suppression

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 12, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package suppression provides domain logic for platform-controlled false positive management.

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrRuleNotFound      = errors.New("suppression rule not found")
	ErrRuleAlreadyExists = errors.New("suppression rule already exists")
	ErrRuleNotPending    = errors.New("suppression rule is not pending")
	ErrRuleExpired       = errors.New("suppression rule has expired")
	ErrInvalidCriteria   = errors.New("invalid suppression criteria")
	ErrSuppressionExists = errors.New("finding already suppressed by this rule")
)

Domain errors for suppression rules.

Functions

This section is empty.

Types

type ApproveRuleInput 

type ApproveRuleInput struct {
	TenantID   shared.ID
	RuleID     shared.ID
	ApprovedBy shared.ID
}

ApproveRuleInput contains input for approving a rule.

type CreateRuleInput 

type CreateRuleInput struct {
	TenantID        shared.ID
	Name            string
	Description     string
	SuppressionType SuppressionType
	RuleID          string     // Tool rule ID pattern
	ToolName        string     // Tool name filter
	PathPattern     string     // File path pattern
	AssetID         *shared.ID // Optional asset filter
	RequestedBy     shared.ID
	ExpiresAt       *string // ISO8601 format
}

CreateRuleInput contains input for creating a suppression rule.

type FindingMatch 

type FindingMatch struct {
	ToolName string
	RuleID   string
	FilePath string
	AssetID  shared.ID
}

MatchesFinding checks if the rule matches a finding.

type FindingSuppression 

type FindingSuppression struct {
	ID                shared.ID
	FindingID         shared.ID
	SuppressionRuleID shared.ID
	AppliedAt         string
	AppliedBy         string
}

FindingSuppression represents a suppression applied to a finding.

type RejectRuleInput 

type RejectRuleInput struct {
	TenantID   shared.ID
	RuleID     shared.ID
	RejectedBy shared.ID
	Reason     string
}

RejectRuleInput contains input for rejecting a rule.

type Repository 

type Repository interface {
	// Rule operations
	Save(ctx context.Context, rule *Rule) error
	FindByID(ctx context.Context, tenantID, id shared.ID) (*Rule, error)
	Delete(ctx context.Context, tenantID, id shared.ID) error

	// Query operations
	FindByTenant(ctx context.Context, tenantID shared.ID, filter RuleFilter) ([]*Rule, error)
	FindActiveByTenant(ctx context.Context, tenantID shared.ID) ([]*Rule, error)
	FindPendingByTenant(ctx context.Context, tenantID shared.ID) ([]*Rule, error)

	// Matching
	FindMatchingRules(ctx context.Context, tenantID shared.ID, match FindingMatch) ([]*Rule, error)

	// Bulk operations
	ExpireRules(ctx context.Context) (int64, error)

	// Finding suppressions
	RecordSuppression(ctx context.Context, findingID, ruleID shared.ID, appliedBy string) error
	FindSuppressionsByFinding(ctx context.Context, findingID shared.ID) ([]*FindingSuppression, error)
	RemoveSuppression(ctx context.Context, findingID, ruleID shared.ID) error

	// Audit
	RecordAudit(ctx context.Context, ruleID shared.ID, action string, actorID *shared.ID, details map[string]any) error
}

Repository defines the interface for suppression rule persistence.

type Rule 

type Rule struct {
	// contains filtered or unexported fields
}

Rule represents a suppression rule for findings.

func NewRule 

func NewRule(
	tenantID shared.ID,
	name string,
	suppressionType SuppressionType,
	requestedBy shared.ID,
) (*Rule, error)

NewRule creates a new suppression rule.

func ReconstituteRule 

func ReconstituteRule(data RuleData) *Rule

ReconstituteRule recreates a Rule from persistence.

func (*Rule) Approve 

func (r *Rule) Approve(approvedBy shared.ID) error

Approve approves the suppression rule.

