Bearer · cfabianski · Jan 11, 2023 · Jan 10, 2023 · Jan 10, 2023 · elsapet
diff --git a/pkg/classification/db/db.go b/pkg/classification/db/db.go
@@ -40,12 +40,13 @@ type DefaultDB struct {
 }
 
 type Recipe struct {
-	URLS     []string  `json:"urls" yaml:"urls"`
-	Name     string    `json:"name" yaml:"name"`
-	Type     string    `json:"type" yaml:"type"`
-	SubType  string    `json:"sub_type" yaml:"sub_type"`
-	Packages []Package `json:"packages" yaml:"packages"`
-	UUID     string    `json:"uuid" yaml:"uuid"`
+	URLS        []string  `json:"urls" yaml:"urls"`
+	ExcludeURLS []string  `json:"exclude_urls" yaml:"exclude_urls"`
+	Name        string    `json:"name" yaml:"name"`
+	Type        string    `json:"type" yaml:"type"`
+	SubType     string    `json:"sub_type" yaml:"sub_type"`
+	Packages    []Package `json:"packages" yaml:"packages"`
+	UUID        string    `json:"uuid" yaml:"uuid"`
 }
 
 type Package struct {

diff --git a/pkg/classification/db/recipes/google_cloud_apis.json b/pkg/classification/db/recipes/google_cloud_apis.json
@@ -2,9 +2,8 @@
   "metadata": { "version": "1.0" },
   "name": "Google Cloud APIs",
   "type": "external_service",
-  "urls": [
-    "https://*.googleapis.com"
-  ],
+  "urls": ["https://*.googleapis.com"],
+  "exclude_urls": ["https://ajax.googleapis.com"],
   "packages": [
     {
       "name": "Google.Apis",

diff --git a/pkg/classification/interfaces/interfaces.go b/pkg/classification/interfaces/interfaces.go
@@ -39,11 +39,12 @@ type Config struct {
 }
 
 type Recipe struct {
-	UUID    string
-	Name    string
-	Type    string
-	SubType string
-	URLS    []RecipeURL
+	UUID        string
+	Name        string
+	Type        string
+	SubType     string
+	URLS        []RecipeURL
+	ExcludeURLS []RecipeURL
 }
 
 type RecipeURL struct {
@@ -57,6 +58,7 @@ type RecipeURLMatch struct {
 	RecipeUUID       string
 	RecipeName       string
 	RecipeSubType    string
+	ExcludedURL      bool
 }
 
 var ErrInvalidRecipes = errors.New("invalid interface recipe")
@@ -75,9 +77,9 @@ func New(config Config) (*Classifier, error) {
 	var preparedRecipes []Recipe
 	for _, recipe := range config.Recipes {
 		preparedRecipe := Recipe{
-			UUID: recipe.UUID,
-			Name: recipe.Name,
-			Type: recipe.Type,
+			UUID:    recipe.UUID,
+			Name:    recipe.Name,
+			Type:    recipe.Type,
 			SubType: recipe.SubType,
 		}
 		for _, recipeURL := range recipe.URLS {
@@ -92,6 +94,20 @@ func New(config Config) (*Classifier, error) {
 			}
 			preparedRecipe.URLS = append(preparedRecipe.URLS, preparedRecipeURL)
 		}
+
+		for _, excludedRecipeURL := range recipe.ExcludeURLS {
+			regexpMatcher, err := url.PrepareRegexpMatcher(excludedRecipeURL)
+			if err != nil {
+				return nil, ErrInvalidRecipes
+			}
+
+			preparedRecipeURL := RecipeURL{
+				URL:           excludedRecipeURL,
+				RegexpMatcher: regexpMatcher,
+			}
+			preparedRecipe.ExcludeURLS = append(preparedRecipe.ExcludeURLS, preparedRecipeURL)
+		}
+
 		preparedRecipes = append(preparedRecipes, preparedRecipe)
 	}
 
@@ -184,12 +200,26 @@ func (classifier *Classifier) Classify(data detections.Detection) (*ClassifiedIn
 	if err != nil {
 		return nil, err
 	}
+
 	if recipeMatch != nil {
+		if recipeMatch.ExcludedURL {
+			return &ClassifiedInterface{
+				Detection: &data,
+				Classification: &Classification{
+					URL: value,
+					Decision: classify.ClassificationDecision{
+						State:  classify.Invalid,
+						Reason: "ignored_url_in_recipe",
+					},
+				},
+			}, nil
+		}
+
 		classifiedInterface := &ClassifiedInterface{
 			Detection: &data,
 			Classification: &Classification{
-				URL:         recipeMatch.DetectionURLPart,
-				RecipeMatch: true,
+				URL:           recipeMatch.DetectionURLPart,
+				RecipeMatch:   true,
 				RecipeUUID:    recipeMatch.RecipeUUID,
 				RecipeName:    recipeMatch.RecipeName,
 				RecipeSubType: recipeMatch.RecipeSubType,
@@ -233,6 +263,19 @@ func (classifier *Classifier) FindMatchingRecipeUrl(detectionURL string) (*Recip
 
