feat(#31): Mark outdated acknowledged vulnerabilities in the issue re…

…port (#40) * feat(#31): Mark outdated acknowledged vulnerabilities in the issue report * refactor: uncopilot function and use maps
elementsinteractive · Dec 23, 2024 · 254a205 · 254a205
1 parent c802318
commit 254a205
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 2 deletions.
diff --git a/internal/patrol/patrol.go b/internal/patrol/patrol.go
@@ -182,6 +182,7 @@ func (s *sheriffService) scanProject(project gogitlab.Project) (report *scanner.
 	r.ProjectConfig = config
 
 	markVulnsAsAcknowledgedInReport(&r, config)
+	markOutdatedAcknowledgements(&r, config)
 	return &r, nil
 }
 
@@ -206,3 +207,18 @@ func markVulnsAsAcknowledgedInReport(report *scanner.Report, config config.Proje
 		}
 	}
 }
+
+// markOutdatedAcknowledgements marks configured acknowledged vulnerabilities as outdated in the report
+// A vulnerability is "outdated" if it is no longer present in the report.
+func markOutdatedAcknowledgements(report *scanner.Report, config config.ProjectConfig) {
+	var vulnCodes = make(map[string]bool, len(report.Vulnerabilities))
+	for _, vuln := range report.Vulnerabilities {
+		vulnCodes[vuln.Id] = true
+	}
+	for _, ack := range config.Acknowledged {
+		if !vulnCodes[ack.Code] {
+			log.Info().Str("ack", ack.Code).Msg("Acknowledged vulnerability is outdated")
+			report.OutdatedAcks = append(report.OutdatedAcks, ack.Code)
+		}
+	}
+}
diff --git a/internal/patrol/patrol_test.go b/internal/patrol/patrol_test.go
@@ -155,6 +155,37 @@ func TestMarkVulnsAsAcknowledgedInReport(t *testing.T) {
 	assert.Equal(t, scanner.Critical, report.Vulnerabilities[1].SeverityScoreKind)
 }
 
+func TestMarkOutdatedAcknowledgements(t *testing.T) {
+	report := scanner.Report{
+		Vulnerabilities: []scanner.Vulnerability{
+			{
+				Id:                "CVE-1",
+				SeverityScoreKind: scanner.Critical,
+			},
+
+			{
+				Id:                "CVE-2",
+				SeverityScoreKind: scanner.Critical,
+			},
+		},
+	}
+	config := config.ProjectConfig{
+		Acknowledged: []config.AcknowledgedVuln{
+			{
+				Code: "CVE-1", // still relevant
+			},
+
+			{
+				Code: "CVE-3", // not in report (outdated)
+			},
+		},
+	}
+
+	markOutdatedAcknowledgements(&report, config)
+
+	assert.Equal(t, []string{"CVE-3"}, report.OutdatedAcks)
+}
+
 type mockGitlabService struct {
 	mock.Mock
 }

diff --git a/internal/publish/to_gitlab.go b/internal/publish/to_gitlab.go
@@ -88,6 +88,23 @@ func formatGitlabIssue(r scanner.Report) (mdReport string) {
 		}
 	}
 
+	// Add outdated acknowledgements section
+	mdReport += formatOutdatedAcks(r.OutdatedAcks)
+
+	return
+}
+
+// formatOutdatedAcks formats the outdated acknowledgements as a markdown section
+func formatOutdatedAcks(outdatedAcks []string) (md string) {
+	if len(outdatedAcks) == 0 {
+		return
+	}
+
+	md = "\n\n-------\n\n### Outdated Acknowledgements\n"
+	md += "\n💡 These vulnerabilities were acknowledged in the project configuration but are no longer relevant.\n\n"
+	for _, ack := range outdatedAcks {
+		md += fmt.Sprintf("- `%v`\n", ack)
+	}
 	return
 }
 

diff --git a/internal/scanner/vulnscanner.go b/internal/scanner/vulnscanner.go
@@ -52,8 +52,9 @@ type Report struct {
 	ProjectConfig   config.ProjectConfig // Contains the project-level configuration that users of sheriff may have in their repository
 	IsVulnerable    bool
 	Vulnerabilities []Vulnerability
-	IssueUrl        string // URL of the GitLab issue. Conditionally set if --gitlab-issue is passed
-	Error           bool   // Conditionally set if an error occurred during the scan
+	IssueUrl        string   // URL of the GitLab issue. Conditionally set if --gitlab-issue is passed
+	Error           bool     // Conditionally set if an error occurred during the scan
+	OutdatedAcks    []string // Vulnerabilities in the project configuration that are no longer present in the report
 }
 
 // VulnScanner is an interface for any vulnerability scanner