cycode 2.1.1.dev1__tar.gz → 2.1.2.dev2__tar.gz

{cycode-2.1.1.dev1 → cycode-2.1.2.dev2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cycode
-Version: 2.1.1.dev1
+Version: 2.1.2.dev2
 Summary: Boost security in your dev lifecycle via SAST, SCA, Secrets & IaC scanning.
 Home-page: https://github.com/cycodehq/cycode-cli
 License: MIT
@@ -29,7 +29,6 @@ Requires-Dist: colorama (>=0.4.3,<0.5.0)
 Requires-Dist: gitpython (>=3.1.30,<3.2.0)
 Requires-Dist: marshmallow (>=3.15.0,<3.23.0)
 Requires-Dist: patch-ng (==1.18.1)
-Requires-Dist: pathspec (>=0.11.1,<0.13.0)
 Requires-Dist: pyjwt (>=2.8.0,<3.0)
 Requires-Dist: pyyaml (>=6.0,<7.0)
 Requires-Dist: requests (>=2.32.2,<3.0)

cycode-2.1.2.dev2/cycode/__init__.py

@@ -0,0 +1 @@
+__version__ = '2.1.2.dev2'  # DON'T TOUCH. Placeholder. Will be filled automatically on poetry build from Git Tag

{cycode-2.1.1.dev1 → cycode-2.1.2.dev2}/cycode/cli/commands/ignore/ignore_command.py

@@ -1,20 +1,16 @@
-import os
 import re
+from typing import Optional
 
 import click
 
 from cycode.cli import consts
 from cycode.cli.config import config, configuration_manager
 from cycode.cli.sentry import add_breadcrumb
-from cycode.cli.utils.path_utils import get_absolute_path
+from cycode.cli.utils.path_utils import get_absolute_path, is_path_exists
 from cycode.cli.utils.string_utils import hash_string_to_sha256
 from cycode.cyclient import logger
 
 
-def _is_path_to_ignore_exists(path: str) -> bool:
-    return os.path.exists(path)
-
-
 def _is_package_pattern_valid(package: str) -> bool:
     return re.search('^[^@]+@[^@]+$', package) is not None
 
@@ -47,10 +43,16 @@ def _is_package_pattern_valid(package: str) -> bool:
     required=False,
     help='Ignore scanning a specific package version while running an SCA scan. Expected pattern: name@version.',
 )
+@click.option(
+    '--by-cve',
+    type=click.STRING,
+    required=False,
+    help='Ignore scanning a specific CVE while running an SCA scan. Expected pattern: CVE-YYYY-NNN.',
+)
 @click.option(
     '--scan-type',
     '-t',
-    default='secret',
+    default=consts.SECRET_SCAN_TYPE,
     help='Specify the type of scan you wish to execute (the default is Secrets).',
     type=click.Choice(config['scans']['supported_scans']),
     required=False,
@@ -64,40 +66,68 @@ def _is_package_pattern_valid(package: str) -> bool:
     required=False,
     help='Add an ignore rule to the global CLI config.',
 )
-def ignore_command(
-    by_value: str, by_sha: str, by_path: str, by_rule: str, by_package: str, scan_type: str, is_global: bool
+def ignore_command(  # noqa: C901
+    by_value: Optional[str],
+    by_sha: Optional[str],
+    by_path: Optional[str],
+    by_rule: Optional[str],
+    by_package: Optional[str],
+    by_cve: Optional[str],
+    scan_type: str = consts.SECRET_SCAN_TYPE,
+    is_global: bool = False,
 ) -> None:
     """Ignores a specific value, path or rule ID."""
     add_breadcrumb('ignore')
 
-    if not by_value and not by_sha and not by_path and not by_rule and not by_package:
-        raise click.ClickException('ignore by type is missing')
+    all_by_values = [by_value, by_sha, by_path, by_rule, by_package, by_cve]
+    if all(by is None for by in all_by_values):
+        raise click.ClickException('Ignore by type is missing')
+    if len([by for by in all_by_values if by is not None]) != 1:
+        raise click.ClickException('You must specify only one ignore by type')
 
     if any(by is not None for by in [by_value, by_sha]) and scan_type != consts.SECRET_SCAN_TYPE:
-        raise click.ClickException('this exclude is supported only for secret scan type')
+        raise click.ClickException('This exclude is supported only for Secret scan type')
+    if (by_cve or by_package) and scan_type != consts.SCA_SCAN_TYPE:
+        raise click.ClickException('This exclude is supported only for SCA scan type')
+
+    # only one of the by values must be set
+    # at least one of the by values must be set
+    exclusion_type = exclusion_value = None
 
