#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""
Regenerates the top-level .snyk file from the owasp/dependency-check-suppressions.xml found under this script's directory.
"""
import json
import os
import re
script_dir = os.path.dirname(os.path.abspath(__file__))
|
|
with open(os.path.join(script_dir, "owasp/dependency-check-suppressions.xml"), "r", encoding="utf-8") as f:
|
|
xml_lines = [line.strip() for line in f.readlines()]
|
|
|
|
snyk_data = {"ignore": {}}
|
|
|
|
# Parse XML (keeping track of comments)
|
|
last_comment = None
|
|
i = 0
|
|
while i < len(xml_lines):
|
|
# Detect XML comments (these contain the suppression reason)
|
|
if xml_lines[i].startswith("<!--") and xml_lines[i].endswith("-->"):
|
|
last_comment = xml_lines[i][4:-3].strip()
|
|
|
|
# Collect CVE suppressions
|
|
if "<suppress>" in xml_lines[i]:
|
|
cve_ids = []
|
|
packages = ''
|
|
i += 1
|
|
while i < len(xml_lines):
|
|
if xml_lines[i].startswith("<!--") and xml_lines[i].endswith("-->"):
|
|
last_comment = xml_lines[i][4:-3].strip()
|
|
if "<cve>" in xml_lines[i] and "</cve>" in xml_lines[i]:
|
|
cve_ids.append(xml_lines[i].strip().replace("<cve>", "").replace("</cve>", "").strip())
|
|
if "<packageUrl" in xml_lines[i] and "</packageUrl>" in xml_lines[i]:
|
|
packages = re.sub(r'<packageUrl(?: regex="(?:true|false)")?>|</packageUrl>', '', xml_lines[i]).strip()
|
|
if "</suppress>" in xml_lines[i]:
|
|
break
|
|
i += 1
|
|
reason = f"{last_comment} -- {packages}" if last_comment else "Suppressed due to internal review, see project's .build/dependency-check-suppressions.xml"
|
|
|
|
# Add suppressions
|
|
for cve_id in cve_ids:
|
|
snyk_data["ignore"][cve_id] = [{"reason": reason}]
|
|
|
|
last_comment = None
|
|
else:
|
|
i += 1
|
|
|
|
with open(os.path.join(script_dir, "../.snyk"), "w") as snyk_file:
|
|
snyk_file.write("# Snyk (https://snyk.io) policy file, provides ignores for known false positives.\n")
|
|
snyk_file.write("# This file is autogenerated from .build/dependency-check-suppressions.xml\n")
|
|
snyk_file.write("version: v1.25.0\n")
|
|
snyk_file.write(f"ignore:\n")
|
|
for cve_id, ignores in sorted(snyk_data["ignore"].items()):
|
|
snyk_file.write(f" {cve_id}:\n")
|
|
for ignore in ignores:
|
|
snyk_file.write(f" - reason: {ignore['reason']}\n")
|