Comments (5)
I agree that this is an issue, 100%. I would definitely be open to a PR for it!
Sorry for the late response, am on vacation now, just got Wi-Fi 😀
from audit-ci.
No problem 😉
Before starting a PR, how do you think we should handle this? I was thinking an option like whitelisted-paths
which will include a list of the whitelisted paths with the related advisory.
The content of the option would be 476|dependency>nested-vulnerable-dependency
(with 476 the advisory number). What do you think?
from audit-ci.
whitelisted-paths
is a clear option, I like it!
I also like the <advisory #>|dep1>dep2>...>depn
approach, works well for CLI as well as config.
One consideration I would look for in this PR is for audit-ci
to tell the user if there's a whitelisted-path
that is not actually vulnerable at or above their level; either due to a typo or a vulnerability that has been addressed by an update. You can see an example of this in common.js
:
const found = summary.whitelistedAdvisoriesNotFound.join(', ');
const msg = `Vulnerable whitelisted advisories not found: ${found}.\nConsider not whitelisting them.`;
console.warn('\x1b[33m%s\x1b[0m', msg);
This can be revised to be whitelisted paths.
from audit-ci.
OK thank you for the feedback. I will look into it next week and open a PR as soon as I have something.
from audit-ci.
Introduced with #104 in release v2.3.0
😄 This makes the package significantly more secure and useful, thank you!
from audit-ci.
Related Issues (20)
- Drop support for Node <12 HOT 1
- Long summary output for only one vulnerable advisory HOT 6
- Cannot convert undefined or null to object Exiting HOT 9
- Support allowlisting private packages by module HOT 7
- Recommend pinning to commit SHA or release tag HOT 3
- Add expiration time for allow list items HOT 1
- Allow notes for allowlist items HOT 2
- [Feature] Support Gitlab SAST report-type HOT 2
- Let the severity level influence the json output HOT 1
- Fail on unmatched ignores HOT 1
- Invalid JSON config file when using new allowlist NSPRecord syntax HOT 3
- Add support for registry flag for PNPM HOT 1
- Support Yarn's `--exclude` HOT 2
- Handle errors from Yarn Berry more gracefully HOT 2
- Tests should include all major Yarn versions HOT 2
- packages starting with "@" are not working in allowlist HOT 2
- Replace event-stream with something secure and supported HOT 4
- The audit report format changed? HOT 2
- CI commands fail because no version 7 HOT 1
- Support Yarn v4 HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from audit-ci.