From 7bab18fc4124937e24334927329a69a885bcf88b Mon Sep 17 00:00:00 2001
From: "Sascha L. Teichmann"
Date: Wed, 16 Aug 2023 17:22:19 +0200
Subject: [PATCH] Checker: ignore advisories by given patterns

* Ignore advisories in checker.

---------

Co-authored-by: JanHoefelmeyer
---
 cmd/csaf_checker/config.go | 48 ++++++++++++++++++++++++++---------
 cmd/csaf_checker/processor.go | 9 +++++++
 docs/csaf_checker.md | 12 +++++++++
 3 files changed, 57 insertions(+), 12 deletions(-)

diff --git a/cmd/csaf_checker/config.go b/cmd/csaf_checker/config.go
index a2581d9..ba6b8f7 100644
--- a/cmd/csaf_checker/config.go
+++ b/cmd/csaf_checker/config.go
@@ -15,6 +15,7 @@ import (
 "net/http"
 "time"
+ "github.com/csaf-poc/csaf_distribution/v2/internal/filter"
 "github.com/csaf-poc/csaf_distribution/v2/internal/models"
 "github.com/csaf-poc/csaf_distribution/v2/internal/options"
 )
@@ -29,16 +30,17 @@ const (
 type config struct {
 Output string `short:"o" long:"output" description:"File name of the generated report" value-name:"REPORT-FILE" toml:"output"`
 //lint:ignore SA5008 We are using choice twice: json, html.
- Format outputFormat `short:"f" long:"format" choice:"json" choice:"html" description:"Format of report" toml:"format"`
- Insecure bool `long:"insecure" description:"Do not check TLS certificates from provider" toml:"insecure"`
- ClientCert *string `long:"client-cert" description:"TLS client certificate file (PEM encoded data)" value-name:"CERT-FILE" toml:"client_cert"`
- ClientKey *string `long:"client-key" description:"TLS client private key file (PEM encoded data)" value-name:"KEY-FILE" toml:"client_key"`
- Version bool `long:"version" description:"Display version of the binary" toml:"-"`
- Verbose bool `long:"verbose" short:"v" description:"Verbose output" toml:"verbose"`
- Rate *float64 `long:"rate" short:"r" description:"The average upper limit of https operations per second (defaults to unlimited)" toml:"rate"`
- Years *uint `long:"years" short:"y" description:"Number of years to look back from now" value-name:"YEARS" toml:"years"`
- Range *models.TimeRange `long:"timerange" short:"t" description:"RANGE of time from which advisories to download" value-name:"RANGE" toml:"timerange"`
- ExtraHeader http.Header `long:"header" short:"H" description:"One or more extra HTTP header fields" toml:"header"`
+ Format outputFormat `short:"f" long:"format" choice:"json" choice:"html" description:"Format of report" toml:"format"`
+ Insecure bool `long:"insecure" description:"Do not check TLS certificates from provider" toml:"insecure"`
+ ClientCert *string `long:"client-cert" description:"TLS client certificate file (PEM encoded data)" value-name:"CERT-FILE" toml:"client_cert"`
+ ClientKey *string `long:"client-key" description:"TLS client private key file (PEM encoded data)" value-name:"KEY-FILE" toml:"client_key"`
+ Version bool `long:"version" description:"Display version of the binary" toml:"-"`
+ Verbose bool `long:"verbose" short:"v" description:"Verbose output" toml:"verbose"`
+ Rate *float64 `long:"rate" short:"r" description:"The average upper limit of https operations per second (defaults to unlimited)" toml:"rate"`
+ Years *uint `long:"years" short:"y" description:"Number of years to look back from now" value-name:"YEARS" toml:"years"`
+ Range *models.TimeRange `long:"timerange" short:"t" description:"RANGE of time from which advisories to download" value-name:"RANGE" toml:"timerange"`
+ IgnorePattern []string `long:"ignorepattern" short:"i" description:"Do not download files if their URLs match any of the given PATTERNs" value-name:"PATTERN" toml:"ignorepattern"`
+ ExtraHeader http.Header `long:"header" short:"H" description:"One or more extra HTTP header fields" toml:"header"`
 RemoteValidator string `long:"validator" description:"URL to validate documents remotely" value-name:"URL" toml:"validator"`
 RemoteValidatorCache string `long:"validatorcache" description:"FILE to cache remote validations" value-name:"FILE" toml:"validator_cache"`
@@ -46,8 +48,9 @@ type config struct {
 Config string `short:"c" long:"config" description:"Path to config TOML file" value-name:"TOML-FILE" toml:"-"`
- clientCerts []tls.Certificate
- ageAccept func(time.Time) bool
+ clientCerts []tls.Certificate
+ ageAccept func(time.Time) bool
+ ignorePattern filter.PatternMatcher
 }
 // configPaths are the potential file locations of the config file.
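Review bot: The `description` tag on the new `IgnorePattern` field never says that the values are regular expressions, although the prepare() hunk in this commit compiles them as regexes and the accompanying user documentation describes them as such; a user reading only `--help` may reasonably supply a shell glob. Suggest `description:"Do not download files if their URLs match any of the given regular expression PATTERNs"`, which then also corrects the generated option list in docs/csaf_checker.md. The `config` struct continues past the end of this hunk.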
@@ -104,8 +107,19 @@ func (cfg *config) protectedAccess() bool {
 return len(cfg.clientCerts) > 0 || len(cfg.ExtraHeader) > 0
 }
+// ignoreFile returns true if the given URL should not be downloaded.
+func (cfg *config) ignoreURL(u string) bool {
+ return cfg.ignorePattern.Matches(u)
+}
+
 // prepare prepares internal state of a loaded configuration.
 func (cfg *config) prepare() error {
+
+ // Pre-compile the regexes used to check if we need to ignore advisories.
+ if err := cfg.compileIgnorePatterns(); err != nil {
+ return err
+ }
+
 // Load client certs.
 if err := cfg.prepareCertificates(); err != nil {
 return err
@@ -114,6 +128,16 @@ func (cfg *config) prepare() error {
 return cfg.prepareTimeRangeFilter()
 }
+// compileIgnorePatterns compiles the configure patterns to be ignored.
+func (cfg *config) compileIgnorePatterns() error {
+ pm, err := filter.NewPatternMatcher(cfg.IgnorePattern)
+ if err != nil {
+ return err
+ }
+ cfg.ignorePattern = pm
+ return nil
+}
+
 // prepareCertificates loads the client side certificates used by the HTTP client.
 func (cfg *config) prepareCertificates() error {
diff --git a/cmd/csaf_checker/processor.go b/cmd/csaf_checker/processor.go
index bc1eeaa..4da23ad 100644
--- a/cmd/csaf_checker/processor.go
+++ b/cmd/csaf_checker/processor.go
@@ -642,6 +642,15 @@ func (p *processor) integrity(
 fp = makeAbs(fp)
 u := b.ResolveReference(fp).String()
+
+ // Should this URL be ignored?
+ if p.cfg.ignoreURL(u) {
+ if p.cfg.Verbose {
+ log.Printf("Ignoring %q\n", u)
+ }
+ continue
+ }
+
 if p.markChecked(u, mask) {
 continue
 }
diff --git a/docs/csaf_checker.md b/docs/csaf_checker.md
index c54f505..5c8779c 100644
--- a/docs/csaf_checker.md
+++ b/docs/csaf_checker.md
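Review bot: The doc comment on the new method names a function that does not exist (`// ignoreFile returns true ...` above `func (cfg *config) ignoreURL`), so anyone grepping for ignoreFile or reading godoc output is misled; it should read `// ignoreURL reports whether the advisory at URL u matches one of the configured ignore patterns and must not be downloaded.` The blank line the hunk inserts directly after `func (cfg *config) prepare() error {` is unusual for this file and can be dropped. Whether `cfg.ignorePattern.Matches` behaves sensibly when no `--ignorepattern` was given depends on filter.PatternMatcher, which this diff does not show, so it is worth confirming that the empty list yields a matcher that rejects nothing rather than a nil value. The body of prepare() continues outside the hunk.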
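Review bot: `compileIgnorePatterns` hands back the error from `filter.NewPatternMatcher` without context, so a user with a malformed expression sees only the bare regexp message and not which option caused it; the user documentation in this same commit even shows `-i='*.red.*'`, whose leading `*` is not a valid Go regular expression, so this path is easy to hit. Wrapping it as `return fmt.Errorf("compiling ignore patterns: %w", err)` names the option at fault, provided fmt is already imported in config.go, which this diff does not show. The comment also has a typo: `configure patterns` should be `configured patterns`.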
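Review bot: An advisory skipped by the new branch leaves no trace in the report: it `continue`s before `markChecked` and only logs when `p.cfg.Verbose` is set, so a report generated with an over-broad pattern is indistinguishable from one where every advisory was checked, and a reader of the report cannot see that documents were excluded. Recording the skipped URL in the report (the report structure is not visible in this hunk, so the exact shape is for the author to decide) or logging the skip unconditionally would keep the exclusion auditable. Minor: `log.Printf("Ignoring %q\n", u)` ends with a redundant newline that `go vet` reports because log.Printf already terminates the line; `log.Printf("Ignoring %q", u)` suffices. The integrity method starts before the hunk and continues after it.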
@@ -17,6 +17,7 @@ Application Options:
 -r, --rate= The average upper limit of https operations per second (defaults to unlimited)
 -y, --years=YEARS Number of years to look back from now
 -t, --timerange=RANGE RANGE of time from which advisories to download
+ -i, --ignorepattern=PATTERN Do not download files if their URLs match any of the given PATTERNs
 -H, --header= One or more extra HTTP header fields
 --validator=URL URL to validate documents remotely
 --validatorcache=FILE FILE to cache remote validations
@@ -98,6 +99,17 @@ It is only allowed to specify one off them.
 All interval boundaries are inclusive.
+You can ignore certain advisories while checking by specifying a list
+of regular expressions to match their URLs by using the `ignorepattern`
+option.
+
+E.g. `-i='.*white.*' -i='*.red.*'` will ignore files which URLs contain
+the sub strings **white** or **red**.
+In the config file this has to be noted as:
+```
+ignorepattern = [".*white.*", ".*red.*"]
+```
+
 ### Remarks
 The `role` given in the `provider-metadata.json` is not