Supporting Regex in Policy

Author: MindPatch

src/automation/mod.rs

@@ -112,10 +112,14 @@ pub struct ScanPolicy {
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct PolicyConditions {
     pub title_contains: Option<Vec<String>>, // Keywords like "unauth", "xss"
+    pub title_regex: Option<Vec<String>>, // Regex patterns for title matching
+    pub description_contains: Option<Vec<String>>, // Keywords in vulnerability description
+    pub description_regex: Option<Vec<String>>, // Regex patterns for description matching
     pub severity: Option<Vec<String>>, // "critical", "high", "medium", "low"
     pub ecosystems: Option<Vec<Ecosystem>>,
     pub cve_pattern: Option<String>, // Regex pattern for CVE IDs
     pub packages: Option<Vec<String>>, // Specific package names
+    pub package_regex: Option<Vec<String>>, // Regex patterns for package names
 }
 
 /// Policy actions when conditions are met
@@ -125,6 +129,7 @@ pub struct PolicyActions {
     pub priority: PolicyPriority,
     pub custom_message: Option<String>,
     pub ignore: bool, // Ignore vulnerabilities matching this policy
+    pub filter_only: bool, // If true, ONLY show vulnerabilities that match this policy (whitelist mode)
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -236,6 +241,50 @@ impl ScanPolicy {
             }
         }
 
+        // Check title regex patterns
+        if let Some(patterns) = &conditions.title_regex {
+            let title = &vulnerability.summary;
+            let matches_pattern = patterns.iter().any(|pattern| {
+                match Regex::new(pattern) {
+                    Ok(regex) => regex.is_match(title),
+                    Err(_) => {
+                        // Log warning but don't fail the match
+                        false
+                    }
+                }
+            });
+            if !matches_pattern {
+                return false;
+            }
+        }
+
+        // Check description contains keywords (if vulnerability has description field)
+        if let Some(keywords) = &conditions.description_contains {
+            // Note: Vulnerability struct might not have a separate description field
+            // For now, we'll check against the summary field as well
+            let text_to_search = vulnerability.summary.to_lowercase();
+            let has_keyword = keywords.iter().any(|keyword| {
+                text_to_search.contains(&keyword.to_lowercase())
+            });
+            if !has_keyword {
+                return false;
+            }
+        }
+
+        // Check description regex patterns
+        if let Some(patterns) = &conditions.description_regex {
+            let text_to_search = &vulnerability.summary;
+            let matches_pattern = patterns.iter().any(|pattern| {
+                match Regex::new(pattern) {
+                    Ok(regex) => regex.is_match(text_to_search),
+                    Err(_) => false,
+                }
+            });
+            if !matches_pattern {
+                return false;
+            }
+        }
+
         // Check severity
         if let Some(severities) = &conditions.severity {
             if let Some(vuln_severity) = &vulnerability.severity {
@@ -257,12 +306,18 @@ impl ScanPolicy {
             }
         }
 
-        // Check packages
+        // Check packages (basic string matching)
         if let Some(_packages) = &conditions.packages {
             // This would need to be checked against the package name from scan context
             // For now, we'll skip this check as we don't have package context in Vulnerability
         }
 
+        // Check package regex patterns
+        if let Some(_patterns) = &conditions.package_regex {
+            // This would need to be checked against the package name from scan context
+            // For now, we'll skip this check as we don't have package context in Vulnerability
+        }
+
         true
     }
 } 

src/automation/policy.rs

@@ -41,10 +41,49 @@ impl PolicyEngine {
             .map(|p| (format!("{}@{}", p.name, p.version), p))
             .collect();
 
