feat: don't filter when ignoring all vulns

G-Rath · G-Rath · commit 72b86d8a3c40 · 2026-03-20T09:22:48.000+13:00
diff --git a/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap b/cmd/osv-scanner/scan/source/__snapshots__/command_test.snap
@@ -5894,17 +5894,9 @@ Filtered 2 ignored package/s from the scan.
 <tempdir>/nested-2/osv-scanner-test.toml has been updated to ignore 3 vulnerabilities
 <tempdir>/nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability
 <tempdir>/osv-scanner-test.toml has been updated to ignore 2 vulnerabilities
-CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-Filtered 3 vulnerabilities from output
-<tempdir>/nested-2/osv-scanner-test.toml has unused ignores:
- - GHSA-2g4f-4pwh-qvx6
-<tempdir>/nested-3/osv-scanner-test.toml has unused ignores:
- - GHSA-2g4f-4pwh-qvx6
 
-Total 7 packages affected by 8 known vulnerabilities (0 Critical, 3 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
-8 vulnerabilities can be fixed.
+Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
+11 vulnerabilities can be fixed.
 
 RubyGems
 
@@ -5918,7 +5910,7 @@ lockfile:<tempdir>/Gemfile.lock: found 1 package with issues
 
 npm
 
-lockfile:<tempdir>/nested-1/package-lock.json: found 2 packages with issues
+lockfile:<tempdir>/nested-1/package-lock.json: found 3 packages with issues
 
   ajv@6.0.0 has the following known vulnerabilities:
     GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
@@ -5928,19 +5920,27 @@ lockfile:<tempdir>/nested-1/package-lock.json: found 2 packages with issues
   ajv@8.0.0 has the following known vulnerabilities:
     GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
       Severity: '5.5'; Minimal Fix Version: '8.18.0';
+  ansi-html@0.0.1 has the following known vulnerabilities:
+    GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html
+      Severity: '7.5'; Minimal Fix Version: '0.0.8';
 
-  3 known vulnerabilities found in lockfile:<tempdir>/nested-1/package-lock.json
+  4 known vulnerabilities found in lockfile:<tempdir>/nested-1/package-lock.json
 
-lockfile:<tempdir>/nested-2/package-lock.json: found 2 packages with issues
+lockfile:<tempdir>/nested-2/package-lock.json: found 3 packages with issues
 
   ajv@6.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '6.14.0';
     GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv
       Severity: '5.6'; Minimal Fix Version: '6.12.3';
+  ajv@8.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '8.18.0';
   ansi-html@0.0.1 has the following known vulnerabilities:
     GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html
       Severity: '7.5'; Minimal Fix Version: '0.0.8';
 
-  2 known vulnerabilities found in lockfile:<tempdir>/nested-2/package-lock.json
+  4 known vulnerabilities found in lockfile:<tempdir>/nested-2/package-lock.json
 
 lockfile:<tempdir>/nested-3/package-lock.json: found 1 package with issues
 
@@ -6069,8 +6069,6 @@ Package npm/ajv/6.0.0 has been filtered out because: (no reason given)
 Package npm/ajv/8.0.0 has been filtered out because: (no reason given)
 Filtered 2 ignored package/s from the scan.
 <tempdir>/nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability
-<tempdir>/nested-3/osv-scanner-test.toml has unused ignores:
- - GHSA-2g4f-4pwh-qvx6
 
 Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
 11 vulnerabilities can be fixed.
@@ -6272,16 +6270,9 @@ Filtered 2 ignored package/s from the scan.
 <tempdir>/nested-2/osv-scanner-test.toml has been updated to ignore 3 vulnerabilities
 <tempdir>/nested-3/osv-scanner-test.toml has been updated to ignore 1 vulnerability
 <tempdir>/osv-scanner-test.toml has been updated to ignore 2 vulnerabilities
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-Filtered 2 vulnerabilities from output
-<tempdir>/nested-2/osv-scanner-test.toml has unused ignores:
- - GHSA-2g4f-4pwh-qvx6
-<tempdir>/nested-3/osv-scanner-test.toml has unused ignores:
- - GHSA-2g4f-4pwh-qvx6
 
-Total 8 packages affected by 9 known vulnerabilities (0 Critical, 4 High, 5 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
-9 vulnerabilities can be fixed.
+Total 9 packages affected by 11 known vulnerabilities (0 Critical, 4 High, 7 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
+11 vulnerabilities can be fixed.
 
