
[FEATURE] Ability to filter vulnerabilities based on score #155

Closed
sgilhooly opened this issue Apr 12, 2024 · 4 comments
Labels
enhancement New feature or request

Comments

@sgilhooly
Contributor

  • What are you trying to do?

    • I would like the ability to tell the plugin to ignore OSS audit vulnerability findings that are below a certain "score" severity threshold
  • What feature or behavior is this required for?

    • For some projects, or especially in ci/cd scenarios, it is useful to focus only on higher priority vulnerabilities. It might be desirable, for example, to only fail a build if there are high or critical vulnerabilities discovered.
  • How could we solve this issue? (Not knowing is okay!)

    • Adding a minimumScore field to the OSS Audit extension which allows users to indicate what score a vulnerability must surpass before it is included in the results. This could work as part of the vulnerability filtering to exclude vulnerabilities which have a score lower than the configured value.
  • Anything else?

    • I have a possible implementation of this in my fork but I am not familiar with Nexus IQ so I don't know how this feature would interact with that. I also have not been able to get integration tests to work (even without my change) so not sure what validation I might be missing out on.
    • As a related note I also would find it useful to be able to allow the build task to succeed even if vulnerabilities are discovered. This would allow me to use the output of the scan to perform additional analysis of the report and decide for myself if the build should be failed or not. Having that ability would mostly make the "minimum score" feature unnecessary (for me anyway). So if that is generally useful, I could create a separate issue/PR for that.

cc @bhamail / @DarthHater / @guillermo-varela / @shaikhu

@sgilhooly sgilhooly added the enhancement New feature or request label Apr 12, 2024

Hi!

First of all, thank you for opening your first issue. Elementary, we appreciate all feedback that helps us continue improving this plugin.

As this is a community project we can't commit to official due dates for reviews and developing, but we're definitely committed to delivering services, integrations and plugins of top quality.

So please be patient, we will review your issue and get back to you as soon as we can!

Regards,
Sherlock Trunks 🐘

@guillermo-varela
Contributor

Hi @sgilhooly!

I have a possible implementation of this in my fork but I am not familiar with Nexus IQ so I don't know how this feature would interact with that.

When using ossIndexAudit there is no interaction with Nexus IQ Server. Instead it uses the free service OSS Index.

As a related note I also would find it useful to be able to allow the build task to succeed even if vulnerabilities are discovered. This would allow me to use the output of the scan to perform additional analysis of the report and decide for myself if the build should be failed or not. Having that ability would mostly make the "minimum score" feature unnecessary (for me anyway). So if that is generally useful, I could create a separate issue/PR for that.

I like that idea!
It would keep logic simple in the plugin and each one could decide in their pipeline how to process the output.
Also, you wouldn't need to parse plain text but instead could save the results in the CycloneDX 1.4 JSON format for easier interpretation.

I also have not been able to get integration tests to work (even without my change) so not sure what validation I might be missing out on.

You can submit your pull-request and we'll do our best to provide assistance 😄

Contributions from community are more than welcome 🎉
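The two ideas raised in this thread (a minimum-score filter inside the plugin, and letting the pipeline consume a CycloneDX 1.4 JSON report and decide for itself whether to fail the build) can both be expressed as a small post-processing gate. The script below is an added example written for this page; it is not code from scan-gradle-plugin or from the issue author. It assumes the plugin has written a CycloneDX 1.4 JSON report (the layout guillermo-varela mentions above), uses a constructed sample report with placeholder vulnerability ids, and assumes "minimum score" means a finding is kept when its best CVSS rating is not lower than the threshold. Findings that carry no numeric score are kept by default so that a missing score never silently hides a finding.

```python
"""Apply a minimum-score gate to a CycloneDX 1.4 JSON vulnerability report.

Added example for this issue thread; not part of scan-gradle-plugin.
"""
import json
import sys

# Constructed sample in the CycloneDX 1.4 JSON layout (not real plugin output).
# Vulnerability ids and package refs are placeholders.
SAMPLE_REPORT_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-001", "source": {"name": "OSS Index"},
         "ratings": [{"score": 9.8, "severity": "critical", "method": "CVSSv3"}],
         "affects": [{"ref": "pkg:maven/org.example/lib-a@1.0.0"}]},
        {"id": "VULN-EXAMPLE-002", "source": {"name": "OSS Index"},
         # two ratings from different CVSS versions; the gate uses the highest
         "ratings": [{"score": 5.3, "severity": "medium", "method": "CVSSv2"},
                     {"score": 7.5, "severity": "high", "method": "CVSSv3"}],
         "affects": [{"ref": "pkg:maven/org.example/lib-b@2.1.0"}]},
        {"id": "VULN-EXAMPLE-003", "source": {"name": "OSS Index"},
         "ratings": [{"score": 4.3, "severity": "medium", "method": "CVSSv3"}],
         "affects": [{"ref": "pkg:maven/org.example/lib-c@0.9.0"}]},
        {"id": "VULN-EXAMPLE-004", "source": {"name": "OSS Index"},
         # no numeric score at all: the edge case the gate must not lose
         "ratings": [{"severity": "unknown"}],
         "affects": [{"ref": "pkg:maven/org.example/lib-d@3.0.0"}]},
    ],
})


def load_sample():
    """Parse the constructed sample report into a dict."""
    return json.loads(SAMPLE_REPORT_JSON)


def max_score(vuln):
    """Highest numeric rating score on a vulnerability, or None if it has none."""
    scores = [r["score"] for r in vuln.get("ratings", [])
              if isinstance(r.get("score"), (int, float))]
    return max(scores) if scores else None


def filter_by_minimum_score(report, minimum_score, keep_unscored=True):
    """Return the vulnerabilities whose best score is not lower than minimum_score.

    Entries without a numeric score cannot be compared against the threshold;
    they are kept by default so an absent score never drops a finding silently.
    """
    kept = []
    for vuln in report.get("vulnerabilities", []):
        score = max_score(vuln)
        if score is None:
            if keep_unscored:
                kept.append(vuln)
        elif score >= minimum_score:
            kept.append(vuln)
    return kept


def should_fail_build(report, minimum_score, keep_unscored=True):
    """True when at least one finding survives the minimum-score filter."""
    return bool(filter_by_minimum_score(report, minimum_score, keep_unscored))


def summarize(vulns):
    """One human-readable line per finding: id, best score, affected packages."""
    lines = []
    for v in vulns:
        refs = ", ".join(a.get("ref", "?") for a in v.get("affects", []))
        score = max_score(v)
        shown = "n/a" if score is None else score
        lines.append(f"{v['id']}: score={shown} affects={refs}")
    return lines


if __name__ == "__main__":
    # Usage: python gate.py [report.json] [minimum_score]
    # Without arguments the constructed sample and a threshold of 7.0 are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = load_sample()
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    kept = filter_by_minimum_score(report, threshold)
    print("\n".join(summarize(kept)) or "no findings at or above threshold")
    # Non-zero exit lets a CI job fail on high-severity findings only.
    sys.exit(1 if kept else 0)
```

Run against the sample with a threshold of 7.0 the gate keeps the 9.8 and 7.5 findings plus the unscored one and exits non-zero; passing `keep_unscored=False` (or a stricter policy in the pipeline) drops the unscored entry. Taking the highest of several ratings matters because OSS Index can report more than one CVSS version for the same finding, and gating on the first rating listed would understate it.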

sgilhooly added a commit to sgilhooly/scan-gradle-plugin that referenced this issue Apr 26, 2024
guillermo-varela pushed a commit that referenced this issue May 9, 2024
@guillermo-varela
Contributor

Hi @sgilhooly!

Your contribution is now available on version 2.8.2:
https://github.com/sonatype-nexus-community/scan-gradle-plugin/releases/tag/2.8.2

Please let us know if this works for you and thank you for taking the time to develop this new feature 😄

@sgilhooly
Contributor Author

Thank you so much for considering it, reviewing it, and merging it! Looking forward to making good use of this plugin!

shaikhu pushed a commit that referenced this issue Oct 10, 2024