alexjurkiewicz / ecr-scan-image

Github Action to run AWS ECR vulnerability scan on Docker image
MIT License

Ignore List gives error when CVE not present #13

Closed kwalsh-rz closed 3 months ago

kwalsh-rz commented 3 years ago

I think that when a CVE on your ignore list is no longer present on the image, it should not fail (or be configurable to not fail). I think a warning would be more appropriate.

Ignore list contains CVE IDs that were not returned in the findings result set. They may be invalid or no longer be current vulnerabilities.

pzi commented 3 years ago

This would mean changing the following lines:

204  if (ignoreList.length !== ignoredFindings.length) {
205    const missedIgnores = ignoreList.filter(name => !ignoredFindings.map(({ name }) => name).includes(name))
206    console.log('The following CVEs were not found in the result set:')
207    missedIgnores.forEach(miss => console.log(`  ${miss}`))
208    throw new Error(`Ignore list contains CVE IDs that were not returned in the findings result set. They may be invalid or no longer be current vulnerabilities.`)
209  }

Link: https://github.com/alexjurkiewicz/ecr-scan-image/blob/master/index.js#L204-L209

Guess there are 2 approaches?

  1. Change line 208 to just use core.warning
  2. Add 1 extra piece of configuration that makes it a choice whether it should respond with an error or a warning, and then use the appropriate method given the config choice. Plus, set the default to error, as that would be a non-breaking change.

I think 2. is nicer as it doesn't break existing behaviour.

josh-linushealth commented 4 months ago

I've opened https://github.com/alexjurkiewicz/ecr-scan-image/pull/48 to address this.

pzi commented 3 months ago

Merged your changes and released in v3.0.0