Support additional exclude vulnerability files #269
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for the contribution! Before we can merge this, we need @uvegla to sign the Sonatype Contributor License Agreement. |
|
@bhamail @DarthHater Can I please get your feedback / review on this change? Thanks in advance! 🙇🏻 |
bhamail
approved these changes
Jun 22, 2022
| @@ -262,13 +263,22 @@ We support exclusion of vulnerability either by CVE-ID (ex: `CVE-2018-20303`) or | |||
|
|
|||
| ##### Via file | |||
|
|
|||
| By default if a file named `.nancy-ignore` exists in the same directory that nancy is run it will use it, will no other options need to be passed. | |||
| By default, if a file named `.nancy-ignore` exists in the same directory that nancy is run it will use it - no other options need to be passed. | |||
There was a problem hiding this comment.
I hope you don't object to the doc change I made here. I think it is clearer, but happy to revert if you disagree.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change adds the possibility to split
.nancy-ignorefiles into multiple ones in a non-breaking way. The "root" file is still kept as.nancy-ignoreor can be overwritten with the-x/--exclude-vulnerability-fileflag but on top of that a list of additional files can be set via the-a/--additional-exclude-vulnerability-filesflag.The most common use case for using multiple files is when an organisation wants centrally control some of the common known vulnerabilities across hundreds of repositories by generating a file. It makes sense when there are common 3rd party libraries used in upstream dependencies that are either not updated anymore and the organisation cannot change the usage of them in a short period of time, but it takes a short migration for example. By generating am ignore file via automated means controlled by a central force it can save the headache for the rest of the organisation to handle these one-by-one.
However there can still be known vulnerabilities a team wants to ignore for their own repository that is specific to only that one, so the build pipeline for an organisation could look something like:
go list -json -deps | nancy sleuth -a .nancy-ignore.localI chose to add an additional flag to keep backwards compatibility when someone uses the
-x/--exclude-vulnerability-file. An other approach could be to change that flag to a list instead and rename it to-x/--exclude-vulnerability-files. Because of this it is still possible to control the root ignore file via that flag and do something like the below example.go list -json -deps | nancy sleuth -x .nancy-ignore.generated -a .nancy-ignore.localcc @bhamail / @DarthHater