fix(audit): ignore vulnerabilities listed in ignoreCves (#5752)

close #5734

.changeset/pink-socks-learn.md

@@ -0,0 +1,6 @@
+---
+"@pnpm/plugin-commands-audit": patch
+"pnpm": patch
+---
+
+`pnpm audit --json` should ignore vulnerabilities listed in `auditConfig.ignoreCves` [#5734](https://github.com/pnpm/pnpm/issues/5734).

lockfile/plugin-commands-audit/src/audit.ts

@@ -8,8 +8,9 @@ import { readWantedLockfile } from '@pnpm/lockfile-file'
 import { Registries } from '@pnpm/types'
 import { table } from '@zkochan/table'
 import chalk from 'chalk'
+import difference from 'ramda/src/difference'
 import pick from 'ramda/src/pick'
-import { difference } from 'ramda'
+import pickBy from 'ramda/src/pickBy'
 import renderHelp from 'render-help'
 import { fix } from './fix'
 
@@ -197,6 +198,10 @@ ${JSON.stringify(newOverrides, null, 2)}`,
   const vulnerabilities = auditReport.metadata.vulnerabilities
   const totalVulnerabilityCount = Object.values(vulnerabilities)
     .reduce((sum: number, vulnerabilitiesCount: number) => sum + vulnerabilitiesCount, 0)
+  const ignoreCves = opts.rootProjectManifest?.pnpm?.auditConfig?.ignoreCves
+  if (ignoreCves) {
+    auditReport.advisories = pickBy(({ cves }) => difference(cves, ignoreCves).length > 0, auditReport.advisories)
+  }
   if (opts.json) {
     return {
       exitCode: totalVulnerabilityCount > 0 ? 1 : 0,
@@ -207,10 +212,6 @@ ${JSON.stringify(newOverrides, null, 2)}`,
   let output = ''
   const auditLevel = AUDIT_LEVEL_NUMBER[opts.auditLevel ?? 'low']
   let advisories = Object.values(auditReport.advisories)
-  const ignoreCves = opts.rootProjectManifest?.pnpm?.auditConfig?.ignoreCves
-  if (ignoreCves) {
-    advisories = advisories.filter(({ cves }) => difference(cves, ignoreCves).length > 0)
-  }
   advisories = advisories
     .filter(({ severity }) => AUDIT_LEVEL_NUMBER[severity] >= auditLevel)
     .sort((a1, a2) => AUDIT_LEVEL_NUMBER[a2.severity] - AUDIT_LEVEL_NUMBER[a1.severity])

lockfile/plugin-commands-audit/test/index.ts

@@ -204,3 +204,35 @@ test('audit: CVEs in ignoreCves do not show up', async () => {
   expect(exitCode).toBe(1)
   expect(stripAnsi(output)).toMatchSnapshot()
 })
+
+test('audit: CVEs in ignoreCves do not show up when JSON output is used', async () => {
+  const tmp = f.prepare('has-vulnerabilities')
+
+  nock(registries.default)
+    .post('/-/npm/v1/security/audits')
+    .reply(200, responses.ALL_VULN_RESP)
+
+  const { exitCode, output } = await audit.handler({
+    auditLevel: 'moderate',
+    dir: tmp,
+    json: true,
+    userConfig: {},
+    rawConfig,
+    registries,
+    rootProjectManifest: {
+      pnpm: {
+        auditConfig: {
+          ignoreCves: [
+            'CVE-2019-10742',
+            'CVE-2020-28168',
+            'CVE-2021-3749',
+            'CVE-2020-7598',
+          ],
+        },
+      },
+    },
+  })
+
+  expect(exitCode).toBe(1)
+  expect(stripAnsi(output)).toMatchSnapshot()
+})