Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add severity-filter feature #70

Merged
merged 2 commits into from
Jul 22, 2021
Merged

add severity-filter feature #70

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
172b83a
add severity-filter feature
ansidorov Jul 21, 2021
3005091
fixes
ansidorov Jul 22, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,9 @@ A `.njsscan` file in the root of the source code directory allows you to configu
- regex_injection_dos
- pug_jade_template

severity-filter:
- WARNING
- ERROR
```

## Suppress Findings
Expand Down
16 changes: 16 additions & 0 deletions njsscan/njsscan.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ def __init__(self, paths, json, check_controls, config=False) -> None:
'ignore_extensions': conf['ignore_extensions'],
'ignore_paths': conf['ignore_paths'],
'ignore_rules': conf['ignore_rules'],
'severity_filter': conf['severity_filter'],
'show_progress': not json,
}
self.paths = paths
Expand All @@ -50,6 +51,8 @@ def format_output(self, results) -> dict:
self.format_sgrep(results['semantic_grep'])
self.format_matches(results['pattern_matcher'])
self.post_ignore_rules()
self.post_ignore_rules_by_severity('nodejs')
self.post_ignore_rules_by_severity('template')
self.post_ignore_files()

def missing_controls(self, result):
Expand Down Expand Up @@ -101,6 +104,19 @@ def post_ignore_rules(self):
if rule_id in self.result['templates']:
del self.result['templates'][rule_id]

def post_ignore_rules_by_severity(self, key):
"""Filter findings by rule severity."""
del_keys = set()
if key not in self.result:
return
for rule_id, details in self.result[key].items():
issue_severity = details.get('metadata').get('severity')
if issue_severity not in self.options['severity_filter']:
del_keys.add(rule_id)
for rid in del_keys:
if rid in self.result[key]:
del self.result[key][rid]

def suppress_pm_comments(self, obj, rule_id):
"""Suppress pattern matcher."""
file_path = obj['file_path']
Expand Down
6 changes: 6 additions & 0 deletions njsscan/settings.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,3 +64,9 @@
'helmet_header_xss_filter',
'helmet_header_check_crossdomain',
}

SEVERITY_FILTER = (
'INFO',
'WARNING',
'ERROR',
)
4 changes: 4 additions & 0 deletions njsscan/utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ def get_config(base_path, config_file):
'ignore_extensions': config.IGNORE_EXTENSIONS,
'ignore_paths': config.IGNORE_PATHS,
'ignore_rules': set(),
'severity_filter': config.SEVERITY_FILTER,
}
if config_file:
cfile = Path(config_file)
Expand All @@ -36,6 +37,7 @@ def get_config(base_path, config_file):
usr_igonre_paths = root.get('ignore-paths')
usr_ignore_exts = root.get('ignore-extensions')
usr_ignore_rules = root.get('ignore-rules')
usr_severity_filter = root.get('severity-filter')
if usr_njs_ext:
options['nodejs_extensions'].update(usr_njs_ext)
if usr_tmpl_ext:
Expand All @@ -48,6 +50,8 @@ def get_config(base_path, config_file):
options['ignore_extensions'].update(usr_ignore_exts)
if usr_ignore_rules:
options['ignore_rules'].update(usr_ignore_rules)
if usr_severity_filter:
options['severity_filter'] = usr_severity_filter
return options


Expand Down