Replies: 4 comments
-
Hi @bluthen! Thank you for submitting your ideas! Could I please ask you to create additional threads here in "Ideas" for each feature request? Basically two more, one for the license aliases and one for specifying your own license.json file. I think they all have merit and deserve being discussed separately. Meanwhile, I'll respond to the wildcard idea here. We've tried to stay away from using wildcards as we feel it generally encourages bad security practices - however, I do see your point about versions. So in your case, if I understand correctly, you have multiple versions of the same package, each with the same issue, and you'd like to be able to mark all of them as resolved in one go instead of having to use multiple issue ids?
-
Thank you for responding. I think my wildcard use case is more like: I have internal packages, some of the issues they have, I am going to ignore them no matter the version. The next release of that internal package that gets released often (maybe daily/weekly/monthly), I am hoping I don't have to resolve those same issues again and again. All versions with those issues I always want to have be resolved. For an internal package, there will not be CVE issues, but license issues, pre/post-install script, no repo maybe. It is not the biggest deal. I can always write my own script to add them to the resolve file on my own for those internal packages, but thought it could be a useful feature for others. But it is a good point not to encourage people to just set them for all versions. I don't want to do that for anything other than internal packages that get updated much more frequently than all the others.
-
Thank you @bluthen, that makes sense. I've created #94 to add this functionality. I'll circle back with news once it's deployed.
-
Done in v1.36.0 #100
-
Great project BTW. Recently was using this with a project with over 1000 dependencies.
I was thinking it would be nice to ignore a specific module's issues, or issue types. Or maybe all versions of that module. Could a possible way to support this be to allow resolved-issues.json to have an empty id, and only path, note? An empty id could be like a wildcard for all issues with that path. Or if wildcards are allowed in the id, so it can cover all versions.
Edit: I removed the stuff to only pertain to the wildcard idea, then made new discussions #92 and #93