Much as we've done in the other tools, allow a user to exclude specific vulnerabilities so that they can be ignored from OSS Index.
Suggestions are to allow someone to have a .chelsea.json or .chelsea.yaml file in their repo, which would have a list of vulnerabilities they want ignored by chelsea.
This functionality could ignore off of:
- The OSS Index ID for the vuln
- The CVE title for the vuln
- The CWE title for the vuln
As well, as an extra-mile type of step, you could allow someone to ignore the vuln for only a specific period of time. We did that on Nancy, so that people could exclude something if there was no way to upgrade that dependency, and then have it fail at a later date to remind them to check back in on it.
By default you'd check the repository for the file, but also allow someone to pass in a file via the command line from an alternative location.
If someone has ignored a vuln, it should not show up in the audit results, or specifically say it was ignored, and also not cause the application to exit with a non-zero code (if it's the only vulnerability found).
Do not use the term whitelist related to this code.
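As an added illustration of the behaviour requested above (this is not Chelsea's code; the file keys `ignore`, `id`, `cve`, `cwe` and `until`, the default path and the audit-result hash shape are assumptions of this sketch): a Ruby filter that reads the ignore file from the repo or a CLI-supplied path, drops rules whose expiry date has passed, reports ignored findings explicitly, and returns a zero exit code only when no unignored finding remains.

```ruby
require "json"
require "date"

# Constructed sample ignore file (hypothetical .chelsea.json layout; the keys
# "ignore", "id", "cve", "cwe" and "until" are assumptions, not Chelsea's schema).
IGNORE_FILE = <<~IGNORE
  {
    "ignore": [
      { "id": "oss-index-id-1", "until": "2099-01-01", "reason": "no upgrade path yet" },
      { "cve": "CVE-0000-0001", "until": "2000-01-01", "reason": "expired, resurfaces" },
      { "cwe": "CWE-79" }
    ]
  }
IGNORE
# Constructed sample audit findings; the hash shape is likewise an assumption.
VULNS = [
  { id: "oss-index-id-1", cve: "CVE-0000-0003", cwe: "CWE-400", title: "DoS" },
  { id: "oss-index-id-2", cve: "CVE-0000-0001", cwe: "CWE-400", title: "Old DoS" },
  { id: "oss-index-id-3", cve: "CVE-0000-0002", cwe: "CWE-79",  title: "XSS" },
  { id: "oss-index-id-4", cve: "CVE-0000-0004", cwe: "CWE-22",  title: "Traversal" },
].freeze

# Read the repo's default file unless an alternative path was given on the CLI.
def read_ignore_file(path = ".chelsea.json")
  File.exist?(path) ? File.read(path) : "{}"
end

# Parse rules, dropping any whose "until" date has passed so the finding
# fails the audit again and reminds the team to revisit it.
def load_ignore_rules(json_text, today: Date.today)
  JSON.parse(json_text).fetch("ignore", []).reject do |rule|
    rule["until"] && Date.parse(rule["until"]) < today
  end
end
# A finding is ignored if a live rule matches its OSS Index ID, CVE or CWE.
def ignored?(vuln, rules)
  rules.any? do |r|
    (r["id"] && r["id"] == vuln[:id]) ||
      (r["cve"] && r["cve"] == vuln[:cve]) ||
      (r["cwe"] && r["cwe"] == vuln[:cwe])
  end
end

# Ignored findings are listed separately; only unignored ones make the exit code non-zero.
def audit(vulns, rules)
  ignored, reported = vulns.partition { |v| ignored?(v, rules) }
  ignored.each { |v| puts "IGNORED #{v[:id]} #{v[:cve]} #{v[:title]}" }
  { reported: reported, ignored: ignored, exit_code: reported.empty? ? 0 : 1 }
end
```

With the constructed data, the expired CVE rule is dropped, so two findings remain reported and the exit code is 1; ignoring all remaining findings yields 0.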