severity filter implementation

Author: northdpole

components/filters/severity/README.md

@@ -0,0 +1,5 @@
+# Severity Filter
+
+This component implements a [filter component](https://github.com/smithy-security/smithy/blob/main/sdk/component/component.go)
+This filter accepts a minimum Severity and adds a "Filtered" enrichment to all findings that don't have at least the min severity.
+This component does not care about the severity of each individual vulnerability, it only matches on the Finding Severity.

components/filters/severity/cmd/main.go

@@ -0,0 +1,78 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"log/slog"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/smithy-security/smithy/sdk/component"
+	vf "github.com/smithy-security/smithy/sdk/component/vulnerability-finding"
+	ocsffindinginfo "github.com/smithy-security/smithy/sdk/gen/ocsf_ext/finding_info/v1"
+	v1 "github.com/smithy-security/smithy/sdk/gen/ocsf_schema/v1"
+	"google.golang.org/protobuf/encoding/protojson"
+)
+
+var providerName = "severity-filter"
+
+type SeverityFilter struct {
+	minimumSeverity v1.VulnerabilityFinding_SeverityId
+}
+
+func NewSeverityFilter() (*SeverityFilter, error) {
+	severityStr := os.Getenv("MINIMUM_SEVERITY")
+	if severityStr == "" {
+		severityStr = "MEDIUM" // Default to MEDIUM if not specified
+	}
+	severityStr = strings.ToUpper(severityStr)
+	severityId, ok := v1.VulnerabilityFinding_SeverityId_value["SEVERITY_ID_"+severityStr]
+	if !ok {
+		return nil, fmt.Errorf("invalid MINIMUM_SEVERITY value: %s. Must be one of: UNKNOWN, INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL", severityStr)
+	}
+
+	return &SeverityFilter{
+		minimumSeverity: v1.VulnerabilityFinding_SeverityId(severityId),
+	}, nil
+}
+
+func (s SeverityFilter) Filter(ctx context.Context, findings []*vf.VulnerabilityFinding) ([]*vf.VulnerabilityFinding, bool, error) {
+	component.LoggerFromContext(ctx).Info("Running Severity Filter")
+	findings_filtered := 0
+	for _, f := range findings {
+		if f.Finding.SeverityId >= s.minimumSeverity {
+			enrichment := ocsffindinginfo.Enrichment{
+				EnrichmentType: ocsffindinginfo.Enrichment_ENRICHMENT_FILTER,
+				Enrichment:     &ocsffindinginfo.Enrichment_Filter{},
+			}
+			toBytes, err := protojson.Marshal(&enrichment)
+			if err != nil {
+				return nil, false, fmt.Errorf("failed to marshal enrichment %v err: %w", enrichment, err)
+			}
+			f.Finding.Enrichments = append(f.Finding.Enrichments, &v1.Enrichment{
+				Name:     providerName,
+				Provider: &providerName,
+				Value:    string(toBytes),
+			})
+			findings_filtered++
+		}
+	}
+	component.LoggerFromContext(ctx).Info("filtered", slog.Int("findings_filtered", findings_filtered))
+	return findings, findings_filtered > 0, nil
+}
+
+func main() {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*10)
+	defer cancel()
+
+	filter, err := NewSeverityFilter()
+	if err != nil {
+		log.Fatalf("failed to create severity filter: %v", err)
+	}
+
+	if err := component.RunFilter(ctx, *filter, component.RunnerWithComponentName("Severity Filter")); err != nil {
+		log.Fatalf("unexpected run error: %v", err)
+	}
+}

