snyk / policy

Snyk policy parser and matching logic

feat: optional "exact" ignore behaviour #58

Closed craigfurman closed 3 years ago

craigfurman commented 3 years ago

What does this PR do?

Add a flag to the ignore method signature to opt-in to "simple" path-matching behaviour.

The following vulnerability path: ['foo', 'bar', 'baz'] will be matched by the following ignore rules under this behaviour:

Under the default matching behaviour, there are some quirks that appear specific to package manager use cases:

The Snyk infrastructure-as-code use-case breaks under these default behaviours, but we still want to use the policy library in order to not reimplement loading and parsing of the policy file.

Where should the reviewer start?

How should this be manually tested?

Any background context you want to provide?

Snyk IaC are adding support for .snyk ignore policies, but in order to adapt this feature to our domain we are proposing to use different semantics for the ignore rules. This doc contains the detail, but here is a summary:

Users can ignore all instances of an IaC issue:

version: v1.19.0
ignore:
  SNYK-CC-K8S-1:
    - '*':
        reason: None Given
        expires: 2021-08-26T08:40:35.249Z
        created: 2021-07-27T08:40:35.251Z

Ignores can be scoped to individual files:

version: v1.19.0
ignore:
  SNYK-CC-K8S-1:
    - 'staging/deployment.yaml > *':
        reason: None Given
        expires: 2021-08-26T08:40:35.249Z
        created: 2021-07-27T08:40:35.251Z

And finally, ignores can be scoped to individual instances in the IaC file's "resource path":

version: v1.19.0
ignore:
  SNYK-CC-K8S-1:
    - 'staging/deployment.yaml > [DocId:1] > spec > template > spec > containers[web] > securityContext > privileged':
        reason: None Given
        expires: 2021-08-26T08:40:35.249Z
        created: 2021-07-27T08:40:35.251Z

When integrating this policy library with the IaC flows in the Snyk CLI, I noticed some edge cases emerge. Most of them can be summarised as "inexact matching" occurring. For example, the path rule deployment.yaml would match any vulnerability in a file named deployment.yaml, even if it was in a subdirectory.

https://github.com/snyk/snyk/pull/2134 demonstrates our almost-complete CLI ignores feature. The last commit on that PR, https://github.com/snyk/snyk/pull/2134/commits/e851f9aa6139bf81de608189d8f93c1b4c1321bd, adds a failing test demonstrating the sort of edge-case I'm talking about, which is fixed when I npm-link in this PR branch.

What are the relevant tickets?

https://snyksec.atlassian.net/browse/CC-990

Screenshots

Additional questions
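The exact-matching semantics the PR describes (global `*`, file-scoped and resource-path ignore rules, and the basename quirk it calls out), as an added illustration that is not snyk/policy's own code: the `' > '` segment splitting, the trailing-`*` rule and the `expires` check are assumptions made for this example.

```javascript
// Added illustration, not snyk/policy code: an "exact" matcher for the IaC
// ignore rules shown in the PR. Assumptions: segments are separated by " > ",
// a single trailing "*" matches any remaining segments, and an ignore whose
// "expires" timestamp has passed no longer applies.
const SEP = ' > ';

function splitPath(p) {
  return p.split(SEP).map((s) => s.trim()).filter((s) => s.length > 0);
}

// True only when every rule segment equals the corresponding path segment.
// Unlike the library's default behaviour described in the PR, a rule such as
// "deployment.yaml > *" does not match "staging/deployment.yaml > ...".
function exactMatch(rulePath, vulnPath) {
  const rule = splitPath(rulePath);
  const path = splitPath(vulnPath);
  for (let i = 0; i < rule.length; i++) {
    if (rule[i] === '*' && i === rule.length - 1) return true;
    if (i >= path.length || rule[i] !== path[i]) return false;
  }
  return rule.length === path.length; // a bare prefix without "*" is no match
}

// policyIgnore has the shape of the .snyk "ignore:" block in the PR:
// { [issueId]: [ { [rulePath]: { reason, expires, created } }, ... ] }
function isIgnored(policyIgnore, issueId, vulnPath, now = new Date()) {
  for (const entry of policyIgnore[issueId] || []) {
    for (const [rulePath, meta] of Object.entries(entry)) {
      if (meta.expires && new Date(meta.expires) <= now) continue; // expired
      if (exactMatch(rulePath, vulnPath)) return true;
    }
  }
  return false;
}

// Constructed sample data: the resource-path rule from the third .snyk snippet.
const PATH = 'staging/deployment.yaml > [DocId:1] > spec > template > spec'
  + ' > containers[web] > securityContext > privileged';
const IGNORE = {
  'SNYK-CC-K8S-1': [{ [PATH]: { reason: 'None Given',
    expires: '2021-08-26T08:40:35.249Z', created: '2021-07-27T08:40:35.251Z' } }],
};
const BEFORE_EXPIRY = new Date('2021-08-01T00:00:00Z');
const AFTER_EXPIRY = new Date('2021-09-01T00:00:00Z');
console.log(isIgnored(IGNORE, 'SNYK-CC-K8S-1', PATH, BEFORE_EXPIRY)); // true
```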

CLAassistant commented 3 years ago

CLA assistant check
All committers have signed the CLA.

craigfurman commented 3 years ago

Oops did I just override a random assignment bot @joeholdcroft? Please unassign governance if so, sorry.

snyksec commented 3 years ago

:tada: This PR is included in version 1.22.0 :tada:

The release is available on:

Your semantic-release bot :package::rocket: