From 2b47080425ce7d5a5aac55ded2f743a98eeed6f2 Mon Sep 17 00:00:00 2001 From: Andrew De Torres Date: Fri, 13 May 2022 15:08:29 -0700 Subject: [PATCH 1/2] chore: update readme to add allow list formats --- README.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/README.md b/README.md index 9fe792be..41c91ac2 100644 --- a/README.md +++ b/README.md @@ -65,6 +65,33 @@ Also, it suppresses an advisory of `axios` and a transitive advisory of `react-s } ``` +### Allowlist formats + +To suppress the vulnerability associated with the an advisory. You can simply add the advisory ID to the allowlist. +- For example, Axios denial of service (https://github.com/advisories/GHSA-42xw-2xvc-qx8m) +```jsonc +"allowlist": [ + "GHSA-42xw-2xvc-qx8m", +] +``` + +To suppress advisories for all transitive dependencies of a given package, use this format: `"*|PACKAGE_NAME>*"` +*Note: This may allow legitimate advisories may slip through.* +- For example, `react-scripts` +```jsonc +"allowlist": [ + "*|react-scripts>*" +] +``` + +To suppress an advisory related to a transitive dependency of a given package, use the following format: `"ADVISORY_ID|PACKAGE_NAME>PACKAGE_A>PACKAGE_B"` +- For example, `nth-check` in `react-scripts` +```jsonc +"allowlist": [ + "GHSA-rp65-9cf3-cjxr|react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check" +] +``` + ### GitHub Actions ```yml From 924768cfa59216474c756634e4f8a2c42cb134c2 Mon Sep 17 00:00:00 2001 From: Andrew De Torres Date: Fri, 13 May 2022 15:13:51 -0700 Subject: [PATCH 2/2] chore: fix readme typo --- README.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 41c91ac2..96afcebe 100644 --- a/README.md +++ b/README.md 
@@ -68,7 +68,9 @@ Also, it suppresses an advisory of `axios` and a transitive advisory of `react-s ### Allowlist formats To suppress the vulnerability associated with the an advisory. You can simply add the advisory ID to the allowlist. + - For example, Axios denial of service (https://github.com/advisories/GHSA-42xw-2xvc-qx8m) + ```jsonc "allowlist": [ "GHSA-42xw-2xvc-qx8m", @@ -76,8 +78,10 @@ To suppress the vulnerability associated with the an advisory. You can simply ad ``` To suppress advisories for all transitive dependencies of a given package, use this format: `"*|PACKAGE_NAME>*"` -*Note: This may allow legitimate advisories may slip through.* +_Note: This may allow legitimate advisories to slip through._ + - For example, `react-scripts` + ```jsonc "allowlist": [ "*|react-scripts>*" @@ -85,7 +89,9 @@ To suppress advisories for all transitive dependencies of a given package, use t ``` To suppress an advisory related to a transitive dependency of a given package, use the following format: `"ADVISORY_ID|PACKAGE_NAME>PACKAGE_A>PACKAGE_B"` + - For example, `nth-check` in `react-scripts` + ```jsonc "allowlist": [ "GHSA-rp65-9cf3-cjxr|react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check"
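Review bot: In the first patch's hunk (`@@ -65,6 +65,33 @@`), the introductory sentence of the new "Allowlist formats" section has a doubled article and is split into a fragment: "To suppress the vulnerability associated with the an advisory. You can simply add the advisory ID to the allowlist." Suggest "To suppress the vulnerability associated with an advisory, add the advisory ID to the allowlist." In the same hunk the first `jsonc` snippet ends its array entry with a trailing comma (`"GHSA-42xw-2xvc-qx8m",`) while the other two snippets do not; a trailing comma is invalid in a strict JSON config file, so either drop it or keep all three snippets consistent.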
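Review bot: In the second patch's first hunk (`@@ -68,7 +68,9 @@`), the context line still reads "associated with the an advisory. You can simply add" even though this commit is titled "fix readme typo"; the doubled article and the sentence fragment should be corrected here alongside the blank-line fixes, and the trailing comma after `"GHSA-42xw-2xvc-qx8m",` in the snippet below it should be removed for consistency with the other examples.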
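Review bot: In the second patch's second hunk (`@@ -76,8 +78,10 @@`), the rewritten note `_Note: This may allow legitimate advisories to slip through._` reads correctly now, but it understates the effect of `"*|PACKAGE_NAME>*"`: the wildcard suppresses every current and future advisory for every transitive dependency of that package. Suggest saying so explicitly and pointing readers to the `ADVISORY_ID|PACKAGE_NAME>...` form documented just below as the preferred, narrower option, e.g. "Prefer the advisory-scoped format below; use the wildcard only as a temporary measure."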
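Review bot: In the second patch's third hunk (`@@ -85,7 +89,9 @@`), the `"ADVISORY_ID|PACKAGE_NAME>PACKAGE_A>PACKAGE_B"` format is shown with a six-element chain (`react-scripts>@svgr/webpack>@svgr/plugin-svgo>svgo>css-select>nth-check`) but the text does not say whether the path must match the whole dependency chain exactly or whether a prefix is enough, nor where the user is expected to read the chain from. One sentence covering both points would keep users from writing an entry that silently fails to match.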