| 1 | +<# |
| 2 | +.SYNOPSIS |
| 3 | +Filters PoliCheck Result. |
| 4 | +.DESCRIPTION |
| 5 | +This script will read data speciefied in one or more PoliCheckAllowList.yml files, |
| 6 | +It then reamoves all allwed entries from the PoliCheckResult |
| 7 | +.PARAMETER PoliCheckResultFilePath |
| 8 | +The Path to the PoliCheck Result. Usually named PoliCheck.sarif |
| 9 | +.PARAMETER ServiceDirtectory |
| 10 | +If the PoliCheck scan is scoped to a particular service provide the ServiceDirectory |
| 11 | +.EXAMPLE |
| 12 | +PS> ./FilterPoliCheckResults.ps1 -PoliCheckResultFilePath .\PoliCheck.sarif |
| 13 | +#> |
| 14 | +[CmdletBinding()] |
| 15 | +param( |
| 16 | + [Parameter(Mandatory=$true)] |
| 17 | + [String] $PoliCheckResultFilePath, |
| 18 | + [String] $ServiceDirtectory |
| 19 | +) |
| 20 | + |
| 21 | +. "${PSScriptRoot}\logging.ps1" |
| 22 | + |
| 23 | +$RepoRoot = Resolve-Path -Path "${PSScriptRoot}\..\..\..\" |
| 24 | +$PathToAllowListFiles = Join-Path $RepoRoot $ServiceDirtectory |
| 25 | +$PolicCheckAllowListFiles = Get-ChildItem -Path $PathToAllowListFiles -Recurse -File -Include "PoliCheckAllowList.yml" |
| 26 | +$allowListData = @{} |
| 27 | + |
| 28 | +# Combine all AllowLists Found |
| 29 | +foreach ($file in $PolicCheckAllowListFiles) |
| 30 | +{ |
| 31 | + $allowListDataInFile = ConvertFrom-Yaml (Get-Content $file.FullName -Raw) |
| 32 | + $allowListData["PC1001"] += $allowListDataInFile["PC1001"] |
| 33 | + $allowListData["PC1002"] += $allowListDataInFile["PC1002"] |
| 34 | + $allowListData["PC1003"] += $allowListDataInFile["PC1003"] |
| 35 | + $allowListData["PC1004"] += $allowListDataInFile["PC1004"] |
| 36 | + $allowListData["PC1005"] += $allowListDataInFile["PC1005"] |
| 37 | + $allowListData["PC1006"] += $allowListDataInFile["PC1006"] |
| 38 | +} |
| 39 | + |
| 40 | +$poliCheckData = Get-Content $PoliCheckResultFilePath | ConvertFrom-Json |
| 41 | +$poliCheckResultsCount = $poliCheckData.runs[0].results.Count |
| 42 | +$newCount |
| 43 | + |
| 44 | +$updatedRuns = @() |
| 45 | + |
| 46 | +foreach ($run in $poliCheckData.runs) |
| 47 | +{ |
| 48 | + $updatedResults = @() |
| 49 | + foreach ($result in $run.results) |
| 50 | + { |
| 51 | + $ruleId = $result.ruleId |
| 52 | + $allowedEntries = $allowListData[$ruleId] |
| 53 | + if ($allowedEntries) |
| 54 | + { |
| 55 | + $updatedLocations = @() |
| 56 | + |
| 57 | + foreach ($location in $result.locations) |
| 58 | + { |
| 59 | + $filePath = $location.physicalLocation.artifactLocation.uri |
| 60 | + $text = $location.physicalLocation.region.snippet.text |
| 61 | + $contextRegion = $location.physicalLocation.contextRegion.snippet.text |
| 62 | + |
| 63 | + $allowedEntry = $allowedEntries[0] | Where-Object { $_.FilePath -eq $filePath } |
| 64 | + |
| 65 | + if ($allowedEntry.Count -gt 0) |
| 66 | + { |
| 67 | + $foundAllowedInstance = $false |
| 68 | + foreach ($instance in $allowedEntry.instances) |
| 69 | + { |
| 70 | + if (($instance.Text.Trim() -eq $text.Trim()) -and ($instance.ContextRegion.Trim() -eq $contextRegion.Trim())) |
| 71 | + { |
| 72 | + Write-Host "Found instance" -ForegroundColor Green |
| 73 | + $foundAllowedInstance = $true |
| 74 | + } |
| 75 | + } |
| 76 | + if ($foundAllowedInstance -eq $true) |
| 77 | + { |
| 78 | + continue |
| 79 | + } |
| 80 | + } |
| 81 | + |
| 82 | + $updatedLocations += $location |
| 83 | + } |
| 84 | + |
| 85 | + $result.locations = $updatedLocations |
| 86 | + } |
| 87 | + |
| 88 | + if ($result.locations.Count -gt 0) |
| 89 | + { |
| 90 | + $updatedResults += $result |
| 91 | + } |
| 92 | + } |
| 93 | + $run.results = $updatedResults |
| 94 | + $newCount = $run.results.Count |
| 95 | + $updatedRuns += $run |
| 96 | +} |
| 97 | + |
| 98 | +$poliCheckData.runs = $updatedRuns |
| 99 | + |
| 100 | +Set-Content -Path $PoliCheckResultFilePath -Value ($poliCheckData | ConvertTo-Json -Depth 100) |
| 101 | + |
| 102 | +LogDebug "Original Result Count: ${poliCheckResultsCount}" |
| 103 | +LogDebug "New Result Count: ${newCount}" |
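Review bot: Line 63 indexes the merged allow list with `$allowedEntries[0]` before filtering, so after the per-file `+=` merge on lines 32–37 only the first merged element is ever consulted — if a rule key maps to a flat list of entries, every entry but the first is silently ignored and its findings stay in the report; if the YAML nests a list per file, every file but the first is dropped instead — and `$allowedEntry = $allowedEntries | Where-Object { $_.FilePath -eq $filePath }` looks like the intended filter. The comparison on line 70 calls `.Trim()` on `$text` and `$contextRegion` taken from the SARIF snippet, which throws "cannot call a method on a null-valued expression" for any location without a snippet, so either guard with `if ($null -eq $text -or $null -eq $contextRegion) { $updatedLocations += $location; continue }` or compare `[string]$text` / `[string]$contextRegion` so a missing snippet keeps the finding rather than aborting the filter. `ConvertFrom-Yaml` on line 31 comes from the powershell-yaml module, which nothing visible in this script imports or declares; unless `logging.ps1` does it, a `#Requires -Modules powershell-yaml` line at the top would fail fast instead of erroring only once the first allow-list file is found. Also `$newCount` on line 42 is a bare expression that just emits `$null`, and the assignment on line 94 keeps only the last run's count, so the final LogDebug is meaningful only for single-run SARIF files; the parameter name `ServiceDirtectory` and the synopsis typos ("speciefied", "reamoves", "allwed") are worth fixing before callers start depending on the misspelled name.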