detectExecuteScan : Bug fix : Dont consider ignored components (#3867)

* fix project version limiting issue * add tests for detectExecute * fix bug with vuln count * adjust unit tests * update documentation for detect versions
2025-01-30 05:59:39 +02:00 · 2022-07-11 10:50:31 +02:00 · 2022-07-11 10:50:31 +02:00 · e6115a54b2
commit e6115a54b2
parent c4868f566f
5 changed files with 27 additions and 3 deletions
--- a/cmd/detectExecuteScan.go
+++ b/cmd/detectExecuteScan.go
@ -443,6 +443,9 @@ func createVulnerabilityReport(config detectExecuteScanOptions, vulns *bd.Vulner
 }

 func isActiveVulnerability(v bd.Vulnerability) bool {
+	if v.Ignored {
+		return false
+	}
 	switch v.VulnerabilityWithRemediation.RemediationStatus {
 	case "NEW":
 		return true
@ -456,6 +459,9 @@ func isActiveVulnerability(v bd.Vulnerability) bool {
 }

 func isMajorVulnerability(v bd.Vulnerability) bool {
+	if v.Ignored {
+		return false
+	}
 	switch v.VulnerabilityWithRemediation.Severity {
 	case "CRITICAL":
 		return true
--- a/cmd/detectExecuteScan_generated.go
+++ b/cmd/detectExecuteScan_generated.go
@ -270,7 +270,7 @@ func addDetectExecuteScanFlags(cmd *cobra.Command, stepConfig *detectExecuteScan
 	cmd.Flags().StringSliceVar(&stepConfig.MavenExcludedScopes, "mavenExcludedScopes", []string{}, "The maven scopes that need to be excluded from the scan. For example, setting the value 'test' will exclude all components which are defined with a test scope in maven")
 	cmd.Flags().StringSliceVar(&stepConfig.DetectTools, "detectTools", []string{}, "The type of BlackDuck scanners to include while running the BlackDuck scan. By default All scanners are included. For the complete list of possible values, Please refer [Synopsys detect documentation](https://synopsys.atlassian.net/wiki/spaces/INTDOCS/pages/631407160/Configuring+Detect+General+Properties#Detect-tools-included)")
 	cmd.Flags().BoolVar(&stepConfig.ScanOnChanges, "scanOnChanges", false, "This flag determines if the scan is submitted to the server. If set to true, then the scan request is submitted to the server only when changes are detected in the Open Source Bill of Materials If the flag is set to false, then the scan request is submitted to server regardless of any changes. For more details please refer to the [documentation](https://github.com/blackducksoftware/detect_rescan/blob/master/README.md)")
-	cmd.Flags().StringSliceVar(&stepConfig.CustomEnvironmentVariables, "customEnvironmentVariables", []string{}, "A list of environment variables which can be set to prepare the environment to run a BlackDuck scan. This includes a list of environment variables defined by Synopsys. The full list can be found [here](https://synopsys.atlassian.net/wiki/spaces/IA/pages/1562214619/Shell+Script+Reference+6.9.0) This list affects the detect script downloaded while running the scan. By default detect7.sh will be used. To continue using detect6, please use DETECT_LATEST_RELEASE_VERSION and set it to a valid value defined [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=releasenotes.html&_LANG=enus)")
+	cmd.Flags().StringSliceVar(&stepConfig.CustomEnvironmentVariables, "customEnvironmentVariables", []string{}, "A list of environment variables which can be set to prepare the environment to run a BlackDuck scan. This includes a list of environment variables defined by Synopsys. The full list can be found [here](https://synopsys.atlassian.net/wiki/spaces/IA/pages/1562214619/Shell+Script+Reference+6.9.0) This list affects the detect script downloaded while running the scan. By default detect7.sh will be used. To continue using different versions of detect, please use DETECT_LATEST_RELEASE_VERSION and set it to a valid value defined [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=releasenotes.html&_LANG=enus) Additionally, please note, depending on the Project certain versions of detect will be required. For example: For Swift version 5.5 and lower, Detect 7.13.0 is the minimum required version. For Swift version 5.6 and higher, Detect 7.14.0 is required ")
 	cmd.Flags().StringVar(&stepConfig.GithubToken, "githubToken", os.Getenv("PIPER_githubToken"), "GitHub personal access token as per https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line")
 	cmd.Flags().BoolVar(&stepConfig.CreateResultIssue, "createResultIssue", false, "Activate creation of a result issue in GitHub.")
 	cmd.Flags().StringVar(&stepConfig.GithubAPIURL, "githubApiUrl", `https://api.github.com`, "Set the GitHub API URL.")
--- a/cmd/detectExecuteScan_test.go
+++ b/cmd/detectExecuteScan_test.go
@ -639,9 +639,22 @@ func TestIsMajorVulnerability(t *testing.T) {
 		v := bd.Vulnerability{
 			Name:                         "",
 			VulnerabilityWithRemediation: vr,
+			Ignored:                      false,
 		}
 		assert.True(t, isMajorVulnerability(v))
 	})
+	t.Run("Case Ignored Components", func(t *testing.T) {
+		vr := bd.VulnerabilityWithRemediation{
+			OverallScore: 7.5,
+			Severity:     "HIGH",
+		}
+		v := bd.Vulnerability{
+			Name:                         "",
+			VulnerabilityWithRemediation: vr,
+			Ignored:                      true,
+		}
+		assert.False(t, isMajorVulnerability(v))
+	})
 	t.Run("Case False", func(t *testing.T) {
 		vr := bd.VulnerabilityWithRemediation{
 			OverallScore: 7.5,
@ -650,6 +663,7 @@ func TestIsMajorVulnerability(t *testing.T) {
 		v := bd.Vulnerability{
 			Name:                         "",
 			VulnerabilityWithRemediation: vr,
+			Ignored:                      false,
 		}
 		assert.False(t, isMajorVulnerability(v))
 	})
--- a/pkg/blackduck/blackduck.go
+++ b/pkg/blackduck/blackduck.go
@ -79,6 +79,7 @@ type Vulnerabilities struct {
 type Vulnerability struct {
 	Name                         string `json:"componentName,omitempty"`
 	Version                      string `json:"componentVersionName,omitempty"`
+	Ignored                      bool   `json:"ignored,omitempty"`
 	VulnerabilityWithRemediation `json:"vulnerabilityWithRemediation,omitempty"`
 }