components/filters/severity/cmd/main_test.go

@@ -0,0 +1,154 @@
+package main
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	vf "github.com/smithy-security/smithy/sdk/component/vulnerability-finding"
+	ocsf "github.com/smithy-security/smithy/sdk/gen/ocsf_schema/v1"
+)
+
+func TestSeverityFilter_Filter(t *testing.T) {
+	tests := []struct {
+		name             string
+		envSeverity      string
+		findings         []*vf.VulnerabilityFinding
+		expectedFiltered int
+		expectError      bool
+	}{
+		{
+			name:        "Valid configuration with HIGH severity",
+			envSeverity: "HIGH",
+			findings: []*vf.VulnerabilityFinding{
+				{
+					Finding: &ocsf.VulnerabilityFinding{
+						SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_CRITICAL,
+					},
+				},
+				{
+					Finding: &ocsf.VulnerabilityFinding{
+						SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_HIGH,
+					},
+				},
+				{
+					Finding: &ocsf.VulnerabilityFinding{
+						SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_MEDIUM,
+					},
+				},
+				{
+					Finding: &ocsf.VulnerabilityFinding{
+						SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_LOW,
+					},
+				},
+				{
+					Finding: &ocsf.VulnerabilityFinding{
+						SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_INFORMATIONAL,
+					},
+				},
+				{
+					Finding: &ocsf.VulnerabilityFinding{
+						SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_UNKNOWN,
+					},
+				},
+			},
+			expectedFiltered: 2,
+			expectError:      false,
+		},
+		{
+			name:        "Valid configuration with MEDIUM severity",
+			envSeverity: "MEDIUM",
+			findings: []*vf.VulnerabilityFinding{
+				{
+					Finding: &ocsf.VulnerabilityFinding{
+						SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_LOW,
+					},
+				},
+				{
+					Finding: &ocsf.VulnerabilityFinding{
+						SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_MEDIUM,
+					},
+				},
+				{
+					Finding: &ocsf.VulnerabilityFinding{
+						SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_HIGH,
+					},
+				},
+			},
+			expectedFiltered: 2,
+			expectError:      false,
+		},
+		{
+			name:        "Invalid configuration with unknown severity",
+			envSeverity: "INVALID",
+			findings: []*vf.VulnerabilityFinding{
+				{
+					Finding: &ocsf.VulnerabilityFinding{
+						SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_CRITICAL,
+					},
+				},
+			},
+			expectedFiltered: 0,
+			expectError:      true,
+		},
+		{
+			name:             "Empty findings list",
+			envSeverity:      "HIGH",
+			findings:         []*vf.VulnerabilityFinding{},
+			expectedFiltered: 0,
+			expectError:      false,
+		},
+		{
+			name:        "Valid configuration with CRITICAL severity",
+			envSeverity: "CRITICAL",
+			findings: []*vf.VulnerabilityFinding{
+				{
+					Finding: &ocsf.VulnerabilityFinding{
+						SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_CRITICAL,
+					},
+				},
+				{
+					Finding: &ocsf.VulnerabilityFinding{
+						SeverityId: ocsf.VulnerabilityFinding_SEVERITY_ID_HIGH,
+					},
+				},
+			},
+			expectedFiltered: 1,
+			expectError:      false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			os.Setenv("MINIMUM_SEVERITY", tt.envSeverity)
+			defer os.Unsetenv("MINIMUM_SEVERITY")
+
+			filter, err := NewSeverityFilter()
+			if tt.expectError {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+
+			ctx := context.Background()
+			filteredFindings, filtered, err := filter.Filter(ctx, tt.findings)
+			require.NoError(t, err)
+			filteredFindingsCount := 0
+			for _, finding := range filteredFindings {
+				for _, enrichment := range finding.Finding.Enrichments {
+					if enrichment.Name == providerName {
+						assert.Equal(t, providerName, *enrichment.Provider)
+						assert.Equal(t, providerName, enrichment.Name)
+						assert.NotEmpty(t, enrichment.Value)
+						filteredFindingsCount++
+					}
+				}
+			}
+			assert.Equal(t, tt.expectedFiltered, filteredFindingsCount)
+			assert.Equal(t, tt.expectedFiltered > 0, filtered)
+		})
+	}
+}

components/filters/severity/component.yaml

@@ -0,0 +1,13 @@
+name: severity
+description: "Tags all findings below a certain severity as 'Filtered Out'"
+type: filter
+parameters:
+  - name: minimum_severity
+    type: string
+    value: "High"
+steps:
+  - name: filters
+    image: components/filters/severity
+    env_vars:
+      MINIMUM_SEVERITY: "{{.parameters.minimum_severity}}"
+    executable: /bin/app

examples/severity-filter/overrides.yaml

@@ -0,0 +1,7 @@
+git-clone:
+- name: "repo_url"
+  type: "string"
+  value: "https://github.com/0c34/govwa.git"
+- name: "reference"
+  type: "string"
+  value: "master"

examples/severity-filter/workflow.yaml

@@ -0,0 +1,9 @@
+description: GoSec based workflow
+name: gosec
+components:
+- component: file://components/targets/git-clone/component.yaml
+- component: file://components/scanners/gosec/component.yaml
+- component: file://components/scanners/nancy/component.yaml
+- component: file://components/enrichers/custom-annotation/component.yaml
+- component: file://components/filters/severity/component.yaml
+- component: file://components/reporters/json-logger/component.yaml