
.retireignore.json single justification for vulnerable version

Open · lifenautjoe opened this issue 6 years ago · 1 comment

When a given library version has multiple vulnerabilities, a justification has to be given per vulnerability.

There are many scenarios where a library version can be ignored as a whole.

e.g. if a package used for development purposes is responsible for these multiple vulnerabilities, a single justification applies to all of them.

So instead of writing the justification as

    {
        "component": "jquery",
        "version": "1.8.3",
        "identifiers": {
            "issue": "11974"
        },
        "justification": "Its included in the directory because the library can be used as a jquery plugin but we use it as plain javascript, so no jQuery."
    },
    {
        "component": "jquery",
        "version": "1.8.3",
        "identifiers": {
            "issue": "2432"
        },
        "justification": "Its included in the directory because the library can be used as a jquery plugin but we use it as plain javascript, so no jQuery."
    },
    {
        "component": "jquery",
        "version": "1.8.3",
        "identifiers": {
            "issue": "11290"
        },
        "justification": "Its included in the directory because the library can be used as a jquery plugin but we use it as plain javascript, so no jQuery."
    },
    {
        "component": "jquery",
        "version": "1.8.3",
        "identifiers": {
            "issue": "2432"
        },
        "justification": "Its included in the directory because the library can be used as a jquery plugin but we use it as plain javascript, so no jQuery."
    },

We should be able to write it as

    {
        "component": "jquery",
        "version": "1.8.3",
        "identifiers": [
            {
                "issue": "11974"
            },
            {
                "issue": "2432"
            },
            {
                "issue": "2432"
            },
            {
                "bug": "11290"
            }

        ],
        "justification": "Its included in the directory because the library can be used as a jquery plugin but we use it as plain javascript, so no jQuery."
    }

lifenautjoe, Jan 31 '18 09:01

I see how this could be useful. In your example though, if you're not at all worried about that library, you could just go with this I think:

    {
        "component": "jquery",
        "version": "1.8.3",
        "justification": "Its included in the directory because the library can be used as a jquery plugin but we use it as plain javascript, so no jQuery."
    }

eoftedal, Feb 01 '18 19:02
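The two shapes discussed in this thread (one entry per identifier, which retire.js reads, and one entry per component version with an `identifiers` array, which the issue proposes) can be converted into each other mechanically. The following is an added example, not retire.js code and not the issue author's; it assumes the entry shape shown above (`component`, `version`, optional `identifiers`, `justification`) and, following eoftedal's reply, treats an entry with no `identifiers` as suppressing every finding for that version. The `lodash` entry and the shortened justification strings are constructed sample data.

```javascript
// Constructed sample: the grouped entry proposed in this issue plus the
// identifier-less form from the reply. Not taken from any real project.
const proposedIgnores = [
  {
    component: "jquery",
    version: "1.8.3",
    identifiers: [{ issue: "11974" }, { issue: "2432" }, { issue: "2432" }, { bug: "11290" }],
    justification: "Used as plain JavaScript, not as a jQuery plugin."
  },
  {
    component: "lodash",            // hypothetical second component
    version: "4.17.4",              // constructed version, whole version ignored
    justification: "Dev-only dependency, never shipped to the browser."
  }
];

// Stable string key for an identifier object so that duplicates compare
// equal regardless of property order.
function identifierKey(id) {
  return JSON.stringify(Object.keys(id).sort().map((k) => [k, id[k]]));
}

// Expand grouped entries (identifiers given as an array) into one entry per
// identifier, the shape retire.js reads today according to the thread.
// Entries without identifiers pass through unchanged. Exact duplicates
// (same component, version and identifier) are dropped.
function expandIgnores(entries) {
  const seen = new Set();
  const out = [];
  for (const entry of entries) {
    const { identifiers, ...rest } = entry;
    const ids = identifiers === undefined ? [undefined]
              : Array.isArray(identifiers) ? identifiers : [identifiers];
    for (const id of ids) {
      const key = `${rest.component}@${rest.version}#${id ? identifierKey(id) : "*"}`;
      if (seen.has(key)) continue;
      seen.add(key);
      out.push(id === undefined ? { ...rest } : { ...rest, identifiers: id });
    }
  }
  return out;
}

// The reverse: group per-identifier entries that share component, version
// and justification into one entry with an identifiers array, so a single
// justification is written once (the issue's proposal). Entries whose
// justifications differ stay separate. If one of the grouped entries
// already ignores the whole version, the identifiers become redundant and
// the identifier-less form is emitted instead.
function consolidateIgnores(entries) {
  const groups = new Map();
  for (const entry of expandIgnores(entries)) {   // de-duplicate first
    const key = `${entry.component}@${entry.version}|${entry.justification}`;
    if (!groups.has(key)) {
      groups.set(key, {
        component: entry.component,
        version: entry.version,
        identifiers: [],
        wholeVersion: false,
        justification: entry.justification
      });
    }
    const g = groups.get(key);
    if (entry.identifiers === undefined) {
      g.wholeVersion = true;
    } else {
      g.identifiers.push(entry.identifiers);
    }
  }
  return [...groups.values()].map((g) => {
    const base = { component: g.component, version: g.version };
    if (g.wholeVersion || g.identifiers.length === 0) {
      return { ...base, justification: g.justification };
    }
    return { ...base, identifiers: g.identifiers, justification: g.justification };
  });
}

// Stand-alone usage: print the expanded form, then the re-grouped form.
console.log(JSON.stringify(expandIgnores(proposedIgnores), null, 2));
console.log(JSON.stringify(consolidateIgnores(proposedIgnores), null, 2));
```

Running `expandIgnores` on the thread's original four-entry list collapses the repeated `2432` entry, which is an easy way to spot copy-paste duplicates in a hand-maintained `.retireignore.json` before committing it.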