Merged
G-Rath added a commit that referenced this pull request on May 10, 2024:
This upgrades us to use the latest v3 version of the YAML library along with updating our unmarshal functions to use the new interface. While this annoyingly adds ~20kb to the binary, it gives us access to more stuff like information about comments and line numbers when unmarshalling and the ability to write indented output (which will be used for #248) - ultimately, we might as well just get the upgrade over with.
This adds a --update-config-ignores flag that aims to update the osv-detector configs to ignore all found vulnerabilities for the related lockfile if a config exists.

For now I'm keeping this as a draft because while I think it's actually good to go, the main cli tests defeated me a bit as it's painful to craft all the different tests required; that's also why I've not yet done any cleanup or deduplication of the test helpers.

There's also a few "extensions" on this that could be done, including having the detector note when there are ignored vulnerabilities that are no longer present, a custom indent level, and better handling of existing ignores (rather than requiring --no-config-ignores be set).
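The ignore-list update the description talks about, sketched as added example code (not the PR's or osv-detector's own code); it assumes a config whose only relevant key is a top-level `ignore` list and uses constructed GHSA-style IDs. It covers two of the "extensions" mentioned: merging into existing ignores without clearing them first and reporting ignores that no longer match anything found, plus a caller-chosen indent width:

```go
package main

import (
	"fmt"
	"strings"
)

// Config models the one part of an osv-detector config this example cares
// about: the list of vulnerability IDs to ignore (assumed "ignore" key).
type Config struct {
	Ignore []string
}

// UpdateIgnores merges the vulnerabilities found for a lockfile into the
// existing ignore list. Existing entries are kept (deduplicated, original
// order preserved) and any existing ignore that no longer matches a found
// vulnerability is reported as stale so it can be reviewed rather than
// silently carried forward.
func UpdateIgnores(existing Config, found []string) (updated Config, stale []string) {
	foundSet := make(map[string]bool, len(found))
	for _, id := range found {
		foundSet[id] = true
	}
	seen := map[string]bool{}
	for _, id := range existing.Ignore {
		if seen[id] {
			continue
		}
		seen[id] = true
		updated.Ignore = append(updated.Ignore, id)
		if !foundSet[id] {
			stale = append(stale, id)
		}
	}
	for _, id := range found {
		if !seen[id] {
			seen[id] = true
			updated.Ignore = append(updated.Ignore, id)
		}
	}
	return updated, stale
}

// RenderYAML writes the config as a YAML block sequence using the given
// indent width (hand-rolled here to keep the example dependency-free).
func RenderYAML(c Config, indent int) string {
	var b strings.Builder
	b.WriteString("ignore:\n")
	for _, id := range c.Ignore {
		fmt.Fprintf(&b, "%s- %s\n", strings.Repeat(" ", indent), id)
	}
	return b.String()
}

func main() {
	// Constructed sample data: one stale ignore, one already ignored, one new.
	existing := Config{Ignore: []string{"GHSA-old0-0000-0000", "GHSA-dup1-1111-1111"}}
	found := []string{"GHSA-dup1-1111-1111", "GHSA-new2-2222-2222"}
	updated, stale := UpdateIgnores(existing, found)
	fmt.Print(RenderYAML(updated, 2))
	fmt.Println("stale ignores:", stale)
}
```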