google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0
6.11k stars, 343 forks

Is there a way to ignore all vulnerabilities for a given lockfile? #1155

Closed ia0 closed 3 days ago

ia0 commented 1 month ago

I currently have an osv-scanner.toml file next to the Cargo.lock file whose vulnerabilities I don't care about:

# This crate is used for benchmarks only. Those alerts can't be fixed because one of the comparison
# points, namely wasm3, is dead although it is the best benchmark reference so far.
IgnoredVulns = [
  { id = "GHSA-crf8-h2wq-2h9x" },
  { id = "GHSA-g98v-hv3f-hcfr" },
  { id = "GHSA-gq4p-4hxv-5rg9" },
  { id = "GHSA-r7qv-8r2h-pg27" },
  { id = "RUSTSEC-2021-0139" },
]

Ideally, I would like something like:

# This crate is used for benchmarks only. Those alerts can't be fixed because one of the comparison
# points, namely wasm3, is dead although it is the best benchmark reference so far.
ignore = true

This is more maintainable and describes the intent better.

I tried to find the schema of the osv-scanner.toml file, but only found the few examples in https://google.github.io/osv-scanner/configuration/.

Thanks!

another-rex commented 3 weeks ago

This is almost certainly something we want to add!

For now maybe you can try ignoring the packages with [[PackageOverrides]] (which might be fewer than all the vulnerabilities)
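
The two approaches discussed in this thread side by side, as an added editorial example rather than a config file from either participant: the per-advisory `[[IgnoredVulns]]` entries the reporter already uses, and the `[[PackageOverrides]]` workaround suggested above, which silences every advisory filed against one package rather than one advisory at a time. The advisory ids are the ones listed in the issue; the package name and the `ignoreUntil` date are placeholders, and the key names follow the configuration page linked in the issue (https://google.github.io/osv-scanner/configuration/), so check them against the current docs for the version you run.

```toml
# osv-scanner.toml placed next to the Cargo.lock of the benchmark crate.
# Added example for this issue, not from the original thread. The package name
# and the ignoreUntil date below are placeholders.

# Per-advisory ignores: one entry per advisory, with the reason kept beside it
# so the exception is auditable later.
[[IgnoredVulns]]
id = "GHSA-crf8-h2wq-2h9x"
reason = "Benchmark-only crate; the comparison point wasm3 is unmaintained"

[[IgnoredVulns]]
id = "RUSTSEC-2021-0139"
# Optional expiry (placeholder date): the advisory resurfaces after this day,
# so the exception is revisited instead of silently outliving its rationale.
ignoreUntil = 2025-01-31
reason = "Benchmark-only crate; the comparison point wasm3 is unmaintained"

# Per-package ignore: covers every advisory against this dependency, present
# and future. Omitting `version` applies the override to any version of it.
[[PackageOverrides]]
name = "example-wasm3-binding"   # placeholder for the dependency carrying the alerts
ecosystem = "crates.io"
ignore = true
reason = "Benchmark comparison point only; wasm3 is unmaintained"
```

The trade-off is scope: an `IgnoredVulns` entry suppresses one known advisory and nothing else, so a new finding against the same package still surfaces, while a `PackageOverrides` entry with `ignore = true` also hides advisories that do not exist yet. Recording a `reason` on every entry (and an `ignoreUntil` where the exception is meant to be temporary) keeps either form reviewable when the lockfile's role changes.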

oliverchang commented 2 weeks ago

@G-Rath is this something you'd be able to help us with?

ia0 commented 1 day ago

Thanks a lot for the fix!