Hello!
Wanted to check if there would be a possibility to add support for a file where users can specify vulnerability IDs that are supposed to be ignored.
Use case:
GO-2023-1621 highlighted "The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars"
GO-2023-1621 to some file in the repo like .govulnignore, and then govulncheck would ignore the vulnerability, but still scan for other vulnerabilities.

Aquasec for container scanning supports a .trivyignore file that offers a similar feature (ignoring vulnerabilities), see: https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/

Implementation
The MR is designed to be a non-breaking change:
-ignore-file which defaults to empty string
GO-2023-1621 which is supposed to be ignored.
govulncheck are then filtered against this lookup set before getting reported to the user.

Example command line invocation:
Open tasks
.... And of course in general, if such a feature would be even accepted (which I don't take for granted but I thought it's worth a try.)
Thank you in advance for considering this proposal.
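The filtering the proposal describes (an ignore file of vulnerability IDs loaded into a lookup set, with findings filtered against it before reporting), as an added Go example that is not the MR's code: Finding, ParseIgnoreFile and FilterFindings are assumed names, the '#' comment syntax in the ignore file is an assumption, and GO-0000-0000 is a constructed placeholder ID. Returning the suppressed findings separately lets the caller log what an ignore entry hid instead of dropping it silently.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is a minimal stand-in for one govulncheck result (assumed type, not the tool's).
type Finding struct {
	ID string // e.g. "GO-2023-1621"
}

// ParseIgnoreFile reads the proposed ignore-file format: one vulnerability ID per line.
// Blank lines and '#' comments are skipped (comment support is an assumption here).
func ParseIgnoreFile(contents string) map[string]bool {
	ignored := make(map[string]bool)
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i] // strip full-line and trailing comments
		}
		if line = strings.TrimSpace(line); line != "" {
			ignored[line] = true
		}
	}
	return ignored
}

// FilterFindings returns the findings to report and, separately, those the
// ignore set suppressed, so a caller can still log what was hidden and why.
func FilterFindings(findings []Finding, ignored map[string]bool) (report, suppressed []Finding) {
	for _, f := range findings {
		if ignored[f.ID] {
			suppressed = append(suppressed, f)
		} else {
			report = append(report, f)
		}
	}
	return report, suppressed
}

func main() {
	// Constructed sample .govulnignore contents and findings for the PR's use case.
	ignoreFile := "# reviewed: unreduced scalars never reach P256 here\nGO-2023-1621\n"
	findings := []Finding{{ID: "GO-2023-1621"}, {ID: "GO-0000-0000"}} // second ID is a placeholder
	report, suppressed := FilterFindings(findings, ParseIgnoreFile(ignoreFile))
	fmt.Printf("reported %d finding(s), suppressed %d: %v\n", len(report), len(suppressed), suppressed)
}
```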