fix(findings): adjusting suppressions within ASH on false positive findings

Author: scrthq

.github/workflows/ash-build-and-scan.yml

@@ -1,3 +1,4 @@
+#checkov:skip=CKV2_GHA_1:The permissions are not set to write-all at the top-level, or any level
 name: ASH - Core Pipeline
 on:
   push:
@@ -26,6 +27,7 @@ jobs:
       ARCH: ubuntu-latest
       SUMMARY_FILE: "ASH Scan Results Summary.md"
     permissions:
+      #checkov:skip=CKV2_GHA_1:The permissions are not set to write-all at the top-level, or any level
       actions: read
       checks: write
       contents: read
@@ -113,6 +115,7 @@ jobs:
     needs: []
     runs-on: ubuntu-latest
     permissions:
+      #checkov:skip=CKV2_GHA_1:The permissions are not set to write-all at the top-level, or any level
       contents: read
     if: github.event_name == 'pull_request' || (github.event_name == 'push' && github.ref != 'refs/heads/main')
 
@@ -148,6 +151,7 @@ jobs:
     needs: []
     runs-on: ubuntu-latest
     permissions:
+      #checkov:skip=CKV2_GHA_1:The permissions are not set to write-all at the top-level, or any level
       contents: write
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 

.github/workflows/ash-scan-validation.yml

@@ -1,4 +1,5 @@
-name: ASH - Scan Validation  #checkov:skip=CKV2_GHA_1:The permissions are not set to write-all at the top-level, or any level
+#checkov:skip=CKV2_GHA_1:The permissions are not set to write-all at the top-level, or any level
+name: ASH - Scan Validation
 
 on:
   push:

.github/workflows/unit-tests.yml

@@ -1,3 +1,4 @@
+#checkov:skip=CKV2_GHA_1:The permissions are not set to write-all at the top-level, or any level
 name: ASH - Matrix Unit Tests
 
 on:
@@ -16,7 +17,8 @@ jobs:
   unit-test:
     name: Unit Test Python
     runs-on: ${{ matrix.runner }}
-    permissions:  #checkov:skip=CKV2_GHA_1:The permissions are not set to write-all at the top-level, or any level
+    permissions:
+      #checkov:skip=CKV2_GHA_1:The permissions are not set to write-all at the top-level, or any level
       actions: read
       checks: write
       pull-requests: write

automated_security_helper/schemas/cyclonedx_bom_1_6_schema/__init__.py

@@ -4594,17 +4594,17 @@ class Component(BaseModel):
         None,
         description="Asserts the identity of the component using the OmniBOR Artifact ID. The OmniBOR, if specified, must be valid and conform to the specification defined at: [https://www.iana.org/assignments/uri-schemes/prov/gitoid](https://www.iana.org/assignments/uri-schemes/prov/gitoid). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.",
         examples=[
-            # pragma: allowlist secret - Not actually a secret
+            # pragma: allowlist nextline secret - Not actually a secret
             "gitoid:blob:sha1:a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
-            # pragma: allowlist secret - Not actually a secret
+            # pragma: allowlist nextline secret - Not actually a secret
             "gitoid:blob:sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
         ],
         title="OmniBOR Artifact Identifier (gitoid)",
     )
     swhid: Optional[List[str]] = Field(
         None,
         description="Asserts the identity of the component using the Software Heritage persistent identifier (SWHID). The SWHID, if specified, must be valid and conform to the specification defined at: [https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html](https://docs.softwareheritage.org/devel/swh-model/persistent-identifiers.html). Refer to `@.evidence.identity` to optionally provide evidence that substantiates the assertion of the component's identity.",
-        # pragma: allowlist secret - Not actually a secret
+        # pragma: allowlist nextline secret - Not actually a secret
         examples=["swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2"],
         title="Software Heritage Identifier",
     )