Closed daviskirk closed 2 years ago
This is going to be a problem soon for people trying to use this on a build server, as soon as a common package has an unpatchable vulnerability, e.g. pip's CVE-2018-20225.
It doesn't look like I can give jake a list of packages (is it checking packages in the venv?), or I could "skip" unfixable ones that way.
The output for a given failure is many idiosyncratic lines, so I can't easily parse the text and ignore the CVE that way.
A note: don't use the term whitelist; we were in the process of switching this in auditjs, just never got it taken care of. The issue where we were tracking that is here: https://github.com/sonatype-nexus-community/auditjs/issues/202.
Suggestion: allow-list, or deny-list for the inverse if you went that direction.
The bonus of using the new terms is they are easier to translate outside of English, as well!
ignore is a good term as well.
It would be nice to have a whitelist where certain vulnerabilities / packages are ignored in the evaluation of the error code.
There might be packages that have known vulnerabilities but are patched manually or not used in a fashion that makes them vulnerable. In these cases it would be nice to have a kind of "whitelist". This is especially relevant if the error code returned by jake is relevant in some way or another (pre-commit hook, for example).
auditjs has a "whitelist" option that might be applicable here as well: https://github.com/sonatype-nexus-community/auditjs#whitelisting, or something similar.
cc @bhamail / @DarthHater
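The following is an added illustration of how such an ignore list could decide the exit code; it is not jake's code and jake has no such option as of this issue. The finding structure, the line-based ignore-file format, the `examplepkg` package and the `EXAMPLE-0001` identifier are all constructed for the example. Each entry carries a reason and an optional expiry date, so that a suppression for a vulnerability that is "not used in a fashion that makes them vulnerable" is documented and gets re-reviewed instead of silently living forever.

```python
"""Added example (not jake's own code): an ignore list applied to scan
findings before the exit code is computed.

Assumptions (not part of jake): the Finding fields below, and an ignore file
with one rule per line of the form

    <vuln id>  <package or *>  <expires as YYYY-MM-DD or ->  <reason...>
"""
import sys
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str  # e.g. a CVE identifier


@dataclass(frozen=True)
class IgnoreRule:
    vuln_id: str
    package: Optional[str]  # None means the rule matches any package
    expires: Optional[date]  # None means the rule never expires
    reason: str  # mandatory: why the finding is accepted


def parse_ignore_file(text: str) -> List[IgnoreRule]:
    """Parse the constructed line-based ignore format; '#' lines are comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) < 4:
            raise ValueError(
                f"ignore file line {lineno}: expected "
                "'<id> <package|*> <expires|-> <reason>'"
            )
        vuln_id, package, expires, reason = parts
        rules.append(
            IgnoreRule(
                vuln_id=vuln_id.upper(),
                package=None if package == "*" else package.lower(),
                expires=None if expires == "-" else date.fromisoformat(expires),
                reason=reason,
            )
        )
    return rules


def matching_rule(finding: Finding, rules: List[IgnoreRule], today: date) -> Optional[IgnoreRule]:
    """Return the first still-valid rule covering the finding, else None."""
    for rule in rules:
        if rule.vuln_id != finding.vuln_id.upper():
            continue
        if rule.package is not None and rule.package != finding.package.lower():
            continue
        if rule.expires is not None and today > rule.expires:
            continue  # an expired entry stops suppressing: forces a re-review
        return rule
    return None


def evaluate(findings: List[Finding], rules: List[IgnoreRule], today: date
             ) -> Tuple[int, List[Finding], List[Finding]]:
    """Split findings into remaining/suppressed; exit code 1 iff any remain."""
    remaining, suppressed = [], []
    for finding in findings:
        (suppressed if matching_rule(finding, rules, today) else remaining).append(finding)
    return (1 if remaining else 0), remaining, suppressed


# Constructed sample ignore file. CVE-2018-20225 is the pip issue named in this
# thread; EXAMPLE-0001 and examplepkg are placeholders, not real identifiers.
IGNORE_FILE = """
# <vuln id>      <package or *>  <expires or ->  <reason>
CVE-2018-20225   pip             -               builds install only from the pinned index, --extra-index-url is never used
EXAMPLE-0001     examplepkg      2020-12-31      temporary, waiting for an upstream release
"""

# Constructed sample findings, standing in for what a scanner would report.
FINDINGS = [
    Finding(package="pip", version="20.3.3", vuln_id="CVE-2018-20225"),
    Finding(package="examplepkg", version="1.0.0", vuln_id="EXAMPLE-0001"),
]


if __name__ == "__main__":
    code, remaining, suppressed = evaluate(FINDINGS, parse_ignore_file(IGNORE_FILE), date.today())
    for f in suppressed:
        print(f"IGNORED  {f.vuln_id} in {f.package} {f.version}")
    for f in remaining:
        print(f"FAIL     {f.vuln_id} in {f.package} {f.version}")
    sys.exit(code)
```

Run as a pre-commit hook or build step, the script exits 0 only when every reported finding is covered by a current, documented ignore entry; once the dated entry for `EXAMPLE-0001` lapses the build fails again until someone either upgrades or consciously extends the entry.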