Add option to ignore certain advisories that have been manually worked around (#74)

* Add option to ignore certain advisories that have been manually worked around

* Remove unnecesary curly braces

* Add new config instructions on readme

Author: f-moya

Diff for: README.md

@@ -25,6 +25,20 @@ plugins:
       path: optional/path/to/Gemfile.lock
 ```
 
+In the same way you can ignore certain advisories that have been manually resolved:
+
+```yml
+# .codeclimate.yml
+plugins:
+  bunlder-audit:
+    enabled: true
+    config:
+      ignore:
+        - CVE-YYYY-XXXX
+```
+
+* `ignore:` \[Array\<String\>\] - A list of advisory IDs to ignore.
+
 ### Updating the vulnerability database
 
 If you want to update the vulnerability database, run

Diff for: lib/cc/engine/bundler_audit/analyzer.rb

@@ -25,7 +25,7 @@ def run
             FileUtils.cp(gemfile_path, File.join(dir, GEMFILE))
 
             Dir.chdir(dir) do
-              Bundler::Audit::Scanner.new.scan do |vulnerability|
+              Bundler::Audit::Scanner.new.scan(ignore: ignored_advisories) do |vulnerability|
                 if (issue = issue_for_vulerability(vulnerability))
                   stdout.print("#{issue.to_json}\0")
                 else
@@ -73,6 +73,10 @@ def engine_config
             end
         end
 
+        def ignored_advisories
+          engine_config.fetch("config", {}).fetch("ignore", [])
+        end
+
         def gemfile_lock_path
           File.join(directory, gemfile_lock_relative_path)
         end

Diff for: spec/cc/engine/bundler_audit/analyzer_spec.rb

@@ -18,6 +18,14 @@ module CC::Engine::BundlerAudit
         end
       end
 
+      it "ignores specified advisories" do
+        with_written_config(config: { ignore: %w[CVE-2016-0751 CVE-2015-7576] }) do |path|
+          directory = fixture_directory("ignore")
+          issues = analyze_directory(directory, engine_config_path: path)
+          expect(expected_issues("ignore")).to be_present_in(issues)
+        end
+      end
+
       it "emits issues for unpatched gems in Gemfile.lock" do
         with_default_written_config do |path|
           directory = fixture_directory("unpatched_versions")

Diff for: spec/fixtures/ignore/Gemfile

@@ -0,0 +1,7 @@
+source "https://rubygems.org"
+
+gem "rails", "~> 4.2.5"
+gem "devise", "~> 3.4.0"
+gem "jquery-rails", "~> 3.1.2"
+gem "uglifier", "~> 2.5.3"
+gem "simple_form", git: "git@github.com:plataformatec/simple_form.git"

Diff for: spec/fixtures/ignore/Gemfile.lock

@@ -0,0 +1,135 @@
+GIT
+  remote: git@github.com:plataformatec/simple_form.git
+  revision: ac63da0f0b38df82385493f25f649e320b0acb4a
+  specs:
+    simple_form (3.2.1)
+      actionpack (> 4, < 5.1)
+      activemodel (> 4, < 5.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionmailer (4.2.5)
+      actionpack (= 4.2.5)
+      actionview (= 4.2.5)
+      activejob (= 4.2.5)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+    actionpack (4.2.5)
+      actionview (= 4.2.5)
+      activesupport (= 4.2.5)
+      rack (~> 1.6)
+      rack-test (~> 0.6.2)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (4.2.5)
+      activesupport (= 4.2.5)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    activejob (4.2.5)
+      activesupport (= 4.2.5)
+      globalid (>= 0.3.0)
+    activemodel (4.2.5)
+      activesupport (= 4.2.5)
+      builder (~> 3.1)
+    activerecord (4.2.5)
+      activemodel (= 4.2.5)
+      activesupport (= 4.2.5)
+      arel (~> 6.0)
+    activesupport (4.2.5)
+      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    arel (6.0.3)
+    bcrypt (3.1.7)
+    builder (3.2.2)
+    concurrent-ruby (1.0.0)
+    devise (3.4.0)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 3.2.6, < 5)
+      responders
+      thread_safe (~> 0.1)
+      warden (~> 1.2.3)
+    erubis (2.7.0)
+    execjs (2.2.1)
+    globalid (0.3.6)
+      activesupport (>= 4.1.0)
+    i18n (0.7.0)
+    jquery-rails (3.1.2)
+      railties (>= 3.0, < 5.0)
+      thor (>= 0.14, < 2.0)
+    json (1.8.3)
+    loofah (2.0.3)
+      nokogiri (>= 1.5.9)
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    mime-types (2.99)
+    mini_portile2 (2.0.0)
+    minitest (5.8.3)
+    nokogiri (1.6.7.1)
+      mini_portile2 (~> 2.0.0.rc2)
+    orm_adapter (0.5.0)
+    rack (1.6.4)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rails (4.2.5)
+      actionmailer (= 4.2.5)
+      actionpack (= 4.2.5)
+      actionview (= 4.2.5)
+      activejob (= 4.2.5)
+      activemodel (= 4.2.5)
+      activerecord (= 4.2.5)
+      activesupport (= 4.2.5)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.2.5)
+      sprockets-rails
+    rails-deprecated_sanitizer (1.0.3)
+      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (1.0.7)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
+      rails-deprecated_sanitizer (>= 1.0.1)
+    rails-html-sanitizer (1.0.2)
+      loofah (~> 2.0)
+    railties (4.2.5)
+      actionpack (= 4.2.5)
+      activesupport (= 4.2.5)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (10.4.2)
+    responders (2.0.0)
+      railties (>= 4.2.0.alpha, < 5)
+    sprockets (3.5.2)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.0.0)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    uglifier (2.5.3)
+      execjs (>= 0.3.0)
+      json (>= 1.8.0)
+    warden (1.2.3)
+      rack (>= 1.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  devise (~> 3.4.0)
+  jquery-rails (~> 3.1.2)
+  rails (~> 4.2.5)
+  simple_form!
+  uglifier (~> 2.5.3)
+
+BUNDLED WITH
+   1.11.2