--- a/resources/metadata/detectExecuteScan.yaml
+++ b/resources/metadata/detectExecuteScan.yaml
@ -297,8 +297,11 @@ spec:
        description:
          "A list of environment variables which can be set to prepare the environment to run a BlackDuck scan. This includes a list of environment variables defined by
          Synopsys. The full list can be found [here](https://synopsys.atlassian.net/wiki/spaces/IA/pages/1562214619/Shell+Script+Reference+6.9.0)
-          This list affects the detect script downloaded while running the scan. By default detect7.sh will be used. To continue using detect6, please use DETECT_LATEST_RELEASE_VERSION and set it to a valid value
-          defined [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=releasenotes.html&_LANG=enus)"
+          This list affects the detect script downloaded while running the scan. By default detect7.sh will be used. To continue using different versions of detect, please use DETECT_LATEST_RELEASE_VERSION and set it to a valid value
+          defined [here](https://community.synopsys.com/s/document-item?bundleId=integrations-detect&topicId=releasenotes.html&_LANG=enus)
+          Additionally, please note, depending on the Project certain versions of detect will be required.
+          For example: For Swift version 5.5 and lower, Detect 7.13.0 is the minimum required version.
+          For Swift version 5.6 and higher, Detect 7.14.0 is required "
        type: "[]string"
        scope:
          - PARAMETERS