Description

Current state

Currently, the `--ignore` flag overwrites the ignored CVEs from a config file (`--config`); see bundler-audit/lib/bundler/audit/scanner.rb, lines 221 to 225 in d8af649:

```ruby
# scanner.rb: the CLI flag replaces the config file's list instead of adding to it
ignore = if options[:ignore]
           Set.new(options[:ignore])
         else
           config.ignore
         end
```

With `config.options` coming from the passed configuration file; see bundler-audit/lib/bundler/audit/scanner.rb, lines 91 to 95 in d8af649:

```ruby
# scanner.rb: load the per-project config file if present, else an empty configuration
@config = if File.exist?(config_dot_file_full_path)
            Configuration.load(config_dot_file_full_path)
          else
            Configuration.new
          end
```

Why this would come in handy

In our CI pipelines, we have some template jobs that run `bundle-audit` across all projects. We also have a `.bundler-audit.yml` config file to ignore specific CVEs on a per-project basis. If we now want to ignore a CVE across all projects, we have to add the CVE to the ignore file in each project. If the CVEs from the "global" `--ignore` flag and the config file were both taken into account, we could just add the CVEs to be ignored globally to the `--ignore` parameter.

Potential implementation

Naive(?) solution: merge the two sets instead of taking one or the other.
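To make the difference concrete, here is an added example (not bundler-audit's own code) that contrasts the current overwrite with the proposed merge. It uses a hypothetical `ProjectConfig` stand-in for `Configuration`, assumes the config file carries its ignore list under an `ignore:` key, and uses constructed placeholder advisory ids rather than real CVE numbers:

```ruby
require 'set'
require 'yaml'

# Constructed stand-in for a per-project .bundler-audit.yml (format assumed:
# an `ignore:` key holding a list of advisory ids). Ids are placeholders.
PROJECT_CONFIG_YAML = <<~YAML
  ignore:
    - CVE-0000-0001
    - CVE-0000-0002
YAML

# Constructed stand-in for the "global" --ignore list a CI template job would pass.
# One id deliberately overlaps with the project file to show the union de-duplicates.
GLOBAL_IGNORE = %w[CVE-0000-0003 CVE-0000-0002].freeze

# Hypothetical minimal stand-in for Configuration: only `ignore` matters here.
ProjectConfig = Struct.new(:ignore) do
  def self.load_yaml(text)
    data = YAML.safe_load(text) || {}
    list = data.fetch('ignore', [])
    raise ArgumentError, 'ignore must be a list of advisory ids' unless list.is_a?(Array)
    new(Set.new(list.map { |id| id.to_s.strip }))
  end
end

# Current behaviour (shape of the scanner.rb snippet quoted above):
# when the flag is given, the per-project list is silently dropped.
def ignored_advisories_current(options, config)
  if options[:ignore]
    Set.new(options[:ignore])
  else
    config.ignore
  end
end

# Proposed behaviour: the union of both sources, so a global ignore list
# and a per-project ignore list both apply. Array() keeps a missing or
# single-value flag working.
def ignored_advisories_merged(options, config)
  Set.new(Array(options[:ignore]).map { |id| id.to_s.strip }) | config.ignore
end

# Apply an ignore set to a list of found advisory ids; what remains is reported.
def reportable_advisories(found_ids, ignored)
  found_ids.reject { |id| ignored.include?(id) }
end

if __FILE__ == $PROGRAM_NAME
  config = ProjectConfig.load_yaml(PROJECT_CONFIG_YAML)
  found = %w[CVE-0000-0001 CVE-0000-0002 CVE-0000-0003 CVE-0000-0004]
  current = ignored_advisories_current({ ignore: GLOBAL_IGNORE }, config)
  merged  = ignored_advisories_merged({ ignore: GLOBAL_IGNORE }, config)
  puts "current: reports #{reportable_advisories(found, current).inspect}"
  puts "merged:  reports #{reportable_advisories(found, merged).inspect}"
end
```

Run stand-alone, the current logic still reports the project-level id CVE-0000-0001 even though the project file ignores it, while the merged logic reports only the id that neither source ignores.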