Allow ignoring CVEs

[micheller]

Motivation:
One might need a way to ignore a vulnerability

• temporarily
  until a migration to a new library would take place
  so that safety check does not fail every day until you migrate
• permanently
  for example, if you faced a CVE like this: https://nvd.nist.gov/vuln/detail/CVE-2020-28463

[twu]

Hej!

Thanks for giving skjold a shot! Sounds like a great idea! I already had a TODO for adding something like it at one point. So why not do it now :)

Here is my idea. Let me know what you think and whether you want to work on it or not :) Otherwise I will try to add it within the next weeks as I'm a little swamped with work ATM.

permanently

A file containing a list of identifiers of the findings to be ignored from the various sources should be easy enough to implement e.g. pyup.io-25625 (PyUp), GHSA-xwhf-g6j5-j5gc (Github) and CVE-2014-3225 (Gemnasium).

File .skjoldignore

pyup.io-39293  # user comment
pyup.io-25625  # some comment
GHSA-xwhf-g6j5-j5gc
...

The .skjoldignore file would then be picked up when running audit based on the ignore_file setting in the pyproject.toml or via passing -i <path-to-ignore>.

I'm not yet sure how output should be handled though and whether ignored findings should still be presented somehow. Maybe add a small note to cli and an ignored field to the json output, I guess?

temporarily

Adding an additional optional parameter I to pass a list of identifiers to be ignore e.g.

skjold audit -I pyup.io-25625,GHSA-xwhf-g6j5-j5gc ./requirements.txt

What do you think?

[twu]

I started implementing a slightly different approach after discovering how snyk and the .snyk file are handling this topic. I quite like the idea, see #47. I will try to release this as part of v0.3.0 later this month. Let me know what you think :)

[twu]

Added it to develop and will do a release (v0.3.0) tomorrow (2020-06-20).