Add whitelisting support #116

Merged
merged 1 commit into from
Jun 9, 2022
Merged
20 changes: 20 additions & 0 deletions README.md
Expand Up @@ -276,6 +276,26 @@ A pre-commit hook is also available for use
- id: scan
```

#### Whitelisting

Whitelisting of vulnerabilities can be done! To whitelist vulnerabilities add the `--whitelist` argument and pass a json file like this:

```
> jake ddt --whitelist jake-whitelist.json

```

The file should look like this:

```json
{"ignore": [{"id": "f19ff95c-cec5-4263-8d3b-e3e64698881e", "reason": "Insert reason here"}]}
```

The only field that actually matters is id and that is the ID you receive from OSS Index for a vulnerability.
You can add fields such as reason so that you later can understand why you whitelisted a vulnerability.

Any id that is whitelisted will be squelched from the results, and not cause a failure.

### Check for vulnerabilities using Sonatype Nexus Lifecycle

Access Sonatype's proprietary vulnerability data using `jake`:
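Review bot: the new "Whitelisting" section should say what happens to a whitelisted finding, because the implementation in `jake/command/oss.py` removes matching entries from `oic.vulnerabilities` entirely rather than annotating them, so they disappear from the report with no trace; a sentence such as "whitelisted vulnerabilities are removed from the output and are not reported" plus a recommendation to record the `reason` field for later review would make the trade-off explicit. Minor: the first code fence in this hunk has no language tag while the second uses `json`; `shell` (or `console`) would keep the README consistent. The example file shows both `id` and `reason`, which is good, but the text should also state that any other keys are ignored, as the code only reads `id`.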
14 changes: 14 additions & 0 deletions jake/command/oss.py
Expand Up @@ -31,9 +31,11 @@
# See the License for the specific language governing permissions and
# limitations under the License.
#
import json
import os
from argparse import ArgumentParser
from decimal import Decimal
from pathlib import Path
from typing import cast, Iterable, List, Set

from cyclonedx.model import XsUri
Expand Down Expand Up @@ -95,6 +97,16 @@ def handle_args(self) -> int:
oss_index_results = oss.get_component_report(
packages=list(map(lambda c: c.purl, filter(lambda c: c.purl, parser.get_components())))
)

if self.arguments.oss_whitelist_json_file:
with open(self.arguments.oss_whitelist_json_file) as f:
json_data = json.load(f)
whitelisted_entries = json_data.get("ignore", [])
whitelisted_ids = {entry["id"] for entry in whitelisted_entries}
if whitelisted_ids:
for oic in oss_index_results:
oic.vulnerabilities = {v for v in oic.vulnerabilities if v.id not in whitelisted_ids}

progress.update(
task_query_ossi, completed=10,
description='🐍 [green]Successfully queried OSS Index for package and vulnerability info'
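Review bot: the whitelist loading block has no input validation, so a malformed file produces a bare traceback: a missing file raises `FileNotFoundError` from `open(...)`, invalid JSON raises `json.JSONDecodeError`, a top-level list raises `AttributeError` on `json_data.get(...)`, and an entry without an `id` key raises `KeyError` on `entry["id"]`. Consider catching these and exiting with a clear message naming `self.arguments.oss_whitelist_json_file`, and using `entry.get("id")` with a check that it is a non-empty string. Since suppressed vulnerabilities are silently dropped, it would also help auditability to count how many were removed per component and report that count (for example in the `progress.update` description that follows), so a reviewer reading the scan output can see that a whitelist was applied.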
Expand Down Expand Up @@ -237,6 +249,8 @@ def setup_argument_parser(self, arg_parser: ArgumentParser) -> None:
choices={'1.4', '1.3', '1.2', '1.1', '1.0'},
default=f'{LATEST_SUPPORTED_SCHEMA_VERSION.to_version()})',
dest='oss_schema_version')
arg_parser.add_argument('--whitelist', help='Set path to whitelist json file', type=Path,
dest='oss_whitelist_json_file')

@staticmethod
def _build_bom(components: Iterable[Component]) -> Bom:
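Review bot: the `--whitelist` help text should describe the expected content, e.g. `help='Path to a JSON file listing OSS Index vulnerability IDs to ignore'`, and a `metavar='FILE'` would make the usage line clearer; `type=Path` is fine, but note that argparse does not check the file exists, so that check belongs where the file is opened. Separately, the adjacent context line `default=f'{LATEST_SUPPORTED_SCHEMA_VERSION.to_version()})'` appears to have a stray `)` inside the f-string, which would make the default schema version string end in `)`; it is pre-existing and not part of this change, but worth a follow-up.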