feat: don't filter when ignoring all vulns

Author: G-Rath

cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

@@ -5895,17 +5895,9 @@ Filtered 2 ignored package/s from the scan.
 <tempdir>/nested-2/osv-scanner-test.toml has been updated to ignore 3 vulnerabilities
 <tempdir>/nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability
 <tempdir>/osv-scanner-test.toml has been updated to ignore 2 vulnerabilities
-CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-Filtered 3 vulnerabilities from output
-<tempdir>/nested-2/osv-scanner-test.toml has unused ignores:
- - GHSA-2g4f-4pwh-qvx6
-<tempdir>/nested-3/osv-scanner-test.toml has unused ignores:
- - GHSA-2g4f-4pwh-qvx6
 
-Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
-8 vulnerabilities can be fixed.
+Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
+11 vulnerabilities can be fixed.
 
 RubyGems
 
@@ -5919,7 +5911,7 @@ lockfile:<tempdir>/Gemfile.lock: found 1 package with issues
 
 npm
 
-lockfile:<tempdir>/nested-1/package-lock.json: found 2 packages with issues
+lockfile:<tempdir>/nested-1/package-lock.json: found 3 packages with issues
 
   ajv@6.0.0 has the following known vulnerabilities:
     GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
@@ -5929,19 +5921,27 @@ lockfile:<tempdir>/nested-1/package-lock.json: found 2 packages with issues
   ajv@8.0.0 has the following known vulnerabilities:
     GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
       Severity: '5.5'; Minimal Fix Version: '8.18.0';
+  ansi-html@0.0.1 has the following known vulnerabilities:
+    GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html
+      Severity: '7.5'; Minimal Fix Version: '0.0.8';
 
-  3 known vulnerabilities found in lockfile:<tempdir>/nested-1/package-lock.json
+  4 known vulnerabilities found in lockfile:<tempdir>/nested-1/package-lock.json
 
-lockfile:<tempdir>/nested-2/package-lock.json: found 2 packages with issues
+lockfile:<tempdir>/nested-2/package-lock.json: found 3 packages with issues
 
   ajv@6.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '6.14.0';
     GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv
       Severity: '5.6'; Minimal Fix Version: '6.12.3';
+  ajv@8.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '8.18.0';
   ansi-html@0.0.1 has the following known vulnerabilities:
     GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html
       Severity: '7.5'; Minimal Fix Version: '0.0.8';
 
-  2 known vulnerabilities found in lockfile:<tempdir>/nested-2/package-lock.json
+  4 known vulnerabilities found in lockfile:<tempdir>/nested-2/package-lock.json
 
 lockfile:<tempdir>/nested-3/package-lock.json: found 1 package with issues
 
@@ -6072,8 +6072,6 @@ Package npm/ajv/6.0.0 has been filtered out because: (no reason given)
 Package npm/ajv/8.0.0 has been filtered out because: (no reason given)
 Filtered 2 ignored package/s from the scan.
 <tempdir>/nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability
-<tempdir>/nested-3/osv-scanner-test.toml has unused ignores:
- - GHSA-2g4f-4pwh-qvx6
 
 Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
 11 vulnerabilities can be fixed.
@@ -6277,16 +6275,9 @@ Filtered 2 ignored package/s from the scan.
 <tempdir>/nested-2/osv-scanner-test.toml has been updated to ignore 3 vulnerabilities
 <tempdir>/nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability
 <tempdir>/osv-scanner-test.toml has been updated to ignore 2 vulnerabilities
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-Filtered 2 vulnerabilities from output
-<tempdir>/nested-2/osv-scanner-test.toml has unused ignores:
- - GHSA-2g4f-4pwh-qvx6
-<tempdir>/nested-3/osv-scanner-test.toml has unused ignores:
- - GHSA-2g4f-4pwh-qvx6
 
-Total 8 packages affected by 9 known vulnerabilities (0 Critical, 4 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
-9 vulnerabilities can be fixed.
+Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
+11 vulnerabilities can be fixed.
 
 RubyGems
 
@@ -6316,16 +6307,21 @@ lockfile:<tempdir>/nested-1/package-lock.json: found 3 packages with issues
 
   4 known vulnerabilities found in lockfile:<tempdir>/nested-1/package-lock.json
 
-lockfile:<tempdir>/nested-2/package-lock.json: found 2 packages with issues
+lockfile:<tempdir>/nested-2/package-lock.json: found 3 packages with issues
 
   ajv@6.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '6.14.0';
     GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv
       Severity: '5.6'; Minimal Fix Version: '6.12.3';
+  ajv@8.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '8.18.0';
   ansi-html@0.0.1 has the following known vulnerabilities:
     GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html
       Severity: '7.5'; Minimal Fix Version: '0.0.8';
 
-  2 known vulnerabilities found in lockfile:<tempdir>/nested-2/package-lock.json
+  4 known vulnerabilities found in lockfile:<tempdir>/nested-2/package-lock.json
 
 lockfile:<tempdir>/nested-3/package-lock.json: found 1 package with issues
 
@@ -6460,18 +6456,9 @@ Scanned <tempdir>/nested-3/package-lock.json file and found 3 packages
 Scanned <tempdir>/package-lock.json file and found 1 package
 Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
 <tempdir>/custom-config.toml has been updated to ignore 4 vulnerabilities
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-Filtered 6 vulnerabilities from output
-<tempdir>/custom-config.toml has unused ignores:
- - CVE-123-456-789
 
-Total 8 packages affected by 8 known vulnerabilities (0 Critical, 4 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
-8 vulnerabilities can be fixed.
+Total 11 packages affected by 14 known vulnerabilities (0 Critical, 4 High, 10 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
+14 vulnerabilities can be fixed.
 
