From 6444c6593443664c64ad75a1bcd3701abf548bac Mon Sep 17 00:00:00 2001
From: Arthit Suriyawongkul
Date: Thu, 30 Jan 2025 08:19:15 +0100
Subject: [PATCH] Set IgnoredVulns in osv-scanner config

Use specific IgnoredVulns for each id

Signed-off-by: Arthit Suriyawongkul
---
 osv-scanner.toml | 38 +++++++++++++++++++++++++++++++++
 tests/data/osv-scanner.toml | 4 ----
 tests/doc_fest/osv-scanner.toml | 4 ----
 3 files changed, 38 insertions(+), 8 deletions(-)
 create mode 100644 osv-scanner.toml
 delete mode 100644 tests/data/osv-scanner.toml
 delete mode 100644 tests/doc_fest/osv-scanner.toml

diff --git a/osv-scanner.toml b/osv-scanner.toml
new file mode 100644
index 0000000..a3cf656
--- /dev/null
+++ b/osv-scanner.toml
@@ -0,0 +1,38 @@
+[[IgnoredVulns]]
+id = "CVE-2022-48174"
+reason = "Alpine/BusyBox-related, which is not used by this package. The matching vulnerability data may come from an SBOM test file in /tests directory."
+
+[[IgnoredVulns]]
+id = "CVE-2023-42363"
+reason = "Alpine/BusyBox-related, which is not used by this package. The matching vulnerability data may come from an SBOM test file in /tests directory."
+
+[[IgnoredVulns]]
+id = "CVE-2023-42364"
+reason = "Alpine/BusyBox-related, which is not used by this package. The matching vulnerability data may come from an SBOM test file in /tests directory."
+
+[[IgnoredVulns]]
+id = "CVE-2023-42365"
+reason = "Alpine/BusyBox-related, which is not used by this package. The matching vulnerability data may come from an SBOM test file in /tests directory."
+
+[[IgnoredVulns]]
+id = "CVE-2023-42366"
+reason = "Alpine/BusyBox-related, which is not used by this package. The matching vulnerability data may come from an SBOM test file in /tests directory."
+
+[[IgnoredVulns]]
+id = "GHSA-269g-pwp5-87pp"
+reason = "Maven/JUnit-related, which is not used by this package. The matching vulnerability data may come from an SBOM test file in /tests directory."
+
+# We can also ignore the entire category of vulnerabilities,
+# using PackageOverrides
+
+# # ignore packages named "busybox" in the Alpine ecosystem
+# [[PackageOverrides]]
+# name = "busybox"
+# ecosystem = "Alpine"
+# ignore = true
+
+# # ignore packages named "junit:junit" in the Maven ecosystem
+# [[PackageOverrides]]
+# name = "junit:junit"
+# ecosystem = "Maven"
+# ignore = true
diff --git a/tests/data/osv-scanner.toml b/tests/data/osv-scanner.toml
deleted file mode 100644
index 6b67399..0000000
--- a/tests/data/osv-scanner.toml
+++ /dev/null
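Review bot: Replacing the two per-directory configs with a single root-level osv-scanner.toml changes where the suppressions take effect — osv-scanner, as far as I recall, reads the osv-scanner.toml next to each scanned file unless the scan is run with `--config osv-scanner.toml`, so the SBOMs under tests/data and tests/doc_fest may no longer be covered by any ignore at all; please confirm the CI invocation passes `--config`. Every `reason` string here also hedges with "may come from an SBOM test file in /tests directory", whereas an ignore entry should name the file that actually produces the finding so the next reviewer can check the suppression is still justified, e.g. `reason = "Alpine/BusyBox finding from <PATH-OF-SBOM-TEST-FILE>; busybox is not a dependency of this package."`. Consider adding `ignoreUntil = <REVIEW-DATE>` to each `[[IgnoredVulns]]` entry so these ID-specific ignores expire and get re-reviewed instead of living forever, and keep in mind that every new BusyBox or JUnit advisory will need another entry under this scheme, which is the maintenance cost the commented-out `PackageOverrides` block avoids.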
@@ -1,4 +0,0 @@
-# ignore everything in the current directory
-[[PackageOverrides]]
-ignore = true
-reason = "This directory contains SBOM test files. A SBOM test file may contains data that represent vulnerabilities of a system, but that system is not this particular ntia-conformance-checker package."
diff --git a/tests/doc_fest/osv-scanner.toml b/tests/doc_fest/osv-scanner.toml
deleted file mode 100644
index 6b67399..0000000
--- a/tests/doc_fest/osv-scanner.toml
+++ /dev/null
@@ -1,4 +0,0 @@
-# ignore everything in the current directory
-[[PackageOverrides]]
-ignore = true
-reason = "This directory contains SBOM test files. A SBOM test file may contains data that represent vulnerabilities of a system, but that system is not this particular ntia-conformance-checker package."