-    if by_value is not None:
+    if by_value:
         exclusion_type = consts.EXCLUSIONS_BY_VALUE_SECTION_NAME
         exclusion_value = hash_string_to_sha256(by_value)
-    elif by_sha is not None:
+
+    if by_sha:
         exclusion_type = consts.EXCLUSIONS_BY_SHA_SECTION_NAME
         exclusion_value = by_sha
-    elif by_path is not None:
+
+    if by_path:
         absolute_path = get_absolute_path(by_path)
-        if not _is_path_to_ignore_exists(absolute_path):
-            raise click.ClickException('the provided path to ignore by is not exist')
+        if not is_path_exists(absolute_path):
+            raise click.ClickException('The provided path to ignore by does not exist')
+
         exclusion_type = consts.EXCLUSIONS_BY_PATH_SECTION_NAME
         exclusion_value = get_absolute_path(absolute_path)
-    elif by_package is not None:
-        if scan_type != consts.SCA_SCAN_TYPE:
-            raise click.ClickException('exclude by package is supported only for sca scan type')
+
+    if by_rule:
+        exclusion_type = consts.EXCLUSIONS_BY_RULE_SECTION_NAME
+        exclusion_value = by_rule
+
+    if by_package:
         if not _is_package_pattern_valid(by_package):
             raise click.ClickException('wrong package pattern. should be name@version.')
+
         exclusion_type = consts.EXCLUSIONS_BY_PACKAGE_SECTION_NAME
         exclusion_value = by_package
-    else:
-        exclusion_type = consts.EXCLUSIONS_BY_RULE_SECTION_NAME
-        exclusion_value = by_rule
+
+    if by_cve:
+        exclusion_type = consts.EXCLUSIONS_BY_CVE_SECTION_NAME
+        exclusion_value = by_cve
+
+    if not exclusion_type or not exclusion_value:
+        # should never happen
+        raise click.ClickException('Invalid ignore by type')
 
     configuration_scope = 'global' if is_global else 'local'
     logger.debug(

{cycode-2.1.1.dev1 → cycode-2.1.2.dev2}/cycode/cli/commands/scan/code_scanner.py

@@ -764,58 +764,68 @@ def _exclude_detections_by_exclusions_configuration(detections: List[Detection],
 
 
 def _should_exclude_detection(detection: Detection, exclusions: Dict) -> bool:
+    # FIXME(MarshalX): what the difference between by_value and by_sha?
     exclusions_by_value = exclusions.get(consts.EXCLUSIONS_BY_VALUE_SECTION_NAME, [])
     if _is_detection_sha_configured_in_exclusions(detection, exclusions_by_value):
         logger.debug(
-            'Going to ignore violations because they are on the values-to-ignore list, %s',
-            {'value_sha': detection.detection_details.get('sha512', '')},
+            'Ignoring violation because its value is on the ignore list, %s',
+            {'value_sha': detection.detection_details.get('sha512')},
         )
         return True
 
     exclusions_by_sha = exclusions.get(consts.EXCLUSIONS_BY_SHA_SECTION_NAME, [])
     if _is_detection_sha_configured_in_exclusions(detection, exclusions_by_sha):
         logger.debug(
-            'Going to ignore violations because they are on the SHA ignore list, %s',
-            {'sha': detection.detection_details.get('sha512', '')},
+            'Ignoring violation because its SHA value is on the ignore list, %s',
+            {'sha': detection.detection_details.get('sha512')},
         )
         return True
 
     exclusions_by_rule = exclusions.get(consts.EXCLUSIONS_BY_RULE_SECTION_NAME, [])
-    if exclusions_by_rule:
-        detection_rule = detection.detection_rule_id
-        if detection_rule in exclusions_by_rule:
-            logger.debug(
-                'Going to ignore violations because they are on the Rule ID ignore list, %s',
-                {'detection_rule': detection_rule},
-            )
-            return True
+    detection_rule_id = detection.detection_rule_id
+    if detection_rule_id in exclusions_by_rule:
+        logger.debug(
+            'Ignoring violation because its Detection Rule ID is on the ignore list, %s',
+            {'detection_rule_id': detection_rule_id},
+        )
+        return True
 
