Comments (7)
Hey @quinnturner, I'm interested in working on this if that's okay? 😄
from audit-ci.
Hey @andrewdetorres, yep, I would accept a PR that adds this functionality! If you have questions, feel free to drop them here 😄
Hey @quinnturner,
After taking a look into this issue, the way that the code works with the module name allowlist is that the package name with the vulnerability should be used. In the example above, `GHSA-pw2r-vq6v-hr8c|proxy-client-ts>axios>follow-redirects`, this should be `follow-redirects` instead of `proxy-client-ts`.
Having the root package in the allowlist would be a cool feature so you don't have to write out the full path. Is this something you would like to consider as a feature? 😄
Root module advisory allow listing is supported with `*|module-name>*`. I believe the problem is that since these are private packages, the private package is not listed in the audit. Unfortunately, that means adding context of the private dependency in the audit response.
I haven't reviewed how the package manager's audit responds to private dependencies. If they still handle the transitive dependencies, there may be a way to work around it with a different allowlist without much or any code.
It appears that the above syntax `*|module-name>*` works with private packages. I tested this with our own private package and the advisories were correctly ignored.
The root module advisory allow listing support seems slightly hidden in the docs. I'm happy to make a contribution to make this more clear if you're happy for me to go ahead with that?
I am always interested in making the documentation better! Allowlisting all transitive dependencies of a package is not usually a recommended workflow because legitimate advisories may slip through, so the wording would have to be considered. However, I am open to PRs!
I am closing for now because of the improved documentation. While this is still technically an issue, it can be worked around and "fixing it" involves mutating the received audit. If "natively" solving this receives a lot of positive desire, I will consider reopening!
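As an added example (not audit-ci's own code), here is a simplified model of the allowlist semantics discussed in this thread: an exact `advisory|root>dep>leaf` entry versus the `*|module-name>*` root wildcard, run over two constructed findings. The matching rules and the second advisory id are assumptions for illustration; the run shows why the wildcard also swallows an unrelated advisory under the same root, which is the caveat raised in the last comments.

```javascript
// Simplified allowlist matcher (assumption: not audit-ci's real implementation).
// An entry is a bare advisory id, or "<advisory>|<path>" where <path> is the
// dependency chain "root>dep>leaf" as reported by the audit. "*" matches any
// advisory, and a trailing ">*" matches anything below the named module.
function allowlistMatches(entry, finding) {
  const [advisory, path] = entry.includes("|") ? entry.split("|") : [entry, null];
  if (advisory !== "*" && advisory !== finding.id) return false;
  if (path === null) return true; // bare advisory id: any dependency path
  if (path.endsWith(">*")) {
    const root = path.slice(0, -2); // "proxy-client-ts>*" -> "proxy-client-ts"
    return finding.path === root || finding.path.startsWith(root + ">");
  }
  return path === finding.path; // exact chain only
}

// Splits findings into allowed / still-failing, and reports entries that
// matched nothing (a stale or mistyped entry is worth surfacing in CI).
function applyAllowlist(allowlist, findings) {
  const allowed = [], remaining = [], unused = new Set(allowlist);
  for (const f of findings) {
    const hit = allowlist.find((e) => allowlistMatches(e, f));
    if (hit) { allowed.push(f); unused.delete(hit); } else remaining.push(f);
  }
  return { allowed, remaining, unusedEntries: [...unused] };
}

// Constructed findings: the chain from the thread plus a second, unrelated
// advisory (placeholder id) under the same private root package.
const findings = [
  { id: "GHSA-pw2r-vq6v-hr8c", path: "proxy-client-ts>axios>follow-redirects" },
  { id: "GHSA-xxxx-placeholder", path: "proxy-client-ts>some-other-dep" },
];

const exactEntry = "GHSA-pw2r-vq6v-hr8c|proxy-client-ts>axios>follow-redirects";
const wildcardEntry = "*|proxy-client-ts>*";
const mistypedEntry = "GHSA-pw2r-vq6v-hr8c|proxy-client-ts>follow-redirects"; // axios missing

for (const entry of [exactEntry, wildcardEntry, mistypedEntry]) {
  const r = applyAllowlist([entry], findings);
  console.log(entry, "-> allowed:", r.allowed.length,
    "remaining:", r.remaining.length, "unused entries:", r.unusedEntries);
}
```

The exact entry suppresses only the named chain, while the root wildcard also hides the placeholder advisory, so a real new advisory under that root would never fail the build.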