 	matchSize := 0
 	for _, recipe := range classifier.Recipes {
+		for _, recipeURL := range recipe.ExcludeURLS {
+			match, err := url.Match(detectionURL, recipeURL.RegexpMatcher)
+			if err != nil {
+				return nil, err
+			}
+
+			if match != "" {
+				return &RecipeURLMatch{
+					ExcludedURL: true,
-					ExcludedURL: true,
+					ExcludedURL: true,
+					DetectionURLPart: match,
+					RecipeURL:        recipeURL.URL,
+					RecipeUUID:       recipe.UUID,
+					RecipeName:       recipe.Name,
+					RecipeSubType:    recipe.SubType,
-					ExcludedURL: true,
+					ExcludedURL: true,
+					DetectionURLPart: match,
+					RecipeURL:        recipeURL.URL,
+					RecipeUUID:       recipe.UUID,
+					RecipeName:       recipe.Name,
+					RecipeSubType:    recipe.SubType,
+				}, nil
+			}
+		}
+
 		for _, recipeURL := range recipe.URLS {
 			match, err := url.Match(detectionURL, recipeURL.RegexpMatcher)
 			if err != nil {

diff --git a/pkg/classification/interfaces/interfaces_test.go b/pkg/classification/interfaces/interfaces_test.go
@@ -42,11 +42,11 @@ func TestInterface(t *testing.T) {
 				},
 			},
 			Want: &interfaces.Classification{
-				URL:         "https://api.stripe.com",
-				RecipeName:  "Stripe",
+				URL:           "https://api.stripe.com",
+				RecipeName:    "Stripe",
 				RecipeSubType: "third_party",
-				RecipeUUID:  "c24b836a-d035-49dc-808f-1912f16f690d",
-				RecipeMatch: true,
+				RecipeUUID:    "c24b836a-d035-49dc-808f-1912f16f690d",
+				RecipeMatch:   true,
 				Decision: classify.ClassificationDecision{
 					State:  classify.Valid,
 					Reason: "recipe_match",
@@ -80,6 +80,33 @@ func TestInterface(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name: "when there is a matching recipe with a wildcard but it is part of the exclusion list",
+			Input: detections.Detection{
+				Value: reportinterfaces.Interface{
+					Type: reportinterfaces.TypeURL,
+					Value: &values.Value{
+						Parts: []values.Part{
+							&values.String{
+								Type:  values.PartTypeString,
+								Value: "https://",
+							},
+							&values.String{
+								Type:  values.PartTypeString,
+								Value: "ajax.googleapis.com",
+							},
+						},
+					},
+				},
+			},
+			Want: &interfaces.Classification{
+				URL: "https://ajax.googleapis.com",
+				Decision: classify.ClassificationDecision{
+					State:  classify.Invalid,
+					Reason: "ignored_url_in_recipe",
+				},
+			},
+		},
 		{
 			Name: "when there is a matching recipe with a wildcard",
 			Input: detections.Detection{
@@ -100,11 +127,11 @@ func TestInterface(t *testing.T) {
 				},
 			},
 			Want: &interfaces.Classification{
-				URL:         "http://*.stripe.com",
-				RecipeName:  "Stripe",
+				URL:           "http://*.stripe.com",
+				RecipeName:    "Stripe",
 				RecipeSubType: "third_party",
-				RecipeUUID:  "c24b836a-d035-49dc-808f-1912f16f690d",
-				RecipeMatch: true,
+				RecipeUUID:    "c24b836a-d035-49dc-808f-1912f16f690d",
+				RecipeMatch:   true,
 				Decision: classify.ClassificationDecision{
 					State:  classify.Potential,
 					Reason: "recipe_match_with_wildcard",
@@ -131,11 +158,11 @@ func TestInterface(t *testing.T) {
 				},
 			},
 			Want: &interfaces.Classification{
-				URL:         "https://googleapis.com/auth/spreadsheets",
-				RecipeName:  "Google Spreadsheets",
+				URL:           "https://googleapis.com/auth/spreadsheets",
+				RecipeName:    "Google Spreadsheets",
 				RecipeSubType: "third_party",
-				RecipeUUID:  "ebe2e05e-bc56-4204-9329-d9b8d3cf1837",
-				RecipeMatch: true,
+				RecipeUUID:    "ebe2e05e-bc56-4204-9329-d9b8d3cf1837",
+				RecipeMatch:   true,
 				Decision: classify.ClassificationDecision{
 					State:  classify.Valid,
 					Reason: "recipe_match",