advanced-security
diff --git a/‎.github/workflows/action-test.yml
Lines changed: 70 additions & 0 deletions b/‎.github/workflows/action-test.yml
Lines changed: 70 additions & 0 deletions
diff --git a/‎Dockerfile
Lines changed: 3 additions & 2 deletions b/‎Dockerfile
Lines changed: 3 additions & 2 deletions
diff --git a/‎README.md
Lines changed: 89 additions & 0 deletions b/‎README.md
Lines changed: 89 additions & 0 deletions
diff --git a/‎action.yml
Lines changed: 10 additions & 4 deletions b/‎action.yml
Lines changed: 10 additions & 4 deletions
diff --git a/‎entrypoint.sh
Lines changed: 7 additions & 1 deletion b/‎entrypoint.sh
Lines changed: 7 additions & 1 deletion
diff --git a/‎filter-sarif
Lines changed: 3 additions & 0 deletions b/‎filter-sarif
Lines changed: 3 additions & 0 deletions
diff --git a/‎filter_sarif.py
Lines changed: 147 additions & 0 deletions b/‎filter_sarif.py
Lines changed: 147 additions & 0 deletions
@@ -0,0 +1,70 @@
+name: "Action Test"
+on:
+  workflow_dispatch:
+    inputs:
+      pattern1:
+        description: 'Include or exclude pattern'
+        required: true
+      pattern2:
+        description: 'Include or exclude pattern'
+        required: false
+      pattern3:
+        description: 'Include or exclude pattern'
+        required: false
+      pattern4:
+        description: 'Include or exclude pattern'
+        required: false
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+
+    - run: |
+        javatest/build
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
+      with:
+        upload: False
+        output: sarif-results
+
+    - name: filter-sarif
+      uses: zbazztian/filter-sarif@master
+      with:
+        #patterns: |
+        #  -**/*.java
+        #  +**/*Exposed*
+        patterns: |
+          ${{ github.event.inputs.pattern1 }}
+          ${{ github.event.inputs.pattern2 }}
+          ${{ github.event.inputs.pattern3 }}
+          ${{ github.event.inputs.pattern4 }}
+        input: sarif-results/java-builtin.sarif
+        output: sarif-results/java-builtin.sarif
+
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: sarif-results/java-builtin.sarif
+
+    - name: Upload loc as a Build Artifact
+      uses: actions/[email protected]
+      with:
+        name: sarif-results
+        path: sarif-results
+        retention-days: 1
@@ -1,4 +1,5 @@
-FROM alpine:latest
-RUN apk --no-cache add python3
+FROM ubuntu:latest
+RUN apt-get update && apt-get install -y python3
 COPY entrypoint.sh /entrypoint.sh
+COPY filter-sarif *.py /
 ENTRYPOINT ["/entrypoint.sh"]
@@ -0,0 +1,89 @@
+# filter-sarif
+
+Takes a SARIF file and a list of inclusion and exclusion patterns as input and removes alerts from the SARIF file according to those patterns.
+
+# Example
+
+The following example removes all alerts from all Java test files:
+
+```yaml
+name: "Filter SARIF"
+on:
+  push:
+    branches: [master]
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1
+      with:
+        upload: False
+        output: sarif-results
+
+    - name: filter-sarif
+      uses: zbazztian/filter-sarif@master
+      with:
+        patterns: |
+          +**/*.java
+          -**/*Test*.java
+        input: sarif-results/java-builtin.sarif
+        output: sarif-results/java-builtin.sarif
+
+    - name: Upload SARIF
+      uses: github/codeql-action/upload-sarif@v1
+      with:
+        sarif_file: sarif-results/java-builtin.sarif
+
+    - name: Upload loc as a Build Artifact
+      uses: actions/[email protected]
+      with:
+        name: sarif-results
+        path: sarif-results
+        retention-days: 1
+```
+
+Note how we provided `upload: False` and `output: sarif-results` to the `analyze` action. That way we can filter the SARIF with the `filter-sarif` action before uploading it via `upload-sarif`. Finally, we also attach the resulting SARIF file to the build, which is convenient for later inspection.
+
+# Patterns
+
+Each pattern line is of the form:
+```
+[+/-]<file pattern>[:<rule pattern>]
+```
+
+for example:
+```
+-**/*Test*.java:**               # exclusion pattern: remove all alerts from all Java test files
+-**/*Test*.java                  # ditto, short form of the line above
++**/*.java:java/sql-injection    # inclusion pattern: This line has precedence over the first two
+                                 # and thus "whitelists" alerts of type "java/sql-injection"
+**/*.java:java/sql-injection     # ditto, the "+" in inclusion patterns is optional
+**                               # allow all alerts in all files (reverses all previous lines)
+```
+
+* The path separator character in patterns is always `/`, independent of the platform the code is running on and independent of the paths in the SARIF file.
+* `*` matches any character, except a path separator
+* `**` matches any character and is only allowed between path separators, e.g. `/**/file.txt`, `**/file.txt` or `**`. NOT allowed: `**.txt`, `/etc**`
+* The rule pattern is optional. If omitted, it will apply to alerts of all types.
+* Subsequent lines override earlier ones. By default all alerts are included.
+* If you need to use the literals `+`, `-`, `\` or `:` in your pattern, you can escape them with `\`, e.g. `\-this/is/an/inclusion/file/pattern\:with-a-semicolon:and/a/rule/pattern/with/a/\\/backslash`. For `+` and `-`, this is only necessary if they appear at the beginning of the pattern line.