-        // Apply each policy to each vulnerability
+        // Check if any policies have filter_only=true (whitelist mode)
+        let has_filter_only_policies = self.policies.iter().any(|p| p.enabled && p.actions.filter_only);
+        let mut filter_only_matched_vulns = std::collections::HashSet::new();
+
+        // First pass: collect vulnerabilities that match filter_only policies
+        if has_filter_only_policies {
+            for vulnerability in &scan_result.vulnerabilities {
+                for policy in &self.policies {
+                    if policy.enabled && policy.actions.filter_only {
+                        let package_name = self.find_package_for_vulnerability(vulnerability, &package_map);
+                        
+                        if self.vulnerability_matches_policy(vulnerability, policy, package_name.as_deref()) {
+                            filter_only_matched_vulns.insert(vulnerability.id.clone());
+                            
+                            let policy_match = PolicyMatch {
+                                policy_name: policy.name.clone(),
+                                vulnerability_id: vulnerability.id.clone(),
+                                package_name: package_name.clone().unwrap_or_else(|| "unknown".to_string()),
+                                actions: policy.actions.clone(),
+                            };
+                            policy_matches.push(policy_match);
+                            
+                            if policy.actions.notify {
+                                prioritized_vulnerabilities.push(vulnerability.id.clone());
+                                info!("Filter-only policy '{}' matched and prioritized vulnerability: {} ({})", 
+                                      policy.name, vulnerability.id, policy.actions.priority.as_str());
+                            }
+                            break; // One filter_only match is enough to include the vulnerability
+                        }
+                    }
+                }
+            }
+        }
+
+        // Second pass: apply regular policies to remaining vulnerabilities
         for vulnerability in &scan_result.vulnerabilities {
+            // If we have filter_only policies and this vulnerability didn't match any, skip it
+            if has_filter_only_policies && !filter_only_matched_vulns.contains(&vulnerability.id) {
+                continue;
+            }
+
             for policy in &self.policies {
-                if policy.enabled {
+                if policy.enabled && !policy.actions.filter_only {
                     // Find the package associated with this vulnerability
                     let package_name = self.find_package_for_vulnerability(vulnerability, &package_map);
 
@@ -74,18 +113,31 @@ impl PolicyEngine {
             }
         }
 
-        // Remove ignored vulnerabilities from the result
+        // Filter vulnerabilities based on policy results
         let filtered_vulnerabilities: Vec<Vulnerability> = scan_result
             .vulnerabilities
             .iter()
-            .filter(|v| !ignored_vulnerabilities.contains(&v.id))
+            .filter(|v| {
+                // If we have filter_only policies, only include vulnerabilities that matched them
+                if has_filter_only_policies {
+                    filter_only_matched_vulns.contains(&v.id) && !ignored_vulnerabilities.contains(&v.id)
+                } else {
+                    // Normal mode: exclude only ignored vulnerabilities
+                    !ignored_vulnerabilities.contains(&v.id)
+                }
+            })
             .cloned()
             .collect();
 
         let mut filtered_scan_result = scan_result.clone();
         filtered_scan_result.vulnerabilities = filtered_vulnerabilities;
         filtered_scan_result.policies_applied = self.policies.iter().map(|p| p.name.clone()).collect();
 
+        info!("Policy filtering results: {} vulnerabilities -> {} vulnerabilities (filter_only_mode: {})", 
+              scan_result.vulnerabilities.len(), 
+              filtered_scan_result.vulnerabilities.len(),
+              has_filter_only_policies);
+
         FilteredScanResult {
             scan_result: filtered_scan_result,
             policy_matches,
@@ -112,6 +164,57 @@ impl PolicyEngine {
             }
         }
 
+        // Check title regex patterns
+        if let Some(patterns) = &conditions.title_regex {
+            let title = &vulnerability.summary;
+            let matches_pattern = patterns.iter().any(|pattern| {
+                match Regex::new(pattern) {
+                    Ok(regex) => regex.is_match(title),
+                    Err(e) => {
+                        warn!("Invalid regex pattern in policy '{}': {} - Error: {}", policy.name, pattern, e);
+                        false
+                    }
+                }
+            });
+            
+            if !matches_pattern {
+                return false;
+            }
+        }
+
+        // Check description contains keywords
+        if let Some(keywords) = &conditions.description_contains {
+            // For now, we'll search in the summary field since Vulnerability might not have separate description
+            let text_to_search = vulnerability.summary.to_lowercase();
+            
+            let has_keyword = keywords.iter().any(|keyword| {
+                let keyword_lower = keyword.to_lowercase();
+                text_to_search.contains(&keyword_lower)
+            });
+            
+            if !has_keyword {
+                return false;
+            }
+        }
+
+        // Check description regex patterns
+        if let Some(patterns) = &conditions.description_regex {
+            let text_to_search = &vulnerability.summary;
+            let matches_pattern = patterns.iter().any(|pattern| {
+                match Regex::new(pattern) {
+                    Ok(regex) => regex.is_match(text_to_search),
+                    Err(e) => {
+                        warn!("Invalid regex pattern in policy '{}': {} - Error: {}", policy.name, pattern, e);
+                        false
+                    }
+                }
+            });
+            
+            if !matches_pattern {
+                return false;
+            }
+        }
+
         // Check severity levels
         if let Some(severities) = &conditions.severity {
             if let Some(vuln_severity) = &vulnerability.severity {
@@ -168,6 +271,28 @@ impl PolicyEngine {
             }
         }
 