     exclusions_by_package = exclusions.get(consts.EXCLUSIONS_BY_PACKAGE_SECTION_NAME, [])
-    if exclusions_by_package:
-        package = _get_package_name(detection)
-        if package in exclusions_by_package:
-            logger.debug(
-                'Going to ignore violations because they are on the packages-to-ignore list, %s', {'package': package}
-            )
-            return True
+    package = _get_package_name(detection)
+    if package and package in exclusions_by_package:
+        logger.debug('Ignoring violation because its package@version is on the ignore list, %s', {'package': package})
+        return True
+
+    exclusions_by_cve = exclusions.get(consts.EXCLUSIONS_BY_CVE_SECTION_NAME, [])
+    cve = _get_cve_identifier(detection)
+    if cve and cve in exclusions_by_cve:
+        logger.debug('Ignoring violation because its CVE is on the ignore list, %s', {'cve': cve})
+        return True
 
     return False
 
 
 def _is_detection_sha_configured_in_exclusions(detection: Detection, exclusions: List[str]) -> bool:
-    detection_sha = detection.detection_details.get('sha512', '')
+    detection_sha = detection.detection_details.get('sha512')
     return detection_sha in exclusions
 
 
-def _get_package_name(detection: Detection) -> str:
-    package_name = detection.detection_details.get('vulnerable_component', '')
-    package_version = detection.detection_details.get('vulnerable_component_version', '')
+def _get_package_name(detection: Detection) -> Optional[str]:
+    package_name = detection.detection_details.get('vulnerable_component')
+    package_version = detection.detection_details.get('vulnerable_component_version')
+
+    if package_name is None:
+        package_name = detection.detection_details.get('package_name')
+        package_version = detection.detection_details.get('package_version')
+
+    if package_name and package_version:
+        return f'{package_name}@{package_version}'
+
+    return None
 
-    if package_name == '':
-        package_name = detection.detection_details.get('package_name', '')
-        package_version = detection.detection_details.get('package_version', '')
 
-    return f'{package_name}@{package_version}'
+def _get_cve_identifier(detection: Detection) -> Optional[str]:
+    return detection.detection_details.get('alert', {}).get('cve_identifier')
 
 
 def _get_document_by_file_name(

{cycode-2.1.1.dev1 → cycode-2.1.2.dev2}/cycode/cli/consts.py

@@ -131,6 +131,7 @@ EXCLUSIONS_BY_SHA_SECTION_NAME = 'shas'
 EXCLUSIONS_BY_PATH_SECTION_NAME = 'paths'
 EXCLUSIONS_BY_RULE_SECTION_NAME = 'rules'
 EXCLUSIONS_BY_PACKAGE_SECTION_NAME = 'packages'
+EXCLUSIONS_BY_CVE_SECTION_NAME = 'cves'
 
 # 5MB in bytes (in decimal)
 FILE_MAX_SIZE_LIMIT_IN_BYTES = 5000000

{cycode-2.1.1.dev1 → cycode-2.1.2.dev2}/cycode/cli/files_collector/path_documents.py

@@ -1,7 +1,5 @@
 import os
-from typing import TYPE_CHECKING, Iterable, List, Tuple
-
-import pathspec
+from typing import TYPE_CHECKING, List, Tuple
 
 from cycode.cli.files_collector.excluder import exclude_irrelevant_files
 from cycode.cli.files_collector.iac.tf_content_generator import (
@@ -10,6 +8,7 @@ from cycode.cli.files_collector.iac.tf_content_generator import (
     is_iac,
     is_tfplan_file,
 )
+from cycode.cli.files_collector.walk_ignore import walk_ignore
 from cycode.cli.models import Document
 from cycode.cli.utils.path_utils import get_absolute_path, get_file_content
 from cycode.cyclient import logger
@@ -18,17 +17,18 @@ if TYPE_CHECKING:
     from cycode.cli.utils.progress_bar import BaseProgressBar, ProgressBarSection
 
 
-def _get_all_existing_files_in_directory(path: str) -> List[str]:
+def _get_all_existing_files_in_directory(path: str, *, walk_with_ignore_patterns: bool = True) -> List[str]:
     files: List[str] = []
 
