
#!/usr/bin/env ruby
# frozen_string_literal: true

require 'yaml'

require 'dccscr/whitelist'

# Build a DCCSCR whitelist populated for every name given on the command line.
#
# Indexing the whitelist with a name loads that entry as a side effect (and,
# according to the original author's note, its parents as well); the value
# returned by the index call is discarded.
#
# @return [DCCSCR::Whitelist] the populated whitelist
def load_dccscr_whitelist
  whitelist = DCCSCR::Whitelist.new
  ARGV.each { |name| whitelist[name] }
  whitelist
end

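# Load the GitLab-format allowlist from the working directory.
#
# Prefers local-vulnerability-allowlist.yml. Otherwise a stray
# vulnerability-allowlist.yml is adopted and renamed to the local name, so the
# regenerated vulnerability-allowlist.yml never clobbers hand-maintained
# entries. The file is parsed with YAML.safe_load, so only plain YAML data
# types are instantiated, never arbitrary Ruby objects.
#
# Fix: the rename branch previously returned File.rename's result (0) instead
# of the parsed hash, which made the later merge raise TypeError.
#
# @return [Hash] parsed allowlist; {} when no file exists or the file is empty
# @raise [Psych::SyntaxError] when the file is not valid YAML
# @raise [Psych::DisallowedClass] when the file uses a non-plain YAML tag
def load_gitlab_allowlist
  local = 'local-vulnerability-allowlist.yml'
  generated = 'vulnerability-allowlist.yml'

  if File.exist?(local)
    warn "Loading #{local}"
    read_allowlist_file(local)
  elsif File.exist?(generated)
    warn "Loading and renaming #{generated}"
    # Parse before renaming so a malformed file is never moved into place as
    # the local list; return the parsed data, not the rename's status.
    read_allowlist_file(generated).tap { File.rename(generated, local) }
  else
    warn 'No [local-]vulnerability-allowlist.yml'
    {}
  end
end

# Parse one allowlist file with the safe loader.
#
# @param path [String] file to read
# @return [Hash] parsed document; {} for an empty document (safe_load returns nil)
def read_allowlist_file(path)
  YAML.safe_load(File.read(path)) || {}
end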

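# Render the loaded DCCSCR whitelist entries in GitLab allowlist format.
#
# Every whitelisted vulnerability of every entry becomes one key under
# 'generalallowlist', mapped to its justification prefixed with
# "dccscr-whitelists:" so the provenance is visible after the later merge
# with the local list. Pairs are sorted so the generated file is stable
# across runs; if one vulnerability id occurs in several entries, the last
# pair in sort order wins.
#
# @param wl [#entries] whitelist whose entries map a name to an object
#   responding to #value, a Hash that may hold 'whitelisted_vulnerabilities'
# @return [Hash{String => Hash{String => String}}] allowlist in GitLab format
def allow_list_dccscr(wl)
  warn 'Generating dccscr list in gitlab format'

  pairs = wl.entries.flat_map do |_, entry|
    # An entry without whitelisted_vulnerabilities contributes nothing instead
    # of raising NoMethodError on nil.
    (entry.value['whitelisted_vulnerabilities'] || []).map do |v|
      [v['vulnerability'], "dccscr-whitelists:\n#{v['justification']}"]
    end
  end

  { 'generalallowlist' => pairs.sort.to_h }
end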

# Merge the dccscr-derived list with the local list; the local list wins.
#
# Top-level keys present in both are merged one level deep when the dccscr
# value is a Hash, so a local justification overrides the dccscr one per
# vulnerability id while untouched ids are kept. Any other collision is
# resolved in favour of the local value. Neither argument is mutated.
#
# @param dl [Hash] list generated from the dccscr whitelists
# @param ll [Hash] local GitLab allowlist
# @return [Hash] merged list
def combined_list(dl, ll)
  warn 'Merging dccscr and local lists'

  resolve = lambda do |_key, from_dccscr, from_local|
    from_dccscr.is_a?(Hash) ? from_dccscr.merge(from_local) : from_local
  end

  dl.merge(ll, &resolve)
end

# Serialise the combined list to vulnerability-allowlist.yml in the working
# directory, replacing any existing file of that name.
#
# @param cl [Hash] combined allowlist
# @return [File] the (closed) file handle yielded by File.open
def update_allow_list_file(cl)
  warn 'Updating vulnerability-allowlist.yml'

  document = cl.to_yaml
  File.open('vulnerability-allowlist.yml', 'w') { |out| out << document }
end

# Entry point: read the local list, render the dccscr whitelists, merge the
# two with the local list taking precedence, and write the result.
#
# Order matters: the local list is read (and a stale generated file renamed)
# before vulnerability-allowlist.yml is overwritten.
def run
  local_list = load_gitlab_allowlist
  dccscr_list = allow_list_dccscr(load_dccscr_whitelist)
  update_allow_list_file(combined_list(dccscr_list, local_list))
end

# Only run when executed directly, not when required for its helpers.
run if $PROGRAM_NAME == __FILE__
