Add ignore file and update README

Author: aegilops

README.md

@@ -14,6 +14,7 @@ Search collected SBOMs by PURL, cache them for offline analysis, sync malware se
 - Sync malware security advisories from the GitHub Advisory Database
 - Version-aware matching of SBOM packages vs. malware advisories
 - Optional SARIF 2.1.0 output per repository for malware matches with optional Code Scanning upload
+- YAML ignore file support to suppress specific advisory IDs or PURLs globally or scoped to an org / repo
 - Works with GitHub.com, GitHub Enterprise Server, GitHub Enterprise Managed Users and GitHub Enterprise Cloud with Data Residency (custom base URL)
 - Reason tracing: every search match shows which query matched; every malware match shows which advisory triggered it
 - Interactive REPL for ad‑hoc PURL queries (history, graceful Ctrl+C handling)
@@ -68,6 +69,7 @@ npm run start -- --sync-sboms --enterprise ent --base-url https://github.interna
 | `--match-malware` | Match current SBOM set against cached advisories |
 | `--malware-cache <dir>` | Advisory cache directory (required with malware operations) |
 | `--malware-cutoff <ISO-date>` | Ignore advisories whose publishedAt AND updatedAt are both before this date/time (e.g. `2025-09-29` or full timestamp) |
+| `--ignore-file <path>` | YAML ignore file (advisories / purls / scoped blocks) to filter malware matches before output |
 | `--sarif-dir <dir>` | Write SARIF 2.1.0 files per repository (with malware matches) |
 | `--upload-sarif` | Upload generated SARIF to Code Scanning (requires --match-malware & --sarif-dir and a GitHub token) |
 | `--concurrency <n>` | Parallel SBOM fetches (default 5) |
@@ -145,6 +147,37 @@ npm run start -- --sbom-cache sboms --malware-cache malware-cache --match-malwar
 
 If you also perform a search in the same invocation (add `--purl` or `--purl-file`), the JSON file will contain both `malwareMatches` and `search` top-level keys.
 
+#### Ignoring Matches
+
+Provide a YAML ignore file via `--ignore-file` to suppress specific matches (before SARIF generation / JSON output). Structure:
+
+```yaml
+# Ignore specific advisory IDs everywhere
+advisories:
+  - GHSA-aaaa-bbbb-cccc
+
+# Ignore by PURL (optional semver/range component after @). If version/range omitted, all versions are ignored.
+purls:
+  - pkg:npm/lodash               # any version
+  - pkg:npm/react@>=18.0.0 <18.3.0
+
+# Scoped ignores (org OR org/repo). Applied only within those scopes.
+scoped:
+  - scope: my-org
+    advisories: [GHSA-1111-2222-3333]
+  - scope: my-org/my-repo
+    purls:
+      - pkg:maven/com.example/[email protected]
+```
+
+Rules precedence:
+
+1. Scoped repo block
+2. Scoped org block
+3. Global advisories / purls
+
+The first matching rule suppresses the finding; output logs will show how many were ignored. Ignored items are fully removed from SARIF and JSON/CSV outputs.
+
 #### Advisory Date Cutoff
 
 Use `--malware-cutoff` to exclude older advisories from matching. An advisory will be skipped if **both** its `publishedAt` and `updatedAt` timestamps are strictly earlier than the cutoff.

ignore.example.yml

@@ -0,0 +1,22 @@
+# Example ignore file for github-sbom-toolkit malware matches
+# Copy to e.g. sbom-ignore.yml and pass with --ignore-file sbom-ignore.yml
+
+advisories:
+  # Ignore these advisory IDs globally (all repos)
+  - GHSA-AAAA-BBBB-CCCC
+
+purls:
+  # Ignore any version of lodash
+  - pkg:npm/lodash
+  # Ignore only these React versions (range semantics via semver)
+  - pkg:npm/react@>=18.0.0 <18.3.0
+
+scoped:
+  # Ignore an advisory across an entire org
+  - scope: my-org
+    advisories:
+      - GHSA-1111-2222-3333
+  # Ignore one specific PURL (exact version) in a single repository
+  - scope: my-org/my-repo
+    purls:
+      - pkg:maven/com.example/[email protected]

