[Feature] Ignore specific path of vulnerability about audit-ci HOT 5 CLOSED

I agree that this is an issue, 100%. I would definitely be open to a PR for it!

Sorry for the late response, am on vacation now, just got Wi-Fi 😀

from audit-ci.

No problem 😉

Before starting a PR, how do you think we should handle this? I was thinking an option like whitelisted-paths which will include a list of the whitelisted paths with the related advisory.

The content of the option would be 476|dependency>nested-vulnerable-dependency (with 476 the advisory number). What do you think?

from audit-ci.

whitelisted-paths is a clear option, I like it!

I also like the <advisory #>|dep1>dep2>...>depn approach, works well for CLI as well as config.

One consideration I would look for in this PR is for audit-ci to tell the user if there's a whitelisted-path that is not actually vulnerable at or above their level; either due to a typo or a vulnerability that has been addressed by an update. You can see an example of this in common.js:

const found = summary.whitelistedAdvisoriesNotFound.join(', ');
const msg = `Vulnerable whitelisted advisories not found: ${found}.\nConsider not whitelisting them.`;
console.warn('\x1b[33m%s\x1b[0m', msg);

This can be revised to be whitelisted paths.

from audit-ci.

OK thank you for the feedback. I will look into it next week and open a PR as soon as I have something.

from audit-ci.

Introduced with #104 in release v2.3.0 😄 This makes the package significantly more secure and useful, thank you!

from audit-ci.