feat(sca): support case where there are no cves suppressions (#5636)

* support case where there are no cve suppressions * add ut --------- Co-authored-by: adam varsano <[email protected]>
bridgecrewio · Oct 15, 2023 · 7ac3da4 · 7ac3da4
1 parent 1e50959
commit 7ac3da4
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 26 deletions.
diff --git a/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py b/checkov/common/bridgecrew/integration_features/features/suppressions_integration.py
@@ -166,7 +166,8 @@ def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> boo
         elif type == 'Cves':
             if 'accountIds' not in suppression:
                 return False
-            if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in suppression['accountIds']:
+            if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in suppression['accountIds']\
+                    and suppression['cves']:
                 repo_name = self.bc_integration.repo_id.replace('\\', '/').split('/')[-1]
                 suppression_path = suppression['cves'][0]['id'].replace('\\', '/')
                 file_abs_path = record.file_abs_path.replace('\\', '/')

diff --git a/tests/common/integration_features/test_suppressions_integration.py b/tests/common/integration_features/test_suppressions_integration.py
@@ -1,8 +1,8 @@
 import unittest
 
-from checkov.common.bridgecrew.integration_features.features.suppressions_integration import SuppressionsIntegration
 from checkov.common.bridgecrew.integration_features.features.policy_metadata_integration import \
     integration as metadata_integration
+from checkov.common.bridgecrew.integration_features.features.suppressions_integration import SuppressionsIntegration
 from checkov.common.bridgecrew.platform_integration import BcPlatformIntegration
 from checkov.common.models.enums import CheckResult
 from checkov.common.output.record import Record
@@ -450,13 +450,14 @@ def test_supress_by_cve_for_package_scan(self):
         suppressions_integration._init_repo_regex()
 
         suppression = {
-        'suppressionType': 'Cves',
-        'policyId': 'BC_VUL_2',
-        'comment': 'suppress cve ',
-        'accountIds': ['customer_some/repo'],
-        'cves': [{'uuid': '90397534-a1a0-41bb-a552-acdd861df618', 'id': '/requirements.txt', 'cve': 'CVE-2022-35920'},
-                 {'uuid': '90397534-a1a0-41bb-a552-acdd861df699', 'id': '/requirements.txt', 'cve': 'CVE-2021-23727'}],
-        'checkovPolicyId': 'BC_VUL_2'
+            'suppressionType': 'Cves',
+            'policyId': 'BC_VUL_2',
+            'comment': 'suppress cve ',
+            'accountIds': ['customer_some/repo'],
+            'cves': [
+                {'uuid': '90397534-a1a0-41bb-a552-acdd861df618', 'id': '/requirements.txt', 'cve': 'CVE-2022-35920'},
+                {'uuid': '90397534-a1a0-41bb-a552-acdd861df699', 'id': '/requirements.txt', 'cve': 'CVE-2021-23727'}],
+            'checkovPolicyId': 'BC_VUL_2'
         }
 
         record1 = Record(check_id='BC_VUL_2', check_name=None, check_result=None,
@@ -489,6 +490,28 @@ def test_supress_by_cve_for_package_scan(self):
         self.assertFalse(suppressions_integration._check_suppression(record3, suppression))
         self.assertFalse(suppressions_integration._check_suppression(record4, suppression))
 
+    def test_suppress_by_cve_with_empty_cves(self):
+        instance = BcPlatformIntegration()
+        instance.repo_id = 'repo/path'
+        suppressions_integration = SuppressionsIntegration(instance)
+        suppressions_integration._init_repo_regex()
+
+        suppression = {
+            'suppressionType': 'Cves',
+            'policyId': 'BC_VUL_2',
+            'comment': 'suppress cve ',
+            'cves': [],
+            'checkovPolicyId': 'BC_VUL_2'
+        }
+
+        record1 = Record(check_id='BC_VUL_2', check_name=None, check_result=None,
+                         code_block=None, file_path='repo/path',
+                         file_line_range=None,
+                         resource=None, evaluations=None,
+                         check_class=None, file_abs_path='.', entity_tags=None,
+                         vulnerability_details={'id': 'CVE-2022-35920'})
+        self.assertFalse(suppressions_integration._check_suppression(record1, suppression))
+
     def test_supress_by_cve_for_package_scan_with_different_repo_id(self):
         instance = BcPlatformIntegration()
         instance.repo_id = 'some/repo'
@@ -497,13 +520,14 @@ def test_supress_by_cve_for_package_scan_with_different_repo_id(self):
         suppressions_integration._init_repo_regex()
 
