feat: ignore warnings via .nsci-ignore file

package.json

@@ -64,6 +64,7 @@
     "@types/chai": "^4.3.0",
     "@types/lodash.set": "^4.3.6",
     "@types/mocha": "^9.0.0",
+    "@types/mock-fs": "^4.13.1",
     "@types/node": "^16.11.12",
     "@types/pluralize": "^0.0.29",
     "@types/sade": "^1.7.4",
@@ -73,6 +74,7 @@
     "eslint-import-resolver-typescript": "^2.5.0",
     "eslint-plugin-prettier": "^4.0.0",
     "mocha": "^9.1.4",
+    "mock-fs": "^5.1.2",
     "prettier": "^2.5.1",
     "rimraf": "^3.0.2",
     "ts-node": "^10.4.0",
@@ -83,6 +85,7 @@
     "@nodesecure/scanner": "^3.6.0",
     "@nodesecure/vuln": "^1.7.0",
     "@slimio/async-cli-spinner": "^0.5.2",
+    "ajv": "^8.11.0",
     "kleur": "^4.1.4",
     "lodash.set": "^4.3.2",
     "pluralize": "^8.0.0",

src/analysis/interpretation/interpret.spec.ts

@@ -4,18 +4,27 @@ import { StandardVulnerability } from "@nodesecure/vuln/types/strategy";
 import { expect } from "chai";
 
 // Import Internal Dependencies
+import {
+  IgnorePatterns,
+  IgnoreWarningsPatterns
+} from "../../configuration/external/nodesecure/ignore-file";
 import { Nsci } from "../../configuration/standard/index.js";
 import * as pipeline from "../../reporting/status.js";
+import { DependencyWarning } from "../../types/index.js";
 
-import { runPayloadInterpreter } from "./interpret.js";
+import {
+  runPayloadInterpreter,
+  excludeIgnoredDependenciesWarnings
+} from "./interpret.js";
 
 // CONSTANTS
 const kDefaultRuntimeConfiguration: Nsci.Configuration = {
   rootDir: process.cwd(),
   strategy: Nsci.vulnStrategy.npm,
   reporters: [Nsci.reporterTarget.CONSOLE],
   vulnerabilitySeverity: Nsci.vulnSeverity.ALL,
-  warnings: Nsci.warnings.ERROR
+  warnings: Nsci.warnings.ERROR,
+  ignorePatterns: IgnorePatterns.default()
 };
 
 const kDefaultScannerPayload: Scanner.Payload = {
@@ -27,6 +36,41 @@ const kDefaultScannerPayload: Scanner.Payload = {
   vulnerabilityStrategy: "npm"
 };
 
+describe("excludeIgnoredDependenciesWarnings", () => {
+  it("should not filter warnings if ignorePatterns.warnings is an empty object", () => {
+    const warnings: DependencyWarning[] = [];
+    const emptyIgnorePatterns: IgnorePatterns = IgnorePatterns.default();
+
+    const filteredWarnings = excludeIgnoredDependenciesWarnings(
+      warnings,
+      emptyIgnorePatterns
+    );
+
+    expect(filteredWarnings).to.deep.equal(warnings);
+  });
+
+  it("should filter warnings if ignorePatterns.warnings is not an empty object", () => {
+    const warnings: DependencyWarning[] = [
+      {
+        package: "lodash.difference",
+        warnings: [{ kind: "unsafe-stmt", location: {} as any }]
+      }
+    ];
+    const ignorePatterns: IgnorePatterns = {
+      warnings: new IgnoreWarningsPatterns({
+        "unsafe-stmt": ["lodash.difference"]
+      })
+    };
+
+    const filteredWarnings = excludeIgnoredDependenciesWarnings(
+      warnings,
+      ignorePatterns
+    );
+
+    expect(filteredWarnings).to.deep.equal([]);
+  });
+});
+
 /* eslint-disable max-nested-callbacks */
 describe("Pipeline check workflow", () => {
   describe("When running the payload interpreter", () => {

src/analysis/interpretation/interpret.ts

@@ -4,8 +4,13 @@ import { GlobalWarning } from "@nodesecure/scanner/types/scanner";
 import set from "lodash.set";
 
 // Import Internal Dependencies
+import {
+  IgnorePatterns,
+  IgnoreWarningsPatterns
+} from "../../configuration/external/nodesecure/ignore-file.js";
 import { Nsci } from "../../configuration/standard/index.js";
 import { pipeline } from "../../reporting/index.js";
+import { DependencyWarning } from "../../types/index.js";
 import {
   extractScannerPayload,
   WorkableVulnerability
@@ -76,6 +81,33 @@ function interpretPayloadChecks(
   };
 }
 
