Improve advisory ignore matching and stale ignore warnings#1199

Merged: ericmj merged 2 commits into main from audit-ignore-followups on Jul 2, 2026

Conversation

ericmj (Member) commented Jul 2, 2026

Follow-ups from review of #1198.

  • Ignore matching now suppresses whole aliased advisory groups. Matching previously ran per raw advisory on its own id/aliases, but the audit displays merged groups, so ignoring the displayed primary ID (e.g. an EEF ID) only suppressed the sibling GHSA/NVD advisories if they cross-referenced that ID in their aliases — otherwise the same vulnerability showed under both Advisories: and Ignored advisories: and the audit still failed. Ignoring any identifier of a display group now suppresses all of its members, in both mix hex.audit and mix deps.get, and the audit partitions advisories in a single pass instead of two.
  • Stale ignore warnings now name where the entry is set (mix.exs, environment variable, or global config), since a globally-set entry would otherwise produce "can be removed" advice in every project, and are separated from the findings sections by a blank line.
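The group-wide suppression and the stale-entry warning described in the two points above, sketched as an added Elixir example (this is not hex's own code; the module name, the advisory data and the ignore entries are constructed for illustration):

```elixir
defmodule AuditIgnoreExample do
  # Constructed sample: one vulnerability published under an EEF id, a GHSA id
  # and an NVD id, where only the GHSA entry cross-references the EEF id.
  @advisories [
    %{id: "EEF-2026-0001", aliases: ["GHSA-xxxx-yyyy-zzzz"]},
    %{id: "GHSA-xxxx-yyyy-zzzz", aliases: ["CVE-2026-00000"]},
    %{id: "CVE-2026-00000", aliases: []},
    %{id: "GHSA-aaaa-bbbb-cccc", aliases: []}
  ]

  # Build display groups: advisories that share any identifier, directly or
  # through a chain of aliases, end up in the same group.
  def group(advisories) do
    Enum.reduce(advisories, [], fn adv, groups ->
      ids = MapSet.new([adv.id | adv.aliases])
      {overlapping, rest} =
        Enum.split_with(groups, &(not MapSet.disjoint?(&1.ids, ids)))
      merged =
        Enum.reduce(overlapping, %{ids: ids, members: [adv]}, fn g, acc ->
          %{ids: MapSet.union(acc.ids, g.ids), members: acc.members ++ g.members}
        end)
      [merged | rest]
    end)
  end

  # Single pass over the groups: a group is ignored as soon as any one of its
  # identifiers is in the ignore list, so all of its members are suppressed.
  def partition(groups, ignore) do
    ignore = MapSet.new(ignore)
    Enum.split_with(groups, &MapSet.disjoint?(&1.ids, ignore))
  end

  # An ignore entry that matches no group at all is stale; the warning names
  # where the entry was set so a global entry is not mistaken for a local one.
  def stale(groups, ignore_with_source) do
    all_ids = Enum.reduce(groups, MapSet.new(), &MapSet.union(&1.ids, &2))
    for {id, source} <- ignore_with_source, not MapSet.member?(all_ids, id),
        do: "#{id} (set in #{source}) matches no advisory and can be removed"
  end

  def run do
    # Constructed ignore list: the displayed EEF id, plus a stale global entry.
    ignore = [{"EEF-2026-0001", "mix.exs"}, {"GHSA-old-gone", "global config"}]
    groups = group(@advisories)
    {findings, ignored} = partition(groups, Enum.map(ignore, &elem(&1, 0)))
    %{findings: findings, ignored: ignored, stale: stale(groups, ignore)}
  end
end
```

With this data, `AuditIgnoreExample.run/0` reports one finding (the unrelated GHSA), one ignored group holding all three aliased advisories, and one stale warning for the global entry.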

@ericmj ericmj marked this pull request as ready for review July 2, 2026 00:55
@ericmj ericmj merged commit ce453a6 into main Jul 2, 2026
30 of 31 checks passed
@ericmj ericmj deleted the audit-ignore-followups branch July 2, 2026 00:56