
[FEATURE] Allow a user to exclude specific vulnerabilities from OSS Index #16

Open
DarthHater opened this issue Apr 4, 2020 · 0 comments
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

@DarthHater
Member

DarthHater commented Apr 4, 2020

Much as we've done in the other tools, allow a user to exclude specific vulnerabilities so that they can be ignored from OSS Index.

Suggestions are to allow someone to have a .chelsea.json or .chelsea.yaml file in their repo, which would have a list of vulnerabilities they want ignored by chelsea.

This functionality could ignore off of:

  • The OSS Index ID for the vuln
  • The CVE title for the vuln
  • The CWE title for the vuln

As well, as an extra mile type of step, you could allow someone to ignore the vuln for only a specific period of time. We did that on Nancy, so that people could exclude something if there was no way to upgrade that dependency, and then have it fail at a later date to remind them to check back in on it.

By default you'd check the repository for the file, but also allow someone to pass in a file via the command line from an alternative location.

If someone has ignored a vuln, it should not show up in the audit results, or specifically say it was ignored, and also not cause the application to exit with a non-zero code (if it's the only vulnerability found).

Do not use the term whitelist related to this code.
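One way the exclusion file and matching logic described in this issue could fit together, written in Ruby (the language chelsea is implemented in) as an added example that is not chelsea's own code and not the format the project later adopted. The `.chelsea.json` layout, the field names (`id`, `cve`, `cwe`, `reason`, `until`), the constructed sample findings and all function names are assumptions made for the example. It covers the three match keys listed above, the time-limited exclusion borrowed from the Nancy suggestion (an expired entry stops suppressing the finding, so it reappears in the report), the repository-file-versus-command-line lookup, reporting ignored findings separately with their reason, and the exit-code rule.

```ruby
require 'json'
require 'date'

# Hypothetical .chelsea.json layout (assumed for this example, not chelsea's real format).
# Each "ignore" entry names exactly one of the three keys from the issue and may carry
# an "until" date; after that date the exclusion lapses and the finding is reported again.
SAMPLE_IGNORE_FILE = <<~JSON
  {
    "ignore": [
      { "id":  "osi-constructed-0001", "reason": "no upgrade path yet", "until": "2020-12-31" },
      { "cve": "CVE-0000-00001",       "reason": "vulnerable call site not reachable" },
      { "cwe": "CWE-000",              "reason": "accepted risk, revisit", "until": "2020-01-01" }
    ]
  }
JSON

# Constructed findings standing in for OSS Index audit output (placeholder ids and titles).
SAMPLE_VULNS = [
  { id: 'osi-constructed-0001', title: 'CVE-0000-00000 constructed finding', cwe: 'CWE-111', package: 'gem-a' },
  { id: 'osi-constructed-0002', title: 'CVE-0000-00001 constructed finding', cwe: 'CWE-222', package: 'gem-b' },
  { id: 'osi-constructed-0003', title: 'constructed finding without CVE',    cwe: 'CWE-000', package: 'gem-c' },
  { id: 'osi-constructed-0004', title: 'constructed finding without CVE',    cwe: 'CWE-333', package: 'gem-d' }
]

# Parse the ignore file; "until" becomes a Date so expiry can be compared.
def load_ignore_rules(json_text)
  JSON.parse(json_text).fetch('ignore', []).map do |rule|
    rule = rule.dup
    rule['until'] = Date.parse(rule['until']) if rule['until']
    rule
  end
end

# Pick the ignore file: an explicit command-line path wins, otherwise the
# repository's .chelsea.json if present, otherwise nil (nothing to ignore).
def resolve_ignore_file(repo_dir, override: nil)
  return override if override
  candidate = File.join(repo_dir, '.chelsea.json')
  File.exist?(candidate) ? candidate : nil
end

# An entry with an "until" date only suppresses findings up to and including that day.
def rule_expired?(rule, today)
  rule['until'] && today > rule['until']
end

# A rule matches on the single field it names. The CVE match is anchored with word
# boundaries so "CVE-0000-0000" cannot silently cover "CVE-0000-00001".
def rule_matches?(vuln, rule)
  if rule['id']
    vuln[:id] == rule['id']
  elsif rule['cve']
    vuln[:title].match?(/\b#{Regexp.escape(rule['cve'])}\b/)
  elsif rule['cwe']
    vuln[:cwe] == rule['cwe']
  else
    false
  end
end

# Split findings into those still reported and those suppressed. Ignored entries keep the
# matching rule's reason and expiry so the audit output can say why and for how long.
def apply_ignores(vulns, rules, today: Date.today)
  result = { reported: [], ignored: [] }
  vulns.each do |vuln|
    rule = rules.find { |r| !rule_expired?(r, today) && rule_matches?(vuln, r) }
    if rule
      result[:ignored] << { vuln: vuln, reason: rule['reason'], until: rule['until'] }
    else
      result[:reported] << vuln
    end
  end
  result
end

# Only findings that were not ignored make the audit fail.
def exit_status(result)
  result[:reported].empty? ? 0 : 1
end

if __FILE__ == $PROGRAM_NAME
  rules  = load_ignore_rules(SAMPLE_IGNORE_FILE)
  result = apply_ignores(SAMPLE_VULNS, rules, today: Date.new(2020, 6, 17))
  result[:ignored].each do |e|
    puts "IGNORED  #{e[:vuln][:id]} (#{e[:reason]}#{e[:until] ? ", until #{e[:until]}" : ''})"
  end
  result[:reported].each { |v| puts "REPORTED #{v[:id]} #{v[:title]}" }
  puts "exit status: #{exit_status(result)}"
end
```

With the sample data and a run date of 2020-06-17, the first two findings are suppressed (one by OSS Index id, one by CVE), the CWE-000 rule has already lapsed so its finding is reported again, and the unmatched fourth finding is reported, giving a non-zero status. Passing `today:` explicitly keeps the expiry logic testable; a real CLI would use `Date.today` and read the path returned by `resolve_ignore_file`.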

@DarthHater DarthHater added enhancement New feature or request help wanted Extra attention is needed labels Apr 4, 2020
@DarthHater DarthHater self-assigned this Apr 4, 2020
@DarthHater DarthHater changed the title Allow a user to whitelist specific vulnerabilities from OSS Index Allow a user to exclude specific vulnerabilities from OSS Index Jun 17, 2020
@DarthHater DarthHater added this to the v0.1.0 milestone Jun 17, 2020
@DarthHater DarthHater changed the title Allow a user to exclude specific vulnerabilities from OSS Index [FEATURE] Allow a user to exclude specific vulnerabilities from OSS Index Jun 17, 2020