func (*Rule) ApprovedAt 

func (r *Rule) ApprovedAt() *time.Time

func (*Rule) ApprovedBy 

func (r *Rule) ApprovedBy() *shared.ID

func (*Rule) AssetID 

func (r *Rule) AssetID() *shared.ID

func (*Rule) CreatedAt 

func (r *Rule) CreatedAt() time.Time

func (*Rule) Description 

func (r *Rule) Description() string

func (*Rule) Expire 

func (r *Rule) Expire()

Expire marks the rule as expired.

func (*Rule) ExpiresAt 

func (r *Rule) ExpiresAt() *time.Time

func (*Rule) HasCriteria 

func (r *Rule) HasCriteria() bool

HasCriteria checks if the rule has at least one matching criterion.

func (*Rule) ID 

func (r *Rule) ID() shared.ID

func (*Rule) IsActive 

func (r *Rule) IsActive() bool

IsActive checks if the rule is currently active.

func (*Rule) IsExpired 

func (r *Rule) IsExpired() bool

IsExpired checks if the rule has expired.

func (*Rule) Matches 

func (r *Rule) Matches(f FindingMatch) bool

Matches checks if this suppression rule matches the given finding.

func (*Rule) Name 

func (r *Rule) Name() string

func (*Rule) PathPattern 

func (r *Rule) PathPattern() string

func (*Rule) Reject 

func (r *Rule) Reject(rejectedBy shared.ID, reason string) error

Reject rejects the suppression rule.

func (*Rule) RejectedAt 

func (r *Rule) RejectedAt() *time.Time

func (*Rule) RejectedBy 

func (r *Rule) RejectedBy() *shared.ID

func (*Rule) RejectionReason 

func (r *Rule) RejectionReason() string

func (*Rule) RequestedAt 

func (r *Rule) RequestedAt() time.Time

func (*Rule) RequestedBy 

func (r *Rule) RequestedBy() shared.ID

func (*Rule) RuleID 

func (r *Rule) RuleID() string

func (*Rule) SetAssetID 

func (r *Rule) SetAssetID(assetID *shared.ID)

SetAssetID sets the asset ID filter.

func (*Rule) SetDescription 

func (r *Rule) SetDescription(description string)

SetDescription sets the description.

func (*Rule) SetExpiresAt 

func (r *Rule) SetExpiresAt(expiresAt *time.Time)

SetExpiresAt sets the expiration date.

func (*Rule) SetName 

func (r *Rule) SetName(name string)

SetName sets the rule name.

func (*Rule) SetPathPattern 

func (r *Rule) SetPathPattern(pattern string)

SetPathPattern sets the file path pattern.

func (*Rule) SetRuleIDPattern 

func (r *Rule) SetRuleIDPattern(pattern string)

SetRuleIDPattern sets the rule ID pattern.

func (*Rule) SetToolName 

func (r *Rule) SetToolName(toolName string)

SetToolName sets the tool name filter.

func (*Rule) Status 

func (r *Rule) Status() RuleStatus

func (*Rule) SuppressionType 

func (r *Rule) SuppressionType() SuppressionType

func (*Rule) TenantID 

func (r *Rule) TenantID() shared.ID

func (*Rule) ToolName 

func (r *Rule) ToolName() string

func (*Rule) UpdatedAt 

func (r *Rule) UpdatedAt() time.Time

func (*Rule) Validate 

func (r *Rule) Validate() error

Validate validates the rule has proper criteria.

type RuleData 

type RuleData struct {
	ID              shared.ID
	TenantID        shared.ID
	RuleID          string
	ToolName        string
	PathPattern     string
	AssetID         *shared.ID
	Name            string
	Description     string
	SuppressionType SuppressionType
	Status          RuleStatus
	RequestedBy     shared.ID
	RequestedAt     time.Time
	ApprovedBy      *shared.ID
	ApprovedAt      *time.Time
	RejectedBy      *shared.ID
	RejectedAt      *time.Time
	RejectionReason string
	ExpiresAt       *time.Time
	CreatedAt       time.Time
	UpdatedAt       time.Time
}

RuleData contains all data needed to reconstitute a Rule from persistence.

