add -e --exclude arument for excluding path (#876)

cve_bin_tool/cli.py

@@ -77,6 +77,13 @@ def main(argv=None):
     input_group.add_argument(
         "directory", help="directory to scan", nargs="?", default=None
     )
+    input_group.add_argument(
+        "-e",
+        "--exclude",
+        action=StringToListAction,
+        help="Comma separated Exclude directory path",
+        default=None,
+    )
 
     input_group.add_argument(
         "-i", "--input-file", action="store", default="", help="provide input filename",
@@ -164,6 +171,7 @@ def main(argv=None):
     )
     defaults = {
         "directory": "",
+        "exclude": [],
         "input_file": "",
         "log_level": "info",
         "format": "console",
@@ -294,7 +302,9 @@ def main(argv=None):
                     cve_scanner.get_cves(product_info, triage_data)
         if args["directory"]:
             version_scanner = VersionScanner(
-                should_extract=args["extract"], error_mode=error_mode
+                should_extract=args["extract"],
+                exclude_folders=args["exclude"],
+                error_mode=error_mode,
             )
             version_scanner.remove_skiplist(skips)
             LOGGER.info(version_scanner.print_checkers())

cve_bin_tool/util.py

@@ -146,16 +146,25 @@ def walk(self, roots=None):
             for dirpath, dirnames, filenames in os.walk(root):
                 # Filters
                 filenames[:] = [
-                    i
-                    for i in filenames
-                    if self.pattern_match(i, self.pattern)
-                    and not self.pattern_match(i, self.file_exclude_pattern)
+                    filename
+                    for filename in filenames
+                    if self.pattern_match(os.path.join(dirpath, filename), self.pattern)
+                    and not self.pattern_match(
+                        os.path.join(dirpath, filename), self.file_exclude_pattern
+                    )
+                    and not self.pattern_match(
+                        os.path.join(dirpath, filename), self.folder_exclude_pattern
+                    )
                 ]
                 dirnames[:] = [
-                    i
-                    for i in dirnames
-                    if self.pattern_match(i, self.folder_include_pattern)
-                    and not self.pattern_match(i, self.folder_exclude_pattern)
+                    dirname
+                    for dirname in dirnames
+                    if self.pattern_match(
+                        os.path.join(dirpath, dirname), self.folder_include_pattern
+                    )
+                    and not self.pattern_match(
+                        os.path.join(dirpath, dirname), self.folder_exclude_pattern
+                    )
                 ]
                 # Yields
                 if self.yield_files:

cve_bin_tool/version_scanner.py

@@ -25,6 +25,7 @@ class VersionScanner:
     def __init__(
         self,
         should_extract=False,
+        exclude_folders=[],
         checkers=None,
         logger=None,
         error_mode=ErrorMode.TruncTrace,
@@ -40,8 +41,15 @@ def __init__(
         self.checkers = checkers or self.load_checkers()
         self.score = score
         self.total_scanned_files = 0
-        exclude_folders = [".git"]
-        self.walker = DirWalk(folder_exclude_pattern=";".join(exclude_folders)).walk
+        self.exclude_folders = exclude_folders
+        self.exclude_folders.append(".git")
+
+        self.walker = DirWalk(
+            folder_exclude_pattern=";".join(
+                exclude if exclude.endswith("*") else exclude + "*"
+                for exclude in exclude_folders
+            )
+        ).walk
         self.should_extract = should_extract
         self.file_stack = []
         self.error_mode = error_mode

test/test_cli.py

@@ -12,6 +12,7 @@
 from cve_bin_tool.cli import main
 from cve_bin_tool.cvedb import DISK_LOCATION_DEFAULT
 from cve_bin_tool.extractor import Extractor
+from cve_bin_tool.version_scanner import VersionScanner
 from .utils import (
     TempDirTest,
     download_file,
@@ -56,6 +57,15 @@ def test_no_extraction(self):
         """ Test scanner against curl-7.20.0 rpm with extraction turned off """
         assert main(["cve-bin-tool", os.path.join(self.tempdir, CURL_7_20_0_RPM)]) == 0
 
+    def test_exclude(self, caplog):
+        """ Test that the exclude paths are not scanned """
+        test_path = os.path.abspath(os.path.dirname(__file__))
+        exclude_path = os.path.join(test_path, "assets/")
+        checkers = list(VersionScanner().checkers.keys())
+        with caplog.at_level(logging.INFO):
+            main(["cve-bin-tool", test_path, "-e", ",".join(exclude_path)])
+        self.check_exclude_log(caplog, exclude_path, checkers)
+
     def test_usage(self):
         """ Test that the usage returns 0 """
         with pytest.raises(SystemExit) as e:
@@ -101,6 +111,20 @@ def test_update_flags(self):
             main(["cve-bin-tool", "-u", "whatever", self.tempdir])
         assert e.value.args[0] == -2
 
+    @staticmethod
+    def check_exclude_log(caplog, exclude_path, checkers):
+        # The final log has all the checkers detected
+        final_log = [
+            record for record in caplog.records if "NewFound CVEs" in record.message
+        ]
+        assert len(final_log) == 0, "Checkers from excluded path scanned!!"
+        if final_log:
+            final_log = final_log[0].message
+            for checker in checkers:
+                assert checker in final_log, f"found a CVE {checker} in {exclude_path}"
+
+        caplog.clear()
+
     @staticmethod
     def check_checkers_log(caplog, skip_checkers, include_checkers):
         # The final log has all the checkers detected

test/test_config.py

@@ -12,6 +12,7 @@ class TestConfig:
         "cvss": 0,
         "directory": "test/assets",
         "disable_version_check": False,
+        "exclude": [],
         "extract": False,
         "format": "console",
         "input_file": "test/csv/triage.csv",