rubysec / bundler-audit

Description

Current state

Currently, the --ignore flag overwrites the ignored CVEs from a config file (--config):

bundler-audit/lib/bundler/audit/scanner.rb

Lines 221 to 225 in d8af649

    
           ignore = if options[:ignore] 
        
                      Set.new(options[:ignore]) 
        
                    else 
        
                      config.ignore 
        
                    end

With config.options coming from the passed configuration file:

bundler-audit/lib/bundler/audit/scanner.rb

Lines 91 to 95 in d8af649

    
           @config = if File.exist?(config_dot_file_full_path) 
        
                       Configuration.load(config_dot_file_full_path) 
        
                     else 
        
                       Configuration.new 
        
                     end

Why this would come in handy

In our CI pipelines, we have some template jobs that run bundle-audit across all projects. We also have a .bundler-audit.yml config file to ignore specific CVEs on a per-project basis. If we now want to ignore a CVE across all projects, we have to add the CVE to the ignore file in each project. If the CVEs from the "global" --ignore flag and the config file would be taken both into account, we could just add the CVEs to be ignored globally to the --ignore parameter.

Potential implementation

Naive(?) solution: merge the two sets instead of taking one or the other.

	ignore = if options[:ignore]
	Set.new(options[:ignore])
	else
	config.ignore
	end

	@config = if File.exist?(config_dot_file_full_path)
	Configuration.load(config_dot_file_full_path)
	else
	Configuration.new
	end

Combine ignored CVEs from both `--config` with `--ignore` flag

Description

Current state

Why this would come in handy

Potential implementation