
Support specifying path to config file #303

Closed
G-Rath opened this issue May 18, 2021 · 4 comments · Fixed by #306
@G-Rath
Contributor

G-Rath commented May 18, 2021

It'd be nice to have a CLI flag to allow pointing bundler-audit to an arbitrary config file, i.e.

bundle-audit --config bundler-config.yml

My use-case for this is that we have a central project auditor that runs against all of our projects and audits them with compatible tools (i.e. if there's a package-lock.json it does npm audit, if there's a Gemfile it does bundle-audit, if there's a requirements.txt it does safety, etc.).

This tool is managed by our long-term app support team, so it maintains its own ignore lists for each project independently of the projects themselves - this means for tools that support config files we explicitly ensure project-level versions of these files are not used when auditing (commonly by pointing at a blank version of that tool's config).

Being able to provide an explicit path to the config would allow us to ensure this for bundler-audit, as well as let us maintain ignore lists for each app in their own file without any extra work (this is what we currently do for javascript auditing, since we use audit-app which supports a custom path).

I've not yet played around with v0.8.0, so it's possible that bundler-audit ignores the ignores in the config file if you use the --ignore flag, but there's a number of ways you could interpret having both the --ignore flag + a config (i.e. merging vs overriding; + what if I don't have any CVEs to ignore?).

I'm happy to help implement this, but don't know when I'll have the time, so opening an issue in case others want to implement :)

@postmodern
Member

A --config-file option sounds like a generally good feature idea. Currently, there are no --no-ignore or --no-config-file options for disabling any ignored advisory IDs from the config file. The current behavior is that if --ignore is specified, the explicit ignores will override the config file's listed ignores, instead of unioning the two ignore lists together.

@G-Rath
Contributor Author

G-Rath commented Jun 4, 2021

@postmodern glad you think so! I've got a PR open implementing this - let me know if you'd like any changes made :)

@postmodern
Member

Merged #306. Had to rebase and squash.

@G-Rath
Contributor Author

G-Rath commented Jun 29, 2021

The current behavior is that if --ignore is specified, the explicit ignores will override the config file's ignores listed, instead of unioning the two ignore lists together.

Just to follow up: while that might be true, you can't pass an empty ignore (i.e. --ignore by itself results in No value provided for option '--ignore') - imo the best way to support this would be with a --no-config, but it seems that Thor currently doesn't support that natively.

I've left a comment on rails/thor#733 which I think would be the pathway to supporting this in Thor, which'd allow supporting that here by extension.
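The two semantics discussed in this thread (explicit --ignore overriding the config file's list versus unioning the two, and the gap that a bare --ignore cannot express "ignore nothing") can be shown in a few lines. The Ruby below is an added example written for this page, not bundler-audit's or Thor's own code; `config_ignores`, `resolve_ignores`, `parse_ignore_flag` and `report?` are hypothetical names, the `no_config:` keyword models the proposed --no-config flag, and the advisory IDs in the sample config are placeholders.

```ruby
require "yaml"

# Constructed sample of a bundler-audit style config file (advisory IDs are
# placeholders, not real advisories).
SAMPLE_CONFIG_YAML = <<~YAML
  ignore:
    - CVE-EXAMPLE-1
    - CVE-EXAMPLE-2
YAML

# Read the ignore list out of a config file's YAML text. A file with no
# "ignore" key yields [], i.e. nothing is suppressed.
def config_ignores(yaml_text)
  data = YAML.safe_load(yaml_text) || {}
  Array(data["ignore"]).map(&:to_s)
end

# Model of the CLI parsing failure described above: a bare --ignore with no
# value is rejected rather than being treated as "ignore nothing". Values are
# taken up to the next --option, like an array-typed option.
def parse_ignore_flag(argv)
  idx = argv.index("--ignore")
  return nil if idx.nil?                      # flag absent

  values = argv[(idx + 1)..].take_while { |a| !a.start_with?("--") }
  raise ArgumentError, "No value provided for option '--ignore'" if values.empty?
  values
end

# Compute the effective ignore list from the config file and the --ignore flag.
#   mode: :override  -> explicit --ignore replaces the config file's list
#                       (the current behaviour described in the thread)
#   mode: :union     -> the two lists are merged
#   no_config: true  -> hypothetical --no-config flag; the only way to end up
#                       with an empty list when the config file has ignores,
#                       because an empty --ignore cannot be passed.
def resolve_ignores(config_yaml:, cli_ignores: nil, no_config: false, mode: :override)
  from_config = no_config ? [] : config_ignores(config_yaml)
  return from_config if cli_ignores.nil?

  case mode
  when :override then cli_ignores.uniq
  when :union    then from_config | cli_ignores
  else raise ArgumentError, "unknown mode #{mode.inspect}"
  end
end

# An advisory is reported unless it is on the effective ignore list.
def report?(advisory_id, ignores)
  !ignores.include?(advisory_id)
end

if $PROGRAM_NAME == __FILE__
  cli = parse_ignore_flag(%w[--config bundler-config.yml --ignore CVE-EXAMPLE-3])
  puts "override: #{resolve_ignores(config_yaml: SAMPLE_CONFIG_YAML, cli_ignores: cli).inspect}"
  puts "union:    #{resolve_ignores(config_yaml: SAMPLE_CONFIG_YAML, cli_ignores: cli, mode: :union).inspect}"
  puts "no-config: #{resolve_ignores(config_yaml: SAMPLE_CONFIG_YAML, no_config: true).inspect}"
end
```

Under override semantics a central auditor that passes its own --ignore list gets exactly that list, but an auditor with nothing to ignore has no way to discard the project's config file ignores short of pointing --config at an empty file or having a --no-config flag, which is the gap the follow-up comment describes.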
