Merge pull request #47 from angrymeir/suppresions-by-id

suppressing by id

Author: marwin1991

README.md

@@ -145,6 +145,7 @@ sast:
       value: "2555"
     - type: "find_sec_bugs_type"
       value: "SPRING_ENDPOINT"
+    - id: "db914ce5737b49650ae650fc3b0fe38a531eadd8ea780f48a013419c4adec7f0"
 ```
 
 And now you can modify execution commands as follows:

poetry.lock

@@ -16,6 +16,7 @@ python = "^3.10"
 junit-xml = "^1.9"
 PyYAML = "^6.0"
 pytest = "^7.2.0"
+setuptools = "^75.5.0"
 
 [tool.poetry.dev-dependencies]
 

pyproject.toml

@@ -2,15 +2,22 @@
 
 
 class Suppression:
-    def __init__(self, type, value):
+
+    def __init__(self,
+                 id: str | None = None,
+                 type: str | None = None,
+                 value: str | None = None):
+        self.id = id
         self.type = type
         self.value = value
 
     def __repr__(self):
-        return f"Suppression(type={self.type}, value={self.value})"
+        return f"Suppression(id={self.id}, type={self.type}, value={self.value})"
 
     def __eq__(self, other):
         if isinstance(other, Suppression):
+            if self.id is not None:
+                return self.id == other.id
             return self.type == other.type and self.value == other.value
 
         return False
@@ -36,9 +43,17 @@ def __is_identifier_suppressed(self, identifier):
         return False
 
     def __is_vulnerability_suppressed(self, vulnerability):
-        for identifier in vulnerability['identifiers']:
-            if self.__is_identifier_suppressed(identifier):
-                return True
+        for suppression in self.suppressions:
+            if suppression is None:
+                return False
+
+            if suppression.id is not None:
+                return suppression.id == vulnerability['id']
+
+            for identifier in vulnerability['identifiers']:
+                if suppression.type == identifier['type'] and suppression.value == identifier['value']:
+                    return True
+
         return False
 
     def suppress(self, vulnerabilities):
@@ -91,6 +106,15 @@ def __get_suppressions(sast_yml_dict):
 
 def __get_suppression(suppression_yml_dict):
     try:
-        return Suppression(suppression_yml_dict['type'], suppression_yml_dict['value'])
+        return Suppression(__get_suppression_field(suppression_yml_dict, 'id'),
+                           __get_suppression_field(suppression_yml_dict, 'type'),
+                           __get_suppression_field(suppression_yml_dict, 'value'))
+    except KeyError:
+        return None
+
+
+def __get_suppression_field(suppression_yml_dict, key):
+    try:
+        return suppression_yml_dict[key]
     except KeyError:
         return None

secscanner2junit/config.py

@@ -7,17 +7,17 @@
       "name": "Spring CSRF unrestricted RequestMapping",
       "message": "Spring CSRF unrestricted RequestMapping",
       "description": "Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks",
-      "cve": "86d80cd1d198812fc1ba6860a9e965e1:SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING:src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java:23",
+      "cve": "86d80cd1d198812fc1ba6860a9e965e1:SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING:src/main/java/pl/com/abc/example/springbootabcexample/PingController.java:23",
       "severity": "Medium",
       "confidence": "High",
       "scanner": {
         "id": "find_sec_bugs",
         "name": "Find Security Bugs"
       },
       "location": {
-        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java",
+        "file": "src/main/java/pl/com/abc/example/springbootabcexample/PingController.java",
         "start_line": 23,
-        "class": "pl.com.softnet.example.springbootsoftnetexample.PingController",
+        "class": "pl.com.abc.example.springbootabcexample.PingController",
         "method": "ping"
       },
       "identifiers": [
@@ -40,18 +40,18 @@
       "category": "sast",
       "name": "Found Spring endpoint",
       "message": "Found Spring endpoint",
-      "description": "pl.com.softnet.example.springbootsoftnetexample.PingController is a Spring endpoint (Controller)",
-      "cve": "21254b1dfdebd6b8bbd05e4ed8a960c3:SPRING_ENDPOINT:src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java:23",
+      "description": "pl.com.abc.example.springbootabcexample.PingController is a Spring endpoint (Controller)",
+      "cve": "21254b1dfdebd6b8bbd05e4ed8a960c3:SPRING_ENDPOINT:src/main/java/pl/com/abc/example/springbootabcexample/PingController.java:23",
       "severity": "Low",
