RetireJS / retire.js

scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
https://retirejs.github.io/retire.js/

ignore .retireignore.json is not skipping node_modules #311

Closed patil-akshay closed 4 years ago

patil-akshay commented 4 years ago

Retire.js version: (retire --version): 2.0.3

node version: (node --version): 8.17.0

Type: Bug

Description: It's not skipping node_modules. Below are the .retireignore.json file contents:

[
  {
    "component": "jquery",
    "version": "1.12.1",
    "justification": "This CVE (CVE-2019-11358) deals with pollution of prototype. The CVE is a blocker and should be solved with the release of SIW 3.0"
  },
  {
    "path": "node_modules",
    "justification": "The node modules are only used for building - client side dependencies are using bower"
  }
]

Expected behaviour: It should skip node_modules.

eoftedal commented 4 years ago

Sorry for the late reply. If you want to ignore anything in the node_modules folder and you are only scanning for frontend stuff, you should try retire --js.

Yivan commented 4 years ago

@eoftedal Hello, even with --js, retire scans inside node_modules directories. It should not, and as we have everywhere some node_modules directories and --ignore doesn't accept something like **/node_modules/**, we are stuck ; ((

Could it be reopened please?

I mention this issue, as it is linked: https://github.com/RetireJS/retire.js/issues/301

Thanks
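One way to work around the missing glob support described in the last comment, added here as an example and not code from retire.js or from anyone in this thread: enumerate every node_modules directory explicitly and pass the result to --ignore. It assumes --ignore takes a comma-delimited list of paths; `node_modules_ignore_list` is a hypothetical helper name, and the thread does not confirm that version 2.0.3 honours the resulting list.

```shell
#!/bin/sh
# Added example, not part of retire.js.
# The thread reports that --ignore does not accept a glob such as
# **/node_modules/**, so this helper expands the glob by hand.

# Print every top-most node_modules directory under $1 (default: .) as a
# single comma-separated line. The body runs in a subshell so its variables
# do not leak into the caller.
node_modules_ignore_list() (
  root="${1:-.}"

  # -prune stops find from descending into a match: a node_modules nested
  # inside another node_modules is already covered by its parent entry.
  dirs=$(find "$root" -type d -name node_modules -prune -print | LC_ALL=C sort)

  # A comma inside a path cannot be represented in a comma-delimited list.
  # Fail loudly instead of silently ignoring the wrong directory.
  case "$dirs" in
    *,*)
      echo "path contains a comma, cannot build ignore list" >&2
      exit 1
      ;;
  esac

  # Command substitution stripped the trailing newline, so joining on
  # newlines leaves no trailing comma. An empty result prints an empty line.
  printf '%s' "$dirs" | tr '\n' ','
  printf '\n'
)

# Usage (assumption: --ignore takes a comma-delimited list of paths):
#   list=$(node_modules_ignore_list .) && retire --js ${list:+--ignore "$list"}
```

Review the generated list before relying on it: every directory it names is excluded from the scan, so a front-end library served from one of those directories will no longer be reported.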