chore: fix presentation for suppressions pending approval (#568)

CatalinSnyk · web-flow · commit b9ea94f06443 · 2026-03-17T12:57:18.000+01:00
diff --git a/internal/presenters/testdata/ufm/secrets.human.readable b/internal/presenters/testdata/ufm/secrets.human.readable
@@ -1,12 +1,23 @@
 [1mTesting  () ...[0m
 
-[1mOpen Secrets issues: 1[0m
+[1mOpen Secrets issues: 2[0m
 
  ✗ [31m[HIGH][0m [1mGeneric API Key[0m
    Finding ID: 99999999-8888-7777-6665-000000000000
    Info: Do not hardcode passwords or other secrets directly in the source code. Use a secure secret management system instead.
    Path: config.env, line 3 to 44
 
+ ! [PENDING IGNORE...] [35m[CRITICAL][0m [1mGeneric Secret[0m
+   Finding ID: bbbbbbbb-bbbb-cccc-dddd-eeeeeeeeeeee
+   Info: Do not hardcode passwords or other secrets directly in the source code. Use a secure secret management system instead.
+   Path: aws_keys.txt, line 4 to 4
+
+   Expiration: September 09, 2027
+   Category:   wont-fix
+   Ignored on: February 05, 2026
+   Ignored by: Someone
+   Reason:     Someone is ignoring this
+
 [1mIgnored Secrets issues: 1[0m
 [1m[0m                         
  ! [IGNORED] [31m[HIGH][0m [1mGeneric API Key[0m
@@ -24,8 +35,8 @@
 │   Test type:         Secret Detection                   │
 │   Project path:                                         │
 │                                                         │
-│   Total secrets issues: 2                               │
+│   Total secrets issues: 3                               │
 │   Ignored: [1m1[0m [[35m 0 CRITICAL [0m[31m 1 HIGH [0m[33m 0 MEDIUM [0m 0 LOW ]    │
-│   Open   : [1m1[0m [[35m 0 CRITICAL [0m[31m 1 HIGH [0m[33m 0 MEDIUM [0m 0 LOW ]    │
+│   Open   : [1m2[0m [[35m 1 CRITICAL [0m[31m 1 HIGH [0m[33m 0 MEDIUM [0m 0 LOW ]    │
 ╰─────────────────────────────────────────────────────────╯
 
