Respect the new ignore_vulnerabilities field

It'a a list of CVE IDs or GHSA IDs which whould be ignored. In lists we still show them, but at the end and with strike through. For picking the worst for the tooltip button color we ignore them. On the security page, of all are ignored, the package is skipped.
msys2 · Mar 28, 2024 · 02d3a1b · 02d3a1b
1 parent fa0ec2f
commit 02d3a1b
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 11 deletions.
diff --git a/app/appstate.py b/app/appstate.py
@@ -181,10 +181,11 @@ class Vulnerability:
     id: str
     url: str
     severity: Severity
+    ignored: bool = False
 
     @property
-    def sort_key(self) -> tuple[int, str, str]:
-        return (self.severity.sort_key, self.id, self.url)
+    def sort_key(self) -> tuple[bool, int, str, str]:
+        return (not self.ignored, self.severity.sort_key, self.id, self.url)
 
 
 class AppState:
@@ -435,13 +436,23 @@ def _package(self) -> Package:
 
     @property
     def vulnerabilities(self) -> list[Vulnerability]:
-        return sorted(state.vulnerabilities.get(self.name, []), key=lambda v: v.sort_key, reverse=True)
+        """Returns a list of vulnerabilities for the package, sorted by severity
+        Also includes ignored vulnerabilities.
+        """
+        vulnerabilities = state.vulnerabilities.get(self.name, [])
+        for vuln in vulnerabilities:
+            vuln.ignored = vuln.id in self.pkgextra.ignore_vulnerabilities
+        return sorted(vulnerabilities, key=lambda v: v.sort_key, reverse=True)
 
     @property
     def worst_vulnerability(self) -> Vulnerability | None:
-        if not self.vulnerabilities:
+        """Returns the most severe vulnerability for the package, or None if there is none.
+        Ignored vulnerabilities are not considered.
+        """
+        vulnerabilities = [v for v in self.vulnerabilities if not v.ignored]
+        if not vulnerabilities:
             return None
-        return sorted(self.vulnerabilities, key=lambda v: v.severity.sort_key)[-1]
+        return sorted(vulnerabilities, key=lambda v: v.severity.sort_key)[-1]
 
     @property
     def can_have_vulnerabilities(self) -> bool:

diff --git a/app/pkgextra.py b/app/pkgextra.py
@@ -29,6 +29,9 @@ class PkgExtraEntry(BaseModel):
     pgp_keys_url: str | None = Field(default=None)
     """A website containing which keys are used to sign releases"""
 
+    ignore_vulnerabilities: list[str] = Field(default_factory=list)
+    """List of CVEs or GHSAs that are either not relevant or not fixable"""
+
 
 class PkgExtra(BaseModel):
 

diff --git a/app/templates/base.html b/app/templates/base.html
@@ -99,7 +99,7 @@ <h4 class="card-title">Base Package: <a href="{{ s.name }}">{{ s.name }}</a></h4
         {% if s.vulnerabilities %}
         <ul class="list-unstyled">
           {% for vuln in s.vulnerabilities %}
-          <li><a href="{{ vuln.url }}">{{ vuln.id }}</a> <span class="opacity-75 text-{{vulnerability_color(vuln)}}">({{ vuln.severity }})</span></li>
+          <li {% if vuln.ignored %}style="text-decoration: line-through"{% endif %}><a href="{{ vuln.url }}">{{ vuln.id }}</a> <span class="opacity-75 text-{{vulnerability_color(vuln)}}">({{ vuln.severity }})</span></li>
           {% endfor %}
         </ul>
         {% elif not s.can_have_vulnerabilities %}

diff --git a/app/templates/outofdate.html b/app/templates/outofdate.html
@@ -70,7 +70,7 @@ <h6 class="card-subtitle mb-2 text-muted">
                 <template class="mytooltip-content">
                     <ul class="list-unstyled">
                         {% for vuln in s.vulnerabilities %}
-                        <li><a href="{{ vuln.url }}">{{ vuln.id }}</a> <span class="opacity-75 text-{{vulnerability_color(vuln)}}">({{ vuln.severity }})</span></li>
+                        <li {% if vuln.ignored %}style="text-decoration: line-through"{% endif %}><a href="{{ vuln.url }}">{{ vuln.id }}</a> <span class="opacity-75 text-{{vulnerability_color(vuln)}}">({{ vuln.severity }})</span></li>
                         {% endfor %}
                     </ul>
                 </template>
@@ -92,7 +92,7 @@ <h6>{{ missing|length }} packages not found in other distros:</h6>
             <template class="mytooltip-content">
                 <ul class="list-unstyled">
                     {% for vuln in s.vulnerabilities %}
-                    <li><a href="{{ vuln.url }}">{{ vuln.id }}</a> <span class="opacity-75 text-{{vulnerability_color(vuln)}}">({{ vuln.severity }})</span></li>
+                    <li {% if vuln.ignored %}style="text-decoration: line-through"{% endif %}><a href="{{ vuln.url }}">{{ vuln.id }}</a> <span class="opacity-75 text-{{vulnerability_color(vuln)}}">({{ vuln.severity }})</span></li>
                     {% endfor %}
                 </ul>
             </template>

diff --git a/app/templates/package.html b/app/templates/package.html
@@ -84,7 +84,7 @@ <h4 class="card-title">Package: <a href="{{ package_url(p) }}">{{ p.name }}</a><
     <dd class="col-sm-9">
       <ul class="list-unstyled">
         {% for vuln in s.vulnerabilities %}
-        <li><a href="{{ vuln.url }}">{{ vuln.id }}</a> <span class="opacity-75 text-{{vulnerability_color(vuln)}}">({{ vuln.severity }})</span></li>
+        <li {% if vuln.ignored %}style="text-decoration: line-through"{% endif %}><a href="{{ vuln.url }}">{{ vuln.id }}</a> <span class="opacity-75 text-{{vulnerability_color(vuln)}}">({{ vuln.severity }})</span></li>
         {% endfor %}
       </ul>
     </dd>

diff --git a/app/templates/security.html b/app/templates/security.html
@@ -40,7 +40,7 @@ <h6 class="card-subtitle mb-2 text-muted">{{ vulnerable|length }} packages with
               <template class="mytooltip-content">
                   <ul class="list-unstyled">
                       {% for vuln in s.vulnerabilities %}
-                      <li><a href="{{ vuln.url }}">{{ vuln.id }}</a> <span class="opacity-75 text-{{vulnerability_color(vuln)}}">({{ vuln.severity }})</span></li>
+                      <li {% if vuln.ignored %}style="text-decoration: line-through"{% endif %}><a href="{{ vuln.url }}">{{ vuln.id }}</a> <span class="opacity-75 text-{{vulnerability_color(vuln)}}">({{ vuln.severity }})</span></li>
                       {% endfor %}
                   </ul>
               </template>

diff --git a/app/web.py b/app/web.py
@@ -253,7 +253,7 @@ async def security(request: Request, response: Response) -> Response:
 
     return templates.TemplateResponse("security.html", {
         "request": request,
-        "vulnerable": [s for s in state.sources.values() if s.vulnerabilities],
+        "vulnerable": [s for s in state.sources.values() if s.worst_vulnerability is not None],
         "sources": state.sources.values(),
         "known": [s for s in state.sources.values() if s.can_have_vulnerabilities],
         "unknown": [s for s in state.sources.values() if not s.can_have_vulnerabilities],