implement filtering by packages through the config #944
Conversation
|
I think I need a better way to filter based on semver parts. I know think deps.dev/util/semver does this, I will come back to it once I'm back from leave. |
pkg/config/config.go
Outdated
| LoadPath string `toml:"LoadPath"` | ||
| GoVersionOverride string `toml:"GoVersionOverride"` | ||
| IgnoredVulns []IgnoreEntry `toml:"IgnoredVulns"` | ||
| IgnoredPackageVersions []IgnorePackageVersionEntry `toml:"IgnoredPackageVersions"` |
There was a problem hiding this comment.
I feel like ignore package versions and override package versions both could have the same "package matching" logic.
Can we consolidate them into the same field, and just have a bool ignore which if true ignores the package entirely, otherwise an override field where someone can override the license.
E.g.
[[Package]]
name = "pkg-name"
exactVersion = "1.0.0"
ecosystem = "Go"
ignore = false # if true ignores the package entirely
licenseOverride = ["MIT", "0BSD"]
# In the future, if someone requests we can also add a versionOverride field here, or other overrides
reason = "abc"
# major ...
# minor ...
# ...
There was a problem hiding this comment.
+1.
version (Which I think we should exactVersion to) is optional right?
Additionally, would it make sense to make license a structured field of some sort instead?
I.e.
[[Package]]
[[Package.license]]
override = ["MIT"]
There was a problem hiding this comment.
This makes sense to me! done.
| Allowlist: []models.License{models.License("MIT"), models.License("0BSD")}, | ||
| }, | ||
| }, | ||
| Results: []models.PackageSource{ |
There was a problem hiding this comment.
For maintainability, can we just use the snapshot library here to store/match the results?
There was a problem hiding this comment.
should be done but check my code just in case I'm not understanding the snapshot library correctly
pkg/config/config.go
Outdated
| LoadPath string `toml:"LoadPath"` | ||
| GoVersionOverride string `toml:"GoVersionOverride"` | ||
| IgnoredVulns []IgnoreEntry `toml:"IgnoredVulns"` | ||
| IgnoredPackageVersions []IgnorePackageVersionEntry `toml:"IgnoredPackageVersions"` |
There was a problem hiding this comment.
+1.
version (Which I think we should exactVersion to) is optional right?
Additionally, would it make sense to make license a structured field of some sort instead?
I.e.
[[Package]]
[[Package.license]]
override = ["MIT"]
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #944 +/- ##
==========================================
+ Coverage 65.14% 65.18% +0.04%
==========================================
Files 149 149
Lines 12338 12384 +46
==========================================
+ Hits 8037 8072 +35
- Misses 3849 3859 +10
- Partials 452 453 +1 ☔ View full report in Codecov by Sentry. |
|
Was I supposed to provide a token? https://github.com/google/osv-scanner/actions/runs/8978083643/job/24657957118 |
|
We seem to be getting these errors every now and then, current workaround is just rerun the tests |
pkg/config/config.go
Outdated
| LoadPath string `toml:"LoadPath"` | ||
| GoVersionOverride string `toml:"GoVersionOverride"` | ||
| IgnoredVulns []IgnoreEntry `toml:"IgnoredVulns"` | ||
| PackageVersions []PackageVersionEntry `toml:"PackageVersions"` |
There was a problem hiding this comment.
Rename this to PackageOverrides and PackageOverrideEntry, since version is optional, and we are specifying packages for the scanner to override the interpretation of
josieang
force-pushed
the
package-config
branch
2 times, most recently
from
162fa59
to
b7e6db1
Compare
I'd like feedback on the config yaml schema, the filter message and it's behaviour if the version is empty (it filters any version of that package).
This is in response to #814