       "confidence": "Low",
       "scanner": {
         "id": "find_sec_bugs",
         "name": "Find Security Bugs"
       },
       "location": {
-        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java",
+        "file": "src/main/java/pl/com/abc/example/springbootabcexample/PingController.java",
         "start_line": 23,
-        "class": "pl.com.softnet.example.springbootsoftnetexample.PingController",
+        "class": "pl.com.abc.example.springbootabcexample.PingController",
         "method": "ping"
       },
       "identifiers": [
@@ -68,18 +68,18 @@
       "category": "sast",
       "name": "Found Spring endpoint",
       "message": "Found Spring endpoint",
-      "description": "pl.com.softnet.example.springbootsoftnetexample.FakeErrorController is a Spring endpoint (Controller)",
-      "cve": "62a35767e47f86da1958c888ab0ddb98:SPRING_ENDPOINT:src/main/java/pl/com/softnet/example/springbootsoftnetexample/FakeErrorController.java:16",
+      "description": "pl.com.abc.example.springbootabcexample.FakeErrorController is a Spring endpoint (Controller)",
+      "cve": "62a35767e47f86da1958c888ab0ddb98:SPRING_ENDPOINT:src/main/java/pl/com/abc/example/springbootabcexample/FakeErrorController.java:16",
       "severity": "Low",
       "confidence": "Low",
       "scanner": {
         "id": "find_sec_bugs",
         "name": "Find Security Bugs"
       },
       "location": {
-        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/FakeErrorController.java",
+        "file": "src/main/java/pl/com/abc/example/springbootabcexample/FakeErrorController.java",
         "start_line": 16,
-        "class": "pl.com.softnet.example.springbootsoftnetexample.FakeErrorController",
+        "class": "pl.com.abc.example.springbootabcexample.FakeErrorController",
         "method": "getDomainError"
       },
       "identifiers": [
@@ -97,17 +97,17 @@
       "name": "HTTP headers untrusted",
       "message": "HTTP headers untrusted",
       "description": "Request header can easily be altered by the client",
-      "cve": "6b0c63f9593aecd2ad80afdc4a85656d:SERVLET_HEADER:src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java:50",
+      "cve": "6b0c63f9593aecd2ad80afdc4a85656d:SERVLET_HEADER:src/main/java/pl/com/abc/example/springbootabcexample/PingController.java:50",
       "severity": "Low",
       "confidence": "Low",
       "scanner": {
         "id": "find_sec_bugs",
         "name": "Find Security Bugs"
       },
       "location": {
-        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java",
+        "file": "src/main/java/pl/com/abc/example/springbootabcexample/PingController.java",
         "start_line": 50,
-        "class": "pl.com.softnet.example.springbootsoftnetexample.PingController$IpAddressUtils",
+        "class": "pl.com.abc.example.springbootabcexample.PingController$IpAddressUtils",
         "method": "getIpAddressFromRequest"
       },
       "identifiers": [
@@ -124,18 +124,18 @@
       "category": "sast",
       "name": "Found Spring endpoint",
       "message": "Found Spring endpoint",
-      "description": "pl.com.softnet.example.springbootsoftnetexample.FakeErrorController is a Spring endpoint (Controller)",
-      "cve": "8e968b3dea7c8b68b43c07ab9b37c120:SPRING_ENDPOINT:src/main/java/pl/com/softnet/example/springbootsoftnetexample/FakeErrorController.java:11",
+      "description": "pl.com.abc.example.springbootabcexample.FakeErrorController is a Spring endpoint (Controller)",
+      "cve": "8e968b3dea7c8b68b43c07ab9b37c120:SPRING_ENDPOINT:src/main/java/pl/com/abc/example/springbootabcexample/FakeErrorController.java:11",
       "severity": "Low",
       "confidence": "Low",
       "scanner": {
         "id": "find_sec_bugs",
         "name": "Find Security Bugs"
       },
       "location": {
-        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/FakeErrorController.java",
+        "file": "src/main/java/pl/com/abc/example/springbootabcexample/FakeErrorController.java",
         "start_line": 11,
-        "class": "pl.com.softnet.example.springbootsoftnetexample.FakeErrorController",
+        "class": "pl.com.abc.example.springbootabcexample.FakeErrorController",
         "method": "getSomeFakeError"
       },
       "identifiers": [

tests/resources/test_sast/test_basic/gl-sast-report.json

@@ -7,17 +7,17 @@
       "name": "Spring CSRF unrestricted RequestMapping",
       "message": "Spring CSRF unrestricted RequestMapping",
       "description": "Unrestricted Spring's RequestMapping makes the method vulnerable to CSRF attacks",
