Description

Current state

Currently, the --ignore flag overwrites the ignored CVEs from a config file (--config): https://github.com/rubysec/bundler-audit/blob/d8af649e9bb7552b25e46e4de2aa0828e0b3076e/lib/bundler/audit/scanner.rb#L221-L225

With config.options coming from the passed configuration file: https://github.com/rubysec/bundler-audit/blob/d8af649e9bb7552b25e46e4de2aa0828e0b3076e/lib/bundler/audit/scanner.rb#L91-L95

Why this would come in handy

In our CI pipelines, we have some template jobs that run bundle-audit across all projects. We also have a .bundler-audit.yml config file to ignore specific CVEs on a per-project basis. If we now want to ignore a CVE across all projects, we have to add the CVE to the ignore file in each project. If the CVEs from the "global" --ignore flag and the config file were both taken into account, we could just add the CVEs to be ignored globally to the --ignore parameter.

Potential implementation

Naive(?) solution: merge the two sets instead of taking one or the other.
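The merge proposed above, sketched as an added example that is not bundler-audit's own code: the CLI --ignore list and the config file's list are unioned rather than one replacing the other. The sample config and the advisory IDs are constructed placeholders, and the assumption that the file holds its list under a top-level ignore key is mine.

```ruby
# Added example (not bundler-audit's own code): merge the advisory IDs
# ignored via the CLI with those listed in a .bundler-audit.yml file,
# instead of letting one source override the other.
require 'yaml'
require 'set'

# Constructed sample of a per-project config file. The `ignore:` key
# holding a list of advisory IDs is an assumption about the file format;
# the IDs themselves are placeholders, not real advisories.
SAMPLE_CONFIG = <<~YAML
  ---
  ignore:
    - CVE-0000-1111
    - GHSA-xxxx-xxxx-xxxx
YAML

# Parse the config text and return its ignore list (empty if absent).
# A scalar or missing key must not silently disable all ignores, so the
# value is validated as a list.
def config_ignores(yaml_text)
  data = YAML.safe_load(yaml_text) || {}
  list = data['ignore'] || []
  raise ArgumentError, "'ignore' must be a list of advisory IDs" unless list.is_a?(Array)
  list.map { |id| id.to_s.strip }
end

# Union of the "global" CLI list (--ignore) and the per-project config
# list, de-duplicated, so an advisory ignored in either place is skipped.
def merged_ignores(cli_ignores, yaml_text)
  Set.new(cli_ignores.map(&:strip) + config_ignores(yaml_text))
end

# Decide whether an advisory should still be reported given the merged set.
def report?(advisory_id, ignores)
  !ignores.include?(advisory_id.strip)
end

if __FILE__ == $0
  # CVE-0000-1111 appears in both sources; it is counted once.
  ignores = merged_ignores(%w[CVE-0000-2222 CVE-0000-1111], SAMPLE_CONFIG)
  %w[CVE-0000-1111 CVE-0000-2222 GHSA-xxxx-xxxx-xxxx CVE-0000-3333].each do |id|
    puts "#{id}: #{report?(id, ignores) ? 'report' : 'ignored'}"
  end
end
```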