filter issues according to the severity and confidence

rleungx · rleungx · commit c1ec2a02d33e · 2021-10-18T16:49:58.000+08:00
Signed-off-by: Ryan Leung &lt;rleungx@gmail.com&gt;
diff --git a/.golangci.example.yml b/.golangci.example.yml
@@ -369,6 +369,10 @@ linters-settings:
     # Available rules: https://github.com/securego/gosec#available-rules
     excludes:
       - G204
+    # Filter out the issues with a lower severity than the given value. Valid options are: low, medium, high.
+    serveity: "high"
+    # Filter out the issues with a lower confidence than the given value. Valid options are: low, medium, high.
+    confidence: "medium"
     # To specify the configuration of rules.
     # The configuration of rules is not fully documented by gosec:
     # https://github.com/securego/gosec#configuration
diff --git a/pkg/config/linters_settings.go b/pkg/config/linters_settings.go
@@ -294,9 +294,11 @@ type GoModGuardSettings struct {
 }
 
 type GoSecSettings struct {
-	Includes []string
-	Excludes []string
-	Config   map[string]interface{} `mapstructure:"config"`
+	Includes   []string
+	Excludes   []string
+	Severity   string
+	Confidence string
+	Config     map[string]interface{} `mapstructure:"config"`
 }
 
 type GovetSettings struct {
diff --git a/pkg/golinters/gosec.go b/pkg/golinters/gosec.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 	"sync"
 
+	"github.com/pkg/errors"
 	"github.com/securego/gosec/v2"
 	"github.com/securego/gosec/v2/rules"
 	"golang.org/x/tools/go/analysis"
@@ -68,7 +69,16 @@ func NewGosec(settings *config.GoSecSettings) *goanalysis.Linter {
 			if len(issues) == 0 {
 				return nil, nil
 			}
+			severity, err := convertToScore(settings.Severity)
+			if err != nil {
+				lintCtx.Log.Warnf("Provided severity %s, use low instead. Valid options: low, medium, high", err)
+			}
 
+			confidence, err := convertToScore(settings.Confidence)
+			if err != nil {
+				lintCtx.Log.Warnf("Provided string %s, use low instead. Valid options: low, medium, high", err)
+			}
+			issues = filterIssues(issues, severity, confidence)
 			res := make([]goanalysis.Issue, 0, len(issues))
 			for _, i := range issues {
 				text := fmt.Sprintf("%s: %s", i.RuleID, i.What) // TODO: use severity and confidence
@@ -126,3 +136,27 @@ func gosecRuleFilters(includes, excludes []string) []rules.RuleFilter {
 
 	return filters
 }
+
+func convertToScore(str string) (gosec.Score, error) {
+	str = strings.ToLower(str)
+	switch str {
+	case "", "low":
+		return gosec.Low, nil
+	case "medium":
+		return gosec.Medium, nil
+	case "high":
+		return gosec.High, nil
+	default:
+		return gosec.Low, errors.Errorf("'%s' not valid", str)
+	}
+}
+
+func filterIssues(issues []*gosec.Issue, severity, confidence gosec.Score) []*gosec.Issue {
+	res := make([]*gosec.Issue, 0)
+	for _, issue := range issues {
+		if issue.Severity >= severity && issue.Confidence >= confidence {
+			res = append(res, issue)
+		}
+	}
+	return res
+}
diff --git a/test/testdata/configs/gosec.yml b/test/testdata/configs/gosec.yml
@@ -3,6 +3,8 @@ linters-settings:
     includes:
       - G306
       - G101
+    serveity: "low"
+    confidence: "low"
     config:
       G306: "0666"
       G101:

Original file line number	Diff line number	Diff line change
`@@ -294,9 +294,11 @@ type GoModGuardSettings struct {`
`294`	`294`	`}`
`295`	`295`
`296`	`296`	`type GoSecSettings struct {`
`297`		`- Includes []string`
`298`		`- Excludes []string`
`299`		- Config map[string]interface{} `mapstructure:"config"`
	`297`	`+ Includes []string`
	`298`	`+ Excludes []string`
	`299`	`+ Severity string`
	`300`	`+ Confidence string`
	`301`	+ Config map[string]interface{} `mapstructure:"config"`
`300`	`302`	`}`
`301`	`303`
`302`	`304`	`type GovetSettings struct {`