Closed craigfurman closed 3 years ago
Oops did I just override a random assignment bot @joeholdcroft? Please unassign governance if so, sorry.
:tada: This PR is included in version 1.22.0 :tada:
The release is available on:
Your semantic-release bot :package::rocket:
What does this PR do?
Add a flag to the `ignore` method signature to opt-in to "simple" path-matching behaviour.

The following vulnerability path:
['foo', 'bar', 'baz']
will be matched by the following ignore rules under this behaviour:

Under the default matching behaviour, there are some quirks that appear specific to package manager use cases: `file.json` will match the path `["dir/file.json"]`.

The Snyk infrastructure-as-code use-case breaks under these default behaviours, but we still want to use the policy library in order to not reimplement loading and parsing of the policy file.
Where should the reviewer start?
How should this be manually tested?
Any background context you want to provide?
Snyk IaC are adding support for `.snyk` ignore policies, but in order to adapt this feature to our domain we are proposing to use different semantics for the ignore rules. This doc contains the detail, but here is a summary:

Users can ignore all instances of an IaC issue:
Ignores can be scoped to individual files:
And finally, ignores can be scoped to individual instances in the IaC file's "resource path":
When integrating this policy library with the IaC flows in the Snyk CLI, I noticed some edge cases emerge. Most of them can be summarised as "inexact matching" occurring. For example, the path rule `deployment.yaml` would match any vulnerability in a file named `deployment.yaml`, even if it was in a subdirectory.

https://github.com/snyk/snyk/pull/2134 demonstrates our almost-complete CLI ignores feature. The last commit on that PR, https://github.com/snyk/snyk/pull/2134/commits/e851f9aa6139bf81de608189d8f93c1b4c1321bd, adds a failing test demonstrating the sort of edge-case I'm talking about, which is fixed when I npm-link in this PR branch.
What are the relevant tickets?
https://snyksec.atlassian.net/browse/CC-990
Screenshots
Additional questions
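The inexact-matching edge case described in this PR, as an added illustration that is not the PR's code or the snyk policy library's implementation. It assumes a finding path is an array of segments (file first, then the resource path inside it), that an ignore rule is a prefix of that path, and that the default mode's quirk is that a rule naming a bare file name also matches that name under any directory; the findings and rule below are constructed sample data.

```javascript
// Added illustration (not the snyk-policy library's code) of why inexact
// ignore-path matching is risky for IaC findings and what "simple"
// matching changes. A finding's path is an array of segments: the file,
// then the resource path inside it. An ignore rule is a path prefix.

// Lax segment match: equal, or the rule names the file's basename
// ("file.json" matches "dir/file.json"), mirroring the quirk in the PR.
function segmentMatchesLax(ruleSeg, pathSeg) {
  return pathSeg === ruleSeg || pathSeg.endsWith('/' + ruleSeg);
}

// A rule matches when every rule segment matches the corresponding
// leading segment of the finding path (file-level rules are prefixes;
// longer rules pin down one resource instance inside the file).
function ruleMatches(rule, findingPath, { simple }) {
  if (rule.length === 0 || rule.length > findingPath.length) return false;
  return rule.every((seg, i) =>
    simple ? seg === findingPath[i] : segmentMatchesLax(seg, findingPath[i]));
}

// Returns the findings that survive the ignore rules, so a caller can see
// exactly what each mode suppresses.
function applyIgnores(findings, rules, options) {
  return findings.filter(
    (f) => !rules.some((rule) => ruleMatches(rule, f.path, options)));
}

// Constructed sample findings; the single rule is scoped to the
// top-level deployment.yaml only.
const findings = [
  { id: 'issue-A', path: ['deployment.yaml', 'spec', 'containers[0]'] },
  { id: 'issue-A', path: ['k8s/prod/deployment.yaml', 'spec', 'containers[0]'] },
  { id: 'issue-B', path: ['service.yaml', 'spec'] },
];
const rules = [['deployment.yaml']];

// Default-style matching silently drops the k8s/prod finding as well.
const laxRemaining = applyIgnores(findings, rules, { simple: false });
// Simple matching only drops the file the rule actually names.
const simpleRemaining = applyIgnores(findings, rules, { simple: true });

console.log('lax keeps:', laxRemaining.map((f) => f.path.join(' > ')));
console.log('simple keeps:', simpleRemaining.map((f) => f.path.join(' > ')));
```

Under lax matching the finding in k8s/prod/deployment.yaml disappears without any rule ever naming that file, which is the kind of silent suppression the failing CLI test catches.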