         suppression = {
-        'suppressionType': 'Cves',
-        'policyId': 'BC_VUL_2',
-        'comment': 'suppress cve ',
-        'accountIds': ['customer_other/repo'],
-        'cves': [{'uuid': '90397534-a1a0-41bb-a552-acdd861df618', 'id': '/requirements.txt', 'cve': 'CVE-2022-35920'},
-                 {'uuid': '90397534-a1a0-41bb-a552-acdd861df699', 'id': '/requirements.txt', 'cve': 'CVE-2021-23727'}],
-        'checkovPolicyId': 'BC_VUL_2'
+            'suppressionType': 'Cves',
+            'policyId': 'BC_VUL_2',
+            'comment': 'suppress cve ',
+            'accountIds': ['customer_other/repo'],
+            'cves': [
+                {'uuid': '90397534-a1a0-41bb-a552-acdd861df618', 'id': '/requirements.txt', 'cve': 'CVE-2022-35920'},
+                {'uuid': '90397534-a1a0-41bb-a552-acdd861df699', 'id': '/requirements.txt', 'cve': 'CVE-2021-23727'}],
+            'checkovPolicyId': 'BC_VUL_2'
         }
 
         record1 = Record(check_id='BC_VUL_2', check_name=None, check_result=None,
@@ -733,11 +757,11 @@ def test_supress_licenses_by_type(self):
         suppressions_integration = SuppressionsIntegration(instance)
 
         suppression = {'suppressionType': 'LicenseType',
-                      'policyId': 'BC_LIC_1',
-                      'comment': 'test licenses suppressions by type ',
-                      'licenseTypes': ['GPL-1.0', 'JSON'],
-                      'checkovPolicyId': 'BC_LIC_1'
-                      }
+                       'policyId': 'BC_LIC_1',
+                       'comment': 'test licenses suppressions by type ',
+                       'licenseTypes': ['GPL-1.0', 'JSON'],
+                       'checkovPolicyId': 'BC_LIC_1'
+                       }
         record1 = Record(check_id='BC_LIC_1', check_name=None, check_result=None,
                          code_block=None, file_path=None,
                          file_line_range=None,
@@ -767,7 +791,6 @@ def test_supress_licenses_by_type(self):
         self.assertFalse(suppressions_integration._check_suppression(record3, suppression))
         self.assertFalse(suppressions_integration._check_suppression(record4, suppression))
 
-
     def test_account_suppression(self):
         instance = BcPlatformIntegration()
         instance.repo_id = 'org/repo'
@@ -1023,23 +1046,23 @@ def test_apply_suppressions_to_report(self):
         self.assertEqual(len(report.passed_checks), 1)
         self.assertEqual(report.passed_checks[0].check_id, 'CKV_AWS_2')
         self.assertEqual(len(report.skipped_checks), 2)
-    
+
     def test_get_policy_level_suppressions(self):
         instance = BcPlatformIntegration()
 
         suppressions_integration = SuppressionsIntegration(instance)
         suppressions_integration.suppressions = {
             'CKV_AWS_252': [{'suppressionType': 'Policy', 'id': '404088ed-4251-41ac-8dc1-45264af0c461',
                              'policyId': 'BC_AWS_GENERAL_175', 'creationDate': '2022-11-09T16:27:36.413Z',
-                             'comment': 'Test2', 'checkovPolicyId': 'CKV_AWS_252'}], 
+                             'comment': 'Test2', 'checkovPolicyId': 'CKV_AWS_252'}],
             'CKV_AWS_36': [
                 {'suppressionType': 'Policy', 'id': 'b68013bc-2908-4c9a-969d-f1640d4aca11',
                  'policyId': 'BC_AWS_LOGGING_2',
                  'creationDate': '2022-11-09T16:11:58.435Z', 'comment': 'Testing', 'checkovPolicyId': 'CKV_AWS_36'}],
             'CKV_K8S_27': [
                 {'suppressionType': 'Policy', 'id': '271c1a79-2333-4a12-bf7d-55ec78468b94', 'policyId': 'BC_K8S_26',
                  'creationDate': '2022-12-08T08:00:04.561Z', 'comment': 'test checkov suppressions',
-                 'checkovPolicyId': 'CKV_K8S_27'}], 
+                 'checkovPolicyId': 'CKV_K8S_27'}],
             'acme_AWS_1668010000289': [
                 {'suppressionType': 'Resources', 'id': '5565e523-58da-4bc7-970e-c3fceef93ac1',
                  'policyId': 'acme_AWS_1668010000289', 'creationDate': '2022-11-09T16:28:50.887Z',
@@ -1057,7 +1080,8 @@ def test_get_policy_level_suppressions(self):
                                                       'resourceId': '/src/BC_AWS_LOGGING_7.tf:aws_cloudtrail.cloudtrail8'}],
                  'checkovPolicyId': 'acme_AWS_1668010000289'}]}
 
-        expected_suppressions = ['404088ed-4251-41ac-8dc1-45264af0c461', 'b68013bc-2908-4c9a-969d-f1640d4aca11', '271c1a79-2333-4a12-bf7d-55ec78468b94']
+        expected_suppressions = ['404088ed-4251-41ac-8dc1-45264af0c461', 'b68013bc-2908-4c9a-969d-f1640d4aca11',
+                                 '271c1a79-2333-4a12-bf7d-55ec78468b94']
         policy_level_suppressions = suppressions_integration.get_policy_level_suppressions()
         self.assertEqual(expected_suppressions, list(policy_level_suppressions.keys()))