Support disabling deletion of certain CVEs

[glynternet]

--disable-cve-2021-45105-detection and --disable-cve-2021-44832-detection flags have been added to the delete command to allow for deleting only findings that map to certain CVEs. The solution has been done in this manner so that the flags remain the same across the crawl and delete subcommands, although it would probably be cleaner to implement a flag of the form --include-cve or --ignore-cve which could be an additive or subtractive CVE list. This change would not be hard to do and I'm happy to do that if we are willing to either make break or maintain some deprecated flag values.

Changes include:

• Extracted out common CVE flags for use in crawl and delete and a CVEResolver type that can be configured to ignore CVE-2021-45105 and CVE-2021-44832.
• Adds a VersionMatch to the Deleter which will block deletion of a finding unless the VersionMatch function resolves to true.
  • For the delete command, the VersionMatch function will cause findings to deleted when the valid findings versions have CVEs present, with the option to ignore the two CVEs mentioned above. If a finding has one of the CVEs configured to ignore and other CVEs are still contained within the finding, then the finding can still be deleted.
• Much of the CVE and Log4jVersion code has been put into separate files to make the project tidier.
• Some of the codepaths have had string versions replaced with parsing to Log4JVersion to make the codepaths more understandable when it comes to handling of unknown or invalid versions.
  • Specifically on the point above, with the Reporter.Report method, the original behaviour has been maintained, where strings containing "unknown version - unknown CVE status" and "invalid version - unknown CVE status" can still be populated in the cvesFound slice. I kept this here to maintain backwards compatibility but I am not opposed to making some simple changes here as I find this behaviour a little confusing tbh.

[changelog-app]

Generate changelog in changelog/@unreleased

Type

• Feature
• Improvement
• Fix
• Break
• Deprecation
• Manual task
• Migration

Description

Support disabling deletion of certain CVEs

--disable-cve-2021-45105-detection and --disable-cve-2021-44832-detection flags have been added to the delete command to allow for deleting only findings that map to certain CVEs. Some vulnerable files will contain multiple CVEs and so it is advised that the desired combination of --disable-cve-* flags be found by running with --dry-run=true (which is the default value) first.

Check the box to generate changelog(s)

• Generate changelog entry