implement filtering by packages through the config (#944)

I'd like feedback on the config yaml schema, the filter message and it's
behaviour if the version is empty (it filters any version of that
package).

This is in response to #814

Author: josieang

fixtures/testdatainner/osv-scanner.toml

@@ -1,9 +1,25 @@
 [[IgnoredVulns]]
 id = "GO-2022-0968"
-# ignore_until = 2022-11-09
+# ignoreUntil = 2022-11-09
 # reason = "" # Optional reason
 
 [[IgnoredVulns]]
 id = "GO-2022-1059"
-# ignore_until = 2022-11-09 # Optional exception expiry date
+# ignoreUntil = 2022-11-09 # Optional exception expiry date
 # reason = "" # Optional reason
+
+[[PackageOverrides]]
+name = "lib"
+version = "1.0.0"
+ecosystem = "Go"
+ignore = true
+# effectiveUntil = 2022-11-09 # Optional exception expiry date
+reason = "abc"
+ 
+[[PackageOverrides]]
+name = "my-pkg"
+version = "1.0.0"
+ecosystem = "Go"
+ignore = true
+reason = "abc"
+license.override = ["MIT", "0BSD"]

pkg/config/config.go

@@ -23,9 +23,10 @@ type ConfigManager struct {
 }
 
 type Config struct {
-	IgnoredVulns      []IgnoreEntry `toml:"IgnoredVulns"`
-	LoadPath          string        `toml:"LoadPath"`
-	GoVersionOverride string        `toml:"GoVersionOverride"`
+	IgnoredVulns      []IgnoreEntry          `toml:"IgnoredVulns"`
+	PackageOverrides  []PackageOverrideEntry `toml:"PackageOverrides"`
+	LoadPath          string                 `toml:"LoadPath"`
+	GoVersionOverride string                 `toml:"GoVersionOverride"`
 }
 
 type IgnoreEntry struct {
@@ -34,19 +35,67 @@ type IgnoreEntry struct {
 	Reason      string    `toml:"reason"`
 }
 
+type PackageOverrideEntry struct {
+	Name string `toml:"name"`
+	// If the version is empty, the entry applies to all versions.
+	Version        string    `toml:"version"`
+	Ecosystem      string    `toml:"ecosystem"`
+	Ignore         bool      `toml:"ignore"`
+	License        License   `toml:"license"`
+	EffectiveUntil time.Time `toml:"effectiveUntil"`
+	Reason         string    `toml:"reason"`
+}
+
+type License struct {
+	Override []string `toml:"override"`
+}
+
 func (c *Config) ShouldIgnore(vulnID string) (bool, IgnoreEntry) {
-	index := slices.IndexFunc(c.IgnoredVulns, func(elem IgnoreEntry) bool { return elem.ID == vulnID })
+	index := slices.IndexFunc(c.IgnoredVulns, func(e IgnoreEntry) bool { return e.ID == vulnID })
 	if index == -1 {
 		return false, IgnoreEntry{}
 	}
 	ignoredLine := c.IgnoredVulns[index]
-	if ignoredLine.IgnoreUntil.IsZero() {
+
+	return shouldIgnoreTimestamp(ignoredLine.IgnoreUntil), ignoredLine
+}
+
+func (c *Config) filterPackageVersionEntries(name string, version string, ecosystem string, condition func(PackageOverrideEntry) bool) (bool, PackageOverrideEntry) {
+	index := slices.IndexFunc(c.PackageOverrides, func(e PackageOverrideEntry) bool {
+		if ecosystem != e.Ecosystem || name != e.Name {
+			return false
+		}
+
+		return (version == e.Version || e.Version == "") && condition(e)
+	})
+	if index == -1 {
+		return false, PackageOverrideEntry{}
+	}
+	ignoredLine := c.PackageOverrides[index]
+
+	return shouldIgnoreTimestamp(ignoredLine.EffectiveUntil), ignoredLine
+}
+
+func (c *Config) ShouldIgnorePackageVersion(name, version, ecosystem string) (bool, PackageOverrideEntry) {
+	return c.filterPackageVersionEntries(name, version, ecosystem, func(e PackageOverrideEntry) bool {
+		return e.Ignore
+	})
+}
+
+func (c *Config) ShouldOverridePackageVersionLicense(name, version, ecosystem string) (bool, PackageOverrideEntry) {
+	return c.filterPackageVersionEntries(name, version, ecosystem, func(e PackageOverrideEntry) bool {
+		return len(e.License.Override) > 0
+	})
+}
+
+func shouldIgnoreTimestamp(ignoreUntil time.Time) bool {
+	if ignoreUntil.IsZero() {
 		// If IgnoreUntil is not set, should ignore.
-		return true, ignoredLine
+		return true
 	}
 	// Should ignore if IgnoreUntil is still after current time
 	// Takes timezone offsets into account if it is specified. otherwise it's using local time
-	return ignoredLine.IgnoreUntil.After(time.Now()), ignoredLine
+	return ignoreUntil.After(time.Now())
 }
 