@@ -1,8 +1,14 @@
-name: 'Filter Code Scanning paths'
-description: 'Filter Code Scanning paths'
+name: 'Filter SARIF'
+description: 'Filter SARIF results by path'
 inputs:
-  dir:
-    description: 'directory to remove'
+  patterns:
+    description: 'Patterns for the results to remove. If a pattern starts with "-", it is an exclusion pattern, otherwise, it is an inclusion pattern.'
+    required: true
+  input:
+    description: 'Path to the input SARIF file'
+    required: true
+  output:
+    description: 'Path to the input SARIF file'
     required: true
 runs:
   using: 'docker'
 
@@ -1,2 +1,8 @@
 #!/bin/sh
-ls -lah
+unset LD_PRELOAD
+/filter-sarif \
+  --input "/github/workspace/${INPUT_INPUT}" \
+  --output "/github/workspace/${INPUT_OUTPUT}" \
+  --split-lines \
+  -- \
+  "$INPUT_PATTERNS"
@@ -0,0 +1,3 @@
+#!/bin/sh
+HERE="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"
+python3 "${HERE}/filter_sarif.py" "$@"
@@ -0,0 +1,147 @@
+import sys
+import argparse
+import json
+import re
+from globber import match
+
+
+def fail(msg):
+    print(msg)
+    sys.exit(-1)
+
+
+def match_path_and_rule(path, rule, patterns):
+    result = True
+    for s, fp, rp in patterns:
+        if match(rp, rule) and match(fp, path):
+            result = s
+    return result
+
+
+def parse_pattern(line):
+    sepchar = ':'
+    escchar = '\\'
+    file_pattern = ''
+    rule_pattern = ''
+    seen_separator = False
+    sign = True
+
+    # inclusion or exclusion pattern?
+    uline = line
+    if line:
+        if line[0] == '-':
+            sign = False
+            uline = line[1:]
+        elif line[0] == '+':
+            uline = line[1:]
+
+    i = 0
+    while i < len(uline):
+        c = uline[i]
+        i = i + 1
+        if c == sepchar:
+            if seen_separator:
+                raise Exception('Invalid pattern: "' + line + '" Contains more than one separator!')
+            seen_separator = True
+            continue
+        elif c == escchar:
+            nextc = uline[i] if (i < len(uline)) else None
+            if nextc in ['+' , '-', escchar, sepchar]:
+                i = i + 1
+                c = nextc
+        if seen_separator:
+            rule_pattern = rule_pattern + c
+        else:
+            file_pattern = file_pattern + c
+
+    if not rule_pattern:
+        rule_pattern = '**'
+
+    return sign, file_pattern, rule_pattern
+
+
+def filter_sarif(args):
+    if args.split_lines:
+        tmp = []
+        for p in args.patterns:
+            tmp = tmp + re.split('\r?\n', p)
+        args.patterns = tmp
+
+    args.patterns = [parse_pattern(p) for p in args.patterns if p]
+
+    print('Given patterns:')
+    for s, fp, rp in args.patterns:
+        print(
+            'files: {file_pattern}    rules: {rule_pattern} ({sign})'.format(
+                file_pattern=fp,
+                rule_pattern=rp,
+                sign='positive' if s else 'negative'
+            )
+        )
+
+    with open(args.input, 'r') as f:
+        s = json.load(f)
+
+    for run in s.get('runs', []):
+        if run.get('results', []):
+            new_results = []
+            for r in run['results']:
+                if r.get('locations', []):
+                    new_locations = []
+                    for l in r['locations']:
+                        # TODO: The uri field is optional. We might have to fetch the actual uri from "artifacts" via "index"
+                        # (see https://github.com/microsoft/sarif-tutorials/blob/main/docs/2-Basics.md#-linking-results-to-artifacts)
+                        uri = l.get('physicalLocation', {}).get('artifactLocation', {}).get('uri', None)
+                        # TODO: The ruleId field is optional and potentially ambiguous. We might have to fetch the actual
+                        # ruleId from the rule metadata via the ruleIndex field.
+                        # (see https://github.com/microsoft/sarif-tutorials/blob/main/docs/2-Basics.md#rule-metadata)
+                        ruleId = r['ruleId']
+                        if uri is None or match_path_and_rule(uri, ruleId, args.patterns):
+                            new_locations.append(l)
+                    r['locations'] = new_locations
+                    if new_locations:
+                        new_results.append(r)
+                else:
+                    # locations array doesn't exist or is empty, so we can't match on anything
+                    # therefore, we include the result in the output
+                    new_results.append(r)
+            run['results'] = new_results
+
+    with open(args.output, 'w') as f:
+        json.dump(s, f, indent=2)
+
+
+def main():
+    parser = argparse.ArgumentParser(
+        prog='filter-sarif'
+    )
+    parser.add_argument(
+        '--input',
+        help='Input SARIF file',
+        required=True
+    )
+    parser.add_argument(
+        '--output',
+        help='Output SARIF file',
+        required=True
+    )
+    parser.add_argument(
+        '--split-lines',
+        default=False,
+        action='store_true',
+        help='Split given patterns on newlines.'
+    )
+    parser.add_argument(
+        'patterns',
+        help='Inclusion and exclusion patterns.',
+        nargs='+'
+    )
+
+    def print_usage(args):
+        print(parser.format_usage())
+
+    args = parser.parse_args()
+    filter_sarif(args)
+
+
+main()
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+#!/bin/sh`
	`2`	`+HERE="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"`
	`3`	`+python3 "${HERE}/filter_sarif.py" "$@"`