feat: support updating config ignores (#248)

* feat: support updating config ignores

* feat: use 2 spaces for YAML indenting

* docs: add section about new flag

* test: add case for updating configs with nested configs

* fix: ensure that config updating output is consistently ordered

* feat: account for existing ignores in configs

* fix: color config file paths consistently

* test: don't fail if we can't clean up test config files

* test: add case when there are a lot of different files and a single config

Author: G-Rath

.gitignore

@@ -32,3 +32,11 @@ pids
 
 # Dependency directories (remove the comment below to include it)
 vendor/
+
+# These files are generated during tests
+fixtures/locks-insecure-nested/.osv-detector.yml
+fixtures/locks-insecure-nested/nested/.osv-detector.yml
+fixtures/locks-insecure-many/.osv-detector.yml
+fixtures/existing-config-with-ignored-ignores.yml
+fixtures/existing-config-with-ignores.yml
+fixtures/existing-config.yml

README.md

@@ -241,8 +241,12 @@ osv-detector --ignore GHSA-896r-f27r-55mw --ignore GHSA-74fj-2j2h-c42q package-l
 Ignores provided via the flag will be combined with any ignores specified in the
 loaded config file.
 
-You can use `jq` to generate a list of OSV ids if you want to ignore all current
-known vulnerabilities found by the detector:
+You can use `--update-config-ignores` to have the detector update configs being
+used for lockfiles to ignore any vulnerabilities that were found; it will also
+remove ignores for vulnerabilities that are no longer present.
+
+Alternatively, you can use `jq` to generate a list of OSV ids if you want to
+ignore all current known vulnerabilities found by the detector:
 
 ```shell
 osv-detector --json . | jq -r  '[.results[].packages | map("- " + .vulnerabilities[].id)] | flatten | unique | sort | .[]'

fixtures/locks-insecure-many/my-package-lock.json

@@ -0,0 +1,94 @@
+{
+  "_readme": [
+    "This file locks the dependencies of your project to a known state",
+    "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
+    "This file is @generated automatically"
+  ],
+  "content-hash": "36f1605a5dac03350d3c7d40eafc8477",
+  "packages": [
+    {
+      "name": "guzzlehttp/psr7",
+      "version": "1.8.2",
+      "source": {
+        "type": "git",
+        "url": "https://github.com/guzzle/psr7.git",
+        "reference": "dc960a912984efb74d0a90222870c72c87f10c91"
+      },
+      "dist": {
+        "type": "zip",
+        "url": "https://api.github.com/repos/guzzle/psr7/zipball/dc960a912984efb74d0a90222870c72c87f10c91",
+        "reference": "dc960a912984efb74d0a90222870c72c87f10c91",
+        "shasum": ""
+      },
+      "require": {
+        "php": ">=5.4.0",
+        "psr/http-message": "~1.0",
+        "ralouphie/getallheaders": "^2.0.5 || ^3.0.0"
+      },
+      "provide": {
+        "psr/http-message-implementation": "1.0"
+      },
+      "require-dev": {
+        "ext-zlib": "*",
+        "phpunit/phpunit": "~4.8.36 || ^5.7.27 || ^6.5.14 || ^7.5.20 || ^8.5.8 || ^9.3.10"
+      },
+      "suggest": {
+        "laminas/laminas-httphandlerrunner": "Emit PSR-7 responses"
+      },
+      "type": "library",
+      "extra": {
+        "branch-alias": {
+          "dev-master": "1.7-dev"
+        }
+      },
+      "autoload": {
+        "psr-4": {
+          "GuzzleHttp\\Psr7\\": "src/"
+        },
+        "files": ["src/functions_include.php"]
+      },
+      "notification-url": "https://packagist.org/downloads/",
+      "license": ["MIT"],
+      "authors": [