diff --git a/internal/presenters/testdata/ufm/secrets.sarif.json b/internal/presenters/testdata/ufm/secrets.sarif.json
@@ -42,6 +42,22 @@
 										"CWE-798"
 									]
 								}
+							},
+							{
+								"id": "generic-secret",
+								"shortDescription": {
+									"text": "Detected a generic secret, which could lead to unauthorized access and sensitive data exposure."
+								},
+								"help": {
+									"text": "",
+									"markdown": "Do not hardcode passwords or other secrets directly in the source code. Use a secure secret management system instead."
+								},
+								"properties": {
+									"tags": [
+										"security",
+										"CWE-798"
+									]
+								}
 							}
 						]
 					}
@@ -98,6 +114,36 @@
 							"kind": "external"
 						}
 					]
+				},
+				{
+					"ruleId": "generic-secret",
+					"level": "error",
+					"message": {
+						"text": "This file contains a critical severity Generic Secret vulnerability."
+					},
+					"locations": [
+						{
+							"physicalLocation": {
+								"artifactLocation": {
+									"uri": "aws_keys.txt"
+								},
+								"region": {
+									"startLine": 4,
+									"startColumn": 35,
+									"endLine": 4,
+									"endColumn": 75
+								}
+							}
+						}
+					],
+					"suppressions": [
+						{
+							"guid": "90b2fe3f-f811-4447-8f75-e32545d753ea",
+							"status": "underReview",
+							"justification": "Someone is ignoring this",
+							"kind": "external"
+						}
+					]
 				}
 			],"automationDetails": {
 					"id": "Snyk/Secrets/0/2026-02-03T11:03:16Z"
diff --git a/internal/presenters/testdata/ufm/secrets.testresult.json b/internal/presenters/testdata/ufm/secrets.testresult.json
@@ -68,9 +68,7 @@
         "source": "cwe"
       },
       "generic-api-key": {
-        "categories": [
-          "Security"
-        ],
+        "categories": ["Security"],
         "help": "Do not hardcode passwords or other secrets directly in the source code. Use a secure secret management system instead.",
         "id": "generic-api-key",
         "name": "Generic API Key",
@@ -81,9 +79,7 @@
         "tags": []
       },
       "generic-api-key-2": {
-        "categories": [
-          "Security"
-        ],
+        "categories": ["Security"],
         "help": "Do not hardcode passwords or other secrets directly in the source code. Use a secure secret management system instead.",
         "id": "generic-api-key-2",
         "name": "Generic API Key",
@@ -92,17 +88,23 @@
         "short_description": "Detected a Generic API Key, potentially exposing access to various services and sensitive operations.",
         "source": "secret",
         "tags": []
+      },
+      "generic-secret": {
+        "categories": ["Security"],
+        "help": "Do not hardcode passwords or other secrets directly in the source code. Use a secure secret management system instead.",
+        "id": "generic-secret",
+        "name": "Generic Secret",
+        "precision": "very-high",
+        "severity": "high",
+        "short_description": "Detected a generic secret, which could lead to unauthorized access and sensitive data exposure.",
+        "source": "secret",
+        "tags": []
       }
     },
     "_problemRefs": {
-      "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": [
-        "generic-api-key",
-        "CWE-798"
-      ],
-      "aaaaaaab-bbbb-cccc-dddd-eeeeeeeeeeee": [
-        "generic-api-key-2",
-        "CWE-798"
-      ]
+      "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": ["generic-api-key", "CWE-798"],
+      "aaaaaaab-bbbb-cccc-dddd-eeeeeeeeeeee": ["generic-api-key-2", "CWE-798"],
+      "399f629d-d638-441c-82a0-379e327dc941": ["generic-secret", "CWE-798"]
     },
     "findings": [
       {
@@ -170,6 +172,88 @@
         "links": {},
         "relationships": {},
         "type": "findings"
+      },
+      {
+        "attributes": {
+          "cause_of_failure": false,
+          "description": "Do not hardcode passwords or other secrets directly in the source code. Use a secure secret management system instead.",
+          "evidence": [],
+          "finding_type": "secret",
+          "key": "bbbbbbbb-bbbb-cccc-dddd-eeeeeeeeeeee",
+          "locations": [
+            {
+              "file_path": "aws_keys.txt",
+              "from_column": 35,
+              "from_line": 4,
+              "to_column": 75,
+              "to_line": 4,
+              "type": "source"
+            }
+          ],
+          "policy_modifications": [
+            {
+              "pointer": "/attributes/rating/severity",
+              "reason": ""
+            }
+          ],
+          "problems": null,
+          "rating": {
+            "severity": "critical"
+          },
+          "risk": {},
+          "suppression": {
+            "created_at": "2026-02-05T15:38:05.824Z",
+            "expires_at": "2027-09-09T00:00:00Z",
+            "justification": "Someone is ignoring this",
+            "policy": {
+              "id": "90b2fe3f-f811-4447-8f75-e32545d753ea"
+            },
+            "status": "pending_ignore_approval"
+          },
+          "title": "Generic Secret"
+        },
+        "id": "399f629d-d638-441c-82a0-379e327dc941",
+        "links": {},
+        "relationships": {
+          "policy": {
+            "data": {
+              "attributes": {
+                "policies": [
+                  {
+                    "applied_policy": {
+                      "action_type": "ignore",
+                      "ignore": {
+                        "created": "2026-02-05T15:38:05.824Z",
+                        "expires": "2027-09-09T00:00:00Z",
+                        "ignored_by": {
+                          "email": "someone@snyk.io",
+                          "id": "00000000-0000-0000-0000-000000000000",
+                          "name": "Someone"
+                        },
+                        "reason": "Someone is ignoring this",
+                        "reason_type": "wont-fix",
+                        "source": ""
+                      },
+                      "rule": {
+                        "created": "0001-01-01T00:00:00Z",
+                        "id": "9a589a14-6ea4-49c5-9fd3-618dc3ebbbd1",
+                        "modified": "0001-01-01T00:00:00Z",
+                        "name": "",
+                        "review": "unknown"
+                      }
+                    },
+                    "id": "90b2fe3f-f811-4447-8f75-e32545d753ea",
+                    "type": "legacy_policy_snapshot"
+                  }
+                ]
+              },
+              "id": "91e77580-0b5d-4ae9-a7b2-4c035018857b",
+              "type": "policies"
+            },
+            "links": {}
+          }
+        },
+        "type": "findings"
       }
     ]
   }
diff --git a/pkg/apiclients/testapi/issues.go b/pkg/apiclients/testapi/issues.go
@@ -806,7 +806,7 @@ func (b *issueBuilder) deduplicate() {
 // build constructs the final Issue from collected data
 func (b *issueBuilder) build() *issue {
 	metadata := b.buildMetadata()
-	activeIgnoreDetail := determineActiveIgnoreDetail(b.ignoreDetails)
+	ignoreDetail := determineIgnoreDetail(b.ignoreDetails)
 
 	return &issue{
 		findings:          b.findings,
@@ -826,23 +826,23 @@ func (b *issueBuilder) build() *issue {
 		riskScore:         b.riskScore,
 		reachability:      b.reachability,
 		metadata:          metadata,
-		ignoreDetail:      activeIgnoreDetail,
+		ignoreDetail:      ignoreDetail,
 	}
 }
 
