No warnings when ignoreUntil and effectiveUntil have typos #1098

Open
faern opened this issue Jul 4, 2024 · 0 comments
Labels
enhancement New feature or request

faern commented Jul 4, 2024

Great addition with [[PackageOverrides]] in the latest release 👍 But why is the way to set an expiry time on the ignore named differently? ignoreUntil != effectiveUntil. We almost merged a bunch of [[PackageOverrides]] with an ignoreUntil set... And here comes the problem: If you make this mistake, or you simply have a typo in the key name, everything looks fine, but the vulnerability ignore is forever.

```toml
[[IgnoredVulns]]
id = "GHSA-jgvc-jfgh-rjvv"
ignoreUntiI = 2024-08-02
reason = "..."
```

The above ignores GHSA-jgvc-jfgh-rjvv forever, which is clearly not the intention of the author here (typo is that the last letter is an I not an l).

My preference would be for osv-scanner to exit with an error on any configuration entry/key it does not recognize.

@another-rex another-rex added the enhancement New feature or request label Jul 5, 2024