Add per-VM whitelist to suppress known-safe findings

2026-04-17 23:07:38 +01:00
parent dc299e4262
commit 101fe444b1
3 changed files with 27 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 config.sh
+whitelist.conf
 logs/
--- a/npm-security-check.sh
+++ b/npm-security-check.sh
@@ -18,6 +18,11 @@ send_telegram() {
 HOSTNAME=$(hostname)
 DATE=$(date)
 LOGFILE="${1:-npm_security_check_${HOSTNAME}_$(date +%Y%m%d_%H%M%S).log}"
+WHITELIST="$SCRIPT_DIR/whitelist.conf"
+
+is_whitelisted() {
+    [[ -f "$WHITELIST" ]] && grep -qF "$1" "$WHITELIST" 2>/dev/null
+}

 RED='\033[0;31m'
 YELLOW='\033[1;33m'
@@ -85,6 +90,10 @@ else
    COUNT=$(echo "$LOCKFILES" | wc -l)
    log "Scanning $COUNT lock file(s)..."
    for pkg in "${BAD_PKGS[@]}"; do
+        if is_whitelisted "$pkg"; then
+            ok "$pkg is whitelisted — skipping"
+            continue
+        fi
        MATCHES=$(echo "$LOCKFILES" | xargs grep -l "\"$pkg\"" 2>/dev/null || true)
        if [[ -n "$MATCHES" ]]; then
            fail "Found '$pkg' in: $MATCHES"
@@ -206,12 +215,14 @@ for dir in /tmp /dev/shm /var/tmp; do
    EXEC_FILES=$(find "$dir" -type f -executable 2>/dev/null | head -20 || true)
    JS_FILES=$(find "$dir" -name "*.js" -o -name "*.mjs" 2>/dev/null | head -10 || true)
    if [[ -n "$EXEC_FILES" ]]; then
-        warn "Executable files in $dir:"
-        log "$EXEC_FILES"
+        while IFS= read -r f; do
+            is_whitelisted "$f" && ok "$f is whitelisted — skipping" || { warn "Executable file in $dir: $f"; }
+        done <<< "$EXEC_FILES"
    fi
    if [[ -n "$JS_FILES" ]]; then
-        warn "JS files in $dir:"
-        log "$JS_FILES"
+        while IFS= read -r f; do
+            is_whitelisted "$f" && ok "$f is whitelisted — skipping" || { warn "JS file in $dir: $f"; }
+        done <<< "$JS_FILES"
    fi
 done
 ok "Temp directory scan complete"
--- a/setup.sh
+++ b/setup.sh
@@ -35,6 +35,17 @@ chmod +x "$SCRIPT_DIR/check-nextjs-rce.sh"
 # ── Create logs directory ──────────────────────────────────────────────────────
 mkdir -p "$SCRIPT_DIR/logs"

+# ── Create whitelist if absent ─────────────────────────────────────────────────
+if [[ ! -f "$SCRIPT_DIR/whitelist.conf" ]]; then
+    cat > "$SCRIPT_DIR/whitelist.conf" <<'EOF'
+# whitelist.conf — one entry per line, exact match against package names or file paths
+# Example:
+#   ua-parser-js
+#   /tmp/my-known-safe-script.sh
+EOF
+    echo "whitelist.conf created — add known-safe items to suppress false positives."
+fi
+
 # ── Cron jobs ──────────────────────────────────────────────────────────────────
 CRON_1="0 8 * * * $SCRIPT_DIR/npm-security-check.sh >> $SCRIPT_DIR/logs/npm-security-check-\$(date +\%Y\%m\%d).log 2>&1"
 CRON_2="5 8 * * * $SCRIPT_DIR/check-nextjs-rce.sh >> $SCRIPT_DIR/logs/check-nextjs-rce-\$(date +\%Y\%m\%d).log 2>&1"