filter issues according to the severity and confidence

rleungx · rleungx · commit 6b9bd1fa5d11 · 2021-10-19T10:10:04.000+08:00
Signed-off-by: Ryan Leung &lt;rleungx@gmail.com&gt;
diff --git a/.golangci.example.yml b/.golangci.example.yml
@@ -371,6 +371,10 @@ linters-settings:
       - G204
     # Exclude generated files
     exclude-generated: true
+    # Filter out the issues with a lower severity than the given value. Valid options are: low, medium, high.
+    serveity: "high"
+    # Filter out the issues with a lower confidence than the given value. Valid options are: low, medium, high.
+    confidence: "medium"
     # To specify the configuration of rules.
     # The configuration of rules is not fully documented by gosec:
     # https://github.com/securego/gosec#configuration
diff --git a/pkg/config/linters_settings.go b/pkg/config/linters_settings.go
@@ -296,6 +296,8 @@ type GoModGuardSettings struct {
 type GoSecSettings struct {
 	Includes         []string
 	Excludes         []string
+	Severity         string
+	Confidence       string
 	ExcludeGenerated bool                   `mapstructure:"exclude-generated"`
 	Config           map[string]interface{} `mapstructure:"config"`
 }
diff --git a/pkg/golinters/gosec.go b/pkg/golinters/gosec.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/pkg/errors"
 	"github.com/securego/gosec/v2"
 	"github.com/securego/gosec/v2/rules"
 	"golang.org/x/tools/go/analysis"
@@ -68,7 +69,16 @@ func NewGosec(settings *config.GoSecSettings) *goanalysis.Linter {
 			if len(issues) == 0 {
 				return nil, nil
 			}
+			severity, err := convertToScore(settings.Severity)
+			if err != nil {
+				lintCtx.Log.Warnf("Provided severity %s, use low instead. Valid options: low, medium, high", err)
+			}
 
+			confidence, err := convertToScore(settings.Confidence)
+			if err != nil {
+				lintCtx.Log.Warnf("Provided string %s, use low instead. Valid options: low, medium, high", err)
+			}
+			issues = filterIssues(issues, severity, confidence)
 			res := make([]goanalysis.Issue, 0, len(issues))
 			for _, i := range issues {
 				text := fmt.Sprintf("%s: %s", i.RuleID, i.What) // TODO: use severity and confidence
@@ -126,3 +136,27 @@ func gosecRuleFilters(includes, excludes []string) []rules.RuleFilter {
 
 	return filters
 }
+
+func convertToScore(str string) (gosec.Score, error) {
+	str = strings.ToLower(str)
+	switch str {
+	case "", "low":
+		return gosec.Low, nil
+	case "medium":
+		return gosec.Medium, nil
+	case "high":
+		return gosec.High, nil
+	default:
+		return gosec.Low, errors.Errorf("'%s' not valid", str)
+	}
+}
+
+func filterIssues(issues []*gosec.Issue, severity, confidence gosec.Score) []*gosec.Issue {
+	res := make([]*gosec.Issue, 0)
+	for _, issue := range issues {
+		if issue.Severity >= severity && issue.Confidence >= confidence {
+			res = append(res, issue)
+		}
+	}
+	return res
+}
diff --git a/test/testdata/configs/gosec.yml b/test/testdata/configs/gosec.yml
@@ -3,6 +3,8 @@ linters-settings:
     includes:
       - G306
       - G101
+    serveity: "low"
+    confidence: "low"
     config:
       G306: "0666"
       G101:

Original file line number	Diff line number	Diff line change
`@@ -296,6 +296,8 @@ type GoModGuardSettings struct {`
`296`	`296`	`type GoSecSettings struct {`
`297`	`297`	`Includes []string`
`298`	`298`	`Excludes []string`
	`299`	`+ Severity string`
	`300`	`+ Confidence string`
`299`	`301`	ExcludeGenerated bool `mapstructure:"exclude-generated"`
`300`	`302`	Config map[string]interface{} `mapstructure:"config"`
`301`	`303`	`}`