Description

Current state

Currently, the --ignore flag overwrites the ignored CVEs from a config file (--config):

bundler-audit/lib/bundler/audit/scanner.rb, lines 221 to 225 in d8af649

With config.options coming from the passed configuration file:

bundler-audit/lib/bundler/audit/scanner.rb, lines 91 to 95 in d8af649

Why this would come in handy

In our CI pipelines, we have some template jobs that run bundle-audit across all projects. We also have a .bundler-audit.yml config file to ignore specific CVEs on a per-project basis. If we now want to ignore a CVE across all projects, we have to add the CVE to the ignore file in each project. If the CVEs from the "global" --ignore flag and the config file were both taken into account, we could just add the CVEs to be ignored globally to the --ignore parameter.

Potential implementation

Naive(?) solution: merge the two sets instead of taking one or the other.
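To make the two behaviours concrete, here is an added example (not bundler-audit's own code) that contrasts the current overwrite semantics with the proposed merge: it reads a constructed .bundler-audit.yml (assumed to carry an `ignore:` list of advisory IDs), validates the IDs, and shows which per-project entries the overwrite silently drops once a global --ignore is passed. The assumption that an empty --ignore falls back to the config list is mine, not stated in the issue.

```ruby
require 'yaml'

# Constructed sample of a per-project .bundler-audit.yml (assumed format:
# an `ignore:` list of advisory IDs; not copied from the project's docs).
PROJECT_CONFIG_YAML = <<~YAML
  ignore:
    - CVE-2020-0001
    - GHSA-xxxx-yyyy-zzzz
YAML

# Advisory IDs passed on the command line via --ignore (constructed sample).
CLI_IGNORE = %w[CVE-2021-0002 CVE-2020-0001].freeze

# Accept only strings that look like advisory IDs, so a typo in the config
# is reported instead of silently suppressing nothing.
ADVISORY_ID = /\A(CVE-\d{4}-\d{4,}|GHSA(-[0-9a-z]{4}){3}|OSVDB-\d+)\z/.freeze

# Parse the config text and return its ignore list (empty if absent).
def load_config_ignores(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  ids = doc.fetch('ignore', [])
  raise ArgumentError, 'ignore must be a list' unless ids.is_a?(Array)
  bad = ids.reject { |id| id.is_a?(String) && id.match?(ADVISORY_ID) }
  raise ArgumentError, "invalid advisory IDs: #{bad.inspect}" unless bad.empty?
  ids
end

# Current behaviour described in the issue: a non-empty --ignore replaces
# whatever the config file lists (fallback to config on empty is assumed).
def effective_ignores_overwrite(cli_ids, config_ids)
  cli_ids.empty? ? config_ids : cli_ids
end

# Proposed behaviour: union of both sources, duplicates collapsed.
def effective_ignores_merge(cli_ids, config_ids)
  (cli_ids + config_ids).uniq
end

# Per-project entries that the overwrite semantics discard: these advisories
# would resurface as findings as soon as a global --ignore is used.
def silently_dropped(cli_ids, config_ids)
  config_ids - effective_ignores_overwrite(cli_ids, config_ids)
end

if $PROGRAM_NAME == __FILE__
  cfg = load_config_ignores(PROJECT_CONFIG_YAML)
  puts "overwrite: #{effective_ignores_overwrite(CLI_IGNORE, cfg).inspect}"
  puts "merge:     #{effective_ignores_merge(CLI_IGNORE, cfg).inspect}"
  puts "dropped:   #{silently_dropped(CLI_IGNORE, cfg).inspect}"
end
```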