-func determineActiveIgnoreDetail(ignoreDetails []IssueIgnoreDetails) IssueIgnoreDetails {
-	activeIgnores := 0
-	var firstIgnoreDetail IssueIgnoreDetails
-	for _, detail := range ignoreDetails {
-		if detail != nil && detail.IsActive() {
-			firstIgnoreDetail = detail
-			activeIgnores++
-		}
+func determineIgnoreDetail(ignoreDetails []IssueIgnoreDetails) IssueIgnoreDetails {
+	statusPriority := []SuppressionStatus{
+		SuppressionStatusIgnored,
+		SuppressionStatusPendingIgnoreApproval,
+		SuppressionStatusOther,
 	}
 
-	// if all findings are ignored, return the first ignore details
-	if activeIgnores == len(ignoreDetails) {
-		return firstIgnoreDetail
+	for _, status := range statusPriority {
+		for _, detail := range ignoreDetails {
+			if detail != nil && detail.GetStatus() == status {
+				return detail
+			}
+		}
 	}
 
 	return nil
diff --git a/pkg/apiclients/testapi/issues_ignore_details_test.go b/pkg/apiclients/testapi/issues_ignore_details_test.go
@@ -171,6 +171,59 @@ func TestIssueIgnoreDetails_SuppressionFields(t *testing.T) {
 	assert.Equal(t, skipIfFixable, *details.SkipIfFixable())
 }
 
+func TestIssueIgnoreDetails_GetIgnoreDetails_BasedOnSuppressionStatus(t *testing.T) {
+	testCases := []struct {
+		name                string
+		suppressionStatuses []testapi.SuppressionStatus
+		expectedStatus      testapi.SuppressionStatus
+		expectNilDetails    bool
+	}{
+		{name: "single ignored", suppressionStatuses: []testapi.SuppressionStatus{testapi.SuppressionStatusIgnored}, expectedStatus: testapi.SuppressionStatusIgnored},
+		{name: "single pending", suppressionStatuses: []testapi.SuppressionStatus{testapi.SuppressionStatusPendingIgnoreApproval}, expectedStatus: testapi.SuppressionStatusPendingIgnoreApproval},
+		{name: "single other", suppressionStatuses: []testapi.SuppressionStatus{testapi.SuppressionStatusOther}, expectedStatus: testapi.SuppressionStatusOther},
+		{name: "ignored wins over pending and other", suppressionStatuses: []testapi.SuppressionStatus{testapi.SuppressionStatusOther, testapi.SuppressionStatusPendingIgnoreApproval, testapi.SuppressionStatusIgnored}, expectedStatus: testapi.SuppressionStatusIgnored},
+		{name: "pending wins over other", suppressionStatuses: []testapi.SuppressionStatus{testapi.SuppressionStatusOther, testapi.SuppressionStatusPendingIgnoreApproval}, expectedStatus: testapi.SuppressionStatusPendingIgnoreApproval},
+	}
+
+	for _, tt := range testCases {
+		t.Run(tt.name, func(t *testing.T) {
+			findings := make([]*testapi.FindingData, len(tt.suppressionStatuses))
+			for i, status := range tt.suppressionStatuses {
+				findings[i] = &testapi.FindingData{
+					Attributes: &testapi.FindingAttributes{Suppression: &testapi.Suppression{Status: status}},
+					Id:         func() *openapi_types.UUID { id := uuid.New(); return &id }(),
+				}
+			}
+
+			issue, err := testapi.NewIssueFromFindings(findings)
+			require.NoError(t, err)
+
+			details := issue.GetIgnoreDetails()
+			if tt.expectNilDetails {
+				assert.Nil(t, details)
+			} else {
+				require.NotNil(t, details)
+				assert.Equal(t, tt.expectedStatus, details.GetStatus())
+			}
+		})
+	}
+
+	t.Run("empty suppression status yields nil", func(t *testing.T) {
+		findings := []*testapi.FindingData{
+			{
+				Attributes: &testapi.FindingAttributes{Suppression: &testapi.Suppression{}},
+				Id:         func() *openapi_types.UUID { id := uuid.New(); return &id }(),
+			},
+		}
+
+		issue, err := testapi.NewIssueFromFindings(findings)
+		require.NoError(t, err)
+
+		details := issue.GetIgnoreDetails()
+		assert.Nil(t, details)
+	})
+}
+
 func TestIssueIgnoreDetails_IsActive(t *testing.T) {
 	tests := []struct {
 		name            string
@@ -179,7 +232,7 @@ func TestIssueIgnoreDetails_IsActive(t *testing.T) {
 		expectActive    bool
 	}{
 		{"ignored status", testapi.SuppressionStatusIgnored, false, true},
-		{"pending status", testapi.SuppressionStatusPendingIgnoreApproval, true, false},
+		{"pending status", testapi.SuppressionStatusPendingIgnoreApproval, false, false},
 		{"empty status", "", true, false},
 	}
 
