package-audit 0.5.1 → 0.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3987dbcffb0bef510d5897ad47ec79aa5ba65572c62d1a78003496a44264ca7e
-  data.tar.gz: f2608608cee05dde5a409e9dc6a4c885b208ee7d52cc7d6e745e0d3ccf37d7b7
+  metadata.gz: c4f817af73ba4616da54a934f0f6c4120d921e6026226c20a02c592c6b55e064
+  data.tar.gz: 818282a8f489ba8afd7b9675b78db96c3e2b9b18731415085ff44c25eaf07a77
 SHA512:
-  metadata.gz: baa304f965258c639f7e4bee858da18ddd74bfb83926a66d95ce43367ac5bfcf363e4847dd56c98ed649cda9d7143cbb44bb2015d1c7dc263b73f8942538011e
-  data.tar.gz: a5adfb16e863dacea34dc1d1ca8e4962e76ab984f766d86073f2a5bcfceea9923d2c048ae11487e8a0644d9420025a6dba61f57dede9b6faaf74cd82954f5f52
+  metadata.gz: 46267de0e991aaf0e1fdeb4f8c778cc2a59abf49f7d7a0849ae9731c9fb633ae8c958ac1865bf17aa98d50cd359e8e30d16975031f4dfd4fc1a7c2aacf6868fc
+  data.tar.gz: 65c6acb5e9e224f6736781f1db26eee0ec7772f220c87b8e8da1f2cecc872cfb667f78336314ad4b670000f849c60051087cdc9cda1b9e69ad11d896b717c471

data/lib/package/audit/cli.rb

@@ -1,7 +1,9 @@
 require_relative 'const/file'
 require_relative 'const/time'
+require_relative 'enum/format'
 require_relative 'enum/option'
 require_relative 'services/command_parser'
+require_relative 'util//risk_legend'
 require_relative 'version'
 
 require 'json'
@@ -10,7 +12,7 @@ require 'thor'
 module Package
   module Audit
     class CLI < Thor
-      default_task :report
+      default_task :default
 
       class_option Enum::Option::CONFIG,
                    aliases: '-c', banner: 'FILE',
@@ -24,18 +26,18 @@ module Package
       class_option Enum::Option::INCLUDE_IGNORED,
                    type: :boolean, default: false,
                    desc: 'Include packages ignored by a configuration file'
-      class_option Enum::Option::CSV,
-                   type: :boolean, default: false,
-                   desc: 'Output reports using comma separated values (CSV)'
+      class_option Enum::Option::FORMAT,
+                   aliases: '-f', banner: Enum::Format.all.join('|'), type: :string,
+                   desc: 'Output reports using a different format (e.g. CSV or Markdown)'
       class_option Enum::Option::CSV_EXCLUDE_HEADERS,
                    type: :boolean, default: false,
-                   desc: "Hide headers when using the --#{Enum::Option::CSV} option"
+                   desc: "Hide headers when using the #{Enum::Format::CSV} format"
 
       map '-v' => :version
       map '--version' => :version
 
-      desc 'report [DIR]', 'Show a report of potentially deprecated, outdated or vulnerable packages'
-      def report(dir = Dir.pwd)
+      desc '[DIR]', 'Show a report of potentially deprecated, outdated or vulnerable packages'
+      def default(dir = Dir.pwd)
         within_rescue_block { exit CommandParser.new(dir, options, Enum::Report::ALL).run }
       end
 
@@ -57,7 +59,7 @@ module Package
 
       desc 'risk', 'Print information on how risk is calculated'
       def risk
-        Util::SummaryPrinter.risk
+        Util::RiskLegend.print
       end
 
       desc 'version', 'Print the currently installed version of the package-audit gem'
@@ -70,7 +72,7 @@ module Package
       end
 
       def method_missing(command, *args)
-        invoke :report, [command], args
+        invoke :default, [command], args
       end
 
       def respond_to_missing?

data/lib/package/audit/const/cmd.rb

@@ -3,13 +3,13 @@ module Package
     module Const
       module Cmd
         BUNDLE_AUDIT = 'bundle-audit check --update'
-        BUNDLE_AUDIT_JSON = 'bundle-audit check --update --quiet --format json %s'
+        BUNDLE_AUDIT_JSON = 'bundle-audit check --update --quiet --format json "%s" 2>/dev/null'
 
