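"""
Inline ignore support for SentinelScan findings.

Inline ignores are parsed from Python comments using `tokenize`, so ignore
markers inside string literals do not suppress findings accidentally.
Each line is tokenized on its own, so this protection covers string literals
that open and close on that line; a line taken from the middle of a
multi-line string is tokenized without that context.
"""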
import io
import tokenize
from tokenize import TokenError
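# Text that must appear inside a comment for it to count as an inline ignore.
INLINE_IGNORE_MARKER = "sentinelscan: ignore"


def _rules_after_marker(comment):
    """Return the rule IDs listed after a standalone marker, or None if absent.

    The marker only counts when it is not glued to surrounding text: the
    character before it must not be a letter, digit or underscore, and the
    character after it must be whitespace or the end of the comment. An empty
    list means the marker was present with no rule IDs (a generic ignore).
    """
    marker_len = len(INLINE_IGNORE_MARKER)
    start = comment.find(INLINE_IGNORE_MARKER)
    while start != -1:
        end = start + marker_len
        before = comment[start - 1] if start else ""
        after = comment[end:end + 1]
        glued_before = before.isalnum() or before == "_"
        glued_after = bool(after) and not after.isspace()
        if not glued_before and not glued_after:
            return comment[end:].split()
        # Keep looking: a later occurrence in the same comment may be standalone.
        start = comment.find(INLINE_IGNORE_MARKER, start + 1)
    return None


def finding_has_inline_ignore(line, finding):
    """
    Return True when a source line suppresses a finding.

    Generic ignores suppress all findings on the line:
        # sentinelscan: ignore

    Rule-specific ignores suppress only listed rule IDs:
        # sentinelscan: ignore AWS_ACCESS_KEY API_KEY

    Only COMMENT tokens are inspected, so a marker inside a string literal
    that opens and closes on this line is not honoured. The line is tokenized
    in isolation; a line from the middle of a multi-line string is therefore
    seen without that context.

    The marker must stand on its own within the comment. A plain substring
    test would also accept the marker embedded in a longer word (for example
    with extra characters directly before or after it) and silence findings
    the author never meant to suppress.

    Args:
        line (str): Source line containing the finding.
        finding (Finding): Finding being checked for suppression.

    Returns:
        bool: True if the finding should be ignored.
    """
    try:
        for token in tokenize.generate_tokens(io.StringIO(line).readline):
            if token.type != tokenize.COMMENT:
                continue

            ignored_rules = _rules_after_marker(token.string)
            if ignored_rules is None:
                continue

            # No rule IDs listed means a generic ignore; otherwise the
            # finding's rule ID has to be named exactly.
            if not ignored_rules or finding.rule_id in ignored_rules:
                return True
    except TokenError:
        # A line the tokenizer rejects never suppresses: the finding is kept.
        return False
    return False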