ignore options checked before scan, fail on invalid ignore states, ignore states comma-separated

Signed-off-by: James Hebden <jhebden@gitlab.com>
jhebden-gl committed Oct 11, 2023
1 parent fca4778 commit d20c4dc
Showing 4 changed files with 65 additions and 20 deletions.
34 changes: 17 additions & 17 deletions cmd/grype/cli/commands/root.go
Expand Up @@ -115,6 +115,23 @@ func runGrype(app clio.Application, opts *options.Grype, userInput string) (errs
var s *sbom.SBOM
var pkgContext pkg.Context

if opts.OnlyFixed {
opts.Ignore = append(opts.Ignore, ignoreNonFixedMatches...)
}

if opts.OnlyNotFixed {
opts.Ignore = append(opts.Ignore, ignoreFixedMatches...)
}

for _, ignoreState := range stringutil.SplitCommaSeparatedString(opts.IgnoreStates) {
switch grypeDb.FixState(ignoreState) {
case grypeDb.UnknownFixState, grypeDb.FixedState, grypeDb.NotFixedState, grypeDb.WontFixState:
opts.Ignore = append(opts.Ignore, match.IgnoreRule{FixState: ignoreState})
default:
return fmt.Errorf("unknown fix state %s was supplied for --ignore-states", ignoreState)
}
}

err = parallel(
func() error {
checkForAppUpdate(app.ID(), opts)
Expand Down Expand Up @@ -147,23 +164,6 @@ func runGrype(app clio.Application, opts *options.Grype, userInput string) (errs
defer dbCloser.Close()
}

if opts.OnlyFixed {
opts.Ignore = append(opts.Ignore, ignoreNonFixedMatches...)
}

if opts.OnlyNotFixed {
opts.Ignore = append(opts.Ignore, ignoreFixedMatches...)
}

for _, ignoreState := range opts.IgnoreStates {
switch grypeDb.FixState(ignoreState) {
case grypeDb.UnknownFixState, grypeDb.FixedState, grypeDb.NotFixedState, grypeDb.WontFixState:
opts.Ignore = append(opts.Ignore, match.IgnoreRule{FixState: ignoreState})
default:
log.Warnf("ignoring unknown fix state %s for --ignore-states", ignoreState)
}
}

if err = applyVexRules(opts); err != nil {
return fmt.Errorf("applying vex rules: %w", err)
}
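Review bot: The `default:` arm added in the first hunk formats the rejected value with `%s`, so an entry that fails only because of surrounding whitespace (`fixed, wontfix` splits to ` wontfix`, since the new helper does not trim) produces a message in which the cause is invisible; `%q` would expose it: `return fmt.Errorf("unknown fix state %q was supplied for --ignore-states", ignoreState)`. Because this option decides which vulnerability matches are suppressed, a rejection that explains itself is worth the one-character change. The comparison via `grypeDb.FixState(ignoreState)` also appears to be case-sensitive, so `Fixed` would presumably be rejected as well — either normalise the input before the switch or say so in the flag help. runGrype begins before this hunk and continues after it; the second hunk only removes the old block and needs no change.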
6 changes: 3 additions & 3 deletions cmd/grype/cli/options/grype.go
Expand Up @@ -19,7 +19,7 @@ type Grype struct {
CheckForAppUpdate bool `yaml:"check-for-app-update" json:"check-for-app-update" mapstructure:"check-for-app-update"` // whether to check for an application update on start up or not
OnlyFixed bool `yaml:"only-fixed" json:"only-fixed" mapstructure:"only-fixed"` // only fail if detected vulns have a fix
OnlyNotFixed bool `yaml:"only-notfixed" json:"only-notfixed" mapstructure:"only-notfixed"` // only fail if detected vulns don't have a fix
IgnoreStates []string `yaml:"ignore-states" json:"ignore-wontfix" mapstructure:"ignore-wontfix"` // ignore detections for vulnerabilities matching these fix states
IgnoreStates string `yaml:"ignore-states" json:"ignore-wontfix" mapstructure:"ignore-wontfix"` // ignore detections for vulnerabilities matching these comma-separated fix states
Platform string `yaml:"platform" json:"platform" mapstructure:"platform"` // --platform, override the target platform for a container image
Search search `yaml:"search" json:"search" mapstructure:"search"`
Ignore []match.IgnoreRule `yaml:"ignore" json:"ignore" mapstructure:"ignore"`
Expand Down Expand Up @@ -104,9 +104,9 @@ func (o *Grype) AddFlags(flags clio.FlagSet) {
"ignore matches for vulnerabilities that are fixed",
)

flags.StringArrayVarP(&o.IgnoreStates,
flags.StringVarP(&o.IgnoreStates,
"ignore-states", "",
fmt.Sprintf("ignore matches for vulnerabilities with specified fix states, options=%v", vulnerability.AllFixStates()),
fmt.Sprintf("ignore matches for vulnerabilities with specified comma separated fix states, options=%v", vulnerability.AllFixStates()),
)

flags.BoolVarP(&o.ByCVE,
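Review bot: The rewritten `IgnoreStates` line keeps `json:"ignore-wontfix" mapstructure:"ignore-wontfix"` beside `yaml:"ignore-states"` and the `ignore-states` flag, so the key a config file must use for this option does not match the name the flag help documents; this predates the commit, but since the line is being changed anyway it is the moment to align them (`json:"ignore-states" mapstructure:"ignore-states"`, with whatever compatibility handling the project applies to renamed config keys). Changing the field from `[]string` to `string` will presumably also make a config that currently holds a YAML list under this key fail to decode rather than be silently ignored — if that is the intended outcome it should be stated in the commit message. Both the `Grype` struct and `AddFlags` extend beyond their hunks.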
11 changes: 11 additions & 0 deletions internal/stringutil/string_helpers.go
Expand Up @@ -23,3 +23,14 @@ func HasAnyOfPrefixes(input string, prefixes ...string) bool {

return false
}

// SplitCommaSeparatedString returns a slice of strings separated from the input string by commas
func SplitCommaSeparatedString(input string) []string {
output := make([]string, 0)
for _, inputItem := range strings.Split(input, ",") {
if len(inputItem) > 0 {
output = append(output, inputItem)
}
}
return output
}
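Review bot: `SplitCommaSeparatedString` discards empty items but does not trim whitespace, so `a, b` yields `" b"`, which the caller in root.go then rejects as an unknown fix state; trimming before the emptiness test accepts the common `a, b` spelling and also drops items that are only spaces: `trimmed := strings.TrimSpace(inputItem)` / `if trimmed != "" { output = append(output, trimmed) }`. The doc comment should state the two properties a caller relies on — empty items are dropped, and an empty input returns an empty, non-nil slice — because the `make([]string, 0)` is what guarantees the second and looks like a candidate for a `var output []string` cleanup otherwise.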
34 changes: 34 additions & 0 deletions internal/stringutil/string_helpers_test.go
Expand Up @@ -120,3 +120,37 @@ func TestHasAnyOfPrefixes(t *testing.T) {
})
}
}

func TestSplitCommaSeparatedString(t *testing.T) {
tests := []struct {
input string
expected []string
}{
{
input: "testing",
expected: []string{"testing"},
},
{
input: "",
expected: []string{},
},
{
input: "testing1,testing2",
expected: []string{"testing1", "testing2"},
},
{
input: "testing1,,testing2,testing3",
expected: []string{"testing1", "testing2", "testing3"},
},
{
input: "testing1,testing2,,",
expected: []string{"testing1", "testing2"},
},
}

for _, test := range tests {
t.Run(test.input, func(t *testing.T) {
assert.Equal(t, test.expected, SplitCommaSeparatedString(test.input))
})
}
}
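Review bot: The table covers empty items and trailing commas but has no case with whitespace around an item and none for an input that is only `,`, which are the inputs most likely to reach this helper from a `--ignore-states` value; adding `{input: ",", expected: []string{}}` and a row such as `{input: "testing1, testing2", expected: …}` with whichever result is intended would make the whitespace contract explicit rather than implicit. Note that `assert.Equal` distinguishes a nil slice from `[]string{}`, so the `""` row is also asserting that the helper returns a non-nil slice — a short comment on that row would make the intent visible to whoever next touches the helper.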
