fix: Made it possible to have nullable spec and allowlists. Also enforced allowed reason types (#49)

EnturWilhelm · web-flow · commit 7d0a91289b9c · 2024-11-01T15:04:45.000+01:00
diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
@@ -392,17 +392,19 @@ jobs:
               'spec': {
                   'type': 'dict',
                   'required': True,
+                  'nullable': True,
                   'schema': {
                       'inherit': {'type': 'string', 'required' : False},
                       'allowlist': {
                           'required' : False,
+                          'nullable': True,
                           'type': 'list',
                           'schema': {
                               'type': 'dict',
                               'schema': {
                                   'cwe': {'type': 'string', 'required': True},
                                   'comment': {'type': 'string', 'required': True},
-                                  'reason': {'type': 'string', 'required': True},
+                                  'reason': {'type': 'string', 'required': True, 'allowed': ['false_positive', 'wont_fix', 'test']},
                               },
                           },
                       },
diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
@@ -131,17 +131,19 @@ jobs:
               'spec': {
                   'type': 'dict',
                   'required': True,
+                  'nullable': True,
                   'schema': {
                       'inherit': {'type': 'string', 'required': False},
                       'allowlist': {
                           'required': False,
+                          'nullable': True,
                           'type': 'list',
                           'schema': {
                               'type': 'dict',
                               'schema': {
                                   'cve': {'type': 'string', 'required': True},
                                   'comment': {'type': 'string', 'required': True},
-                                  'reason': {'type': 'string', 'required': True},
+                                  'reason': {'type': 'string', 'required': True, 'allowed': ['false_positive', 'wont_fix', 'test']},
                               },
                           },
                       },
diff --git a/README-code-scan.md b/README-code-scan.md
@@ -138,9 +138,9 @@ The OPTIONAL `allowlist` field MUST be a list of vulnerabilities that you want t
  - The `cwe` field corresponds to the CWE-ID of the vulnerability you want to dismiss, 
  - The `comment` field is a comment explaining why the vulnerability is dismissed.
  - The `reason` field MUST be one of the following types:
-  - `false_positive`
-  - `wont_fix`
-  - `test`
+  - `false_positive` This alert is not valid
+  - `wont_fix` This alert is not relevant
+  - `test` This alert is not in production code
 
 *Note:* `inherit` and `allowlist` are NOT mutually exclusive. Any items in `allowlist` takes presedence over allowlist.
 
diff --git a/README-docker-scan.md b/README-docker-scan.md
@@ -147,9 +147,9 @@ The OPTIONAL `allowlist` field MUST be a list of vulnerabilities that you want t
  - The `cve` field corresponds to the CWE-ID of the vulnerability you want to dismiss, 
  - The `comment` field is a comment explaining why the vulnerability is dismissed.
  - The `reason` field MUST be one of the following types:
-  - `false_positive`
-  - `wont_fix`
-  - `test`
+  - `false_positive` This alert is not valid
+  - `wont_fix` This alert is not relevant
+  - `test` This alert is not in production code
 
 *Note:* `inherit` and `allowlist` are NOT mutually exclusive. Any items in `allowlist` takes presedence over allowlist.
 
