Add a flag to filter issues by confidence (#316)

ccojocar · web-flow · commit ee80733faf72 · 2019-05-10T10:15:09.000+02:00
Refactor also how the issues are filtered by severity.

Signed-off-by: Cosmin Cojocar &lt;cosmin.cojocar@gmx.ch&gt;
diff --git a/cmd/gosec/main.go b/cmd/gosec/main.go
@@ -93,7 +93,10 @@ var (
 	flagScanVendor = flag.Bool("vendor", false, "Scan the vendor folder")
 
 	// fail by severity
-	flagSeverity = flag.String("severity", "low", "Fail the scanning for issues with the given or higher severity. Valid options are: low, medium, high")
+	flagSeverity = flag.String("severity", "low", "Filter out the issues with a lower severity than the given value. Valid options are: low, medium, high")
+
+	// fail by confidence
+	flagConfidence = flag.String("confidence", "low", "Filter out the issues with a lower confidence than the given value. Valid options are: low, medium, high")
 
 	// do not fail
 	flagNoFail = flag.Bool("no-fail", false, "Do not fail the scanning, even if issues were found")
@@ -199,6 +202,16 @@ func convertToScore(severity string) (gosec.Score, error) {
 	}
 }
 
+func filterIssues(issues []*gosec.Issue, severity gosec.Score, confidence gosec.Score) []*gosec.Issue {
+	result := []*gosec.Issue{}
+	for _, issue := range issues {
+		if issue.Severity >= severity && issue.Confidence >= confidence {
+			result = append(result, issue)
+		}
+	}
+	return result
+}
+
 func main() {
 	// Setup usage description
 	flag.Usage = usage
@@ -232,10 +245,15 @@ func main() {
 
 	failSeverity, err := convertToScore(*flagSeverity)
 	if err != nil {
-		logger.Fatal(err)
+		logger.Fatalf("Invalid severity value: %v", err)
 	}
 
-	// Load config
+	failConfidence, err := convertToScore(*flagConfidence)
+	if err != nil {
+		logger.Fatalf("Invalid confidence value: %v", err)
+	}
+
+	// Load the analyzer configuration
 	config, err := loadConfig(*flagConfig)
 	if err != nil {
 		logger.Fatal(err)
@@ -284,16 +302,11 @@ func main() {
 		sortIssues(issues)
 	}
 
-	issuesFound := false
-	for _, issue := range issues {
-		if issue.Severity >= failSeverity {
-			issuesFound = true
-			break
-		}
-	}
+	// Filter the issues by severity and confidence
+	issues = filterIssues(issues, failSeverity, failConfidence)
 
 	// Exit quietly if nothing was found
-	if !issuesFound && *flagQuiet {
+	if len(issues) == 0 && *flagQuiet {
 		os.Exit(0)
 	}
 
@@ -307,7 +320,7 @@ func main() {
 	logWriter.Close() // #nosec
 
 	// Do we have an issue? If so exit 1 unless NoFail is set
-	if (issuesFound || len(errors) != 0) && !*flagNoFail {
+	if (len(issues) > 0 || len(errors) > 0) && !*flagNoFail {
 		os.Exit(1)
 	}
 }
