fix(general): Support CVE suppressions with the root file in repo (#6948)

support suppressions with the root file in repo

Author: rotemavni

checkov/common/bridgecrew/integration_features/features/suppressions_integration.py

@@ -169,6 +169,25 @@ def _check_suppressions(self, record: Record, suppressions: Optional[list[dict[s
                     return suppression
         return None
 
+    def _check_cve_suppression(self, record: Record, suppression: dict[str, Any]) -> bool:
+        if 'accountIds' not in suppression:
+            return False
+        if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in \
+                suppression['accountIds'] \
+                and suppression['cves']:
+            repo_name = align_path(self.bc_integration.repo_id).split('/')[-1]
+            suppression_path = self._get_cve_suppression_path(suppression)
+            repo_file_path = align_path(record.repo_file_path)
+            file_abs_path = align_path(record.file_abs_path)
+            if file_abs_path == suppression_path[1:] or \
+                    file_abs_path == suppression_path or \
+                    file_abs_path.endswith("".join([repo_name, suppression_path])) or \
+                    removeprefix(repo_file_path, '/') == removeprefix(suppression_path, '/') \
+                    or record.file_path == suppression_path:
+                return any(record.vulnerability_details and record.vulnerability_details['id'] == cve['cve']
+                           for cve in suppression['cves'])
+        return False
+
     def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> bool:
         """
         Returns True if and only if the specified suppression applies to the specified record.
@@ -217,21 +236,7 @@ def _check_suppression(self, record: Record, suppression: dict[str, Any]) -> boo
             return False
 
         elif type == 'Cves':
-            if 'accountIds' not in suppression:
-                return False
-            if self.bc_integration.repo_id and self.bc_integration.source_id and self.bc_integration.source_id in suppression['accountIds']\
-                    and suppression['cves']:
-                repo_name = align_path(self.bc_integration.repo_id).split('/')[-1]
-                suppression_path = self._get_cve_suppression_path(suppression)
-                repo_file_path = align_path(record.repo_file_path)
-                file_abs_path = align_path(record.file_abs_path)
-                if file_abs_path == suppression_path[1:] or \
-                        file_abs_path == suppression_path or \
-                        file_abs_path.endswith("".join([repo_name, suppression_path])) or \
-                        removeprefix(repo_file_path, '/') == removeprefix(suppression_path, '/'):
-                    return any(record.vulnerability_details and record.vulnerability_details['id'] == cve['cve']
-                               for cve in suppression['cves'])
-            return False
+            return self._check_cve_suppression(record, suppression)
 
         elif type == 'LicenseType':
             return any(record.vulnerability_details and record.vulnerability_details['license'] == license_type

tests/common/integration_features/test_suppressions_integration.py

@@ -515,11 +515,19 @@ def test_supress_by_cve_for_package_scan(self):
                          resource=None, evaluations=None,
                          check_class=None, file_abs_path='notrequirements.txt', entity_tags=None,
                          vulnerability_details={'id': 'CVE-2022-45452'})
+        record5 = Record(check_id='BC_VUL_2', check_name=None, check_result=None,
+                         code_block=None, file_path=None,
+                         file_line_range=None,
+                         resource=None, evaluations=None,
+                         check_class=None, file_abs_path='home/requirements.txt', entity_tags=None,
+                         vulnerability_details={'id': 'CVE-2021-23727'})
+        record5.file_path = '/requirements.txt'
 
         self.assertTrue(suppressions_integration._check_suppression(record1, suppression))
         self.assertTrue(suppressions_integration._check_suppression(record2, suppression))
         self.assertFalse(suppressions_integration._check_suppression(record3, suppression))
         self.assertFalse(suppressions_integration._check_suppression(record4, suppression))
+        self.assertTrue(suppressions_integration._check_suppression(record5, suppression))
 
     def test_suppress_by_cve_with_empty_cves(self):
         instance = BcPlatformIntegration()