         NPM_AUDIT = 'npm audit'
         NPM_AUDIT_JSON = 'npm audit --json'
 
         YARN_AUDIT = 'yarn audit'
-        YARN_AUDIT_JSON = 'yarn audit --json --cwd %s'
+        YARN_AUDIT_JSON = 'yarn audit --json --cwd "%s"'
       end
     end
   end

data/lib/package/audit/enum/format.rb

@@ -0,0 +1,14 @@
+module Package
+  module Audit
+    module Enum
+      module Format
+        CSV = 'csv'
+        MARKDOWN = 'md'
+
+        def self.all
+          constants.map { |key| const_get(key) }.sort
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/enum/option.rb

@@ -3,7 +3,7 @@ module Package
     module Enum
       module Option
         CONFIG = 'config'
-        CSV = 'csv'
+        FORMAT = 'format'
         CSV_EXCLUDE_HEADERS = 'exclude-headers'
         GROUP = 'group'
         INCLUDE_IGNORED = 'include-ignored'

data/lib/package/audit/enum/technology.rb

@@ -6,7 +6,7 @@ module Package
         RUBY = 'ruby'
 
         def self.all
-          constants.map { |key| Enum::Technology.const_get(key) }.sort
+          constants.map { |key| const_get(key) }.sort
         end
       end
     end

data/lib/package/audit/models/package.rb

@@ -25,7 +25,7 @@ module Package
       end
 
       def update(**attr)
-        attr.each { |key, value| instance_variable_set("@#{key}", value) }
+        attr.each { |key, value| instance_variable_set(:"@#{key}", value) }
       end
 
       def risk
@@ -41,7 +41,7 @@ module Package
       end
 
       def group_list
-        @groups.join('|')
+        @groups.join(' ')
       end
 
       def vulnerabilities_grouped

data/lib/package/audit/npm/node_collection.rb

@@ -58,9 +58,26 @@ module Package
           package_json = JSON.parse(File.read("#{@dir}/#{Const::File::PACKAGE_JSON}"), symbolize_names: true)
           default_deps = package_json[:dependencies] || {}
           dev_deps = package_json[:devDependencies] || {}
+
+          # Filter out local dependencies before processing
+          default_deps = filter_local_dependencies(default_deps)
+          dev_deps = filter_local_dependencies(dev_deps)
+
           [default_deps, dev_deps]
         end
 
+        def filter_local_dependencies(dependencies)
+          dependencies.reject { |_name, version| local_dependency?(version) }
+        end
+
+        def local_dependency?(version)
+          # Check for local file paths
+          version.to_s.start_with?('file:', 'link:', './', '../') ||
+            version.to_s.include?('file:') ||
+            # Check for git repositories with local paths
+            (version.to_s.start_with?('git+') && version.to_s.include?('file:'))
+        end
+
         def fetch_from_lock_file
           default_deps, dev_deps = fetch_from_package_json
           if File.exist?("#{@dir}/#{Const::File::YARN_LOCK}")

data/lib/package/audit/npm/npm_meta_data.rb

@@ -1,5 +1,6 @@
 require 'json'
 require 'net/http'
+require 'socket'
 
 module Package
   module Audit
@@ -11,7 +12,7 @@ module Package
           @packages = packages
         end
 
-        def fetch # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+        def fetch # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength
           threads = @packages.map do |package|
             Thread.new do
               response = Net::HTTP.get_response(URI.parse("#{REGISTRY_URL}/#{package.name}"))
@@ -20,14 +21,35 @@ module Package
 