 // Sets the override config by reading the config file at configPath.

pkg/config/config_internal_test.go

@@ -27,6 +27,25 @@ func TestTryLoadConfig(t *testing.T) {
 				ID: "GO-2022-1059",
 			},
 		},
+		PackageOverrides: []PackageOverrideEntry{
+			{
+				Name:      "lib",
+				Version:   "1.0.0",
+				Ecosystem: "Go",
+				Ignore:    true,
+				Reason:    "abc",
+			},
+			{
+				Name:      "my-pkg",
+				Version:   "1.0.0",
+				Ecosystem: "Go",
+				Reason:    "abc",
+				Ignore:    true,
+				License: License{
+					Override: []string{"MIT", "0BSD"},
+				},
+			},
+		},
 	}
 	testPaths := []testStruct{
 		{
@@ -69,6 +88,9 @@ func TestTryLoadConfig(t *testing.T) {
 		if !cmp.Equal(config.IgnoredVulns, testData.config.IgnoredVulns) {
 			t.Errorf("Configs not equal: %+v != %+v", config, testData.config)
 		}
+		if !cmp.Equal(config.PackageOverrides, testData.config.PackageOverrides) {
+			t.Errorf("Configs not equal: %+v != %+v", config, testData.config)
+		}
 		if testData.configHasErr {
 			if configErr == nil {
 				t.Error("Config error not returned")
@@ -191,3 +213,238 @@ func TestConfig_ShouldIgnore(t *testing.T) {
 		})
 	}
 }
+
+func TestConfig_ShouldIgnorePackageVersion(t *testing.T) {
+	t.Parallel()
+
+	type args struct {
+		name      string
+		version   string
+		ecosystem string
+	}
+	tests := []struct {
+		name      string
+		config    Config
+		args      args
+		wantOk    bool
+		wantEntry PackageOverrideEntry
+	}{
+		{
+			name: "Version-level entry exists",
+			config: Config{
+				PackageOverrides: []PackageOverrideEntry{
+					{
+						Name:           "lib1",
+						Version:        "1.0.0",
+						Ecosystem:      "Go",
+						Ignore:         true,
+						EffectiveUntil: time.Time{},
+						Reason:         "abc",
+					},
+				},
+			},
+			args: args{
+				name:      "lib1",
+				version:   "1.0.0",
+				ecosystem: "Go",
+			},
+			wantOk: true,
+			wantEntry: PackageOverrideEntry{
+				Name:           "lib1",
+				Version:        "1.0.0",
+				Ecosystem:      "Go",
+				Ignore:         true,
+				EffectiveUntil: time.Time{},
+				Reason:         "abc",
+			},
+		},
+		{
+			name: "Package-level entry exists",
+			config: Config{
+				PackageOverrides: []PackageOverrideEntry{
+					{
+						Name:           "lib1",
+						Ecosystem:      "Go",
+						Ignore:         true,
+						EffectiveUntil: time.Time{},
+						Reason:         "abc",
+					},
+				},
+			},
+			args: args{
+				name:      "lib1",
+				version:   "1.0.0",
+				ecosystem: "Go",
+			},
+			wantOk: true,
+			wantEntry: PackageOverrideEntry{
+				Name:           "lib1",
+				Ecosystem:      "Go",
+				Ignore:         true,
+				EffectiveUntil: time.Time{},
+				Reason:         "abc",
+			},
+		},
+		{
+			name: "Entry doesn't exist",
+			config: Config{
+				PackageOverrides: []PackageOverrideEntry{
+					{
+						Name:           "lib1",
+						Version:        "2.0.0",
+						Ecosystem:      "Go",
+						Ignore:         false,
+						EffectiveUntil: time.Time{},
+						Reason:         "abc",
+					},
+					{
+						Name:           "lib2",
+						Version:        "2.0.0",
+						Ignore:         true,