package-lock.json

@@ -29,6 +29,7 @@
     "p-limit": "^7.1.1",
     "packageurl-js": "^2.0.1",
     "semver": "^7.7.2",
+    "yaml": "^2.8.1",
     "yargs": "^18.0.0"
   },
   "devDependencies": {

package.json

@@ -35,8 +35,9 @@ async function main() {
     .option("purl-file", { type: "string", describe: "Path to file with PURL queries (one per line; supports version ranges & wildcards; # or // for comments)" })
     .option("json", { type: "boolean", describe: "Emit search results as JSON to stdout (suppresses human output unless --cli also provided)" })
     .option("cli", { type: "boolean", describe: "When used with --json, also emit human-readable CLI output" })
-    .option("output-file", { type: "string", describe: "Write search JSON output to this file (implied JSON generation). Required when using --cli with JSON." })
+    .option("output-file", { type: "string", describe: "Write search JSON/CSV output to this file. Required when using --cli with JSON/CSV." })
     .option("csv", { type: "boolean", describe: "Emit results (search + malware matches) as CSV" })
+    .option("ignore-file", { type: "string", describe: "Path to YAML ignore file (advisories, purls, scoped ignores)" })
     .check(args => {
       const syncing = !!args.syncSboms;
       if (syncing) {
@@ -62,6 +63,9 @@ async function main() {
       if (args.uploadSarif && !args.sarifDir) {
         throw new Error("--upload-sarif requires --sarif-dir to write SARIF files prior to upload.");
       }
+      if (args.csv && args.json) {
+        throw new Error("Use one of --json or --csv")
+      }
       return true;
     })
     .help()
@@ -120,6 +124,25 @@ async function main() {
   if (argv["match-malware"]) {
     const { matchMalware, buildSarifPerRepo, writeSarifFiles, uploadSarifPerRepo } = await import("./malwareMatcher.js");
     malwareMatches = matchMalware(mas.getAdvisories(), sboms, { advisoryDateCutoff: argv["malware-cutoff"] as string | undefined });
+    // Apply ignore file if provided
+    if (argv["ignore-file"] && malwareMatches?.length) {
+      try {
+        const { IgnoreMatcher } = await import("./ignore.js");
+        const matcher = IgnoreMatcher.load(argv["ignore-file"] as string, {});
+        if (matcher) {
+          const { kept, ignored } = matcher.filter(malwareMatches);
+          if (!argv.quiet) {
+            console.log(chalk.yellow(`Ignored ${ignored.length} malware match(es) via ignore file; ${kept.length} remaining.`));
+          }
+          malwareMatches = kept;
+          // If writing SARIF we intentionally only report kept matches; optionally we could emit a log of ignored reasons.
+        } else if (!argv.quiet) {
+          console.log(chalk.yellow(`Ignore file '${argv["ignore-file"]}' not found or failed to parse; proceeding without filtering.`));
+        }
+      } catch (e) {
+        console.error(chalk.red(`Failed applying ignore file: ${(e as Error).message}`));
+      }
+    }
     if (!quiet) console.log(chalk.magenta(`Malware matches found: ${malwareMatches?.length ?? 0}`));
     if (malwareMatches) {
       if (!quiet) {
@@ -179,9 +202,8 @@ async function main() {
   const combinedPurlsRaw = [...(argv.purl as string[] ?? []), ...filePurls];
   const combinedPurls = combinedPurlsRaw.map(p => p.startsWith("pkg:") ? p : `pkg:${p}`);
   if (combinedPurls.length) {
-    const needJson = argv.json || argv.outputFile;
     // We'll also consider CSV export after JSON handling
-    if (needJson) {
+    if (argv.json || argv.outputFile) {
       const map = collector.searchByPurlsWithReasons(combinedPurls);
       const jsonSearch = Array.from(map.entries()).map(([repo, entries]) => ({ repo, matches: entries }));
       if (argv.outputFile) {
@@ -200,13 +222,13 @@ async function main() {
           console.error(chalk.red(`Failed to write output file: ${e instanceof Error ? e.message : String(e)}`));
           process.exit(1);
         }
-      } else if (argv.json) {
+      } else {
         const payloadObj: { search: unknown; malwareMatches?: import("./malwareMatcher.js").MalwareMatch[] } = { search: jsonSearch };
         if (malwareMatches) payloadObj.malwareMatches = malwareMatches;
         process.stdout.write(JSON.stringify(payloadObj, null, 2) + "\n");
       }
       // If CLI output requested (either implicit because no --json OR explicit --cli with output-file requirement) then show human form
-      if (!needJson || (argv.cli && needJson)) {
+      if (((!argv.json && !argv.csv) && !argv.outputFile) || (argv.cli && (argv.json || argv.outputFile))) {
         runSearch(combinedPurls);
       } else if (argv.cli) { // This branch only occurs when validation prevented missing output-file
         runSearch(combinedPurls);