 RubyGems
 
@@ -6311,16 +6302,21 @@ lockfile:<tempdir>/nested-1/package-lock.json: found 3 packages with issues
 
   4 known vulnerabilities found in lockfile:<tempdir>/nested-1/package-lock.json
 
-lockfile:<tempdir>/nested-2/package-lock.json: found 2 packages with issues
+lockfile:<tempdir>/nested-2/package-lock.json: found 3 packages with issues
 
   ajv@6.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '6.14.0';
     GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv
       Severity: '5.6'; Minimal Fix Version: '6.12.3';
+  ajv@8.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '8.18.0';
   ansi-html@0.0.1 has the following known vulnerabilities:
     GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html
       Severity: '7.5'; Minimal Fix Version: '0.0.8';
 
-  2 known vulnerabilities found in lockfile:<tempdir>/nested-2/package-lock.json
+  4 known vulnerabilities found in lockfile:<tempdir>/nested-2/package-lock.json
 
 lockfile:<tempdir>/nested-3/package-lock.json: found 1 package with issues
 
@@ -6453,18 +6449,9 @@ Scanned <tempdir>/nested-2/package-lock.json file and found 3 packages
 Scanned <tempdir>/nested-3/package-lock.json file and found 3 packages
 Scanned <tempdir>/package-lock.json file and found 1 package
 <tempdir>/custom-config.toml has been updated to ignore 4 vulnerabilities
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-GHSA-2g4f-4pwh-qvx6 and 1 alias have been filtered out because: (no reason given)
-Filtered 6 vulnerabilities from output
-<tempdir>/custom-config.toml has unused ignores:
- - CVE-123-456-789
 
-Total 8 packages affected by 8 known vulnerabilities (0 Critical, 4 High, 4 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
-8 vulnerabilities can be fixed.
+Total 11 packages affected by 14 known vulnerabilities (0 Critical, 4 High, 10 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
+14 vulnerabilities can be fixed.
 
 RubyGems
 
@@ -6478,38 +6465,53 @@ lockfile:<tempdir>/Gemfile.lock: found 1 package with issues
 
 npm
 
-lockfile:<tempdir>/nested-1/package-lock.json: found 2 packages with issues
+lockfile:<tempdir>/nested-1/package-lock.json: found 3 packages with issues
 
   ajv@6.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '6.14.0';
     GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv
       Severity: '5.6'; Minimal Fix Version: '6.12.3';
+  ajv@8.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '8.18.0';
   ansi-html@0.0.1 has the following known vulnerabilities:
     GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html
       Severity: '7.5'; Minimal Fix Version: '0.0.8';
 
-  2 known vulnerabilities found in lockfile:<tempdir>/nested-1/package-lock.json
+  4 known vulnerabilities found in lockfile:<tempdir>/nested-1/package-lock.json
 
-lockfile:<tempdir>/nested-2/package-lock.json: found 2 packages with issues
+lockfile:<tempdir>/nested-2/package-lock.json: found 3 packages with issues
 
   ajv@6.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '6.14.0';
     GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv
       Severity: '5.6'; Minimal Fix Version: '6.12.3';
+  ajv@8.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '8.18.0';
   ansi-html@0.0.1 has the following known vulnerabilities:
     GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html
       Severity: '7.5'; Minimal Fix Version: '0.0.8';
 
