From 0c7b8f04f0be40197262dbe118eee048ae6117e0 Mon Sep 17 00:00:00 2001
From: Chidozie Ononiwu
Date: Fri, 9 Jul 2021 20:11:19 -0700
Subject: [PATCH 1/2] Add FilterPoliCheckResult.ps1

---
 eng/common/scripts/FilterPoliCheckResults.ps1 | 90 +++++++++++++++++++
 1 file changed, 90 insertions(+)
 create mode 100644 eng/common/scripts/FilterPoliCheckResults.ps1

diff --git a/eng/common/scripts/FilterPoliCheckResults.ps1 b/eng/common/scripts/FilterPoliCheckResults.ps1
new file mode 100644
index 000000000000..b3e5977af73c
--- /dev/null
+++ b/eng/common/scripts/FilterPoliCheckResults.ps1
@@ -0,0 +1,90 @@
+[CmdletBinding()]
+param(
+ [Parameter(Mandatory=$true)]
+ [String] $PoliCheckResultFilePath,
+ [String] $ServiceDirtectory
+)
+
+. "${PSScriptRoot}\logging.ps1"
+
+$RepoRoot = Resolve-Path -Path "${PSScriptRoot}\..\..\..\"
+$PathToAllowListFiles = Join-Path $RepoRoot $ServiceDirtectory
+$PolicCheckAllowListFiles = Get-ChildItem -Path $PathToAllowListFiles -Recurse -File -Include "PoliCheckAllowList.yml"
+$allowListData = @{}
+
+# Combine all AllowLists Found
+foreach ($file in $PolicCheckAllowListFiles)
+{
+ $allowListDataInFile = ConvertFrom-Yaml (Get-Content $file.FullName -Raw)
+ $allowListData["PC1001"] += $allowListDataInFile["PC1001"]
+ $allowListData["PC1002"] += $allowListDataInFile["PC1002"]
+ $allowListData["PC1003"] += $allowListDataInFile["PC1003"]
+ $allowListData["PC1004"] += $allowListDataInFile["PC1004"]
+ $allowListData["PC1005"] += $allowListDataInFile["PC1005"]
+ $allowListData["PC1006"] += $allowListDataInFile["PC1006"]
+}
+
+$poliCheckData = Get-Content $PoliCheckResultFilePath | ConvertFrom-Json
+$poliCheckResultsCount = $poliCheckData.runs[0].results.Count
+$newCount
+
+$updatedRuns = @()
+
+foreach ($run in $poliCheckData.runs)
+{
+ $updatedResults = @()
+ foreach ($result in $run.results)
+ {
+ $ruleId = $result.ruleId
+ $allowedEntries = $allowListData[$ruleId]
+ if ($allowedEntries)
+ {
+ $updatedLocations = @()
+
+ foreach ($location in $result.locations)
+ {
+ $filePath = $location.physicalLocation.artifactLocation.uri
+ $text = $location.physicalLocation.region.snippet.text
+ $contextRegion = $location.physicalLocation.contextRegion.snippet.text
+
+ $allowedEntry = $allowedEntries[0] | Where-Object { $_.FilePath -eq $filePath }
+
+ if ($allowedEntry.Count -gt 0)
+ {
+ $foundAllowedInstance = $false
+ foreach ($instance in $allowedEntry.instances)
+ {
+ if (($instance.Text.Trim() -eq $text.Trim()) -and ($instance.ContextRegion.Trim() -eq $contextRegion.Trim()))
+ {
+ Write-Host "Found instance" -ForegroundColor Green
+ $foundAllowedInstance = $true
+ }
+ }
+ if ($foundAllowedInstance -eq $true)
+ {
+ continue
+ }
+ }
+
+ $updatedLocations += $location
+ }
+
+ $result.locations = $updatedLocations
+ }
+
+ if ($result.locations.Count -gt 0)
+ {
+ $updatedResults += $result
+ }
+ }
+ $run.results = $updatedResults
+ $newCount = $run.results.Count
+ $updatedRuns += $run
+}
+
+$poliCheckData.runs = $updatedRuns
+
+Set-Content -Path $PoliCheckResultFilePath -Value ($poliCheckData | ConvertTo-Json -Depth 100)
+
+LogDebug "Original Result Count: ${poliCheckResultsCount}"
+LogDebug "New Result Count: ${newCount}"
From 08c8c876b5e3186fadffbea34e2d4ea173cf6ae7 Mon Sep 17 00:00:00 2001
From: Chidozie Ononiwu
Date: Tue, 13 Jul 2021 12:05:55 -0700
Subject: [PATCH 2/2] Add description to FilterPoliCheckResults.ps1

---
 eng/common/scripts/FilterPoliCheckResults.ps1 | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/eng/common/scripts/FilterPoliCheckResults.ps1 b/eng/common/scripts/FilterPoliCheckResults.ps1
index b3e5977af73c..f74f72971021 100644
--- a/eng/common/scripts/FilterPoliCheckResults.ps1
+++ b/eng/common/scripts/FilterPoliCheckResults.ps1
@@ -1,3 +1,16 @@
+<#
+.SYNOPSIS
+Filters PoliCheck Result.
+.DESCRIPTION
+This script will read data speciefied in one or more PoliCheckAllowList.yml files,
+It then reamoves all allwed entries from the PoliCheckResult
+.PARAMETER PoliCheckResultFilePath
+The Path to the PoliCheck Result. Usually named PoliCheck.sarif
+.PARAMETER ServiceDirtectory
+If the PoliCheck scan is scoped to a particular service provide the ServiceDirectory
+.EXAMPLE
+PS> ./FilterPoliCheckResults.ps1 -PoliCheckResultFilePath .\PoliCheck.sarif
+#>
 [CmdletBinding()]
 param(
 [Parameter(Mandatory=$true)]
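Review bot: `$allowedEntry = $allowedEntries[0] | Where-Object { $_.FilePath -eq $filePath }` pipes only the first element of the merged allow list into the filter, so unless each rule's YAML value is itself a list of lists, entries for every file but the first are never matched and their findings stay in the report; dropping the index, `$allowedEntry = $allowedEntries | Where-Object { $_.FilePath -eq $filePath }`, searches everything the foreach over the allow-list files accumulated. Because the script overwrites the SARIF file in place and deletes the suppressed results, the only trace of a suppression is the bare `Write-Host "Found instance"`; recording the rule and file there, e.g. `LogDebug "Allow-listed ${ruleId} in ${filePath}"` in line with the LogDebug calls at the end, keeps suppressions auditable, and SARIF's per-result `suppressions` array is the format's own alternative to removing results outright. The standalone `$newCount` line is an expression statement rather than a declaration and would error under Set-StrictMode; `$newCount = 0` states the intent. The parameter name `ServiceDirtectory` is misspelled, and since it is the script's public interface, correcting it before callers depend on it avoids a breaking rename later.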
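Review bot: The `.DESCRIPTION` text in the new comment block has typos (`speciefied`, `reamoves`, `allwed`) and is two clauses joined by a comma; `This script reads the entries specified in one or more PoliCheckAllowList.yml files and removes all allowed entries from the PoliCheck result.` reads cleanly. The `.PARAMETER ServiceDirtectory` entry must keep the parameter's exact spelling for Get-Help to bind it, yet its body says "provide the ServiceDirectory"; whichever spelling the parameter ends up with should be used consistently in both places.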