From 46347656b3dbf70bbe3326d25561f3f4339f8ac5 Mon Sep 17 00:00:00 2001
From: Ilya Siamionau
Date: Wed, 11 Dec 2024 15:36:55 +0100
Subject: [PATCH 1/2] CM-42882 - Fix SCA table printing (severity weights)
---
 cycode/cli/commands/scan/code_scanner.py | 18 +++++++++++-------
 cycode/cli/commands/scan/scan_command.py | 4 ++--
 cycode/cli/models.py | 12 ++++++++----
 .../cli/printers/tables/sca_table_printer.py | 7 +++++--
 4 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/cycode/cli/commands/scan/code_scanner.py b/cycode/cli/commands/scan/code_scanner.py
index 47d017b0..5b204b71 100644
--- a/cycode/cli/commands/scan/code_scanner.py
+++ b/cycode/cli/commands/scan/code_scanner.py
@@ -455,7 +455,7 @@ def create_local_scan_result(
 documents_to_scan: List[Document],
 command_scan_type: str,
 scan_type: str,
- severity_threshold: str,
+ severity_threshold: Optional[str],
 ) -> LocalScanResult:
 document_detections = get_document_detections(scan_result, documents_to_scan)
 relevant_document_detections_list = exclude_irrelevant_document_detections(
@@ -627,7 +627,10 @@ def get_document_detections(
 def exclude_irrelevant_document_detections(
- document_detections_list: List[DocumentDetections], scan_type: str, command_scan_type: str, severity_threshold: str
+ document_detections_list: List[DocumentDetections],
+ scan_type: str,
+ command_scan_type: str,
+ severity_threshold: Optional[str],
 ) -> List[DocumentDetections]:
 relevant_document_detections_list = []
 for document_detections in document_detections_list:
@@ -709,17 +712,18 @@ def try_get_git_remote_url(path: str) -> Optional[str]:
 def exclude_irrelevant_detections(
- detections: List[Detection], scan_type: str, command_scan_type: str, severity_threshold: str
+ detections: List[Detection], scan_type: str, command_scan_type: str, severity_threshold: Optional[str]
 ) -> List[Detection]:
 relevant_detections = _exclude_detections_by_exclusions_configuration(detections, scan_type)
 relevant_detections = _exclude_detections_by_scan_type(relevant_detections, scan_type, command_scan_type)
- return _exclude_detections_by_severity(relevant_detections, severity_threshold)
+ if severity_threshold:
+ return _exclude_detections_by_severity(relevant_detections, severity_threshold)
+
+ return relevant_detections
-def _exclude_detections_by_severity(detections: List[Detection], severity_threshold: str) -> List[Detection]:
- if severity_threshold is None:
- return detections
+def _exclude_detections_by_severity(detections: List[Detection], severity_threshold: str) -> List[Detection]:
 relevant_detections = []
 for detection in detections:
 severity = detection.detection_details.get('advisory_severity')
diff --git a/cycode/cli/commands/scan/scan_command.py b/cycode/cli/commands/scan/scan_command.py
index a428a87a..113e78fa 100644
--- a/cycode/cli/commands/scan/scan_command.py
+++ b/cycode/cli/commands/scan/scan_command.py
@@ -1,5 +1,5 @@
 import sys
-from typing import List
+from typing import List, Optional
 import click
@@ -117,7 +117,7 @@ def scan_command(
 client_id: str,
 show_secret: bool,
 soft_fail: bool,
- severity_threshold: str,
+ severity_threshold: Optional[str],
 sca_scan: List[str],
 monitor: bool,
 report: bool,
diff --git a/cycode/cli/models.py b/cycode/cli/models.py
index 7020ade3..25b2347f 100644
--- a/cycode/cli/models.py
+++ b/cycode/cli/models.py
@@ -33,6 +33,9 @@ def __repr__(self) -> str:
 return 'document:{0}, detections:{1}'.format(self.document, self.detections)
+SEVERITY_UNKNOWN_WEIGHT = -2
+
+
 class Severity(Enum):
 INFO = -1
 LOW = 0
@@ -42,7 +45,7 @@ class Severity(Enum):
 CRITICAL = 3
 @staticmethod
- def try_get_value(name: str) -> any:
+ def try_get_value(name: str) -> Optional[int]:
 name = name.upper()
 if name not in Severity.__members__:
 return None
@@ -50,10 +53,11 @@ def try_get_value(name: str) -> any:
 return Severity[name].value
 @staticmethod
- def get_member_weight(name: str) -> any:
+ def get_member_weight(name: str) -> int:
 weight = Severity.try_get_value(name)
- if weight is None: # if License Compliance
- return -2
+ if weight is None: # unknown severity
+ return SEVERITY_UNKNOWN_WEIGHT
+
 return weight
diff --git a/cycode/cli/printers/tables/sca_table_printer.py b/cycode/cli/printers/tables/sca_table_printer.py
index d51359a3..5a6ec726 100644
--- a/cycode/cli/printers/tables/sca_table_printer.py
+++ b/cycode/cli/printers/tables/sca_table_printer.py
@@ -4,7 +4,7 @@
 import click
 from cycode.cli.consts import LICENSE_COMPLIANCE_POLICY_ID, PACKAGE_VULNERABILITY_POLICY_ID
-from cycode.cli.models import Detection, Severity
+from cycode.cli.models import SEVERITY_UNKNOWN_WEIGHT, Detection, Severity
 from cycode.cli.printers.tables.table import Table
 from cycode.cli.printers.tables.table_models import ColumnInfoBuilder, ColumnWidths
 from cycode.cli.printers.tables.table_printer_base import TablePrinterBase
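Review bot: `try_get_value` still calls `name.upper()` unconditionally, so `Severity.get_member_weight(None)` raises AttributeError despite the new `-> int` annotation, and the caller in sca_table_printer.py (`__severity_sort_key`, in the next hunk) has to work around it with its own `if severity:` guard plus a second `SEVERITY_UNKNOWN_WEIGHT` fallback. Moving the check into the model, `if not name: return None` as the first line of `try_get_value`, lets `get_member_weight` return `SEVERITY_UNKNOWN_WEIGHT` for a missing `advisory_severity` on its own and the duplicated fallback in `__severity_sort_key` can go. Any other caller that feeds a possibly-missing `advisory_severity` into `get_member_weight` — `_exclude_detections_by_severity` reads that key, but its comparison is outside the hunk — would be covered by the same single check.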
@@ -73,7 +73,10 @@ def __group_by(detections: List[Detection], details_field_name: str) -> Dict[str
 @staticmethod
 def __severity_sort_key(detection: Detection) -> int:
 severity = detection.detection_details.get('advisory_severity')
- return Severity.get_member_weight(severity)
+ if severity:
+ return Severity.get_member_weight(severity)
+
+ return SEVERITY_UNKNOWN_WEIGHT
 def _sort_detections_by_severity(self, detections: List[Detection]) -> List[Detection]:
 return sorted(detections, key=self.__severity_sort_key, reverse=True)
From 42455425719ef72b710db03f51ddbef74703bbc7 Mon Sep 17 00:00:00 2001
From: Ilya Siamionau
Date: Thu, 12 Dec 2024 11:47:43 +0100
Subject: [PATCH 2/2] simplify fix
---
 cycode/cli/commands/scan/code_scanner.py | 12 ++++--------
 cycode/cli/commands/scan/scan_command.py | 6 +++---
 2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/cycode/cli/commands/scan/code_scanner.py b/cycode/cli/commands/scan/code_scanner.py
index 5b204b71..59e99900 100644
--- a/cycode/cli/commands/scan/code_scanner.py
+++ b/cycode/cli/commands/scan/code_scanner.py
@@ -455,7 +455,7 @@ def create_local_scan_result(
 documents_to_scan: List[Document],
 command_scan_type: str,
 scan_type: str,
- severity_threshold: Optional[str],
+ severity_threshold: str,
 ) -> LocalScanResult:
 document_detections = get_document_detections(scan_result, documents_to_scan)
 relevant_document_detections_list = exclude_irrelevant_document_detections(
@@ -630,7 +630,7 @@ def exclude_irrelevant_document_detections(
 document_detections_list: List[DocumentDetections],
 scan_type: str,
 command_scan_type: str,
- severity_threshold: Optional[str],
+ severity_threshold: str,
 ) -> List[DocumentDetections]:
 relevant_document_detections_list = []
 for document_detections in document_detections_list:
@@ -712,15 +712,11 @@ def try_get_git_remote_url(path: str) -> Optional[str]:
 def exclude_irrelevant_detections(
- detections: List[Detection], scan_type: str, command_scan_type: str, severity_threshold: Optional[str]
+ detections: List[Detection], scan_type: str, command_scan_type: str, severity_threshold: str
 ) -> List[Detection]:
 relevant_detections = _exclude_detections_by_exclusions_configuration(detections, scan_type)
 relevant_detections = _exclude_detections_by_scan_type(relevant_detections, scan_type, command_scan_type)
-
- if severity_threshold:
- return _exclude_detections_by_severity(relevant_detections, severity_threshold)
-
- return relevant_detections
+ return _exclude_detections_by_severity(relevant_detections, severity_threshold)
 def _exclude_detections_by_severity(detections: List[Detection], severity_threshold: str) -> List[Detection]:
diff --git a/cycode/cli/commands/scan/scan_command.py b/cycode/cli/commands/scan/scan_command.py
index 113e78fa..5282dfb7 100644
--- a/cycode/cli/commands/scan/scan_command.py
+++ b/cycode/cli/commands/scan/scan_command.py
@@ -1,5 +1,5 @@
 import sys
-from typing import List, Optional
+from typing import List
 import click
@@ -65,7 +65,7 @@
 )
 @click.option(
 '--severity-threshold',
- default=None,
+ default=Severity.INFO.name,
 help='Show violations only for the specified level or higher.',
 type=click.Choice([e.name for e in Severity]),
 required=False,
@@ -117,7 +117,7 @@ def scan_command(
 client_id: str,
 show_secret: bool,
 soft_fail: bool,
- severity_threshold: Optional[str],
+ severity_threshold: str,
 sca_scan: List[str],
 monitor: bool,
 report: bool,
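Review bot: With the `if severity_threshold:` guard removed here and the `if severity_threshold is None` check already dropped from `_exclude_detections_by_severity` in patch 1, nothing in code_scanner.py itself keeps a None threshold out of the severity filter any more; the only protection is the CLI default set in scan_command.py. Any other entry point that reaches `exclude_irrelevant_detections` or `create_local_scan_result` without going through that click option (none is visible in this patch) would hand a non-string to `_exclude_detections_by_severity`, whose body continues outside the hunk. A one-line guard keeps the simplification while making the contract explicit: `if severity_threshold is None: return relevant_detections` before the final return, or at least a docstring on `exclude_irrelevant_detections` stating that `severity_threshold` must be a `Severity` member name.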
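Review bot: Changing the default from None to `Severity.INFO.name` means the severity filter now runs on every scan, whereas a None threshold previously skipped it entirely. If `_exclude_detections_by_severity` (body outside this patch) compares `Severity.get_member_weight(severity)` against the threshold weight, any detection whose `advisory_severity` is missing or is not a `Severity` name — the license-compliance case the removed `# if License Compliance` comment referred to — gets `SEVERITY_UNKNOWN_WEIGHT` (-2), which sorts below INFO (-1), and would be silently dropped from the default output rather than shown. Please confirm that case passes the filter with the new default, and surface the default to users with `show_default=True,` on the option so the changed behaviour is visible in `--help`.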