+						Ecosystem:      "Go",
+						EffectiveUntil: time.Time{},
+						Reason:         "abc",
+					},
+				},
+			},
+			args: args{
+				name:      "lib1",
+				version:   "2.0.0",
+				ecosystem: "Go",
+			},
+			wantOk:    false,
+			wantEntry: PackageOverrideEntry{},
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			gotOk, gotEntry := tt.config.ShouldIgnorePackageVersion(tt.args.name, tt.args.version, tt.args.ecosystem)
+			if gotOk != tt.wantOk {
+				t.Errorf("ShouldIgnorePackageVersion() gotOk = %v, wantOk %v", gotOk, tt.wantOk)
+			}
+			if !reflect.DeepEqual(gotEntry, tt.wantEntry) {
+				t.Errorf("ShouldIgnorePackageVersion() gotEntry = %v, wantEntry %v", gotEntry, tt.wantEntry)
+			}
+		})
+	}
+}
+
+func TestConfig_ShouldOverridePackageVersionLicense(t *testing.T) {
+	t.Parallel()
+
+	type args struct {
+		name      string
+		version   string
+		ecosystem string
+	}
+	tests := []struct {
+		name      string
+		config    Config
+		args      args
+		wantOk    bool
+		wantEntry PackageOverrideEntry
+	}{
+		{
+			name: "Exact version entry exists",
+			config: Config{
+				PackageOverrides: []PackageOverrideEntry{
+					{
+						Name:      "lib1",
+						Version:   "1.0.0",
+						Ecosystem: "Go",
+						License: License{
+							Override: []string{"mit"},
+						},
+						Reason: "abc",
+					},
+				},
+			},
+			args: args{
+				name:      "lib1",
+				version:   "1.0.0",
+				ecosystem: "Go",
+			},
+			wantOk: true,
+			wantEntry: PackageOverrideEntry{
+				Name:      "lib1",
+				Version:   "1.0.0",
+				Ecosystem: "Go",
+				License: License{
+					Override: []string{"mit"},
+				},
+				Reason: "abc",
+			},
+		},
+		{
+			name: "Version entry doesn't exist",
+			config: Config{
+				PackageOverrides: []PackageOverrideEntry{
+					{
+						Name:      "lib1",
+						Version:   "1.0.0",
+						Ecosystem: "Go",
+						License: License{
+							Override: []string{"mit"},
+						},
+						Reason: "abc",
+					},
+				},
+			},
+			args: args{
+				name:      "lib1",
+				version:   "1.0.1",
+				ecosystem: "Go",
+			},
+			wantOk:    false,
+			wantEntry: PackageOverrideEntry{},
+		},
+		{
+			name: "Name matches",
+			config: Config{
+				PackageOverrides: []PackageOverrideEntry{
+					{
+						Name:      "lib1",
+						Ecosystem: "Go",
+						License: License{
+							Override: []string{"mit"},
+						},
+						Reason: "abc",
+					},
+				},
+			},
+			args: args{
+				name:      "lib1",
+				version:   "1.0.1",
+				ecosystem: "Go",
+			},
+			wantOk: true,
+			wantEntry: PackageOverrideEntry{
+				Name:      "lib1",
+				Ecosystem: "Go",
+				License: License{
+					Override: []string{"mit"},
+				},
+				Reason: "abc",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			gotOk, gotEntry := tt.config.ShouldOverridePackageVersionLicense(tt.args.name, tt.args.version, tt.args.ecosystem)
+			if gotOk != tt.wantOk {
+				t.Errorf("ShouldOverridePackageVersionLicense() gotOk = %v, wantOk %v", gotOk, tt.wantOk)
+			}
+			if !reflect.DeepEqual(gotEntry, tt.wantEntry) {
+				t.Errorf("ShouldOverridePackageVersionLicense() gotEntry = %v, wantEntry %v", gotEntry, tt.wantEntry)
+			}
+		})
+	}
+}