Much as we've done in the other tools, allow a user to exclude specific vulnerabilities so that they can be ignored from OSS Index.
Suggestions are to allow someone to have a .chelsea.json or .chelsea.yaml file in their repo, which would have a list of vulnerabilities they want ignored by chelsea.
This functionality could ignore off of:
- The OSS Index ID for the vuln
- The CVE title for the vuln
- The CWE title for the vuln
As well, as an extra mile type of step, you could allow someone to ignore the vuln for only a specific period of time. We did that on Nancy, so that people could exclude something if there was no way to upgrade that dependency, and then have it fail at a later date to remind them to check back in on it.
By default you'd check the repository for the file, but also allow someone to pass in a file via the command line from an alternative location.
If someone has ignored a vuln, it should not show up in the audit results, or specifically say it was ignored, and also not cause the application to exit with a non-zero code (if it's the only vulnerability found).
Do not use the term whitelist related to this code.
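One way the ignore-file behaviour described above could be implemented, as an added example that is not chelsea's own code: the file shape (an `ignore` list whose entries carry an `id`, `cve` or `cwe` plus an optional `until` date), the placeholder vulnerability values and the audit results are all constructed for this illustration.

```ruby
require "json"
require "yaml"
require "date"

# Constructed ignore file (hypothetical .chelsea.json shape, not chelsea's real format):
# each entry names an OSS Index id, a CVE title or a CWE title, plus an optional "until" date.
IGNORE_JSON = <<~JSON
  { "ignore": [
      { "id":  "OSSINDEX-ID-PLACEHOLDER-1", "reason": "no fixed version available yet" },
      { "cve": "CVE-PLACEHOLDER-2", "until": "2020-09-01", "reason": "recheck after upgrade window" }
  ] }
JSON

# Parse the ignore file; JSON or YAML is chosen by the file extension. "until" becomes a Date.
def load_ignore_list(path, content)
  data = if path.end_with?(".yaml", ".yml")
           YAML.safe_load(content, permitted_classes: [Date]) # unquoted YAML dates arrive as Date
         else
           JSON.parse(content)
         end
  Array(data["ignore"]).map do |entry|
    entry.merge("until" => (entry["until"] && Date.parse(entry["until"].to_s)))
  end
end

# An entry applies if it has not expired and one of its id/cve/cwe fields equals the vuln's.
def ignore_applies?(entry, vuln, today)
  return false if entry["until"] && entry["until"] < today # expired: the vuln is reported again
  %w[id cve cwe].any? { |key| entry[key] && entry[key] == vuln[key] }
end

# Split audit results into reported and ignored; exit non-zero only if something is still reported.
def apply_ignores(vulns, entries, today)
  reported, ignored = vulns.partition { |v| entries.none? { |e| ignore_applies?(e, v, today) } }
  { reported: reported, ignored: ignored, exit_code: reported.empty? ? 0 : 1 }
end

# Constructed audit results standing in for OSS Index output.
SAMPLE_VULNS = [
  { "id" => "OSSINDEX-ID-PLACEHOLDER-1", "cve" => "CVE-PLACEHOLDER-1", "cwe" => "CWE-PLACEHOLDER-A" },
  { "id" => "OSSINDEX-ID-PLACEHOLDER-2", "cve" => "CVE-PLACEHOLDER-2", "cwe" => "CWE-PLACEHOLDER-B" }
].freeze

result = apply_ignores(SAMPLE_VULNS, load_ignore_list(".chelsea.json", IGNORE_JSON), Date.new(2020, 6, 17))
result[:ignored].each { |v| puts "ignored: #{v['id']}" }
puts "exit code: #{result[:exit_code]}"
```

Running it on a date after the `until` value shows the time-boxed entry lapsing: the second vulnerability returns to the report and the exit code becomes 1.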
DarthHater changed the title from "Allow a user to whitelist specific vulnerabilities from OSS Index" to "Allow a user to exclude specific vulnerabilities from OSS Index" on Jun 17, 2020.
DarthHater changed the title from "Allow a user to exclude specific vulnerabilities from OSS Index" to "[FEATURE] Allow a user to exclude specific vulnerabilities from OSS Index" on Jun 17, 2020.