feat: warn when a config has ignored vulns that were not found during scanning (#2216)

Resolves #2206

---------

Co-authored-by: Rex P <[email protected]>

Author: G-Rath

cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

@@ -327,6 +327,34 @@ func TestCommand(t *testing.T) {
 	}
 }
 
+func TestCommand_Config_UnusedIgnores(t *testing.T) {
+	t.Parallel()
+
+	tests := []testcmd.Case{
+		{
+			Name: "unused_ignores_are_reported_with_specific_config_and_file",
+			Args: []string{"", "source", "--config", "testdata/osv-scanner-partial-ignores-config.toml", "testdata/sbom-insecure/alpine.cdx.xml"},
+			Exit: 1,
+		},
+		{
+			Name: "unused_ignores_are_reported_with_specific_config_and_multiple_files",
+			Args: []string{"", "source", "--config", "testdata/osv-scanner-partial-ignores-config.toml", "testdata/sbom-insecure/alpine.cdx.xml", "testdata/sbom-insecure/postgres-stretch.cdx.xml"},
+			Exit: 1,
+		},
+		{
+			Name: "unused_ignores_are_reported_with_specific_config_and_file",
+			Args: []string{"", "source", "--config", "testdata/osv-scanner-partial-ignores-config.toml", "testdata/sbom-insecure"},
+			Exit: 1,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.Name, func(t *testing.T) {
+			t.Parallel()
+			testcmd.RunAndMatchSnapshots(t, tt)
+		})
+	}
+}
+
 func TestCommand_JavareachArchive(t *testing.T) {
 	t.Parallel()
 

cmd/osv-scanner/scan/source/command_test.go

@@ -0,0 +1,16 @@
+[[IgnoredVulns]]
+id = "CVE-2025-26519" # in alpine.cdx.xml
+
+[[IgnoredVulns]]
+id = "CVE-2018-25032" # in alpine.cdx.xml
+
+[[IgnoredVulns]]
+id = "GO-2022-0274" # in postgres-stretch.cdx.xml
+
+[[IgnoredVulns]]
+id = "CVE-2019-5188"
+ignoreUntil = 2020-01-01
+
+[[IgnoredVulns]]
+id = "CVE-2022-1304"
+ignoreUntil = 2100-01-01

cmd/osv-scanner/scan/source/testdata/osv-scanner-partial-ignores-config.toml

@@ -35,10 +35,28 @@ type Config struct {
 	LoadPath string `toml:"-"`
 }
 
+func (c *Config) UnusedIgnoredVulns() []IgnoreEntry {
+	unused := make([]IgnoreEntry, 0, len(c.IgnoredVulns))
+
+	for _, entry := range c.IgnoredVulns {
+		if !entry.Used {
+			unused = append(unused, entry)
+		}
+	}
+
+	return unused
+}
+
 type IgnoreEntry struct {
 	ID          string    `toml:"id"`
 	IgnoreUntil time.Time `toml:"ignoreUntil"`
 	Reason      string    `toml:"reason"`
+
+	Used bool `toml:"-"`
+}
+
+func (ie *IgnoreEntry) MarkAsUsed() {
+	ie.Used = true
 }
 
 type PackageOverrideEntry struct {
@@ -185,6 +203,28 @@ func (c *Manager) Get(targetPath string) Config {
 	return config
 }
 
+func (c *Manager) GetUnusedIgnoreEntries() map[string][]IgnoreEntry {
+	m := make(map[string][]IgnoreEntry)
+
+	for _, config := range c.ConfigMap {
+		unusedEntries := config.UnusedIgnoredVulns()
+
+		if len(unusedEntries) > 0 {
+			m[config.LoadPath] = unusedEntries
+		}
+	}
+
+	if c.OverrideConfig != nil {
+		unusedEntries := c.OverrideConfig.UnusedIgnoredVulns()
+
+		if len(unusedEntries) > 0 {
+			m[c.OverrideConfig.LoadPath] = unusedEntries
+		}
+	}
+
+	return m
+}
+
 // Finds the containing folder of `target`, then appends osvScannerConfigName
 func normalizeConfigLoadPath(target string) (string, error) {
 	stat, err := os.Stat(target)

internal/config/config.go

@@ -153,6 +153,8 @@ func filterPackageVulns(pkgVulns models.PackageVulns, configToUse config.Config)
 					cmdlogger.Infof("%s and %d aliases have been filtered out because: %s", ignoreLine.ID, len(group.Aliases)-1, reason)
 				}
 
+				ignoreLine.MarkAsUsed()
+
 				break
 			}
 		}

pkg/osvscanner/filter.go

@@ -259,22 +259,7 @@ func DoScan(actions ScannerActions) (models.VulnerabilityResults, error) {
 		}
 	}
 
-	vulnerabilityResults := buildVulnerabilityResults(actions, &scanResult)
-
-	if actions.ScanLicensesSummary {
-		vulnerabilityResults.LicenseSummary = buildLicenseSummary(&scanResult)
-	}
-
-	filtered := filterResults(&vulnerabilityResults, &scanResult.ConfigManager, actions.ShowAllPackages)
-	if filtered > 0 {
-		cmdlogger.Infof(
-			"Filtered %d %s from output",
-			filtered,
-			output.Form(filtered, "vulnerability", "vulnerabilities"),
-		)
-	}
-
-	return vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns)
+	return finalizeScanResult(scanResult, actions)
 }
 
 func DoContainerScan(actions ScannerActions) (models.VulnerabilityResults, error) {
@@ -420,6 +405,10 @@ func DoContainerScan(actions ScannerActions) (models.VulnerabilityResults, error
 
 	scanResult.GenericFindings = scalibrSR.Inventory.GenericFindings
 
+	return finalizeScanResult(scanResult, actions)
+}
+
+func finalizeScanResult(scanResult results.ScanResults, actions ScannerActions) (models.VulnerabilityResults, error) {
 	vulnerabilityResults := buildVulnerabilityResults(actions, &scanResult)
 
 	if actions.ScanLicensesSummary {
@@ -435,6 +424,19 @@ func DoContainerScan(actions ScannerActions) (models.VulnerabilityResults, error
 		)
 	}
 
+	if unusedIgnoredEntries := scanResult.ConfigManager.GetUnusedIgnoreEntries(); len(unusedIgnoredEntries) != 0 {
+		configFiles := slices.Collect(maps.Keys(unusedIgnoredEntries))
+		slices.Sort(configFiles)
+
+		for _, configFile := range configFiles {
+			cmdlogger.Warnf("%s has unused ignores:", configFile)
+
+			for _, iv := range unusedIgnoredEntries[configFile] {
+				cmdlogger.Warnf(" - %s", iv.ID)
+			}
+		}
+	}
+
 	return vulnerabilityResults, determineReturnErr(vulnerabilityResults, actions.ShowAllVulns)
 }