+function hasWarningsIgnorePatterns(warnings?: IgnoreWarningsPatterns): boolean {
+  return warnings !== undefined && Object.keys(warnings).length > 0;
+}
+
+export function excludeIgnoredDependenciesWarnings(
+  dependenciesWarnings: DependencyWarning[],
+  ignorePatterns: IgnorePatterns
+): DependencyWarning[] {
+  if (!hasWarningsIgnorePatterns(ignorePatterns?.warnings)) {
+    return dependenciesWarnings;
+  }
+
+  return dependenciesWarnings.filter(function excludeIgnorableWarnings(
+    dependencyWarnings
+  ) {
+    if (
+      dependencyWarnings.warnings.find((w) =>
+        ignorePatterns.warnings.has(w.kind, dependencyWarnings.package)
+      )
+    ) {
+      return false;
+    }
+
+    return true;
+  });
+}
+
 /**
  * This interpreter accumulates each Check Function output in order to determine
  * a global pipeline status and at the same time compact the original payload to
@@ -89,11 +121,15 @@ export function runPayloadInterpreter(
   rc: Nsci.Configuration
 ): OutcomePayloadFromPipelineChecks {
   const { warnings, dependencies } = extractScannerPayload(payload);
+  const filteredDependencies = excludeIgnoredDependenciesWarnings(
+    dependencies.warnings,
+    rc.ignorePatterns
+  );
 
   /* eslint-disable @typescript-eslint/explicit-function-return-type */
   return interpretPayloadChecks([
     () => checkGlobalWarnings(warnings),
-    () => checkDependenciesWarnings(dependencies.warnings, rc),
+    () => checkDependenciesWarnings(filteredDependencies, rc),
     () => checkDependenciesVulns(dependencies.vulnerabilities, rc)
   ]);
 }

src/configuration/external/adapt.ts

@@ -110,7 +110,7 @@ function adaptSeverity(vulnerabilityThreshold: Nsci.Severity): Nsci.Severity {
  */
 export function adaptExternalToStandardConfiguration(
   sanitizedOptions: Partial<ExternalRuntimeConfiguration>
-): Nsci.Configuration {
+): Partial<Nsci.Configuration> {
   const { vulnerabilities, directory, strategy, warnings, reporters } = {
     ...defaultExternalConfigOptions,
     ...sanitizedOptions

src/configuration/external/nodesecure/ignore-file.ts

@@ -0,0 +1,61 @@
+// Import Third-party dependencies
+import JSXray from "@nodesecure/js-x-ray";
+import Validator from "ajv";
+
+export class IgnorePatterns {
+  public warnings: IgnoreWarningsPatterns;
+
+  constructor(warnings: IgnoreWarningsPatterns = new IgnoreWarningsPatterns()) {
+    this.warnings = warnings;
+  }
+
+  static default(): IgnorePatterns {
+    return new IgnorePatterns();
+  }
+}
+
+export class IgnoreWarningsPatterns {
+  public entries: Record<JSXray.WarningName, string[]>;
+
+  constructor(entries: Record<string, string[]> = {}) {
+    this.entries = entries;
+  }
+
+  has(warning: JSXray.WarningName, pkg: string): boolean {
+    return this.entries[warning]?.includes(pkg);
+  }
+}
+
+const kIgnoreFileSchema = {
+  type: "object",
+  properties: {
+    warnings: {
+      type: "object",
+      patternProperties: {
+        "^[0-9]{2,6}$": {
+          type: "array",
+          items: {
+            type: "string"
+          }
+        }
+      }
+    }
+  },
+  additionalProperties: false
+} as const;
+
+export const kIgnoreFileName = ".nsci-ignore";
+
+export function validateIgnoreFile(ignoreFile: string): {
+  isValid: boolean;
+  error?: string;
+} {
+  const validator = new Validator();
+  const validate = validator.compile(kIgnoreFileSchema);
+  const isValid = validate(ignoreFile);
+
+  return {
+    isValid,
+    error: validate.errors ? validate?.errors[0]?.message : undefined
+  };
+}

