What are you trying to do?
After a conversation on gitter with @islippers, a nice-to-have feature would be to add the ability to exclude a full package. The use case here would be if you know that a package is only used in tests and you don't care about any CVE that pops up for it.
This is really a stop gap until go mod contains a good way to separate the difference between prod and test packages.
What feature or behavior is this required for?
Easily exclude test packages from nancy scanning.
How could we solve this issue? (Not knowing is okay!)
Update the exclusion logic to support package name/path as well, along with CVE and OSS Index ID.
This is interesting. It'd almost be wiser to kinda go and check with the golang team and see if we could do a RFP or something to mark test deps as just that. Maybe it's a Golang 2.0 thing, but I think it'd be a really good addition.
CVEs seem to MOSTLY be 1:1 with a package, so I think excluding a specific CVE is generally ok, it'd be nice to know for sure if that's the case before we do this, because what we have right now might actually be enough!
If we were to do this, we'd probably want it to exclude by purl, so that the exclusion is for a specific version too. I'd hate for it to be just on the name, because moving between versions would be a bit of a black hole at that point.
As well, thinking a bit more about it, we'd need to be careful here (and I still think we want to go the RFP route on golang), because if a dependency were marked as excluded, but a real use of it came up in your code (say you were only using golang/x/crypto in tests, but then you add a real use of it in your regular code), that would sneak up on you real quick.
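The comment above proposes excluding by purl rather than by bare package name so that an exclusion is pinned to one version. The following is an added example, not nancy's code, of what such an exclusion check could look like: a minimal purl parser (type, name, optional version only; no qualifiers or subpaths), an ignore list with one purl per line, and a classifier that treats a versioned exclusion as matching only that exact version, a name-only exclusion as matching every version, and a versioned exclusion whose package has since moved to a different version as "drifted", so the stale entry is surfaced instead of silently widening or silently lapsing. The package names and versions in the sample ignore list are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Coordinate holds the parts of a package URL (purl) that matter here.
type Coordinate struct {
	Type    string // e.g. "golang"
	Name    string // namespace plus name, e.g. "golang.org/x/crypto"
	Version string // e.g. "v0.1.0"; empty when the purl carries no version
}

// ParsePurl splits "pkg:<type>/<namespace>/<name>[@<version>]" into its parts.
// Qualifiers and subpaths from the purl spec are not handled; this is a
// minimal parser for the illustration, not nancy's own.
func ParsePurl(purl string) (Coordinate, error) {
	if !strings.HasPrefix(purl, "pkg:") {
		return Coordinate{}, fmt.Errorf("not a purl: %q", purl)
	}
	rest := strings.TrimPrefix(purl, "pkg:")
	parts := strings.SplitN(rest, "/", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return Coordinate{}, fmt.Errorf("purl missing type or name: %q", purl)
	}
	name, version := parts[1], ""
	if i := strings.LastIndex(name, "@"); i >= 0 {
		name, version = name[:i], name[i+1:]
	}
	return Coordinate{Type: parts[0], Name: name, Version: version}, nil
}

// ParseExclusions reads one purl per line, skipping blank lines and # comments.
func ParseExclusions(text string) ([]Coordinate, error) {
	var out []Coordinate
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		c, err := ParsePurl(line)
		if err != nil {
			return nil, err
		}
		out = append(out, c)
	}
	return out, nil
}

// Verdict is the outcome of applying the ignore list to one dependency.
type Verdict int

const (
	Scan    Verdict = iota // no exclusion applies: report findings as usual
	Exclude                // an exclusion covers this purl (exact version or name-only)
	Drifted                // a versioned exclusion names this package but another version
)

func (v Verdict) String() string { return [...]string{"scan", "exclude", "drifted"}[v] }

// Classify applies the exclusion list to one dependency purl. A versioned
// exclusion matches only the same version; a name-only exclusion matches
// every version (the "black hole" the comment warns about). A versioned
// exclusion for a package that is now at a different version yields Drifted.
func Classify(dep string, exclusions []Coordinate) (Verdict, error) {
	d, err := ParsePurl(dep)
	if err != nil {
		return Scan, err
	}
	verdict := Scan
	for _, ex := range exclusions {
		if ex.Type != d.Type || ex.Name != d.Name {
			continue
		}
		if ex.Version == "" || ex.Version == d.Version {
			return Exclude, nil
		}
		verdict = Drifted
	}
	return verdict, nil
}

// Constructed sample ignore list; package names and versions are made up.
const sampleIgnore = `# pinned: silenced only while this exact version is in use
pkg:golang/golang.org/x/crypto@v0.0.0-20200101000000-abcdefabcdef
# name only: silences every version, present and future
pkg:golang/github.com/example/testonly
`

func main() {
	ex, err := ParseExclusions(sampleIgnore)
	if err != nil {
		panic(err)
	}
	for _, dep := range []string{
		"pkg:golang/golang.org/x/crypto@v0.0.0-20200101000000-abcdefabcdef",
		"pkg:golang/golang.org/x/crypto@v0.1.0",
		"pkg:golang/github.com/example/testonly@v9.9.9",
		"pkg:golang/github.com/example/other@v1.0.0",
	} {
		v, _ := Classify(dep, ex)
		fmt.Printf("%-70s %s\n", dep, v)
	}
}
```

Running it shows the pinned x/crypto exclusion applying to its exact version, the bumped x/crypto version reported as drifted rather than silently ignored, and the name-only entry covering any version at all, which is the behaviour the comment argues against adopting by default.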