Merge pull request #19 from hazcod/work/commandbot

hazcod · web-flow · commit 0aca67d83b26 · 2021-08-18T09:44:15.000+02:00
Feature: allow to skip certain CVEs
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,7 +4,7 @@ on: pull_request
 
 jobs:
   goreleaser:
-    name: go
+    name: build
     runs-on: ubuntu-latest
     steps:
     -
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -4,7 +4,7 @@ on: pull_request
 
 jobs:
   golangci:
-    name: go
+    name: lint
     runs-on: ubuntu-latest
     steps:
     -
diff --git a/.github/workflows/todo.yml b/.github/workflows/todo.yml
@@ -6,6 +6,7 @@ on:
 
 jobs:
   todo:
+    name: todo
     runs-on: ubuntu-latest
     steps:
     -
diff --git a/README.md b/README.md
@@ -47,6 +47,8 @@ falcon:
   skip_severities: ["low"]
   # minimum CVE base score to report
   min_cve_base_score: 0
+  # the CVEs you want to ignore
+  skip_cves: ["CVE-2019-15315"]
 
 # vmware workspace one
 ws1:
diff --git a/config/config.go b/config/config.go
@@ -29,6 +29,7 @@ type Config struct {
 		SkipNoMitigation bool `yaml:"skip_no_mitigation" env:"FALCON_SKIP_NO_MITIGATION"`
 		SkipSeverities []string `yaml:"skip_severities" env:"FALCON_SKIP_SEVERITIES"`
 		MinCVEBaseScore int `yaml:"min_cve_base_score" env:"FALCON_MIN_CVE_BASE_SCORE"`
+		SkipCVEs []string `yaml:"skip_cves" env:"FALCON_SKIP_CVES"`
 	} `yaml:"falcon"`
 
 	WS1 struct {
diff --git a/pkg/falcon/extractor.go b/pkg/falcon/extractor.go
@@ -175,11 +175,29 @@ func GetMessages(config *config.Config, ctx context.Context) (results map[string
 	for _, vuln := range getResult.GetPayload().Resources {
 
 		if len(vuln.Remediation.Ids) == 0 && config.Falcon.SkipNoMitigation {
-			logrus.WithField("app", *vuln.App.ProductNameVersion).Debug("skipping vulnerability without remediation")
+			logrus.WithField("app", *vuln.App.ProductNameVersion).
+				Debug("skipping vulnerability without remediation")
 
 			continue
 		}
 
+		if *vuln.Cve.ID != "" && len(config.Falcon.SkipCVEs) > 0 {
+			vulnIgnore := false
+
+			for _, cve := range config.Falcon.SkipCVEs {
+				if strings.EqualFold(cve, *vuln.Cve.ID) {
+					vulnIgnore = true
+					break
+				}
+			}
+
+			if vulnIgnore {
+				logrus.WithField("cve", *vuln.Cve.ID).WithField("host", *vuln.HostInfo.Hostname).
+					Warn("skipping CVE")
+				continue
+			}
+		}
+
 		uniqueDeviceID, err := getUniqueDeviceID(*vuln.HostInfo)
 		if err != nil {
 			logrus.WithError(err).Error("could not calculate unique device id")

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ on: pull_request`
`4`	`4`
`5`	`5`	`jobs:`
`6`	`6`	`goreleaser:`
`7`		`- name: go`
	`7`	`+ name: build`
`8`	`8`	`runs-on: ubuntu-latest`
`9`	`9`	`steps:`
`10`	`10`	`-`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ on: pull_request`
`4`	`4`
`5`	`5`	`jobs:`
`6`	`6`	`golangci:`
`7`		`- name: go`
	`7`	`+ name: lint`
`8`	`8`	`runs-on: ubuntu-latest`
`9`	`9`	`steps:`
`10`	`10`	`-`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ on:`
`6`	`6`
`7`	`7`	`jobs:`
`8`	`8`	`todo:`
	`9`	`+ name: todo`
`9`	`10`	`runs-on: ubuntu-latest`
`10`	`11`	`steps:`
`11`	`12`	`-`