jeemok/better-npm-audit

Option to save ignored vulnerabilities.

dimitrisfasoulas opened this issue · 3 comments

Right now, if we are using a package that has a vulnerability in a method that we don't use, we can choose to ignore the specific vulnerability with the -i flag. If we want to make this permanent (to pass CI/CD pipelines, for example), then we can add this to the npm script in package.json.

I think it would be better if there were an option to save ignored vulnerabilities to a separate file and read them each time a scan is run. A nice option would also be to have an optional comment saved per ignored vulnerability, i.e.

{
  "1337": "Ignored since we don't use xxx method"
}

That's a good idea, NSP had it last time. We could reimplement that deprecated feature to read from a .nsprc file that looked like this:

{
  "exceptions": [
    // Ignored since we don't use xxx method
    "https://nodesecurity.io/advisories/1337"
  ]
}

Thanks for your consideration on this one.
I would also suggest adding the addition timestamp into the structure, allowing for extension to features like "ignoring until", etc.

{
    "1337": {
        "ignore": true,
        "reason": "Ignored since we don't use xxx method",
        "timestamp": 1615416734
    }
}

Also suggesting an object to allow extensibility in the future.

Hi @dimitrisfasoulas @lachlan-harris I have added the file support to v1.8.0, please read the documentation for the available feature :)