SQL-147 Add suppression for core.async nvd FP #222
Conversation
Makefile
Outdated
| @@ -76,7 +76,7 @@ bench-async: | |||
| # Vulnerability check | |||
|
|
|||
| target/nvd: | |||
| clojure -Xnvd check :classpath '"'"$$(clojure -Spath -A:db-h2:db-sqlite:db-postgres)"'"' | |||
| clojure -Xnvd check :classpath '"'"$$(clojure -Spath -A:db-h2:db-sqlite:db-postgres)"'"' :config-filename '"nvd_config.json"' | |||
There was a problem hiding this comment.
Feel like nvd_config.json (and nvd_suppression.xml) could go in the dev_resources folder.
There was a problem hiding this comment.
(Unless the :nvd alias requires that the files be at the top level)
There was a problem hiding this comment.
It doesn't require that to my knowledge, but by convention I'd expect to see config & scan exception stuff like this at the top level
There was a problem hiding this comment.
That dev-time config goes in the root of the repo? Yeah, definitely. See deps.edn, Makefile, Dockerfile, etc... If you are for some reason compelled to put them in a directory, make it a new (possibly hidden) one, as config is not really a "resource". this is where you see things like .git, .github, etc.
There was a problem hiding this comment.
In that case you could create an .nvd directory to put all the NVD stuff
| @@ -0,0 +1,3 @@ | |||
| { | |||
| "nvd": {"suppression-file": ".nvd/suppression.xml"} | |||
There was a problem hiding this comment.
@kelvinqian00 this is a good example of why we put config in the root, file paths in config files. This works (because the .nvd/ added), but is immediately more confusing because it knows nothing of the relative path in the dir. In this case everything works so let's just go with it.
Per jeremylong/DependencyCheck#4384, we have a false positive on nvd scan. Add suppression file to clear core.async, at least until it is resolved.
Note that this should follow the merge + new version resulting from yetanalytics/actions#9