fix: [#8] Support suppression of all kind of vulnerabilities. (#9)

030 · Jan 13, 2024 · f7a6a2c · f7a6a2c
1 parent 5abbd7b
commit f7a6a2c
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 15 deletions.
diff --git a/action.yml b/action.yml
@@ -2,7 +2,9 @@
 name: trivyignore-validator
 description: trivyignore-validator
 runs:
-  using: 'composite'
+  using: "composite"
   steps:
+    - run: bash --version
+      shell: bash
     - run: ${GITHUB_ACTION_PATH}/src/action.sh
       shell: bash
diff --git a/src/action.sh b/src/action.sh
@@ -13,42 +13,47 @@ createEmptyDotTrivyignoreIfAbsent() {
   exit 0
 }
 
-inspectCveExpiry() {
+inspectVulnerabilityExpiry() {
   echo "checking whether an expiry has been attached..."
 
-  if ! echo ${1} | grep -qE "^CVE\-.*exp:[0-9]{4}(\-[0-9]{2}){2}$"; then
+  if ! echo ${1} | grep -qE "^[A-Z]+\-.*exp:[0-9]{4}(\-[0-9]{2}){2}$"; then
     echo "no expiry associated to: '${1}'. Add it by adding: 'exp:yyyy-mm-dd'"
     exit 1
   fi
 }
 
-inspectCveExpiryMaxOneMonth() {
+inspectVulnerabilityExpiryMaxOneMonth() {
   echo "checking whether the expiry will take place in one month..."
-  current=$(echo "${1}" | sed -e "s|CVE\-.*exp:\(.*\)|\1|g")
+  current=$(echo "${1}" | sed -e "s|^[A-Z]\{3,\}\-.*exp:\(.*\)|\1|g")
+  if ! echo "${current}" | grep -qE "^[0-9]{4}(\-[0-9]{2}){2}$"; then
+    echo "extracted date: ${current} is invalid"
+    exit 1
+  fi
+
   max=$(date +"%F" --date="$(date +%F) next month")
 
-  if [[ "${current}" > "${max}" ]]; then
+  if [ "${current}" \> "${max}" ]; then
     echo "current date: '${current}' in line: '${1}' exceeds"
     echo "the maximum date of one month. Choose a new date that is"
     echo "before: ${max}"
     exit 1
   fi
 }
 
-inspectCveExpiryAndMaxOneMonth() {
+inspectVulnerabilityExpiryAndMaxOneMonth() {
   while read -r line; do
-    if echo "${line}" | grep -qE "^CVE\-"; then
-      echo "found a 'CVE-' entry in the ${filename}...";
+    if echo "${line}" | grep -qE "^[A-Z]+\-"; then
+      echo "found a vulnerability entry in the ${filename}...";
 
-      inspectCveExpiry "${line}"
-      inspectCveExpiryMaxOneMonth "${line}"
+      inspectVulnerabilityExpiry "${line}"
+      inspectVulnerabilityExpiryMaxOneMonth "${line}"
     fi
   done < "${filename}"
 }
 
 main() {
   createEmptyDotTrivyignoreIfAbsent
-  inspectCveExpiryAndMaxOneMonth
+  inspectVulnerabilityExpiryAndMaxOneMonth
 }
 
 main
diff --git a/test/inspect-cve-expiry-max-one-month.bats → ...t-vulnerability-expiry-max-one-month.bats b/test/inspect-cve-expiry-max-one-month.bats → ...t-vulnerability-expiry-max-one-month.bats
@@ -1,7 +1,7 @@
 setup() {
   filename=".trivyignore"
 
-  echo -en "CVE-123 exp:2124-02-15\nCVE-456 exp:2124-02-16" > "${filename}"
+  echo -en "DEF-123 exp:2124-02-15\nCVE-456 exp:2124-02-16" > "${filename}"
 }
 
 teardown() {
@@ -12,6 +12,6 @@ teardown() {
 @test "inspect cve expiry max one month" {
   run ./src/action.sh
   [ "$status" -eq 1 ]
-  regex=".*current date: '2124-02-15' in line: 'CVE-123 exp:2124-02-15' exceeds.*the maximum date of one month. Choose a new date that is.*before: .*"
+  regex=".*current date: '2124-02-15' in line: 'DEF-123 exp:2124-02-15' exceeds.*the maximum date of one month. Choose a new date that is.*before: .*"
   [[ "$output" =~ $regex ]]
 }
diff --git a/test/inspect-cve-expiry.bats → test/inspect-vulnerability-expiry.bats b/test/inspect-cve-expiry.bats → test/inspect-vulnerability-expiry.bats
@@ -1,7 +1,7 @@
 setup() {
   filename=".trivyignore"
 
-  echo -en "CVE-123\nCVE-456 exp:2124-02-16" > "${filename}"
+  echo -en "CVE-123\nABC-456 exp:2124-02-16" > "${filename}"
 }
 
 teardown() {