Documentation on valid settings?

[git-hub-user]

Is there a complete description of the settings? I am trying to tweak the settings to my needs, but haven't succeeded, so far.

I get:

error : 1 vulnerabilities found for jQuery @ 3.6.3
error : OSS Index ID: sonatype-2019-0115 : 1 non-CVE vulnerability found.

(see also sonatype-2019-0115 reported for jQuery @ 3.6.3, but not on ossindex.sonatype.org)

I've tried a few settings under "ErrorSettings":

• "WarnOnly": true does not stop the build from generating errors.
• "IgnoredCvEs": [ "sonatype-2019-0115" ] doesn't seem to be the correct way to exclude sonatype-2019-0115. Is this because it is listed as a non-CVE vulnerability? Is my syntax correct?
• "ErrorSeverityThreshold": "high" doesn't seem to set a high threshold. What are valid values here, and what do they refer to.
• "Cvss3Threshold": 100, or any other number I tried, doesn't make a difference. What are valid values here, and what do they refer to.

Things that worked:

• "IgnoredPackages": [ { "Id": "jQuery" } ] does remove the build errors for jQuery.

However, these settings are to permissive for my liking.

[digitalcoyote]

It looks like this is a bug for ignoring non-CVE vulnerabilities. I'm not sure if OSSIndex changed their data structure or if something about how NuGetDefense handles these is incorrect.

[git-hub-user]

Thank you. Are referring to the report bug? I added this discussion, because I didn't succeed in ignoring the specific vulnerability sonatype-2019-0115 by tweaking the settings. More extensive documentation on the settings might be useful.

[digitalcoyote]

I'll hopefully be expanding the documentation over that today.

[digitalcoyote]

I just pushed it up, so it will take a bit to break publish, but new documentation for configuration has been added at https://digitalcoyote.github.io/NuGetDefense/docs/configuration

[daytondep]

Has this issue been addressed or a workaround been found? I am trying to use this but am having similar issues, "ErrorSeverityThreshold" and "Cvss3Threshold" don't make a difference for me in v4.0.4.

[digitalcoyote]

There's an issue I haven't had time to track down (or do much of anything else recently). At work we are ignoring the only package causing us issues completely and they are relying on a secondary tool their team uses.

I don't have a complete list of which ignore settings aren't working currently, but ignoring the entire package (not a great workaround) is what we have been doing.

When this is fixed, the ignore settings need a unit test added. I'd welcome a PR for that if anyone is willing to add one. Otherwise I'll get to it eventually.