datarobot · carsongee · Dec 27, 2023 · Dec 14, 2023 · Dec 14, 2023 · carsongee
diff --git a/pkg/result/filter.go b/pkg/result/filter.go
@@ -62,14 +62,14 @@
 
 	filteredVulns := filterVulnerabilities(result, severities, opt.IgnoreStatuses, ignoreConf.Vulnerabilities)
 	misconfSummary, filteredMisconfs := filterMisconfigurations(result, severities, opt.IncludeNonFailures, ignoreConf.Misconfigurations)
-	result.Secrets = filterSecrets(result, severities, ignoreConf.Secrets)
-	result.Licenses = filterLicenses(result.Licenses, severities, opt.IgnoreLicenses, ignoreConf.Licenses)
+	filteredSecrets := filterSecrets(result, severities, ignoreConf.Secrets)
+	filteredLicenses := filterLicenses(result.Licenses, severities, opt.IgnoreLicenses, ignoreConf.Licenses)
 
 	var ignoredMisconfs int
 	if opt.PolicyFile != "" {
 		var err error
 		var ignored int
-		filteredVulns, filteredMisconfs, ignored, err = applyPolicy(ctx, filteredVulns, filteredMisconfs, opt.PolicyFile)
+		filteredVulns, filteredMisconfs, ignored, filteredSecrets, filteredLicenses, err = applyPolicy(ctx, filteredVulns, filteredMisconfs, filteredSecrets, filteredLicenses, opt.PolicyFile)
 		if err != nil {
 			return xerrors.Errorf("failed to apply the policy: %w", err)
 		}
@@ -83,6 +83,8 @@
 		result.MisconfSummary.Exceptions += ignoredMisconfs
 	}
 	result.Misconfigurations = filteredMisconfs
+	result.Secrets = filteredSecrets
+	result.Licenses = filteredLicenses
 
 	return nil
 }
@@ -221,11 +223,11 @@
 	}
 }
 
-func applyPolicy(ctx context.Context, vulns []types.DetectedVulnerability, misconfs []types.DetectedMisconfiguration,
-	policyFile string) ([]types.DetectedVulnerability, []types.DetectedMisconfiguration, int, error) {
+func applyPolicy(ctx context.Context, vulns []types.DetectedVulnerability, misconfs []types.DetectedMisconfiguration, scrts []ftypes.SecretFinding, lics []types.DetectedLicense,
+	policyFile string) ([]types.DetectedVulnerability, []types.DetectedMisconfiguration, int, []ftypes.SecretFinding, []types.DetectedLicense, error) {
 	policy, err := os.ReadFile(policyFile)
 	if err != nil {
-		return nil, nil, 0, xerrors.Errorf("unable to read the policy file: %w", err)
+		return nil, nil, 0, nil, nil, xerrors.Errorf("unable to read the policy file: %w", err)
 	}
 
 	query, err := rego.New(
@@ -234,15 +236,15 @@
 		rego.Module("trivy.rego", string(policy)),
 	).PrepareForEval(ctx)
 	if err != nil {
-		return nil, nil, 0, xerrors.Errorf("unable to prepare for eval: %w", err)
+		return nil, nil, 0, nil, nil, xerrors.Errorf("unable to prepare for eval: %w", err)
 	}
 
 	// Vulnerabilities
 	var filteredVulns []types.DetectedVulnerability
 	for _, vuln := range vulns {
 		ignored, err := evaluate(ctx, query, vuln)
 		if err != nil {
-			return nil, nil, 0, err
+			return nil, nil, 0, nil, nil, err
 		}
 		if ignored {
 			continue
@@ -256,16 +258,44 @@
 	for _, misconf := range misconfs {
 		ignored, err := evaluate(ctx, query, misconf)
 		if err != nil {
-			return nil, nil, 0, err
+			return nil, nil, 0, nil, nil, err
 		}
 		if ignored {
 			ignoredMisconfs++
 			continue
 		}
 		filteredMisconfs = append(filteredMisconfs, misconf)
 	}
-	return filteredVulns, filteredMisconfs, ignoredMisconfs, nil
+
+	// Secrets
+	var filteredSecrets []ftypes.SecretFinding
+	for _, scrt := range scrts {
+		ignored, err := evaluate(ctx, query, scrt)
+		if err != nil {
+			return nil, nil, 0, nil, nil, err
+		}
+		if ignored {
+			continue
+		}
+		filteredSecrets = append(filteredSecrets, scrt)
+	}
+
+	// Licenses
+	var filteredLics []types.DetectedLicense
+	for _, lic := range lics {
+		ignored, err := evaluate(ctx, query, lic)
+		if err != nil {
+			return nil, nil, 0, nil, nil, err
+		}
+		if ignored {
+			continue
+		}
+		filteredLics = append(filteredLics, lic)
+	}
+
+	return filteredVulns, filteredMisconfs, ignoredMisconfs, filteredSecrets, filteredLics, nil
 }
+
 func evaluate(ctx context.Context, query rego.PreparedEvalQuery, input interface{}) (bool, error) {
 	results, err := query.Eval(ctx, rego.EvalInput(input))
 	if err != nil {

diff --git a/pkg/result/filter_test.go b/pkg/result/filter_test.go
@@ -722,6 +722,33 @@ func TestFilter(t *testing.T) {
 									Status:      types.StatusFailure,
 								},
 							},
+							Secrets: []ftypes.SecretFinding{
+								{
+									RuleID:      "generic-wanted-rule",
+									Severity:    dbTypes.SeverityHigh.String(),
+									Title:       "Secret that should pass filter on rule id",
+									StartLine:   1,
+									EndLine:     2,
+									Match:       "*****",
+								},
+								{
+									RuleID:      "generic-critical-rule",
+									Severity:    dbTypes.SeverityHigh.String(),
+									Title:       "Critical Secret shouldn't pass filter",
+									StartLine:   1,
+									EndLine:     2,
+									Match:       "*****",
+								},
+							},
+							Licenses: []types.DetectedLicense{
+								{
+									Name:        "GPL-3.0",
+									Severity:    dbTypes.SeverityHigh.String(),
+									FilePath:    "usr/share/gcc/python/libstdcxx/v6/printers.py",
+									Category:    "restricted",
+									Confidence:  1,
+								},
+						    },
 						},
 					},
 				},
@@ -746,6 +773,16 @@ func TestFilter(t *testing.T) {
 								Status:      types.StatusFailure,
 							},
 						},
+						Secrets: []ftypes.SecretFinding{
+							{
+								RuleID:      "generic-critical-rule",
+								Severity:    dbTypes.SeverityHigh.String(),
+								Title:       "Critical Secret shouldn't pass filter",
+								StartLine:   1,
+								EndLine:     2,
+								Match:       "*****",
+							},
+						},
 					},
 				},
 			},

diff --git a/pkg/result/testdata/test-ignore-policy-misconf.rego b/pkg/result/testdata/test-ignore-policy-misconf.rego
@@ -7,3 +7,11 @@ default ignore=false
 ignore {
 	input.AVDID != "AVD-TEST-0001"
 }
+
+ignore {
+    input.RuleID == "generic-wanted-rule"
+}
+
+ignore {
+    input.Name == "GPL-3.0"
+}