x/vuln: add support for suppressing vulnerabilities by ID #59507
Comments
In my case, I'm wanting this because
We would love to support this solution. 👍 In our case, our pipelines are set to fail if govulncheck fails. That being said, not all govulncheck errors are necessarily related to our production code use-cases. It is kind of an industry standard to allow false positives to be ignored in vulnerability checks, static code analysis tools etc. Thx. 👍
govulncheck does not support ignoring a particular vulnerability. Since we're on ibc-go v6.2.x which has a vulnerability, CI will report a red X on all future PRs because govulncheck fails. This PR removes govulncheck. We can re-enable it when govulncheck adds support for ignoring a particular vulnerability. See:
1. golang/go#59507
2. golang/go#61211
This would be useful for cases like https://pkg.go.dev/vuln/GO-2024-2698 which has "no known fix".
What version of Go are you using (go version)?

What operating system and processor architecture are you using (go env)?

go env Output

Hi,
Requesting to introduce a config file (ideally) or a flag that allows users to explicitly exclude some vulnerabilities. Maybe until they resolve them, they can be suppressed in CI and so on.
Thanks
Config file

```yaml
# vuln.yaml
vulnerability:
  exclude:
    - GO-2023-1704
    - GO-2023-1705
```

Flag
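A post-processing filter that applies the exclude list proposed above to govulncheck's JSON output, written here as an added example and not code from x/vuln or from this issue. It assumes the `-format json` stream shape (one JSON object after another, findings under a "finding" key carrying an "osv" id) and parses only the flat config shape shown, with constructed sample input inline.

```go
package main

import (
	"encoding/json"
	"io"
	"strings"
)

// Constructed sample of the vuln.yaml shape proposed in the issue.
const sampleConfig = "# vuln.yaml\nvulnerability:\n  exclude:\n    - GO-2023-1704\n    - GO-2023-1705\n"

// Constructed govulncheck -format json stream (assumption: OSV id is in "finding.osv").
const sampleStream = `{"config":{}}
{"finding":{"osv":"GO-2023-1704","trace":[]}}
{"finding":{"osv":"GO-2023-1704","trace":[]}}
{"finding":{"osv":"GO-2024-2698","trace":[]}}`

// ParseExcludes reads the exclude list with a minimal line parser, not a YAML
// library (assumption: only the flat shape above is supported).
func ParseExcludes(doc string) map[string]bool {
	excludes, inList := map[string]bool{}, false
	for _, line := range strings.Split(doc, "\n") {
		t := strings.TrimSpace(line)
		if inList && strings.HasPrefix(t, "- ") {
			excludes[strings.TrimSpace(t[2:])] = true
		} else if t != "" && !strings.HasPrefix(t, "#") { // skip blanks and comments
			inList = strings.HasPrefix(t, "exclude:") // any other key ends the list
		}
	}
	return excludes
}

// Filter returns the OSV ids in the stream that are not on the exclude list, de-duplicated
// (one finding per call trace); a CI wrapper would fail the build only if the slice is non-empty.
func Filter(stream io.Reader, excludes map[string]bool) (remaining []string, err error) {
	dec, seen := json.NewDecoder(stream), map[string]bool{}
	for dec.More() { // top-level stream of JSON objects, not an array
		var m struct {
			Finding *struct{ OSV string } `json:"finding"` // json matches "osv" case-insensitively
		}
		if err = dec.Decode(&m); err != nil {
			return nil, err
		}
		if f := m.Finding; f != nil && !excludes[f.OSV] && !seen[f.OSV] {
			seen[f.OSV] = true
			remaining = append(remaining, f.OSV)
		}
	}
	return remaining, nil
}
```

In a pipeline this would read `govulncheck -format json ./...` from stdin and the config from disk; the sample constants stand in for both here.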