Combine ignored CVEs from both --config with --ignore flag #388

Open
TomNaessens opened this issue Sep 20, 2023 · 0 comments
Description

Current state

Currently, the --ignore flag overwrites the ignored CVEs from a config file (--config):

    ignore = if options[:ignore]
               Set.new(options[:ignore])
             else
               config.ignore
             end

With config.options coming from the passed configuration file:

    @config = if File.exist?(config_dot_file_full_path)
                Configuration.load(config_dot_file_full_path)
              else
                Configuration.new
              end

Why this would come in handy

In our CI pipelines, we have some template jobs that run bundle-audit across all projects. We also have a .bundler-audit.yml config file to ignore specific CVEs on a per-project basis. If we now want to ignore a CVE across all projects, we have to add the CVE to the ignore file in each project. If the CVEs from the "global" --ignore flag and the config file were both taken into account, we could just add the CVEs to be ignored globally to the --ignore parameter.

Potential implementation

Naive(?) solution: merge the two sets instead of taking one or the other.
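An added example (not code from bundler-audit or from the issue author) that puts the current replace-one-with-the-other logic next to the proposed set union and runs both over constructed advisory ids; `IgnoreConfig` is a hypothetical stand-in for the project's `Configuration` class and the CVE ids are placeholders:

```ruby
require 'set'

# Hypothetical stand-in for bundler-audit's Configuration: only `ignore` is modelled.
IgnoreConfig = Struct.new(:ignore)

# Current behaviour quoted in the issue: a CLI --ignore list replaces the config's list.
def current_ignore(options, config)
  if options[:ignore]
    Set.new(options[:ignore])
  else
    config.ignore
  end
end

# Proposed behaviour: the union of both sources, so per-project ignores from
# .bundler-audit.yml survive when a global --ignore is also passed.
# A nil on either side (no flag, bare Configuration.new) is treated as empty.
def merged_ignore(options, config)
  Set.new(options[:ignore] || []) | Set.new(config.ignore || [])
end

# Simulate the filtering step of a scan: ids that would still be reported.
def reported(advisory_ids, ignore)
  advisory_ids.reject { |id| ignore.include?(id) }
end

# Constructed sample data with placeholder identifiers, not real CVEs.
PROJECT_CONFIG = IgnoreConfig.new(Set.new(['CVE-0000-0001'])) # from .bundler-audit.yml
CLI_OPTIONS    = { ignore: ['CVE-0000-0002'] }                 # from --ignore
ADVISORIES     = ['CVE-0000-0001', 'CVE-0000-0002', 'CVE-0000-0003'].freeze

if __FILE__ == $PROGRAM_NAME
  # With the current code the per-project ignore is silently dropped,
  # so CVE-0000-0001 reappears as a finding once --ignore is used.
  puts "current: #{reported(ADVISORIES, current_ignore(CLI_OPTIONS, PROJECT_CONFIG)).inspect}"
  puts "merged:  #{reported(ADVISORIES, merged_ignore(CLI_OPTIONS, PROJECT_CONFIG)).inspect}"
end
```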
