retire.js
.retireignore.json single justification for vulnerable version
When a given library version has multiple vulnerabilities, a justification has to be given per vulnerability.
There are many scenarios where a library version can be ignored as a whole,
e.g. if a package for development purposes is responsible for these multiple vulnerabilities, a single justification applies to all of them.
So instead of writing the justification as
[
  {
    "component": "jquery",
    "version": "1.8.3",
    "identifiers": {
      "issue": "11974"
    },
    "justification": "It's included in the directory because the library can be used as a jquery plugin but we use it as plain javascript, so no jQuery."
  },
  {
    "component": "jquery",
    "version": "1.8.3",
    "identifiers": {
      "issue": "2432"
    },
    "justification": "It's included in the directory because the library can be used as a jquery plugin but we use it as plain javascript, so no jQuery."
  },
  {
    "component": "jquery",
    "version": "1.8.3",
    "identifiers": {
      "issue": "11290"
    },
    "justification": "It's included in the directory because the library can be used as a jquery plugin but we use it as plain javascript, so no jQuery."
  },
  {
    "component": "jquery",
    "version": "1.8.3",
    "identifiers": {
      "issue": "2432"
    },
    "justification": "It's included in the directory because the library can be used as a jquery plugin but we use it as plain javascript, so no jQuery."
  }
]
We should be able to write it as
[
  {
    "component": "jquery",
    "version": "1.8.3",
    "identifiers": [
      {
        "issue": "11974"
      },
      {
        "issue": "2432"
      },
      {
        "issue": "2432"
      },
      {
        "bug": "11290"
      }
    ],
    "justification": "It's included in the directory because the library can be used as a jquery plugin but we use it as plain javascript, so no jQuery."
  }
]
I see how this could be useful. In your example though, if you're not at all worried about that library, you could just go with this I think:
[
  {
    "component": "jquery",
    "version": "1.8.3",
    "justification": "It's included in the directory because the library can be used as a jquery plugin but we use it as plain javascript, so no jQuery."
  }
]
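To make the three shapes discussed in this thread concrete, here is an added example (not part of the issue, and not retire.js's own matching code) of how each kind of `.retireignore.json` entry suppresses scanner findings. It assumes what the thread implies: `component` and `version` match exactly, an entry with no `identifiers` ignores every finding for that version, and the proposed array form ignores any finding that matches one of its identifiers. The findings, the lodash placeholder and the helper names (`applyIgnores`, `entryCovers`, `validateEntry`) are constructed for illustration.

```javascript
// Added example, not retire.js's own code: a small model of how entries in
// .retireignore.json suppress findings. Field semantics are assumed from the
// thread; retire.js's real matcher may differ in details (e.g. version ranges).

const asList = (v) => (Array.isArray(v) ? v : [v]);

// One identifier object ({ issue: "2432" }) matches a finding when every key
// in it is present on the finding with at least one shared value. Keys are
// compared as-is, so { bug: "11290" } does not match { issue: "11290" }.
function identifierMatches(wanted, actual) {
  return Object.keys(wanted).every((key) => {
    if (!(key in actual)) return false;
    const have = new Set(asList(actual[key]).map(String));
    return asList(wanted[key]).some((v) => have.has(String(v)));
  });
}

// Reject malformed entries early: an ignore without a justification defeats
// the purpose of keeping an audit trail for accepted risk.
function validateEntry(entry) {
  if (typeof entry.component !== 'string' || typeof entry.version !== 'string') {
    throw new Error('ignore entry needs string "component" and "version"');
  }
  if (typeof entry.justification !== 'string' || entry.justification.trim() === '') {
    throw new Error(`ignore for ${entry.component}@${entry.version} has no justification`);
  }
  return entry;
}

// No "identifiers" => the whole version is accepted; an object or an array of
// objects => only findings matching one of them are accepted.
function entryCovers(entry, finding) {
  if (entry.component !== finding.component || entry.version !== finding.version) return false;
  if (entry.identifiers === undefined) return true;
  return asList(entry.identifiers).some((ids) => identifierMatches(ids, finding.identifiers));
}

// Split findings into the ones still reported and the ones suppressed,
// keeping the justification next to each suppressed finding for the report.
function applyIgnores(findings, ignoreFile) {
  const entries = ignoreFile.map(validateEntry);
  const reported = [];
  const ignored = [];
  for (const finding of findings) {
    const entry = entries.find((e) => entryCovers(e, finding));
    if (entry) ignored.push({ finding, justification: entry.justification });
    else reported.push(finding);
  }
  return { reported, ignored };
}

// Constructed sample findings shaped like the component/version/identifiers
// triples in the thread; the lodash one is a placeholder, not a real advisory.
const findings = [
  { component: 'jquery', version: '1.8.3', identifiers: { issue: '11974' } },
  { component: 'jquery', version: '1.8.3', identifiers: { issue: '2432' } },
  { component: 'jquery', version: '1.8.3', identifiers: { bug: '11290' } },
  { component: 'lodash', version: '4.17.15', identifiers: { summary: 'constructed placeholder finding' } },
];

const why = 'Shipped only as a jQuery plugin example; the app does not load jQuery.';

// (a) one entry per vulnerability, as the issue says is required today
const perVulnerability = [
  { component: 'jquery', version: '1.8.3', identifiers: { issue: '11974' }, justification: why },
  { component: 'jquery', version: '1.8.3', identifiers: { issue: '2432' }, justification: why },
];
// (b) the maintainer's suggestion: no "identifiers" ignores the whole version
const wholeVersion = [{ component: 'jquery', version: '1.8.3', justification: why }];
// (c) the array form proposed in the issue
const identifierList = [{
  component: 'jquery',
  version: '1.8.3',
  identifiers: [{ issue: '11974' }, { issue: '2432' }, { bug: '11290' }],
  justification: why,
}];

for (const [name, file] of [['per-vulnerability', perVulnerability],
                            ['whole-version', wholeVersion],
                            ['identifier-list', identifierList]]) {
  const { reported, ignored } = applyIgnores(findings, file);
  console.log(`${name}: ${ignored.length} ignored, ${reported.length} still reported`);
}
```

Note that the per-vulnerability file still leaves the `bug: 11290` finding reported, because identifier keys are compared literally; the whole-version entry is the simplest way to accept everything known for `jquery@1.8.3`, at the cost of also silently accepting any vulnerability added to the database for that version later.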