-    for root, _, filenames in os.walk(path):
+    walk_func = walk_ignore if walk_with_ignore_patterns else os.walk
+    for root, _, filenames in walk_func(path):
         for filename in filenames:
             files.append(os.path.join(root, filename))
 
     return files
 
 
-def _get_relevant_files_in_path(path: str, exclude_patterns: Iterable[str]) -> List[str]:
+def _get_relevant_files_in_path(path: str) -> List[str]:
     absolute_path = get_absolute_path(path)
 
     if not os.path.isfile(absolute_path) and not os.path.isdir(absolute_path):
@@ -37,14 +37,8 @@ def _get_relevant_files_in_path(path: str, exclude_patterns: Iterable[str]) -> L
     if os.path.isfile(absolute_path):
         return [absolute_path]
 
-    all_file_paths = set(_get_all_existing_files_in_directory(absolute_path))
-
-    path_spec = pathspec.PathSpec.from_lines(pathspec.patterns.GitWildMatchPattern, exclude_patterns)
-    excluded_file_paths = set(path_spec.match_files(all_file_paths))
-
-    relevant_file_paths = all_file_paths - excluded_file_paths
-
-    return [file_path for file_path in relevant_file_paths if os.path.isfile(file_path)]
+    file_paths = _get_all_existing_files_in_directory(absolute_path)
+    return [file_path for file_path in file_paths if os.path.isfile(file_path)]
 
 
 def _get_relevant_files(
@@ -52,9 +46,7 @@ def _get_relevant_files(
 ) -> List[str]:
     all_files_to_scan = []
     for path in paths:
-        all_files_to_scan.extend(
-            _get_relevant_files_in_path(path=path, exclude_patterns=['**/.git/**', '**/.cycode/**'])
-        )
+        all_files_to_scan.extend(_get_relevant_files_in_path(path))
 
     # we are double the progress bar section length because we are going to process the files twice
     # first time to get the file list with respect of excluded patterns (excluding takes seconds to execute)

cycode-2.1.2.dev2/cycode/cli/files_collector/walk_ignore.py

@@ -0,0 +1,42 @@
+import os
+from typing import Generator, Iterable, List, Tuple
+
+from cycode.cli.utils.ignore_utils import IgnoreFilterManager
+from cycode.cyclient import logger
+
+_SUPPORTED_IGNORE_PATTERN_FILES = {  # oneday we will bring .cycodeignore or something like that
+    '.gitignore',
+}
+_DEFAULT_GLOBAL_IGNORE_PATTERNS = [
+    '.git',
+    '.cycode',
+]
+
+
+def _walk_to_top(path: str) -> Iterable[str]:
+    while os.path.dirname(path) != path:
+        yield path
+        path = os.path.dirname(path)
+
+    if path:
+        yield path  # Include the top-level directory
+
+
+def _collect_top_level_ignore_files(path: str) -> List[str]:
+    ignore_files = []
+    for dir_path in _walk_to_top(path):
+        for ignore_file in _SUPPORTED_IGNORE_PATTERN_FILES:
+            ignore_file_path = os.path.join(dir_path, ignore_file)
+            if os.path.exists(ignore_file_path):
+                logger.debug('Apply top level ignore file: %s', ignore_file_path)
+                ignore_files.append(ignore_file_path)
+    return ignore_files
+
+
+def walk_ignore(path: str) -> Generator[Tuple[str, List[str], List[str]], None, None]:
+    ignore_filter_manager = IgnoreFilterManager.build(
+        path=path,
+        global_ignore_file_paths=_collect_top_level_ignore_files(path),
+        global_patterns=_DEFAULT_GLOBAL_IGNORE_PATTERNS,
+    )
+    yield from ignore_filter_manager.walk()

{cycode-2.1.1.dev1 → cycode-2.1.2.dev2}/cycode/cli/user_settings/configuration_manager.py

@@ -79,7 +79,8 @@ class ConfigurationManager:
         config_file_manager = self.get_config_file_manager(scope)
         config_file_manager.add_exclusion(scan_type, exclusion_type, value)
 
-    def _merge_exclusions(self, local_exclusions: Dict, global_exclusions: Dict) -> Dict:
+    @staticmethod
+    def _merge_exclusions(local_exclusions: Dict, global_exclusions: Dict) -> Dict:
         keys = set(list(local_exclusions.keys()) + list(global_exclusions.keys()))
         return {key: local_exclusions.get(key, []) + global_exclusions.get(key, []) for key in keys}