From 7ac72761298ab440a8b7d643fe35e09498ea157d Mon Sep 17 00:00:00 2001
From: Frank Seidel
Date: Mon, 27 Feb 2023 16:42:42 +0100
Subject: [PATCH] use existing path matching logic when filtering allowed patterns on file configs (#414)
- requires to change ChecksumCompare too, so it considers all ignore configs (and not only the first matching one)
---
 detector/helpers/checksum_compare.go | 6 ++-
 detector/helpers/checksum_compare_test.go | 54 +++++++++++++++++++++++
 talismanrc/talismanrc.go | 5 +--
 talismanrc/talismanrc_test.go | 16 ++++++-
 4 files changed, 74 insertions(+), 7 deletions(-)
diff --git a/detector/helpers/checksum_compare.go b/detector/helpers/checksum_compare.go
index 0a886300..5ab32cdb 100644
--- a/detector/helpers/checksum_compare.go
+++ b/detector/helpers/checksum_compare.go
@@ -23,8 +23,10 @@ func (cc *ChecksumCompare) IsScanNotRequired(addition gitrepo.Addition) bool {
 for _, ignore := range cc.talismanRC.IgnoreConfigs {
 if addition.Matches(ignore.GetFileName()) {
 currentCollectiveChecksum = cc.calculator.CalculateCollectiveChecksumForPattern(ignore.GetFileName())
- return ignore.ChecksumMatches(currentCollectiveChecksum)
+ if ignore.ChecksumMatches(currentCollectiveChecksum) {
+ return true
+ }
 }
 }
- return false;
+ return false
 }
diff --git a/detector/helpers/checksum_compare_test.go b/detector/helpers/checksum_compare_test.go
index 879b0fa5..aae18dfe 100644
--- a/detector/helpers/checksum_compare_test.go
+++ b/detector/helpers/checksum_compare_test.go
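Review bot: In `IsScanNotRequired` (detector/helpers/checksum_compare.go), every ignore entry whose file pattern matches now gets a chance to suppress the scan, including entries that carry only allowed patterns and no checksum. Whether `ChecksumMatches` treats an empty stored checksum as equal to an empty computed one is not visible in this hunk; if it does, such an entry would skip scanning for every file it matches. A guard that requires a non-empty value closes that path: `if currentCollectiveChecksum != "" && ignore.ChecksumMatches(currentCollectiveChecksum) {`. The function body starts above the hunk, so the declaration of `currentCollectiveChecksum` is outside this view.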
@@ -58,4 +58,58 @@ func TestChecksumCompare_IsScanNotRequired(t *testing.T) {
 assert.True(t, required)
 })
+ t.Run("should find any matching talismanrc config", func(t *testing.T) {
+ ctrl := gomock.NewController(t)
+ defer ctrl.Finish()
+ mockSHA256Hasher := mockutility.NewMockSHA256Hasher(ctrl)
+ checksumCalculator := mockchecksumcalculator.NewMockChecksumCalculator(ctrl)
+ ignoreConfig := talismanrc.TalismanRC{
+ IgnoreConfigs: []talismanrc.IgnoreConfig{
+ &talismanrc.FileIgnoreConfig{
+ FileName: "some.txt",
+ Checksum: "sha1",
+ },
+ &talismanrc.FileIgnoreConfig{
+ FileName: "some.txt",
+ Checksum: "recent-sha1",
+ },
+ },
+ }
+ cc := NewChecksumCompare(checksumCalculator, mockSHA256Hasher, &ignoreConfig)
+ addition := gitrepo.Addition{Name: "some.txt"}
+ mockSHA256Hasher.EXPECT().CollectiveSHA256Hash([]string{string(addition.Path)}).Return("somesha")
+ checksumCalculator.EXPECT().CalculateCollectiveChecksumForPattern("some.txt").Return("recent-sha1").Times(2)
+
+ required := cc.IsScanNotRequired(addition)
+
+ assert.True(t, required)
+ })
+
+ t.Run("should find checksum talismanrc config only", func(t *testing.T) {
+ ctrl := gomock.NewController(t)
+ defer ctrl.Finish()
+ mockSHA256Hasher := mockutility.NewMockSHA256Hasher(ctrl)
+ checksumCalculator := mockchecksumcalculator.NewMockChecksumCalculator(ctrl)
+ ignoreConfig := talismanrc.TalismanRC{
+ IgnoreConfigs: []talismanrc.IgnoreConfig{
+ &talismanrc.FileIgnoreConfig{
+ FileName: "*.txt",
+ AllowedPatterns: []string{"key"},
+ },
+ &talismanrc.FileIgnoreConfig{
+ FileName: "some.txt",
+ Checksum: "sha1",
+ },
+ },
+ }
+ cc := NewChecksumCompare(checksumCalculator, mockSHA256Hasher, &ignoreConfig)
+ addition := gitrepo.Addition{Name: "some.txt"}
+ mockSHA256Hasher.EXPECT().CollectiveSHA256Hash([]string{string(addition.Path)}).Return("somesha")
+ checksumCalculator.EXPECT().CalculateCollectiveChecksumForPattern("*.txt").Return("sha1")
+ checksumCalculator.EXPECT().CalculateCollectiveChecksumForPattern("some.txt").Return("sha1")
+
+ required := cc.IsScanNotRequired(addition)
+
+ assert.True(t, required)
+ })
 }
diff --git a/talismanrc/talismanrc.go b/talismanrc/talismanrc.go
index 90bdd588..4e34be3d 100644
--- a/talismanrc/talismanrc.go
+++ b/talismanrc/talismanrc.go
@@ -165,8 +165,7 @@ func (tRC *TalismanRC) Deny(addition gitrepo.Addition, detectorName string) bool
 }
 //Strip git addition
-func(tRC *TalismanRC) FilterAllowedPatternsFromAddition(addition gitrepo.Addition) string {
- additionPathAsString := string(addition.Path)
+func (tRC *TalismanRC) FilterAllowedPatternsFromAddition(addition gitrepo.Addition) string {
 // Processing global allowed patterns
 for _, pattern := range tRC.AllowedPatterns {
 addition.Data = pattern.ReplaceAll(addition.Data, []byte(""))
@@ -174,7 +173,7 @@ func(tRC *TalismanRC) FilterAllowedPatternsFromAddition(addition gitrepo.Additio
 // Processing allowed patterns based on file path
 for _, ignoreConfig := range tRC.IgnoreConfigs {
- if ignoreConfig.GetFileName() == additionPathAsString {
+ if addition.Matches(ignoreConfig.GetFileName()) {
 for _, pattern := range ignoreConfig.GetAllowedPatterns() {
 addition.Data = pattern.ReplaceAll(addition.Data, []byte(""))
 }
diff --git a/talismanrc/talismanrc_test.go b/talismanrc/talismanrc_test.go
index 1da13561..73120506 100644
--- a/talismanrc/talismanrc_test.go
+++ b/talismanrc/talismanrc_test.go
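Review bot: Both cases added to `TestChecksumCompare_IsScanNotRequired` (detector/helpers/checksum_compare_test.go) assert `true`, so the new fall-through to `return false` after several path matches is not pinned by anything visible here. Since a wrong `true` means a file is not scanned, a third `t.Run` with two entries for `some.txt` whose checksums both differ from the calculator's return value, ending in `assert.False(t, required)`, would cover it. The local name `required` holds the result of `IsScanNotRequired`, which reads inverted; `skipScan` would say what the value means. The enclosing test function starts above the hunk.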
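Review bot: The comment `//Strip git addition` above `FilterAllowedPatternsFromAddition` (talismanrc/talismanrc.go, hunk at -165) does not say what is removed, and it does not follow the Go doc-comment form that starts with the function name. Suggested: `// FilterAllowedPatternsFromAddition removes every match of the global allowed patterns, and of the allowed patterns of each ignore config whose file name matches the addition, from the addition's data.` What the function returns is not visible here, as its body continues below the hunk.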
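Review bot: Switching to `addition.Matches(ignoreConfig.GetFileName())` in `FilterAllowedPatternsFromAddition` (talismanrc/talismanrc.go, hunk at -174) means an entry whose file name is a glob now applies its allowed patterns to every file it matches, where the old string comparison applied them only to an identical path. Existing `.talismanrc` entries with wildcard file names therefore begin removing content, presumably before detection runs, as soon as this version is installed and without any change on the user's side. I would state that next to the check, `// A glob FileName applies its allowed patterns to every matching addition, so keep such patterns narrow.`, and mention the behaviour change in the release notes. How `Matches` interprets the pattern is not visible here, and the function body continues outside the hunk.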
@@ -73,6 +73,20 @@ func TestShouldFilterAllowedPatternsFromAdditionBasedOnFileConfig(t *testing.T)
 assert.Equal(t, fileContentFiltered2, fileContent)
 }
+func TestShouldFilterAllowedPatternsFromAdditionBasedOnFileConfigWithWildcards(t *testing.T) {
+ const hexContent string = "68656C6C6F20776F726C6421"
+ const fileContent string = "Prefix content" + hexContent
+ gitRepoAddition1 := testAdditionWithData("foo/file1.yml", []byte(fileContent))
+ gitRepoAddition2 := testAdditionWithData("foo/file2.yml", []byte(fileContent))
+ talismanrc := createTalismanRCWithFileIgnores("foo/*.yml", "somedetector", []string{hexContent})
+
+ fileContentFiltered1 := talismanrc.FilterAllowedPatternsFromAddition(gitRepoAddition1)
+ fileContentFiltered2 := talismanrc.FilterAllowedPatternsFromAddition(gitRepoAddition2)
+
+ assert.Equal(t, fileContentFiltered1, "Prefix content")
+ assert.Equal(t, fileContentFiltered2, "Prefix content")
+}
+
 func TestShouldConvertThresholdToValue(t *testing.T) {
 talismanRCContents := []byte("threshold: high")
 assert.Equal(t, newPersistedRC(talismanRCContents).Threshold, severity.High)
@@ -299,8 +313,6 @@ func TestFor(t *testing.T) {
 assert.True(t, rc.IgnoreConfigs[2].ChecksumMatches("file3_checksum"))
 })
-
-
 }
 func TestForScan(t *testing.T) {
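Review bot: `TestShouldFilterAllowedPatternsFromAdditionBasedOnFileConfigWithWildcards` (talismanrc/talismanrc_test.go) checks only files that the pattern `foo/*.yml` is meant to cover; nothing asserts that a file outside it keeps its content. Because a pattern that matches too much removes data that should still be inspected, I would add a third addition such as `testAdditionWithData("bar/file1.yml", []byte(fileContent))` and assert that its filtered result equals `fileContent`. The `assert.Equal` calls also pass the actual value first; if this is testify's `assert`, the expected value goes first, `assert.Equal(t, "Prefix content", fileContentFiltered1)`, which keeps the failure message the right way round.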