aderyn CI check: add ability to suppress specific findings. (#794)

consensus-shipyard · Mar 14, 2024 · f2b97c0 · f2b97c0
1 parent 7b9189d
commit f2b97c0
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 21 deletions.
diff --git a/.github/workflows/contracts-sast.yaml b/.github/workflows/contracts-sast.yaml
@@ -42,7 +42,7 @@ jobs:
         run: cargo install aderyn
 
       - name: Run aderyn
-        run: cd contracts && aderyn ./
+        run: cd contracts && aderyn ./ -o report.json
 
       - name: Check results
         run: cd contracts && ./tools/check_aderyn.sh

diff --git a/contracts/.gitignore b/contracts/.gitignore
@@ -31,6 +31,7 @@ lcov.info
 
 # Aderyn scanner
 report.md
+report.json
 
 #vim
 *.un~
diff --git a/contracts/audit-resolve.json b/contracts/audit-resolve.json
@@ -55,6 +55,10 @@
         "1096544|json5": {
             "decision": "ignore",
             "madeAt": 1708963077846
+        },
+        "1096644|browserify-sign": {
+            "decision": "ignore",
+            "madeAt": 1710415772020
         }
     },
     "rules": {},

diff --git a/contracts/tools/check_aderyn.sh b/contracts/tools/check_aderyn.sh
@@ -2,23 +2,43 @@
 set -eu
 set -o pipefail
 
-REPORT_FILE="./report.md"
-
-if [ ! -f $REPORT_FILE ]; then
-    echo "Report file not found."
-    exit 1;
-fi
-
-# Check if one of `| Critical | 0 |`, `| High | 0 |`, or `| Medium | 0 |` line exist in the report.
-zero_findings=`(grep -e "Critical\s*|\s*0" $REPORT_FILE && grep -e  "High\s*|\s*0" $REPORT_FILE && grep -e  "Medium\s*|\s*0" $REPORT_FILE) | wc -l`
-
-if [ $zero_findings -eq 3 ]; then
-    echo "No critical or high issues found"
-    exit 0
-else
-    echo "Critical, high, or medium issue found".
-    echo "Check $REPORT_FILE for more information".
-    echo "Printing here..."
-    cat $REPORT_FILE
-    exit 1;
-fi
+# Path to the report file
+REPORT_FILE="./report.json"
+
+# List of severities that make us fail
+SEVERITIES=(critical high medium)
+
+# List of vulnerability titles to ignore
+IGNORE_TITLES=("Centralization Risk for trusted owners")
+
+containsElement() {
+  local e match="$1"
+  shift
+  for e; do [[ "$e" == "$match" ]] && return 0; done
+  return 1
+}
+
+# Read vulnerabilities from the report
+readVulnerabilities() {
+  level="$1"
+  jq -c --argjson ignoreTitles "$(printf '%s\n' "${IGNORE_TITLES[@]}" | jq -R . | jq -s .)" ".${level}_issues.issues[] | select(.title as \$title | \$ignoreTitles | index(\$title) | not)" $REPORT_FILE
+}
+
+# Main function to process the report
+processReport() {
+  local hasVulnerabilities=0
+
+  for level in ${SEVERITIES[@]}; do
+    while IFS= read -r vulnerability; do
+      title=$(echo "$vulnerability" | jq -r ".title")
+      echo "Found $level vulnerability: $title"
+      hasVulnerabilities=1
+    done < <(readVulnerabilities "$level")
+  done
+
+  return $hasVulnerabilities
+}
+
+# Process the report and exit with the code returned by processReport
+processReport
+exit $?