+        // Check package regex patterns
+        if let Some(patterns) = &conditions.package_regex {
+            if let Some(pkg_name) = package_name {
+                let matches_pattern = patterns.iter().any(|pattern| {
+                    match Regex::new(pattern) {
+                        Ok(regex) => regex.is_match(pkg_name),
+                        Err(e) => {
+                            warn!("Invalid package regex pattern in policy '{}': {} - Error: {}", policy.name, pattern, e);
+                            false
+                        }
+                    }
+                });
+                
+                if !matches_pattern {
+                    return false;
+                }
+            } else {
+                // No package name available, can't match package regex condition
+                return false;
+            }
+        }
+
         // Check ecosystems
         if let Some(_ecosystems) = &conditions.ecosystems {
             // This would need ecosystem context from the scan
@@ -208,16 +333,21 @@ impl PolicyEngine {
                         "privilege".to_string(),
                         "escalation".to_string(),
                     ]),
+                    title_regex: None,
+                    description_contains: None,
+                    description_regex: None,
                     severity: Some(vec!["high".to_string(), "critical".to_string()]),
                     ecosystems: None,
                     cve_pattern: None,
                     packages: None,
+                    package_regex: None,
                 },
                 actions: PolicyActions {
                     notify: true,
                     priority: crate::automation::PolicyPriority::Critical,
                     custom_message: Some("🚨 Critical authentication vulnerability detected!".to_string()),
                     ignore: false,
+                    filter_only: false,
                 },
             },
             ScanPolicy {
@@ -229,16 +359,21 @@ impl PolicyEngine {
                         "cross-site scripting".to_string(),
                         "script injection".to_string(),
                     ]),
+                    title_regex: None,
+                    description_contains: None,
+                    description_regex: None,
                     severity: Some(vec!["medium".to_string(), "high".to_string(), "critical".to_string()]),
                     ecosystems: None,
                     cve_pattern: None,
                     packages: None,
+                    package_regex: None,
                 },
                 actions: PolicyActions {
                     notify: true,
                     priority: crate::automation::PolicyPriority::High,
                     custom_message: Some("⚠️ XSS vulnerability requires attention".to_string()),
                     ignore: false,
+                    filter_only: false,
                 },
             },
             ScanPolicy {
@@ -250,23 +385,31 @@ impl PolicyEngine {
                         "sqli".to_string(),
                         "sql".to_string(),
                     ]),
+                    title_regex: None,
+                    description_contains: None,
+                    description_regex: None,
                     severity: Some(vec!["medium".to_string(), "high".to_string(), "critical".to_string()]),
                     ecosystems: None,
                     cve_pattern: None,
                     packages: None,
+                    package_regex: None,
                 },
                 actions: PolicyActions {
                     notify: true,
                     priority: crate::automation::PolicyPriority::High,
                     custom_message: Some("💉 SQL injection vulnerability detected".to_string()),
                     ignore: false,
+                    filter_only: false,
                 },
             },
             ScanPolicy {
                 name: "Low Priority Development Dependencies".to_string(),
                 enabled: true,
                 conditions: PolicyConditions {
                     title_contains: None,
+                    title_regex: None,
+                    description_contains: None,
+                    description_regex: None,
                     severity: Some(vec!["low".to_string()]),
                     ecosystems: None,
                     cve_pattern: None,
@@ -276,12 +419,14 @@ impl PolicyEngine {
                         "*dev".to_string(),
                         "*test".to_string(),
                     ]),
+                    package_regex: None,
                 },
                 actions: PolicyActions {
                     notify: false,
                     priority: crate::automation::PolicyPriority::Low,
                     custom_message: None,
                     ignore: true, // Ignore low-severity issues in dev dependencies
+                    filter_only: false,
                 },
             },
         ]