(['first-random_string'], changes)
expect(result).toEqual([rubyChange, noVulnNpmChange])

result = filterOutAllowedAdvisories(
['second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([npmChange, noVulnNpmChange])

result = filterOutAllowedAdvisories(
['first-random_string', 'second-random_string', 'third-random_string'],
changes
)
expect(result).toEqual([noVulnNpmChange])

// if we have a change with multiple vulnerabilities but only one is allowed, we still should not filter out that change
result = filterOutAllowedAdvisories(['second-random_string'], changes)
expect(result).toEqual([npmChange, rubyChange, noVulnNpmChange])
})
29 changes: 29 additions & 0 deletions src/filter.ts
Original file line number Diff line number Diff line change
Expand Up @@ -46,3 +46,32 @@ export function filterChangesByScopes(

return filteredChanges
}

export function filterOutAllowedAdvisories(
ghsas: string[],
changes: Changes
): Changes {
let filteredChanges = []
for (const change of changes) {
if (
change.vulnerabilities === undefined ||
change.vulnerabilities.length === 0
) {
filteredChanges.push(change)
continue
}

let allVulnsAllowed = true
for (const vulnerability of change.vulnerabilities) {
if (!ghsas.includes(vulnerability.advisory_ghsa_id)) {
allVulnsAllowed = false
}
}

if (allVulnsAllowed === false) {
filteredChanges.push(change)
}
}

return filteredChanges
}

0 comments on commit 602f968

Please sign in to comment.