Adding ignore file support #7
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Hi @maxbeutel @julieqiu @jba @zpavlinovic, I was thinking of doing the same thing and found this PR. Is this something you are considering? I'm using a workaround script at the moment: https://github.com/kaleido-io/kaleido-sdk-go/blob/7ba2d147a282bd98b707879484667d9a14398cca/govulnchecktool.sh which is prone to changes in the JSON structure of the output data.
Nice idea @Chengxuan. I was wondering, if this PR doesn't get through, how to implement ignoring reported vulns. Filtering the output on the "client side" is indeed an option, as you demonstrated. I'm wondering whether this is the wrong repo to raise the MR in, because I also saw MRs for this project in the main golang repo, under https://github.com/golang/go/labels/vulncheck%20or%20vulndb
@maxbeutel The main Go bug tracker is at https://github.com/golang/go, as you have noticed. The Go project does not usually use Pull Requests (it uses Gerrit code review), but there is some support for dealing with PRs and converting them to code reviews. There are a few options for you:
What's the current status of this?
Note that this is a mirror repo and we don't accept pull requests. This is also something that would need a proposal. We are not looking to add ignore files at the moment. Note that govulncheck provides JSON (as well as SARIF and OpenVEX) output, so users can write their own simple wrappers that can do the filtering.
@AkihiroSuda I share @zpavlinovic's opinion that the feature requested here feels like a level above; it is worth looking at https://github.com/aquasecurity/trivy if you are not aware of it. It covers the scan-tool wrap-around logic that is not Go-specific.
The lack of standardization will lead to reinventing a bunch of similar but incompatible wrappers.
I'm aware of it, and I don't think that having an extra dependency on Trivy should be (practically) necessary for scanning Go programs. Also, until the upstream govulncheck officially supports an ignore list, program maintainers will continue to receive false-positive reports from people who just run govulncheck.
See related golang/go#59507
Hello!

Wanted to check if there would be a possibility to add support for a file where users can specify vulnerability IDs that are supposed to be ignored.

Use case:
- GO-2023-1621 is highlighted: "The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars"
- the user adds GO-2023-1621 to some file in the repo like .govulnignore, and then govulncheck would ignore the vulnerability, but still scan for other vulnerabilities.

Aquasec for container scanning supports a .trivyignore file that offers a similar feature (ignoring vulnerabilities), see: https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/

Implementation

The MR is designed to be a non-breaking change:
- new flag -ignore-file which defaults to empty string
- the file lists vulnerability IDs like GO-2023-1621 which are supposed to be ignored.
- findings from govulncheck are then filtered against this lookup set before getting reported to the user.

Example command line invocation:

Open tasks
- .... And of course in general, if such a feature would even be accepted (which I don't take for granted, but I thought it's worth a try).

Thank you in advance for considering this proposal.
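The maintainers' suggestion that users filter govulncheck's JSON output in their own wrapper and the PR's design (a lookup set of IDs read from an ignore file, applied to findings before they are reported) come down to the same filter. The Go program below is an added example written for this page; it is not code from the PR, from govulncheck, or from the linked workaround script. It assumes the govulncheck -json message shape (one JSON object per message; a top-level finding whose osv field is the vulnerability ID, and a top-level osv record whose id field is that same ID). The '#' comment syntax for the ignore file, the GO-NNNN-NNNN format check, and the names loadIgnoreSet, filterStream and runSample are choices of this example, not anything the PR specifies, and the embedded ignore file and JSON stream are constructed, with GO-0000-0000 a placeholder rather than a real report.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// govulncheck -json emits one JSON object per message, keyed config, progress,
// osv or finding. Only the fields the filter consults are modelled; the raw
// bytes, not this struct, are forwarded, so nothing else in a message is lost.
type message struct {
	OSV     *struct{ ID string `json:"id"` }   `json:"osv"`
	Finding *struct{ OSV string `json:"osv"` } `json:"finding"`
}

var vulnIDPattern = regexp.MustCompile(`^GO-\d{4}-\d{4}$`)

// loadIgnoreSet parses one vulnerability ID per line. Blank lines and '#'
// comments are skipped (an assumption of this example; the PR defines no
// comment syntax). A malformed line is an error rather than being skipped,
// so a typo cannot silently leave a finding unsuppressed.
func loadIgnoreSet(r io.Reader) (map[string]bool, error) {
	ignored := make(map[string]bool)
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !vulnIDPattern.MatchString(line) {
			return nil, fmt.Errorf("ignore file line %d: %q is not a Go vulnerability ID", n, line)
		}
		ignored[line] = true
	}
	return ignored, sc.Err()
}

// filterStream copies a govulncheck -json stream from r to w, dropping every
// finding (and the osv record) for an ignored ID. It returns how many findings
// each ignored ID suppressed (an ignored ID absent from the map matched nothing
// and is stale) and how many findings survived, for the wrapper's exit status.
func filterStream(r io.Reader, w io.Writer, ignored map[string]bool) (map[string]int, int, error) {
	suppressed, kept := make(map[string]int), 0
	dec := json.NewDecoder(r)
	for {
		var raw json.RawMessage
		if err := dec.Decode(&raw); err != nil {
			if err == io.EOF {
				err = nil
			}
			return suppressed, kept, err
		}
		var m message
		if err := json.Unmarshal(raw, &m); err != nil {
			return suppressed, kept, err
		}
		if m.OSV != nil && ignored[m.OSV.ID] {
			continue
		}
		if m.Finding != nil {
			if ignored[m.Finding.OSV] {
				suppressed[m.Finding.OSV]++
				continue
			}
			kept++
		}
		if _, err := w.Write(append(raw, '\n')); err != nil {
			return suppressed, kept, err
		}
	}
}

// Constructed sample input, not captured govulncheck output: an ignore file and
// a shortened JSON stream. GO-0000-0000 is a placeholder, not a real report.
const sampleIgnoreFile = "# reviewed: P256 ScalarMult is not reachable from our code\nGO-2023-1621\n"
const sampleStream = `{"config":{"protocol_version":"v1.0.0","scanner_name":"govulncheck"}}
{"osv":{"id":"GO-2023-1621","details":"The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an incorrect result if called with some specific unreduced scalars"}}
{"osv":{"id":"GO-0000-0000","details":"constructed placeholder entry"}}
{"finding":{"osv":"GO-2023-1621","trace":[{"module":"stdlib","version":"v1.20.1"}]}}
{"finding":{"osv":"GO-2023-1621","trace":[{"module":"stdlib","version":"v1.20.1","package":"crypto/elliptic","function":"ScalarMult"}]}}
{"finding":{"osv":"GO-0000-0000","trace":[{"module":"example.com/dep","version":"v0.1.0"}]}}
`

// runSample filters the constructed stream with the constructed ignore file;
// a real wrapper calls filterStream(os.Stdin, os.Stdout, ignored) instead.
func runSample() (string, map[string]int, int, error) {
	ignored, err := loadIgnoreSet(strings.NewReader(sampleIgnoreFile))
	if err != nil {
		return "", nil, 0, err
	}
	var out bytes.Buffer
	suppressed, kept, err := filterStream(strings.NewReader(sampleStream), &out, ignored)
	return out.String(), suppressed, kept, err
}
```

Wired as a wrapper behind a pipe such as govulncheck -json ./... | wrapper -ignore-file .govulnignore, the program must derive its own exit status from the returned count of kept findings: the shell reports only the last command's status, so govulncheck's own non-zero exit on findings is lost in the pipeline. Dropping the osv record together with the findings matters because anything consuming the filtered stream would otherwise still list the ignored vulnerability, and one vulnerability typically produces several findings (module level, package level, and one per call trace), which is why the suppressed counter is per ID rather than a boolean.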