Snyk Open Source supports specifying the detailed dependency path when ignoring vulnerabilities by Snyk vulnerability ID according to these module path rules.
See also: ignoring issues with the .snyk policy file
Using wildcards
Wildcards can be used to specify any package path. For example:
- '* > got':
However, if specifying the package name together with a wildcard, the full package name must be given, followed by @.
For example, based on this result when running snyk test:
✗ Open Redirect [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-GOT-2932019]
in got@9.6.0
introduced by cordova@11.1.0 > update-notifier@5.1.0 > latest-version@5.1.0 > package-json@6.5.0 > got@9.6.0
This value for the detailed path succeeds:
- cordova@11.1.0 > update-notifier@5.1.0 > latest-version@5.1.0 > package-json@6.5.0 > got@*:
And this value fails:
- cordova@11.1.0 > update-notifier@5.1.0 > latest-version@5.1.0 > package-json@6.5.0 > got*:
The recommended method of creating the .snyk policy file is to run the snyk ignore command. For example, in the above case, run:
snyk ignore --id=SNYK-JS-GOT-2932019 --path='cordova@11.1.0 > update-notifier@5.1.0 > latest-version@5.1.0 > package-json@6.5.0 > got@9.6.0'
Using ranges
Version ranges can be used in conjunction with the package name, the @ symbol, and a version number, but cannot filter for a specific range between two versions. For example:
- got@>9.5.1 targets any occurrence of this vulnerability introduced by a version greater than got@9.5.1.
- package-json@>=6.5.0 targets any occurrence of this vulnerability introduced via package-json@6.5.0 or higher.
- package-json@>6.4.1<6.6.0 will not work, as it filters between two versions.
Additional examples
More examples of detailed paths that succeed in ignoring the vulnerability in the above example, based on both the --id and --path, are:
- cordova@11.1.0 > update-notifier@5.1.0 > latest-version@5.1.0 > package-json@* > got@9.6.0:
- cordova@* > update-notifier@* > latest-version@* > package-json@* > got@*:
- cordova@11.1.0 > update-notifier@5.1.0 > latest-version@5.1.0 > package-json@* > got@>9.5.1:
- cordova@11.1.0 > update-notifier@5.1.0 > latest-version@5.1.0 > package-json@>=6.5.0 > got@9.6.0:
- cordova@11.1.0 > update-notifier@5.1.0 > latest-version@5.1.0 > package-json@>=6 > got@9.6.0:
Here are some examples of what does not work:
- cordova@11.1.0 > update-notifier@5.1.0 > latest-version@5.1.0 > package-json@>6.4.1<6.6.0 > got@9.6.0:
- cordova@11.1.0 > update-notifier@5.1.0 > latest-version@5.1.0 > package-json@>=6<6.6.0 > got@9.6.0:
For the above tests, valid package versions are per these references:
https://www.npmjs.com/package/npm/v/6.5.0?activeTab=versions
https://www.npmjs.com/package/got?activeTab=versions
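The path rules described above (a bare * wildcard, got@* succeeding where got* fails, and single-bound > / >= ranges with between-ranges rejected) as an added example; this is a small Python checker written for this page, not Snyk's own policy matcher. It assumes plain numeric dotted versions and that a bare * may stand for any run of packages in the path.

```python
import re
from typing import Optional, Tuple

# Constructed sample: the resolved path quoted in the snyk test output above.
SAMPLE_PATH = ("cordova@11.1.0 > update-notifier@5.1.0 > latest-version@5.1.0"
               " > package-json@6.5.0 > got@9.6.0")
# One optional comparator plus a dotted numeric version: '9.6.0', '>9.5.1', '>=6'.
SPEC_RE = re.compile(r"(>=|>)?(\d+(?:\.\d+)*)")

def _split_segment(seg: str) -> Tuple[str, str]:
    """'name@spec' -> (name, spec); a bare name means any version. rpartition keeps
    '@scope/pkg@1.0.0' intact, and 'got*' stays the literal name 'got*' (never matches)."""
    name, sep, spec = seg.rpartition("@")
    return (name, spec) if sep and name else (seg, "*")

def validate_rule(rule: str) -> Optional[str]:
    """Why an ignore path is unusable, or None; 'package-json@>6.4.1<6.6.0' is rejected."""
    for seg in rule.split(" > "):
        _, spec = _split_segment(seg)
        if spec != "*" and not SPEC_RE.fullmatch(spec):
            return f"unsupported version spec {spec!r} in {seg!r}"
    return None

def _spec_matches(spec: str, version: str) -> bool:
    """Numeric dotted versions compared as int tuples (assumes no pre-release tags)."""
    if spec == "*":
        return True
    op, bound = SPEC_RE.fullmatch(spec).groups()
    have, want = (tuple(int(p) for p in v.split(".")) for v in (version, bound))
    return have > want if op == ">" else have >= want if op == ">=" else have == want

def path_matches(rule: str, path: str) -> bool:
    """Does the ignore rule's path cover this resolved dependency path?"""
    err = validate_rule(rule)
    if err:
        raise ValueError(err)
    rule_segs, path_segs = rule.split(" > "), path.split(" > ")

    def walk(i: int, j: int) -> bool:
        if i == len(rule_segs):
            return j == len(path_segs)
        if rule_segs[i] == "*":
            # Assumption: a bare '*' stands for any run of packages, so '* > got' covers the full path.
            return any(walk(i + 1, k) for k in range(j, len(path_segs) + 1))
        if j == len(path_segs):
            return False
        r_name, spec = _split_segment(rule_segs[i])
        p_name, version = _split_segment(path_segs[j])
        return r_name == p_name and _spec_matches(spec, version) and walk(i + 1, j + 1)
    return walk(0, 0)
```

Run path_matches with each succeeding and failing path from the lists above against SAMPLE_PATH; validate_rule alone reports the between-range paths before any matching is attempted.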