Description
osv-scanner allows multiple --config args, and as best I can tell the earlier config files are ignored and only the last --config is used.
I have two use cases where our processes would benefit from multiple config files being specified by --config.
We run osv-scanner as part of Rust build steps, using --lockfile Cargo.lock at the top level directory of the workspace. The config for these needs to ignore several RUSTSEC vulns that are unfixable.
The Rust binaries are built using cargo-auditable.
Later in the CI, we also put the Rust binaries on docker images, and extract an SBOM of the image using syft. These SBOMs therefore contain Ubuntu binaries that have CVEs and Rust binaries which have RUSTSECs. We then run osv-scanner on those SBOMs. It would be useful to have the Ubuntu CVE ignores in a separate config file. There is no sensible way to use subdirectory based multiple osv-scanner.toml files to split them, as both Ubuntu and Rust sets are at the top level of the repo. (no, creating a docker/.. won't work, trust me)
The more important use case is we have a repo which builds two images, one is the production base docker image, and the second image is the build image which is the production base docker image + the tools needed to build Rust binaries that are put onto the production base docker image. The CVE ignores for the production base docker image need to be approved by the Engineering Manager, while the CVEs on only the build image are important to track, but do not need approval from the Engineering Manager. As a result, we currently have two config files, one for prod and the other for build image, and the build image config includes all the entries in the prod config file. This is so that it is clear that touching the prod ignore list results in a different approval process. It would be useful for the build image SBOM check to use two non-overlapping config files: the prod config file and the build image config file.
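An interim way to get the separate-files workflow described above while only one --config is honoured, given here as an added example and not code from the osv-scanner project or the issue reporter: keep the prod and build ignore lists in separate osv-scanner.toml files, merge them into one generated file, and pass that single file as --config. It assumes the osv-scanner.toml layout of [[IgnoredVulns]] array-of-table entries carrying an id key, and relies on the TOML rule that repeated [[IgnoredVulns]] blocks appended one after another stay valid. The file names, helper name and vulnerability ids below are constructed for the example.

```shell
#!/bin/sh
# Added example (not osv-scanner's own code): merge several non-overlapping
# osv-scanner.toml files into one file that can be handed to a single --config.
#
# Assumptions (not taken from the issue): each input holds only array-of-table
# blocks such as [[IgnoredVulns]] with an `id = "..."` key, so concatenating
# the files is valid TOML. The prod file keeps its own approval process because
# it is never edited by the build-image workflow; only the generated file changes.

# merge_osv_configs OUT IN1 IN2 ...
#   Writes the concatenation of IN1.. to OUT.
#   Returns 1 (and writes nothing useful) if:
#     - a later input starts with a bare key before its first [[...]] header
#       (TOML would silently attach it to the previous file's last table), or
#     - the same vulnerability id appears in more than one input
#       (the lists are meant to be non-overlapping, so this flags a mistake).
merge_osv_configs() {
    out=$1; shift
    : > "$out"
    first=1
    for f in "$@"; do
        if [ "$first" -eq 0 ]; then
            # awk exits 0 only when a key=value line precedes the first table header.
            if awk '/^\[\[/ {exit 1}
                    /^[[:space:]]*[A-Za-z_]+[[:space:]]*=/ {found=1}
                    END {exit found ? 0 : 1}' "$f"; then
                echo "merge_osv_configs: $f has top-level keys before its first table" >&2
                return 1
            fi
        fi
        # Mark where each block came from so reviewers can map ignores to a source file.
        printf '# ---- from %s ----\n' "$f" >> "$out"
        cat "$f" >> "$out"
        printf '\n' >> "$out"
        first=0
    done
    # Extract every id value and report any that occurs more than once.
    dups=$(grep -E '^[[:space:]]*id[[:space:]]*=' "$out" \
        | sed -E 's/.*=[[:space:]]*"([^"]*)".*/\1/' \
        | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "merge_osv_configs: duplicate ids across inputs: $dups" >&2
        return 1
    fi
    return 0
}

# Usage (constructed file names):
#   merge_osv_configs build/osv-scanner.toml osv-prod.toml osv-build.toml \
#     && osv-scanner --config build/osv-scanner.toml --sbom build-image.sbom.json
```

The generated file is a build artifact, so it belongs in .gitignore; the two source files stay reviewable on their own, which is what keeps the prod ignore list under the stricter approval path.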