-      "cve": "86d80cd1d198812fc1ba6860a9e965e1:SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING:src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java:23",
+      "cve": "86d80cd1d198812fc1ba6860a9e965e1:SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING:src/main/java/pl/com/abc/example/springbootabcexample/PingController.java:23",
       "severity": "Medium",
       "confidence": "High",
       "scanner": {
         "id": "find_sec_bugs",
         "name": "Find Security Bugs"
       },
       "location": {
-        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java",
+        "file": "src/main/java/pl/com/abc/example/springbootabcexample/PingController.java",
         "start_line": 23,
-        "class": "pl.com.softnet.example.springbootsoftnetexample.PingController",
+        "class": "pl.com.abc.example.springbootabcexample.PingController",
         "method": "ping"
       },
       "identifiers": [
@@ -40,18 +40,18 @@
       "category": "sast",
       "name": "Found Spring endpoint",
       "message": "Found Spring endpoint",
-      "description": "pl.com.softnet.example.springbootsoftnetexample.PingController is a Spring endpoint (Controller)",
-      "cve": "21254b1dfdebd6b8bbd05e4ed8a960c3:SPRING_ENDPOINT:src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java:23",
+      "description": "pl.com.abc.example.springbootabcexample.PingController is a Spring endpoint (Controller)",
+      "cve": "21254b1dfdebd6b8bbd05e4ed8a960c3:SPRING_ENDPOINT:src/main/java/pl/com/abc/example/springbootabcexample/PingController.java:23",
       "severity": "Low",
       "confidence": "Low",
       "scanner": {
         "id": "find_sec_bugs",
         "name": "Find Security Bugs"
       },
       "location": {
-        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java",
+        "file": "src/main/java/pl/com/abc/example/springbootabcexample/PingController.java",
         "start_line": 23,
-        "class": "pl.com.softnet.example.springbootsoftnetexample.PingController",
+        "class": "pl.com.abc.example.springbootabcexample.PingController",
         "method": "ping"
       },
       "identifiers": [
@@ -68,18 +68,18 @@
       "category": "sast",
       "name": "Found Spring endpoint",
       "message": "Found Spring endpoint",
-      "description": "pl.com.softnet.example.springbootsoftnetexample.FakeErrorController is a Spring endpoint (Controller)",
-      "cve": "62a35767e47f86da1958c888ab0ddb98:SPRING_ENDPOINT:src/main/java/pl/com/softnet/example/springbootsoftnetexample/FakeErrorController.java:16",
+      "description": "pl.com.abc.example.springbootabcexample.FakeErrorController is a Spring endpoint (Controller)",
+      "cve": "62a35767e47f86da1958c888ab0ddb98:SPRING_ENDPOINT:src/main/java/pl/com/abc/example/springbootabcexample/FakeErrorController.java:16",
       "severity": "Low",
       "confidence": "Low",
       "scanner": {
         "id": "find_sec_bugs",
         "name": "Find Security Bugs"
       },
       "location": {
-        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/FakeErrorController.java",
+        "file": "src/main/java/pl/com/abc/example/springbootabcexample/FakeErrorController.java",
         "start_line": 16,
-        "class": "pl.com.softnet.example.springbootsoftnetexample.FakeErrorController",
+        "class": "pl.com.abc.example.springbootabcexample.FakeErrorController",
         "method": "getDomainError"
       },
       "identifiers": [
@@ -97,17 +97,17 @@
       "name": "HTTP headers untrusted",
       "message": "HTTP headers untrusted",
       "description": "Request header can easily be altered by the client",
-      "cve": "6b0c63f9593aecd2ad80afdc4a85656d:SERVLET_HEADER:src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java:50",
+      "cve": "6b0c63f9593aecd2ad80afdc4a85656d:SERVLET_HEADER:src/main/java/pl/com/abc/example/springbootabcexample/PingController.java:50",
       "severity": "Low",
       "confidence": "Low",
       "scanner": {
         "id": "find_sec_bugs",
         "name": "Find Security Bugs"
       },
       "location": {
-        "file": "src/main/java/pl/com/softnet/example/springbootsoftnetexample/PingController.java",
+        "file": "src/main/java/pl/com/abc/example/springbootabcexample/PingController.java",
         "start_line": 50,
-        "class": "pl.com.softnet.example.springbootsoftnetexample.PingController$IpAddressUtils",
+        "class": "pl.com.abc.example.springbootabcexample.PingController$IpAddressUtils",
         "method": "getIpAddressFromRequest"
       },
       "identifiers": [