 RubyGems
 
@@ -6485,38 +6472,53 @@ lockfile:<tempdir>/Gemfile.lock: found 1 package with issues
 
 npm
 
-lockfile:<tempdir>/nested-1/package-lock.json: found 2 packages with issues
+lockfile:<tempdir>/nested-1/package-lock.json: found 3 packages with issues
 
   ajv@6.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '6.14.0';
     GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv
       Severity: '5.6'; Minimal Fix Version: '6.12.3';
+  ajv@8.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '8.18.0';
   ansi-html@0.0.1 has the following known vulnerabilities:
     GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html
       Severity: '7.5'; Minimal Fix Version: '0.0.8';
 
-  2 known vulnerabilities found in lockfile:<tempdir>/nested-1/package-lock.json
+  4 known vulnerabilities found in lockfile:<tempdir>/nested-1/package-lock.json
 
-lockfile:<tempdir>/nested-2/package-lock.json: found 2 packages with issues
+lockfile:<tempdir>/nested-2/package-lock.json: found 3 packages with issues
 
   ajv@6.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '6.14.0';
     GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv
       Severity: '5.6'; Minimal Fix Version: '6.12.3';
+  ajv@8.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '8.18.0';
   ansi-html@0.0.1 has the following known vulnerabilities:
     GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html
       Severity: '7.5'; Minimal Fix Version: '0.0.8';
 
-  2 known vulnerabilities found in lockfile:<tempdir>/nested-2/package-lock.json
+  4 known vulnerabilities found in lockfile:<tempdir>/nested-2/package-lock.json
 
-lockfile:<tempdir>/nested-3/package-lock.json: found 2 packages with issues
+lockfile:<tempdir>/nested-3/package-lock.json: found 3 packages with issues
 
   ajv@6.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '6.14.0';
     GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv
       Severity: '5.6'; Minimal Fix Version: '6.12.3';
+  ajv@8.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '8.18.0';
   ansi-html@0.0.1 has the following known vulnerabilities:
     GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html
       Severity: '7.5'; Minimal Fix Version: '0.0.8';
 
-  2 known vulnerabilities found in lockfile:<tempdir>/nested-3/package-lock.json
+  4 known vulnerabilities found in lockfile:<tempdir>/nested-3/package-lock.json
 
 lockfile:<tempdir>/package-lock.json: found 1 package with issues
 
@@ -6619,9 +6621,6 @@ Scanned <tempdir>/composer.lock file and found 0 packages
 Scanned <tempdir>/package-lock.json file and found 1 package
 Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
 <tempdir>/custom-config.toml has been updated to ignore 2 vulnerabilities
-<tempdir>/custom-config.toml has unused ignores:
- - CVE-123-456-789
- - GHSA-2g4f-4pwh-qvx6
 
 Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
 2 vulnerabilities can be fixed.
@@ -8170,7 +8169,6 @@ Scanned <tempdir>/composer.lock file and found 1 package
 Warning: plugin transitivedependency/pomxml can be risky when run on untrusted artifacts. Please ensure you trust the source code and artifacts before proceeding.
 Loaded filter from: <tempdir>/osv-scanner-test.toml
 No issues found
-
 ---
 
 [TestCommand_WithDetector_OnLinux/ssh_version_is_before_first_vuln_version - 2]

pkg/osvscanner/osvscanner.go

@@ -391,10 +391,8 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions)
 		vulnerabilityResults.LicenseSummary = buildLicenseSummary(&scanResult)
 	}
 
-	// todo: consider moving this after filtering
-	//  - p: should allow deduplicating some logic
-	//  - p: might be a better UX to present the vulns we're ignoring
-	//  - c: filtering removes vulns from results, so need to account for that
+	// we skip filtering vulns if we're going to ignore everything,
+	// as the output will serve as a list of what actually got ignored
 	if actions.UpdateConfigIgnores == "all" {
 		ignoreEntries, err := addVulnConfigIgnoresAndSave(&vulnerabilityResults, &scanResult.ConfigManager)
 
@@ -407,21 +405,21 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions)
 		if err != nil {
 			return models.VulnerabilityResults{}, err
 		}
-	}
-
-	filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages)
-	if filtered > 0 {
-		cmdlogger.Infof(
-			"Filtered %d %s from output",
-			filtered,
-			output.Form(filtered, "vulnerability", "vulnerabilities"),
-		)
-	}
+	} else {
+		filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages)
+		if filtered > 0 {
+			cmdlogger.Infof(
+				"Filtered %d %s from output",
+				filtered,
+				output.Form(filtered, "vulnerability", "vulnerabilities"),
+			)
+		}
 
-	err := handleUnusedIgnoreEntries(&scanResult.ConfigManager, actions.UpdateConfigIgnores == "unused")
+		err := handleUnusedIgnoreEntries(&scanResult.ConfigManager, actions.UpdateConfigIgnores == "unused")
 
-	if err != nil {
-		return models.VulnerabilityResults{}, err
+		if err != nil {
+			return models.VulnerabilityResults{}, err
+		}
 	}
 
 	return vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns)