Update check-vulernabilities.ps1 to skip packages specified in JSON f…

…ile (#4218) * changes for updating skipping cve packages in json * adding comment * adding check for validating if CVE in json file is still valid
Azure · Jan 6, 2025 · 6f1f4ad · 6f1f4ad
1 parent 3e421ca
commit 6f1f4ad
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 9 deletions.
diff --git a/check-vulnerabilities.ps1 b/check-vulnerabilities.ps1
@@ -1,6 +1,7 @@
 $projectPath = ".\src\Azure.Functions.Cli"
 $projectFileName = ".\Azure.Functions.Cli.csproj"
 $logFilePath = "..\..\build.log"
+$skipCveFilePath = "..\..\skipPackagesCve.json"
 if (-not (Test-Path $projectPath))
 {
     throw "Project path '$projectPath' does not exist."
@@ -12,22 +13,55 @@ $cmd = "restore"
 Write-Host "dotnet $cmd"
 dotnet $cmd | Tee-Object $logFilePath
 
-$cmd = "list", "package", "--include-transitive", "--vulnerable"
+$cmd = "list", "package", "--include-transitive", "--vulnerable", "--format", "json"
 Write-Host "dotnet $cmd"
 dotnet $cmd | Tee-Object $logFilePath
 
-$result = Get-content $logFilePath | select-string "has no vulnerable packages given the current sources"
+# Parse JSON output
+$logContent = Get-Content $logFilePath -Raw | ConvertFrom-Json
+$topLevelPackages = $logContent.projects.frameworks.topLevelPackages
+
+# Load skip-cve.json
+$skipCveContent = Get-Content $skipCveFilePath -Raw | ConvertFrom-Json
+$skipPackages = $skipCveContent.packages
+
+# Validate files in skipPackagesCve.json are still valid security vulnerabilities
+$topLevelPackageIds = $topLevelPackages.id
+$invalidSkips = $skipPackages | Where-Object { $_ -notin $topLevelPackageIds }
+
+if ($invalidSkips.Count -gt 0) {
+    Write-Host "The following packages in 'skipPackagesCve.json' do not exist in the vulnerable packages list: $($invalidSkips -join ', '). Please remove these packages from the JSON file."
+    Exit 1
+}
+
+# Filter vulnerabilities
+$vulnerablePackages = @()
+foreach ($package in $topLevelPackages) {
+    if ($skipPackages -notcontains $package.id) {
+        $vulnerablePackages += $package
+    }
+}
+
+# Check for remaining vulnerabilities
+if ($vulnerablePackages.Count -gt 0) {
+    Write-Host "Security vulnerabilities found (excluding skipped packages):"
+    $vulnerablePackages | ForEach-Object {
+        Write-Host "Package: $($_.id)"
+        Write-Host "Version: $($_.resolvedVersion)"
+        $_.vulnerabilities | ForEach-Object {
+            Write-Host "Severity: $($_.severity)"
+            Write-Host "Advisory: $($_.advisoryurl)"
+        }
+    }
+    Exit 1
+} else {
+    Write-Host "No security vulnerabilities found (excluding skipped packages)."
+}
 
 $logFileExists = Test-Path $logFilePath -PathType Leaf
 if ($logFileExists)
 {
   Remove-Item $logFilePath
 }
 
-cd ../..
-
-if (!$result)
-{
-  Write-Host "Vulnerabilities found" 
-  Exit 1
-}
+cd ../..
diff --git a/skipPackagesCve.json b/skipPackagesCve.json
@@ -0,0 +1,5 @@
+{
+  "packages": [
+    "DotNetZip"
+  ]
+}