src/configuration/external/nodesecure/index.spec.ts

@@ -0,0 +1,51 @@
+// Third-party Dependencies
+import { expect } from "chai";
+import mock from "mock-fs";
+
+// Internal Dependencies
+import { IgnorePatterns } from "./ignore-file";
+
+import { getIgnoreFile, kIgnoreFilePath } from "./index";
+
+describe("getIgnoreFile", () => {
+  const kDefaultIgnoreFileContent = IgnorePatterns.default();
+
+  it("should return empty object if file doen't exist", async () => {
+    const result = await getIgnoreFile();
+
+    expect(result).deep.equal(kDefaultIgnoreFileContent);
+  });
+
+  it("should return empty object if file format is invalid", async () => {
+    const invalidIgnoreFile = { foo: "bar" };
+    createFakeIgnoreFile(JSON.stringify(invalidIgnoreFile));
+
+    const result = await getIgnoreFile();
+
+    expect(result).deep.equal(kDefaultIgnoreFileContent);
+    mock.restore();
+  });
+
+  it("should return the ignore file if it's valid", async () => {
+    const validIgnoreFile = { warnings: {} };
+    createFakeIgnoreFile(JSON.stringify(validIgnoreFile));
+
+    const result = await getIgnoreFile();
+
+    expect(result).to.be.deep.equal(validIgnoreFile);
+    mock.restore();
+  });
+});
+
+/**
+ *  HELPERS
+ */
+
+function createFakeIgnoreFile(fileContent: string): void {
+  mock(
+    {
+      [kIgnoreFilePath]: Buffer.from(fileContent)
+    },
+    {} as any
+  );
+}

src/configuration/external/nodesecure/index.ts

@@ -1,16 +1,30 @@
+// Node.Js Dependencies
+import { readFile } from "fs/promises";
+import { join } from "path";
+
 // Import Third-party Dependencies
 import { RC as NodeSecureRuntimeConfig, read } from "@nodesecure/rc";
 import { match } from "ts-pattern";
 import type { Result } from "ts-results";
 
 // Import Internal Dependencies
+import { consolePrinter } from "../../../../lib/console-printer";
 import { Maybe } from "../../../types/index.js";
 import {
   defaultExternalConfigOptions,
   ExternalConfigAdapter,
   ExternalRuntimeConfiguration
 } from "../common.js";
 
+import {
+  validateIgnoreFile,
+  kIgnoreFileName,
+  IgnorePatterns
+} from "./ignore-file";
+
+const { font: log } = consolePrinter;
+export const kIgnoreFilePath = join(process.cwd(), kIgnoreFileName);
+
 function interpretNodeSecureConfigResult(
   config: Result<NodeSecureRuntimeConfig, NodeJS.ErrnoException>
 ): NodeSecureRuntimeConfig | undefined {
@@ -55,6 +69,30 @@ export async function getNodeSecureConfig(): Promise<
   return interpretNodeSecureConfigResult(config);
 }
 
+export async function getIgnoreFile(): Promise<IgnorePatterns> {
+  try {
+    const ignoreFile = await readFile(kIgnoreFilePath, "utf8");
+    const ignoreObject = JSON.parse(ignoreFile);
+    const { isValid, error } = validateIgnoreFile(ignoreObject);
+    if (!isValid) {
+      log
+        .error(
+          `x Invalid ignore file: ${error}, empty one will be used instead`
+        )
+        .print();
+
+      return IgnorePatterns.default();
+    }
+    log.success("✔ Ignore file loaded").print();
+
+    return JSON.parse(ignoreFile) as IgnorePatterns;
+  } catch (error: any) {
+    log.error(`x Cannot load ignore file: ${error.message}`).print();
+
+    return IgnorePatterns.default();
+  }
+}
+
 function adaptNodeSecureConfigToExternalConfig(
   runtimeConfig: NodeSecureRuntimeConfig
 ): ExternalRuntimeConfiguration {

src/configuration/external/standardize.spec.ts

@@ -3,6 +3,7 @@ import { RC as NodeSecureRuntimeConfig } from "@nodesecure/rc";
 import { expect } from "chai";
 
 // Import Internal Dependencies
+import { IgnorePatterns } from "../../configuration/external/nodesecure/ignore-file";
 import { Nsci } from "../standard/index.js";
 
 import { ExternalRuntimeConfiguration } from "./common.js";
@@ -29,7 +30,8 @@ describe("Standardize CLI/API configuration to Nsci runtime configuration", () =
         strategy: "NPM_AUDIT",
         reporters: ["console", "html"],
         vulnerabilitySeverity: "all",
-        warnings: "error"
+        warnings: "error",
+        ignorePatterns: IgnorePatterns.default()
       };
 
       expect(
@@ -131,6 +133,7 @@ it("should standardize NodeSecure runtime configuration to Nsci runtime configur
       "encoded-literal": "off",
       "unsafe-regex": "error",
       "short-identifiers": "warning"
-    }
+    },
+    ignorePatterns: IgnorePatterns.default()
   });
 });