+        {
+          "name": "Michael Dowling",
+          "email": "[email protected]",
+          "homepage": "https://github.com/mtdowling"
+        },
+        {
+          "name": "Tobias Schultze",
+          "homepage": "https://github.com/Tobion"
+        }
+      ],
+      "description": "PSR-7 message implementation that also provides common utility methods",
+      "keywords": [
+        "http",
+        "message",
+        "psr-7",
+        "request",
+        "response",
+        "stream",
+        "uri",
+        "url"
+      ],
+      "time": "2021-04-26T09:17:50+00:00"
+    }
+  ],
+  "packages-dev": [],
+  "aliases": [],
+  "minimum-stability": "dev",
+  "stability-flags": {
+    "cwp/cwp-recipe-cms": 0,
+    "cwp/cwp-recipe-core": 0,
+    "innoweb/silverstripe-mailchimp-signup": 20,
+    "silverstripe/recipe-blog": 0,
+    "silverstripe/redirectedurls": 20
+  },
+  "prefer-stable": true,
+  "prefer-lowest": false,
+  "platform": {
+    "php": ">=7.4.0"
+  },
+  "platform-dev": [],
+  "plugin-api-version": "1.1.0"
+}

fixtures/locks-insecure-nested/my-package-lock.json

@@ -14,16 +14,16 @@ import (
 )
 
 type rawDatabaseConfig struct {
-	Name             string `yaml:"name"`
-	Type             string `yaml:"type"`
 	URL              string `yaml:"url"`
-	WorkingDirectory string `yaml:"working-directory"`
+	Name             string `yaml:"name,omitempty"`
+	Type             string `yaml:"type,omitempty"`
+	WorkingDirectory string `yaml:"working-directory,omitempty"`
 }
 
 type rawConfig struct {
 	FilePath  string              `yaml:"-"`
 	Ignore    []string            `yaml:"ignore"`
-	Databases []rawDatabaseConfig `yaml:"extra-databases"`
+	Databases []rawDatabaseConfig `yaml:"extra-databases,omitempty"`
 }
 
 type Config struct {
@@ -130,7 +130,7 @@ func Find(r *reporter.Reporter, pathToDirectory string) (Config, error) {
 	return Config{}, nil
 }
 
-func Load(r *reporter.Reporter, pathToConfig string) (Config, error) {
+func load(pathToConfig string) (rawConfig, error) {
 	var raw rawConfig
 
 	pathToConfig = filepath.Clean(pathToConfig)
@@ -140,13 +140,23 @@ func Load(r *reporter.Reporter, pathToConfig string) (Config, error) {
 	configContents, err := os.ReadFile(pathToConfig)
 
 	if err != nil {
-		return Config{FilePath: pathToConfig}, fmt.Errorf("could not read %s: %w", pathToConfig, err)
+		return raw, fmt.Errorf("could not read %s: %w", pathToConfig, err)
 	}
 
 	err = yaml.Unmarshal(configContents, &raw)
 
 	if err != nil {
-		return Config{FilePath: pathToConfig}, fmt.Errorf("could not read %s: %w", pathToConfig, err)
+		return raw, fmt.Errorf("could not read %s: %w", pathToConfig, err)
+	}
+
+	return raw, nil
+}
+
+func Load(r *reporter.Reporter, pathToConfig string) (Config, error) {
+	raw, err := load(pathToConfig)
+
+	if err != nil {
+		return Config{FilePath: raw.FilePath}, err
 	}
 
 	return newConfig(r, raw)

fixtures/locks-insecure-nested/nested/my-composer-lock.json

@@ -0,0 +1,34 @@
+package configer
+
+import (
+	"fmt"
+	"os"
+
+	"gopkg.in/yaml.v3"
+)
+
+func UpdateWithIgnores(pathToConfig string, ignores []string) error {
+	raw, err := load(pathToConfig)
+
+	if err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	raw.Ignore = ignores
+
+	f, err := os.OpenFile(pathToConfig, os.O_TRUNC|os.O_WRONLY, os.ModePerm)
+
+	if err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	encoder := yaml.NewEncoder(f)
+	encoder.SetIndent(2)
+	err = encoder.Encode(raw)
+
+	if err != nil {
+		return fmt.Errorf("%w", err)
+	}
+
+	return nil
+}