src/cli.ts

@@ -0,0 +1,158 @@
+import fs from "fs";
+import path from "path";
+import * as semver from "semver";
+import { MalwareMatch } from "./malwareMatcher.js";
+import YAML from "yaml";
+
+/**
+ * Ignore file schema (YAML)
+ *
+ * Example:
+ * ---
+ * # Ignore by advisory id everywhere
+ * advisories:
+ *   - GHSA-xxxx-yyyy-zzzz
+ *
+ * # Ignore by PURL (any version) or version range
+ * purls:
+ *   - pkg:npm/lodash  # ignore any version
+ *   - pkg:npm/react@>=18.0.0 <18.3.0  # ignore a version range
+ *
+ * # Scoped ignores (repo full name or org). If provided, the ignore only applies within those repos/orgs.
+ * scoped:
+ *   - scope: my-org            # applies to every repo in org
+ *     advisories: [GHSA-1111-2222-3333]
+ *   - scope: my-org/my-repo    # applies only to that repository
+ *     purls:
+ *       - pkg:maven/org.example/[email protected]
+ */
+export interface IgnoreFileRoot {
+  advisories?: string[];
+  purls?: string[]; // each may have optional version/range after @
+  scoped?: Array<ScopedIgnoreBlock>;
+}
+
+export interface ScopedIgnoreBlock {
+  scope: string; // org or org/repo
+  advisories?: string[];
+  purls?: string[];
+}
+
+export interface IgnoreMatcherOptions {
+  cwd?: string; // base dir for relative path
+}
+
+interface ParsedPurlIgnore {
+  raw: string;
+  type: string;
+  name: string;
+  versionConstraint?: string; // semver range or exact version
+}
+
+function parsePurlIgnore(raw: string): ParsedPurlIgnore | null {
+  const trimmed = raw.trim();
+  if (!trimmed) return null;
+  const full = trimmed.startsWith("pkg:") ? trimmed.slice(4) : trimmed;
+  const atIdx = full.indexOf("@");
+  const main = atIdx >= 0 ? full.slice(0, atIdx) : full;
+  const ver = atIdx >= 0 ? full.slice(atIdx + 1) : undefined;
+  const slashIdx = main.indexOf("/");
+  if (slashIdx < 0) return null;
+  const type = main.slice(0, slashIdx).toLowerCase();
+  const name = main.slice(slashIdx + 1);
+  if (!type || !name) return null;
+  return { raw: trimmed.startsWith("pkg:") ? trimmed : `pkg:${trimmed}`, type, name, versionConstraint: ver };
+}
+
+export class IgnoreMatcher {
+  private globalAdvisories: Set<string> = new Set();
+  private globalPurls: ParsedPurlIgnore[] = [];
+  private scoped: Array<{ scope: string; isRepo: boolean; advisories: Set<string>; purls: ParsedPurlIgnore[] } > = [];
+
+  static load(filePath: string, opts?: IgnoreMatcherOptions): IgnoreMatcher | undefined {
+    const abs = path.isAbsolute(filePath) ? filePath : path.join(opts?.cwd || process.cwd(), filePath);
+    if (!fs.existsSync(abs)) return undefined;
+    const text = fs.readFileSync(abs, "utf8");
+    let doc: IgnoreFileRoot | undefined;
+    try {
+      const parsed = YAML.parse(text) as unknown;
+      if (parsed && typeof parsed === "object") doc = parsed as IgnoreFileRoot;
+    } catch (e) {
+      console.warn(`Failed to parse ignore file ${abs}: ${(e as Error).message}`);
+      return undefined;
+    }
+    const matcher = new IgnoreMatcher();
+    if (doc?.advisories) for (const a of doc.advisories) matcher.globalAdvisories.add(a.trim());
+    if (doc?.purls) for (const p of doc.purls) { const parsed = parsePurlIgnore(p); if (parsed) matcher.globalPurls.push(parsed); }
+    if (doc?.scoped) {
+      for (const block of doc.scoped) {
+        if (!block.scope) continue;
+        const advisories = new Set<string>();
+        if (block.advisories) for (const a of block.advisories) advisories.add(a.trim());
+        const purls: ParsedPurlIgnore[] = [];
