
Add vulnerabilities.ignore flag to just ignore vulnerabilities. #1226

Closed
another-rex opened this issue Sep 5, 2024 · 2 comments · Fixed by #1268
Labels
backlog Important but currently unprioritized

Comments

@another-rex
Collaborator

another-rex commented Sep 5, 2024

The PackageOverride.ignore field is ambiguous as to whether license scanning is still performed. A solution could be to rename ignore to ignoreVulns.

Ignore flag already ignores both vulnerabilities and license violations. We should have a second flag for just vulnerabilities. The opposite of #1124

@another-rex another-rex added the backlog Important but currently unprioritized label Sep 5, 2024
@G-Rath
Collaborator

G-Rath commented Sep 5, 2024

I thought that ignore had it ignored from both license scanning and vulnerabilities?

fwiw, I'd recommend doing something like vulnerabilities.ignore to mirror license.overrides

@another-rex
Collaborator Author

Huh, you are right, I am just very confused by the behavior of our configs. I'll update this issue to be about introducing a just-ignore-vulns option.

@another-rex another-rex changed the title Deprecate ignore field in config and rename to ignoreVulns Add vulnerabilities.ignore flag to just ignore vulnerabilities. Sep 5, 2024
another-rex pushed a commit that referenced this issue Oct 3, 2024
This implements the ability to ignore vulnerabilities in a matching
group of packages while still reporting license violations, as the
inverse to `license.ignore`.

Resolves #1226
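As an added illustration (not osv-scanner's own code) of the override semantics discussed in this thread, the following models how a scanner would decide what to report for a package once `ignore`, `license.ignore` and the proposed `vulnerabilities.ignore` coexist. The key names follow the thread (the project's final key may differ), the overrides are assumed to select packages by `name` and `ecosystem` only, and the sample config is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    """What the scanner should still report for one package."""
    report_vulns: bool
    report_licenses: bool


def override_matches(override: dict, name: str, ecosystem: str) -> bool:
    """An override applies when every selector it sets matches the package.

    Simplification (assumption): only `name` and `ecosystem` selectors are
    modelled. An override that sets no selector matches nothing, so a
    malformed entry cannot silently suppress findings for every package.
    """
    selectors = {k: override[k] for k in ("name", "ecosystem") if k in override}
    if not selectors:
        return False
    pkg = {"name": name, "ecosystem": ecosystem}
    return all(pkg[k] == v for k, v in selectors.items())


def decide(overrides: list[dict], name: str, ecosystem: str) -> Decision:
    """Apply the semantics from the thread:
    - `ignore`                 suppresses vulnerabilities AND license violations
    - `license.ignore`         suppresses only license violations
    - `vulnerabilities.ignore` suppresses only vulnerabilities (the new flag)
    Suppression is sticky: once any matching override suppresses a finding
    kind, a later matching override cannot re-enable it.
    """
    report_vulns = report_licenses = True
    for ov in overrides:
        if not override_matches(ov, name, ecosystem):
            continue
        if ov.get("ignore", False):
            report_vulns = report_licenses = False
        if ov.get("license", {}).get("ignore", False):
            report_licenses = False
        if ov.get("vulnerabilities", {}).get("ignore", False):
            report_vulns = False
    return Decision(report_vulns, report_licenses)


# Constructed sample, shaped like a [[PackageOverrides]] list from osv-scanner.toml.
SAMPLE_OVERRIDES = [
    {"name": "lib-a", "ecosystem": "Go", "ignore": True, "reason": "fully ignored"},
    {"name": "lib-b", "ecosystem": "npm", "license": {"ignore": True}},
    {"name": "lib-c", "ecosystem": "npm", "vulnerabilities": {"ignore": True}},
    {"ignore": True},  # no selector: must not match anything
]
```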