type RuleFilter 

type RuleFilter struct {
	Status          *RuleStatus
	SuppressionType *SuppressionType
	ToolName        *string
	AssetID         *shared.ID
	RequestedBy     *shared.ID
	IncludeExpired  bool
	Limit           int
	Offset          int
}

RuleFilter provides filtering options for rule queries.

type RuleStatus 

type RuleStatus string

RuleStatus represents the approval status of a suppression rule. 

const (
	RuleStatusPending  RuleStatus = "pending"
	RuleStatusApproved RuleStatus = "approved"
	RuleStatusRejected RuleStatus = "rejected"
	RuleStatusExpired  RuleStatus = "expired"
)

func (RuleStatus) IsValid 

func (s RuleStatus) IsValid() bool

IsValid checks if the rule status is valid.

type Service 

type Service struct {
	// contains filtered or unexported fields
}

Service provides business logic for suppression rules.

func NewService 

func NewService(repo Repository, log *logger.Logger) *Service

NewService creates a new suppression service.

func (*Service) ApplySuppression 

func (s *Service) ApplySuppression(ctx context.Context, findingID, ruleID shared.ID) error

ApplySuppression applies a suppression rule to a finding.

func (*Service) ApproveRule 

func (s *Service) ApproveRule(ctx context.Context, input ApproveRuleInput) (*Rule, error)

ApproveRule approves a pending suppression rule.

func (*Service) CheckSuppression 

func (s *Service) CheckSuppression(ctx context.Context, tenantID shared.ID, match FindingMatch) ([]*Rule, error)

CheckSuppression checks if a finding matches any active suppression rules.

func (*Service) CreateRule 

func (s *Service) CreateRule(ctx context.Context, input CreateRuleInput) (*Rule, error)

CreateRule creates a new suppression rule.

func (*Service) DeleteRule 

func (s *Service) DeleteRule(ctx context.Context, tenantID, ruleID, deletedBy shared.ID) error

DeleteRule deletes a suppression rule.

func (*Service) ExpireRules 

func (s *Service) ExpireRules(ctx context.Context) (int64, error)

ExpireRules expires all rules past their expiration date.

func (*Service) GetRule 

func (s *Service) GetRule(ctx context.Context, tenantID, ruleID shared.ID) (*Rule, error)

GetRule retrieves a suppression rule by ID.

func (*Service) ListActiveRules 

func (s *Service) ListActiveRules(ctx context.Context, tenantID shared.ID) ([]*Rule, error)

ListActiveRules lists all active (approved, not expired) rules.

func (*Service) ListPendingRules 

func (s *Service) ListPendingRules(ctx context.Context, tenantID shared.ID) ([]*Rule, error)

ListPendingRules lists all pending rules awaiting approval.

func (*Service) ListRules 

func (s *Service) ListRules(ctx context.Context, tenantID shared.ID, filter RuleFilter) ([]*Rule, error)

ListRules lists suppression rules for a tenant.

func (*Service) RejectRule 

func (s *Service) RejectRule(ctx context.Context, input RejectRuleInput) (*Rule, error)

RejectRule rejects a pending suppression rule.

func (*Service) UpdateRule 

func (s *Service) UpdateRule(ctx context.Context, input UpdateRuleInput) (*Rule, error)

UpdateRule updates an existing suppression rule. Only pending rules can be updated.

type SuppressionType 

type SuppressionType string

SuppressionType represents the type of suppression. 

const (
	SuppressionTypeFalsePositive SuppressionType = "false_positive"
	SuppressionTypeAcceptedRisk  SuppressionType = "accepted_risk"
	SuppressionTypeWontFix       SuppressionType = "wont_fix"
)

func (SuppressionType) IsValid 

func (t SuppressionType) IsValid() bool

IsValid checks if the suppression type is valid.

type UpdateRuleInput 

type UpdateRuleInput struct {
	TenantID    shared.ID
	RuleID      shared.ID
	Name        *string
	Description *string
	RuleIDPat   *string // Rule ID pattern
	ToolName    *string
	PathPattern *string
	ExpiresAt   *string // ISO8601 format, empty string to clear
	UpdatedBy   shared.ID
}

UpdateRuleInput contains input for updating a suppression rule.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.