It would be nice to have a whitelist where certain vulnerabilities / packages are ignored in the evaluation of the error code.
What feature or behavior is this required for?
There might be packages that have known vulnerabilities but are patched manually or not used in a fashion that makes them vulnerable. In these cases it would be nice to have a kind of "whitelist".
This is especially relevant if the error code returned by jake is relevant in some way or another (pre commit hook for example).
How could we solve this issue? (Not knowing is okay!)
This is going to be a problem soon for people trying to use this on a build server, as soon as a common package has an unpatchable vulnerability, e.g. pip's CVE-2018-20225.
It doesn't look like I can give jake a list of packages (it is checking packages in the venv?) or I could "skip" unfixable that way.
The output for a given failure is many idiosyncratic lines, so I can't easily parse the text & ignore the cve that way.
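One way to implement the requested exit-code allow-list, as an added example that is not jake's own code: each exception carries a justification and an expiry date, so a suppressed finding (such as the pip CVE mentioned above) fails the build again once the exception lapses. The finding records are constructed rather than real jake output, and CVE-XXXX-EXAMPLE is a placeholder identifier.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str


@dataclass(frozen=True)
class AllowEntry:
    vuln_id: str
    reason: str                      # mandatory justification for the exception
    package: Optional[str] = None    # None = applies to any package reporting vuln_id
    expires: Optional[date] = None   # None = never expires (avoid; exceptions should be revisited)

    def covers(self, f: Finding, today: date) -> bool:
        if self.vuln_id != f.vuln_id or (self.package and self.package != f.package):
            return False
        # an expired exception stops suppressing the finding, so the build fails again
        return self.expires is None or today <= self.expires


def evaluate(findings: List[Finding], allow: List[AllowEntry], today: date) -> Tuple[int, List[Finding]]:
    """Return (exit_code, blocking findings); exit 1 if any finding is not allow-listed."""
    blocking = [f for f in findings if not any(e.covers(f, today) for e in allow)]
    return (1 if blocking else 0), blocking


# Constructed sample data (not real jake output). CVE-2018-20225 is the pip CVE
# mentioned in this thread; CVE-XXXX-EXAMPLE is a placeholder, not a real identifier.
SAMPLE_FINDINGS = [
    Finding("pip", "19.0.3", "CVE-2018-20225"),
    Finding("examplelib", "1.2.0", "CVE-XXXX-EXAMPLE"),
]
SAMPLE_ALLOW = [
    AllowEntry("CVE-2018-20225", "no fixed release available; reviewed in ticket PLACEHOLDER",
               package="pip", expires=date(2020, 12, 31)),
    AllowEntry("CVE-XXXX-EXAMPLE", "vulnerable code path not reachable in this service",
               package="examplelib", expires=date(2021, 3, 31)),
]


def check_on(iso_today: str) -> Tuple[int, List[str]]:
    """Exit code and blocking vuln ids the sample data would produce on a given day."""
    code, blocking = evaluate(SAMPLE_FINDINGS, SAMPLE_ALLOW, date.fromisoformat(iso_today))
    return code, [f.vuln_id for f in blocking]
```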
A note, don't use the term whitelist, we were in process of switching this in auditjs, just never got it taken care of. The issue where we were tracking that is here: sonatype-nexus-community/auditjs#202.
Suggestion: allow-list, or deny-list for the inverse if you went that direction.
The bonus of using the new terms is they are easier to translate outside of English, as well!
auditjs has a "whitelist" option that might be applicable here as well:
https://github.com/sonatype-nexus-community/auditjs#whitelisting
or something similar.
cc @bhamail / @DarthHater