x/vuln: add support for suppressing vulnerabilities by ID

[bentcoder]

What version of Go are you using (go version)?

$ go version
go version go1.20.2 darwin/amd64

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
MacOS amd64 darwin

Hi,

Requesting to introduce a config file (ideally) or a flag that allows users to explicitly exclude some vulnerabilities? Maybe until they resolve them, they can be suppressed in CI so on.

Thanks

Config file

$ govulncheck -config vuln.yaml ./...

# vuln.yaml
vulnerability:
    exclude:
        - GO-2023-1704
        - GO-2023-1705

Flag

$ govulncheck \
    -exclude GO-2023-1704 \
    -exclude GO-2023-1705 \
    ./...

[tianon]

In my case, I'm wanting this because govulncheck is now reporting GO-2023-1840 (https://pkg.go.dev/vuln/GO-2023-1840) on my binaries, but I've already got my own mitigation code for setuid bits being set, so the vulnerability doesn't really apply (which is the whole reason I love govulncheck - it normally is very good at filtering out things that don't apply, but in this case it really can't know ❤️). 😞 😅

[paveljanda]

We would love to support this solution. 👍

In our case, our pipelines are set to fail if govulncheck fails. That being said, not all govulncheck errors are necessarily related to our production code use-cases.

Is kind of an industry standard to make false-positives ignored in vulnarability checks, static code analysis tools etc.

Thx. 👍