Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow notes for allowlist items #278

Closed
villesau opened this issue Jun 10, 2022 · 2 comments · Fixed by #284
Closed

Allow notes for allowlist items #278

villesau opened this issue Jun 10, 2022 · 2 comments · Fixed by #284
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@villesau
Copy link

Usually it is good to let other devs to know why something has been ignored. That's why being able to leave notes next to the ignore is important. It might be that the vulnerability does not affect the repo, or then there is no fix available, or it might be something else.

For the reference, this is how better-npm-audit does it: https://github.com/jeemok/better-npm-audit#using-nsprc-file-to-manage-exceptions
@quinnturner
Copy link
Member

Thanks for the feedback! I see no reason why we can't support a similar nsprc file format (at least, within the already existing allowlist array).

"allowlist": [
  "GHSA-42xw-2xvc-qx8m",
  "GHSA-rp65-9cf3-cjxr": {
    "active": true,
    "notes": "Ignored since we don't use xxx method",
    "expiry": 1615462134681
  }
]

Until that's implemented, we do support comments within the JSON. If you're going to use comments, I recommend using the file extension .jsonc for compatibility with IDEs.

@quinnturner quinnturner added enhancement New feature or request good first issue Good for newcomers labels Jun 10, 2022
@villesau
Copy link
Author

Thanks for the hint! Indeed a comment is a good workaround for this for the time being.

@kyletsang kyletsang mentioned this issue Nov 15, 2022
Merged
quinnturner pushed a commit that referenced this issue Dec 7, 2022
@kyletsang
feat: implement allowlist records (#284)
e4385b6 
Closes #277
Closes #278
This was referenced Dec 7, 2022
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: implement allowlist records kyletsang/audit-ci
2 participants
@villesau @quinnturner