-  2 known vulnerabilities found in lockfile:<tempdir>/nested-2/package-lock.json
+  4 known vulnerabilities found in lockfile:<tempdir>/nested-2/package-lock.json
 
-lockfile:<tempdir>/nested-3/package-lock.json: found 2 packages with issues
+lockfile:<tempdir>/nested-3/package-lock.json: found 3 packages with issues
 
   ajv@6.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '6.14.0';
     GHSA-v88g-cgmw-v5xw: Prototype Pollution in Ajv
       Severity: '5.6'; Minimal Fix Version: '6.12.3';
+  ajv@8.0.0 has the following known vulnerabilities:
+    GHSA-2g4f-4pwh-qvx6: ajv has ReDoS when using `$data` option
+      Severity: '5.5'; Minimal Fix Version: '8.18.0';
   ansi-html@0.0.1 has the following known vulnerabilities:
     GHSA-whgm-jr23-g3j9: Uncontrolled Resource Consumption in ansi-html
       Severity: '7.5'; Minimal Fix Version: '0.0.8';
 
-  2 known vulnerabilities found in lockfile:<tempdir>/nested-3/package-lock.json
+  4 known vulnerabilities found in lockfile:<tempdir>/nested-3/package-lock.json
 
 lockfile:<tempdir>/package-lock.json: found 1 package with issues
 
@@ -6610,9 +6612,6 @@ Scanned <tempdir>/Gemfile.lock file and found 1 package
 Scanned <tempdir>/composer.lock file and found 0 packages
 Scanned <tempdir>/package-lock.json file and found 1 package
 <tempdir>/custom-config.toml has been updated to ignore 2 vulnerabilities
-<tempdir>/custom-config.toml has unused ignores:
- - CVE-123-456-789
- - GHSA-2g4f-4pwh-qvx6
 
 Total 2 packages affected by 2 known vulnerabilities (0 Critical, 1 High, 1 Medium, 0 Low, 0 Unknown) from 2 ecosystems.
 2 vulnerabilities can be fixed.
diff --git a/pkg/osvscanner/osvscanner.go b/pkg/osvscanner/osvscanner.go
@@ -391,10 +391,8 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions)
 		vulnerabilityResults.LicenseSummary = buildLicenseSummary(&scanResult)
 	}
 
-	// todo: consider moving this after filtering
-	//  - p: should allow deduplicating some logic
-	//  - p: might be a better UX to present the vulns we're ignoring
-	//  - c: filtering removes vulns from results, so need to account for that
+	// we skip filtering vulns if we're going to ignore everything,
+	// as the output will serve as a list of what actually got ignored
 	if actions.UpdateConfigIgnores == "all" {
 		ignoreEntries, err := addVulnConfigIgnoresAndSave(&vulnerabilityResults, &scanResult.ConfigManager)
 
@@ -407,21 +405,21 @@ func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions)
 		if err != nil {
 			return models.VulnerabilityResults{}, err
 		}
-	}
-
-	filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages)
-	if filtered > 0 {
-		cmdlogger.Infof(
-			"Filtered %d %s from output",
-			filtered,
-			output.Form(filtered, "vulnerability", "vulnerabilities"),
-		)
-	}
+	} else {
+		filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages)
+		if filtered > 0 {
+			cmdlogger.Infof(
+				"Filtered %d %s from output",
+				filtered,
+				output.Form(filtered, "vulnerability", "vulnerabilities"),
+			)
+		}
 
-	err := handleUnusedIgnoreEntries(&scanResult.ConfigManager, actions.UpdateConfigIgnores == "unused")
+		err := handleUnusedIgnoreEntries(&scanResult.ConfigManager, actions.UpdateConfigIgnores == "unused")
 
-	if err != nil {
-		return models.VulnerabilityResults{}, err
+		if err != nil {
+			return models.VulnerabilityResults{}, err
+		}
 	}
 
 	return vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns)
