From 101fe444b138f02da53809980172d9be30e07d92 Mon Sep 17 00:00:00 2001
From: pdmarf <135653545+pdmarf@users.noreply.github.com>
Date: Fri, 17 Apr 2026 23:07:38 +0100
Subject: [PATCH] Add per-VM whitelist to suppress known-safe findings

---
 .gitignore | 1 +
 npm-security-check.sh | 19 +++++++++++++++----
 setup.sh | 11 +++++++++++
 3 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/.gitignore b/.gitignore
index 3fc2310..935c093 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 config.sh
+whitelist.conf
 logs/
diff --git a/npm-security-check.sh b/npm-security-check.sh
index fc9e468..7c18647 100755
--- a/npm-security-check.sh
+++ b/npm-security-check.sh
@@ -18,6 +18,11 @@ send_telegram() {
 HOSTNAME=$(hostname)
 DATE=$(date)
 LOGFILE="${1:-npm_security_check_${HOSTNAME}_$(date +%Y%m%d_%H%M%S).log}"
+WHITELIST="$SCRIPT_DIR/whitelist.conf"
+
+is_whitelisted() {
+ [[ -f "$WHITELIST" ]] && grep -qF "$1" "$WHITELIST" 2>/dev/null
+}
 
 RED='\033[0;31m'
 YELLOW='\033[1;33m'
@@ -85,6 +90,10 @@ else
 COUNT=$(echo "$LOCKFILES" | wc -l)
 log "Scanning $COUNT lock file(s)..."
 for pkg in "${BAD_PKGS[@]}"; do
+ if is_whitelisted "$pkg"; then
+ ok "$pkg is whitelisted — skipping"
+ continue
+ fi
 MATCHES=$(echo "$LOCKFILES" | xargs grep -l "\"$pkg\"" 2>/dev/null || true)
 if [[ -n "$MATCHES" ]]; then
 fail "Found '$pkg' in: $MATCHES"
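Review bot: `is_whitelisted` decides with `grep -qF "$1"`, which is a fixed-string substring test over every line of the file, comment lines included, so the template that setup.sh writes already suppresses any finding for `ua-parser-js` and `/tmp/my-known-safe-script.sh` through its commented examples, and a short entry such as `/tmp` would silence the whole temp-directory scan; the package loop in the second hunk uses the same matcher, where an entry like `lodash` also covers `lodash-es`. An argument that starts with `-` is also parsed as a grep option rather than a pattern. A whole-line match that ignores comments closes all three gaps: `[[ -f "$WHITELIST" ]] && grep -v '^[[:space:]]*#' -- "$WHITELIST" | grep -qxF -e "$1"`. Because any account that can write whitelist.conf can silence the scanner, it is probably also worth refusing a group- or world-writable file before consulting it, though the file's ownership model is not visible in this patch.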
@@ -206,12 +215,14 @@ for dir in /tmp /dev/shm /var/tmp; do
 EXEC_FILES=$(find "$dir" -type f -executable 2>/dev/null | head -20 || true)
 JS_FILES=$(find "$dir" -name "*.js" -o -name "*.mjs" 2>/dev/null | head -10 || true)
 if [[ -n "$EXEC_FILES" ]]; then
- warn "Executable files in $dir:"
- log "$EXEC_FILES"
+ while IFS= read -r f; do
+ is_whitelisted "$f" && ok "$f is whitelisted — skipping" || { warn "Executable file in $dir: $f"; }
+ done <<< "$EXEC_FILES"
 fi
 if [[ -n "$JS_FILES" ]]; then
- warn "JS files in $dir:"
- log "$JS_FILES"
+ while IFS= read -r f; do
+ is_whitelisted "$f" && ok "$f is whitelisted — skipping" || { warn "JS file in $dir: $f"; }
+ done <<< "$JS_FILES"
 fi
 done
 ok "Temp directory scan complete"
diff --git a/setup.sh b/setup.sh
index 2684c27..0984c67 100755
--- a/setup.sh
+++ b/setup.sh
@@ -35,6 +35,17 @@ chmod +x "$SCRIPT_DIR/check-nextjs-rce.sh"
 # ── Create logs directory ──────────────────────────────────────────────────────
 mkdir -p "$SCRIPT_DIR/logs"
 
+# ── Create whitelist if absent ─────────────────────────────────────────────────
+if [[ ! -f "$SCRIPT_DIR/whitelist.conf" ]]; then
+ cat > "$SCRIPT_DIR/whitelist.conf" <<'EOF'
+# whitelist.conf — one entry per line, exact match against package names or file paths
+# Example:
+# ua-parser-js
+# /tmp/my-known-safe-script.sh
+EOF
+ echo "whitelist.conf created — add known-safe items to suppress false positives."
+fi
+
 # ── Cron jobs ──────────────────────────────────────────────────────────────────
 CRON_1="0 8 * * * $SCRIPT_DIR/npm-security-check.sh >> $SCRIPT_DIR/logs/npm-security-check-\$(date +\%Y\%m\%d).log 2>&1"
 CRON_2="5 8 * * * $SCRIPT_DIR/check-nextjs-rce.sh >> $SCRIPT_DIR/logs/check-nextjs-rce-\$(date +\%Y\%m\%d).log 2>&1"
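Review bot: The `is_whitelisted "$f" && ok … || { warn …; }` line in both new loops is an if/else written as an and/or chain, so if `ok` ever returns non-zero the path is reported as whitelisted and then warned about as well; `ok` is defined outside the hunk, so its exit status cannot be confirmed here. `if is_whitelisted "$f"; then ok "$f is whitelisted — skipping"; else warn "Executable file in $dir: $f"; fi` keeps the two outcomes exclusive, and the same rewrite applies to the JS loop. Note also that a path entry in the whitelist attests only the name, not what currently sits at that path, so if the list is meant to cover specific known scripts a content hash would be a sturdier key than the path. The enclosing `for dir` loop begins before the hunk.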
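Review bot: The template header promises `exact match against package names or file paths`, but the matcher in npm-security-check.sh is `grep -qF`, a fixed-string substring test, so the file documents a stricter rule than the code enforces; until the matcher is tightened the header should say what actually happens, e.g. `# whitelist.conf — one entry per line, matched as a fixed substring against package names and file paths`. The heredoc creates the file under whatever umask setup.sh happens to run with, so its mode is not pinned; since an entry here silences the scanner, `chmod go-w -- "$SCRIPT_DIR/whitelist.conf"` after the `cat` keeps edits to the owner. Whether other local accounts exist on these VMs is not visible here, so treat that as a precaution rather than a confirmed exposure.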