google · michaelkedar · Mar 20, 2023 · Mar 15, 2023 · Mar 15, 2023 · Mar 15, 2023
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -27,3 +27,5 @@ id = "GO-2022-1059"
 # ignoreUntil = 2022-11-09 # Optional exception expiry date
 reason = "No external http servers are written in Go lang."
 ```
+
+Ignoring a vulnerability will also ignore vulnerabilities that are considered aliases of that vulnerability.
diff --git a/internal/testutility/utility.go b/internal/testutility/utility.go
@@ -49,7 +49,7 @@ func AssertMatchFixtureJSON[V any](t *testing.T, path string, val V) {
 // can be used with AssertMatchFixtureJSON to compare against future values.
 func CreateJSONFixture[V any](t *testing.T, path string, val V) {
 	t.Helper()
-	file, err := os.Open(path)
+	file, err := os.Create(path)
 	if err != nil {
 		t.Fatalf("Failed to open file to write: %s", err)
 	}

diff --git a/pkg/osvscanner/fixtures/filter/.gitignore b/pkg/osvscanner/fixtures/filter/.gitignore
@@ -0,0 +1 @@
+out.json
diff --git a/pkg/osvscanner/fixtures/filter/all/configs/a/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/all/configs/a/osv-scanner.toml
@@ -0,0 +1,21 @@
+# An entry for every vulnerability (including aliases)
+
+[[IgnoredVulns]]
+id = "GHSA-mc8h-8q98-g5hr"
+reason = "Ignore 1"
+# Alias of RUSTSEC-2023-0018
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2023-0018"
+reason = "Redundant Ignore 1"
+# Redundant ignore statement - Alias of GHSA-mc8h-8q98-g5hr
+
+[[IgnoredVulns]]
+id = "GHSA-wcg3-cvx6-7396"
+reason = "Ignore 2"
+# Alias of RUSTSEC-2020-0071
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2020-0071"
+reason = "Redundant Ignore 2"
+# Redundant ignore statement - Alias of GHSA-wcg3-cvx6-7396
diff --git a/pkg/osvscanner/fixtures/filter/all/configs/b/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/all/configs/b/osv-scanner.toml
@@ -0,0 +1,16 @@
+# One entry for each vulnerability group
+
+[[IgnoredVulns]]
+id = "GHSA-fxg5-wq6x-vr4w"
+reason = "Ignore 1"
+# Alias of GO-2023-1495
+
+[[IgnoredVulns]]
+id = "GO-2022-1144"
+reason = "Ignore 2"
+# Alias of GHSA-xrjj-mj9h-534m
+
+[[IgnoredVulns]]
+id = "GO-2023-1571"
+reason = "Ignore 3"
+# Alias of GHSA-vvpx-j8f3-3w6h
diff --git a/pkg/osvscanner/fixtures/filter/all/configs/c/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/all/configs/c/osv-scanner.toml
@@ -0,0 +1,21 @@
+# One entry for each vulnerability group
+
+[[IgnoredVulns]]
+id = "GHSA-mc8h-8q98-g5hr"
+reason = "Ignore 1"
+# Alias of RUSTSEC-2023-0018
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2020-0071"
+reason = "Ignore 2"
+# Alias of GHSA-wcg3-cvx6-7396
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2023-0015"
+reason = "Ignore 3"
+# No aliases
+
+[[IgnoredVulns]]
+id = "GHSA-mrrw-grhq-86gf"
+reason = "Ignore 4"
+# No aliases
diff --git a/pkg/osvscanner/fixtures/filter/all/input.json b/pkg/osvscanner/fixtures/filter/all/input.json
diff --git a/pkg/osvscanner/fixtures/filter/all/want.json b/pkg/osvscanner/fixtures/filter/all/want.json
@@ -0,0 +1,3 @@
+{
+  "results": []
+}
diff --git a/pkg/osvscanner/fixtures/filter/none/configs/a/no_config b/pkg/osvscanner/fixtures/filter/none/configs/a/no_config
diff --git a/pkg/osvscanner/fixtures/filter/none/configs/b/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/none/configs/b/osv-scanner.toml
@@ -0,0 +1 @@
+# An empty config file
diff --git a/pkg/osvscanner/fixtures/filter/none/configs/c/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/none/configs/c/osv-scanner.toml
@@ -0,0 +1,13 @@
+# These vulnerabilities do not appear in this 'source'
+
+[[IgnoredVulns]]
+id = "GHSA-fxg5-wq6x-vr4w"
+reason = "Ignore 1"
+
+[[IgnoredVulns]]
+id = "GO-2022-1144"
+reason = "Ignore 2"
+
+[[IgnoredVulns]]
+id = "GO-2023-1571"
+reason = "Ignore 3"
diff --git a/pkg/osvscanner/fixtures/filter/none/input.json b/pkg/osvscanner/fixtures/filter/none/input.json
diff --git a/pkg/osvscanner/fixtures/filter/none/want.json b/pkg/osvscanner/fixtures/filter/none/want.json
diff --git a/pkg/osvscanner/fixtures/filter/some/configs/a/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/some/configs/a/osv-scanner.toml
@@ -0,0 +1,11 @@
+# Every vulnerability in this source is ignored. Should not show up at all after filtering.
+
+[[IgnoredVulns]]
+id = "GHSA-mc8h-8q98-g5hr"
+reason = "Ignore 1"
+# Alias of RUSTSEC-2023-0018
+
+[[IgnoredVulns]]
+id = "RUSTSEC-2020-0071"
+reason = "Ignore 2"
+# Alias of GHSA-wcg3-cvx6-7396
diff --git a/pkg/osvscanner/fixtures/filter/some/configs/b/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/some/configs/b/osv-scanner.toml
@@ -0,0 +1,14 @@
+# golang.org/x/net is the only vulnerable package, but has multiple unique vulnerabilities.
+# Ignore some vulnerabilities while keeping others. Package should remain in filtered output.
+
+[[IgnoredVulns]]
+id = "GHSA-fxg5-wq6x-vr4w"
+reason = "Ignore 1"
+# Alias of GO-2023-1495
+
+[[IgnoredVulns]]
+id = "GO-2022-1144"
+reason = "Ignore 2"
+# No aliases
+
+# GHSA-vvpx-j8f3-3w6h (and alias GO-2023-1571) should remain unfiltered.
diff --git a/pkg/osvscanner/fixtures/filter/some/configs/c/osv-scanner.toml b/pkg/osvscanner/fixtures/filter/some/configs/c/osv-scanner.toml
@@ -0,0 +1,18 @@
+# Ignore all vulnerabilities from one package (remove_dir_all), one from one package (ascii), none from other (time).
+# remove_dir_all should be removed from filtered output, other two packages should remain with filtered vulns.
+
+# remove_dir_all:
+[[IgnoredVulns]]
+id = "GHSA-mc8h-8q98-g5hr"
+reason = "Ignore 1"
+# Alias of RUSTSEC-2023-0018
+
+# ascii:
+[[IgnoredVulns]]
+id = "RUSTSEC-2023-0015"
+reason = "Ignore 2"
+# No Aliases
+
+# Remaining packages/vulns:
+# ascii - GHSA-mrrw-grhq-86gf (no aliases)
+# time - GHSA-wcg3-cvx6-7396 (& alias RUSTSEC-2020-0071)