
Support ignoring findings using .skjoldignore files. #47

Merged
merged 16 commits into from
Jun 19, 2021

Conversation

twu
Owner

@twu twu commented Jun 19, 2021

Fixes #42

Proposed Changes:

  • Add support for .skjoldignore file heavily inspired by the .snyk[0] ignore syntax. This should add support for permanently or temporarily ignoring findings based on their source identifier.
  • Extend cli output to show ignored entries.
  • Extend json output to show ignored entries.
  • Add cli command to append a new finding to the ignore file e.g. skjold ignore add CVE-2018-20060 ....
  • Allow setting the ignore file location via pyproject.toml.
  • Allow setting the ignore file location via cli and/or ENV.
  • Add and update tests.

Example .skjold_ignore:

```yaml
ignore:
  CVE-2018-20060:
  - expires: 2021-01-01T00:00:00+0000
    package: urllib3
    reason: No remediation available.
  CVE-2019-11236:
  - expires: 2022-01-01T00:00:00+0000
    package: urllib3
    reason: No remediation available.
  PYSEC-2020-149:
  - expires: 2022-01-01T00:00:00+0000
    package: urllib3
    reason: No remediation available.
version: "1.0"
```

Links
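An added example, not skjold's own code, that implements the ignore-file semantics the description lays out: a finding is matched by identifier and package, and an entry whose `expires` timestamp has passed no longer suppresses it, so a temporary ignore resurfaces in the report once it lapses. The parsed document is embedded as the mapping PyYAML's `safe_load()` would return for the example file above; the function names and the audit timestamp are assumptions.

```python
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed: the example .skjoldignore above, as the mapping PyYAML's safe_load()
# would return for it (embedded so this runs without a yaml dependency).
IGNORE_FILE = {
    "version": "1.0",
    "ignore": {
        "CVE-2018-20060": [{"expires": "2021-01-01T00:00:00+0000",
                            "package": "urllib3", "reason": "No remediation available."}],
        "CVE-2019-11236": [{"expires": "2022-01-01T00:00:00+0000",
                            "package": "urllib3", "reason": "No remediation available."}],
        "PYSEC-2020-149": [{"expires": "2022-01-01T00:00:00+0000",
                            "package": "urllib3", "reason": "No remediation available."}],
    },
}

def parse_expiry(value: str) -> datetime:
    """Parse an 'expires' timestamp. strptime's %z accepts the '+0000' offset used in
    the example; datetime.fromisoformat only does so from Python 3.11 onward."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")

def ignore_reason(ignore_file: dict, identifier: str, package: str,
                  now: datetime) -> Optional[str]:
    """Return the recorded reason if the (identifier, package) finding is currently
    ignored, else None. Expired entries never suppress a finding, so a temporary
    ignore resurfaces in the report once it lapses."""
    if str(ignore_file.get("version")) != "1.0":
        raise ValueError(f"unsupported ignore file version: {ignore_file.get('version')!r}")
    for entry in ignore_file.get("ignore", {}).get(identifier, []):
        if entry.get("package") != package:
            continue  # same identifier, different package: this entry does not apply
        if parse_expiry(entry["expires"]) <= now:
            continue  # expired: report the finding again
        return entry.get("reason", "")
    return None

def partition_findings(ignore_file: dict, findings: List[Tuple[str, str]],
                       now: datetime) -> Tuple[list, list]:
    """Split (identifier, package) findings into (reported, ignored); ignored
    entries carry their reason so the CLI/JSON output can list them."""
    reported, ignored = [], []
    for identifier, package in findings:
        reason = ignore_reason(ignore_file, identifier, package, now)
        if reason is None:
            reported.append((identifier, package))
        else:
            ignored.append((identifier, package, reason))
    return reported, ignored
```

Evaluated on the PR's merge date (2021-06-19), the CVE-2018-20060 entry has already lapsed and that finding is reported again, while the two entries expiring in 2022 still suppress their findings.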

@twu twu added the enhancement New feature or request label Jun 19, 2021
@twu twu linked an issue Jun 19, 2021 that may be closed by this pull request
@twu twu added this to the v0.3.0 milestone Jun 19, 2021
@twu twu changed the base branch from master to develop June 19, 2021 11:13
@twu twu self-assigned this Jun 19, 2021
@twu twu mentioned this pull request Jun 19, 2021
@twu twu marked this pull request as ready for review June 19, 2021 18:03
@twu twu changed the title Initial support for (temporarily) ignoring findings using .skjoldignore. Support (temporarily) ignoring findings using .skjoldignore files. Jun 19, 2021
@twu twu merged commit c537b7a into develop Jun 19, 2021
@twu twu deleted the feature/42-support-ignoring-cves branch June 19, 2021 18:27
@twu twu changed the title Support (temporarily) ignoring findings using .skjoldignore files. Support ignoring findings using .skjoldignore files. Jun 19, 2021
twu added a commit that referenced this pull request Jun 20, 2021
* Initial support for OSV API/PyPA Advisory database. (#46)

* Update mypy and switch to 'pyproject.toml'-based setup.
* Add references to 'cli' output if present.
* Add support for OSV using either 'osv' (API) or 'pypa' (repository) as a source.
* Update README.md.
* Update pypi classifiers.
* Update tests.

* Support ignoring findings using `.skjoldignore` files. (#47)

* Support for '.skjoldignore' files during audit.
* Add dummy entry to '.skjoldignore'.
* Add 'ignore' command.
* Add warning about enabling 'report_only' in combination with using pre-commit.
* Always use 'verbose: true' with pre-commit hook by default.
* Add 'verbose: true' to README.md.
* Ensure findings/vulnerable packages are always printed to 'stderr'.
* Allow setting ignore file via env/cli.
* Update README.md.
* Add usage examples.

* Update README.md.
@twu twu mentioned this pull request Jun 20, 2021
Successfully merging this pull request may close these issues.

Allow ignoring CVEs