+        if (block.purls) for (const p of block.purls) { const parsed = parsePurlIgnore(p); if (parsed) purls.push(parsed); }
+        const isRepo = block.scope.includes("/");
+        matcher.scoped.push({ scope: block.scope.toLowerCase(), isRepo, advisories, purls });
+      }
+    }
+    return matcher;
+  }
+
+  private purlMatches(ignore: ParsedPurlIgnore, candidate: { purl: string; ecosystem: string; packageName: string; version: string | null }): boolean {
+    const { purl, version } = candidate;
+    // quick name match: we only stored type+name; ensure purl contains that coordination after pkg:
+    const body = purl.startsWith("pkg:") ? purl.slice(4) : purl;
+    const atIdx = body.indexOf("@");
+    const main = atIdx >= 0 ? body.slice(0, atIdx) : body;
+    const nameStart = main.indexOf("/");
+    if (nameStart < 0) return false;
+    const type = main.slice(0, nameStart).toLowerCase();
+    const name = main.slice(nameStart + 1);
+    if (ignore.type !== type) return false;
+    if (ignore.name.toLowerCase() !== name.toLowerCase()) return false;
+    if (!ignore.versionConstraint) return true; // any version
+    if (!version) return false;
+    const range = ignore.versionConstraint.trim();
+    try {
+      if (semver.validRange(range)) {
+        const coerced = semver.coerce(version)?.version || version;
+        if (coerced && semver.satisfies(coerced, range, { includePrerelease: true })) return true;
+      } else if (/^[0-9A-Za-z._-]+$/.test(range)) {
+        return version === range;
+      }
+    } catch { /* ignore */ }
+    return false;
+  }
+
+  /** Determine whether the given match should be ignored. */
+  shouldIgnore(match: MalwareMatch): { ignored: boolean; reason?: string } {
+    // Global advisory
+    if (this.globalAdvisories.has(match.advisoryGhsaId)) return { ignored: true, reason: `advisory:${match.advisoryGhsaId}` };
+    // Global purl (with optional range)
+    for (const p of this.globalPurls) {
+      if (this.purlMatches(p, match)) return { ignored: true, reason: `purl:${p.raw}` };
+    }
+    // Scoped
+    for (const block of this.scoped) {
+      if (block.isRepo) {
+        if (match.repo.toLowerCase() !== block.scope) continue;
+      } else {
+        // org scope
+        if (!match.repo.toLowerCase().startsWith(block.scope + "/")) continue;
+      }
+      if (block.advisories.has(match.advisoryGhsaId)) return { ignored: true, reason: `scoped-advisory:${block.scope}:${match.advisoryGhsaId}` };
+      for (const p of block.purls) if (this.purlMatches(p, match)) return { ignored: true, reason: `scoped-purl:${block.scope}:${p.raw}` };
+    }
+    return { ignored: false };
+  }
+
+  filter(matches: MalwareMatch[]): { kept: MalwareMatch[]; ignored: Array<MalwareMatch & { ignoreReason: string }> } {
+    const kept: MalwareMatch[] = [];
+    const ignored: Array<MalwareMatch & { ignoreReason: string }> = [];
+    for (const m of matches) {
+      const res = this.shouldIgnore(m);
+      if (res.ignored) ignored.push({ ...m, ignoreReason: res.reason || "unknown" }); else kept.push(m);
+    }
+    return { kept, ignored };
+  }
+}

src/ignore.ts

@@ -0,0 +1,8 @@
+// Minimal module declarations for external packages lacking bundled types at build time in this environment.
+declare module 'yaml' {
+  // Export a parse function returning unknown (caller narrows).
+  export function parse(src: string): unknown;
+  export function stringify(obj: unknown): string;
+  const _default: { parse: typeof parse; stringify: typeof stringify };
+  export default _default;
+}