               json_package = JSON.parse(response.body, symbolize_names: true)
               update_meta_data(package, json_package)
+            rescue Net::TimeoutError, Net::OpenTimeout, Net::ReadTimeout => e
+              warn "Warning: Network timeout while fetching metadata for #{package.name}: #{e.message}"
+              Thread.current[:exception] = e
+            rescue SocketError, Errno::ECONNREFUSED, Errno::EHOSTUNREACH => e
+              warn "Warning: Network error while fetching metadata for #{package.name}: #{e.message}"
+              Thread.current[:exception] = e
             rescue StandardError => e
               Thread.current[:exception] = e
             end
           end
+
+          network_errors = []
           threads.each do |thread|
             thread.join
-            raise thread[:exception] if thread[:exception]
+            next unless thread[:exception]
+
+            case thread[:exception]
+            when Net::TimeoutError, Net::OpenTimeout, Net::ReadTimeout, SocketError, Errno::ECONNREFUSED, Errno::EHOSTUNREACH # rubocop:disable Layout/LineLength
+              network_errors << thread[:exception]
+            else
+              raise thread[:exception]
+            end
+          end
+
+          unless network_errors.empty?
+            warn "Warning: #{network_errors.size} network error(s) occurred while fetching package metadata."
+            warn 'Some packages may not show complete version information.'
           end
+
           @packages
         end
 

data/lib/package/audit/npm/vulnerability_finder.rb

@@ -1,3 +1,5 @@
+require 'open3'
+
 require_relative '../const/cmd'
 require_relative '../enum/vulnerability_type'
 
@@ -14,7 +16,11 @@ module Package
         end
 
         def run
-          json_string_lines = `#{format(Const::Cmd::YARN_AUDIT_JSON, @dir)}`
+          # Suppress Node.js url.parse deprecation warnings from yarn audit command
+          command = format(Const::Cmd::YARN_AUDIT_JSON, @dir)
+          env_vars = { 'NODE_NO_WARNINGS' => '1' }
+
+          json_string_lines, = Open3.capture3(env_vars, command)
           array = json_string_lines.scan(AUDIT_ADVISORY_REGEX)
 
           vulnerability_json_array = JSON.parse("[#{array.join(',')}]", symbolize_names: true)

data/lib/package/audit/ruby/bundler_specs.rb

@@ -9,15 +9,17 @@ module Package
     module Ruby
       class BundlerSpecs
         def self.all(dir)
-          Bundler.with_unbundled_env do
+          specs = Bundler.with_unbundled_env do
             ENV['BUNDLE_GEMFILE'] = "#{dir}/Gemfile"
             Bundler.ui.silence { Bundler.definition.resolve }
           end
+          filter_local_dependencies(specs)
         end
 
         def self.gemfile(dir)
           current_dependencies = Bundler.with_unbundled_env do
             ENV['BUNDLE_GEMFILE'] = "#{dir}/Gemfile"
+            Bundler.ui.level = 'error'
             Bundler.reset!
             Bundler.ui.silence do
               Bundler.load.dependencies.to_h { |dep| [dep.name, dep] }
@@ -29,6 +31,19 @@ module Package
           end
           gemfile_specs
         end
+
+        def self.filter_local_dependencies(specs)
+          specs.reject { |spec| local_dependency?(spec) }
+        end
+
+        def self.local_dependency?(spec)
+          # Check if the gem has a local source (path or git with local path)
+          source = spec.source
+          return true if source.is_a?(Bundler::Source::Path)
+          return true if source.is_a?(Bundler::Source::Git) && source.uri.start_with?('file:', './', '../')
+
+          false
+        end
       end
     end
   end

data/lib/package/audit/services/command_parser.rb

@@ -6,6 +6,7 @@ require_relative '../technology/detector'
 require_relative '../technology/validator'
 require_relative '../util/spinner'
 require_relative '../util/summary_printer'
+require_relative 'config_cleaner'
 require_relative 'package_finder'
 require_relative 'package_printer'
 
@@ -13,20 +14,36 @@ require 'yaml'
 
 module Package
   module Audit
-    class CommandParser
+    class CommandParser # rubocop:disable Metrics/ClassLength
       def initialize(dir, options, report)
         @dir = dir
         @options = options
         @report = report
-        @config = parse_config_file
+        @config = parse_config_file!
         @groups = @options[Enum::Option::GROUP]
-        @technologies = parse_technologies
-        @spinner = Util::Spinner.new('Evaluating packages and their dependencies...')
+        @technologies = parse_technologies!
+        validate_format!
+        @spinner = Util::Spinner.new("Evaluating packages and their dependencies for #{human_readable_technologies}...")
       end
 
-      def run # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
+      def run
+        if File.file? @dir.to_s
+          raise "\"#{@dir}\" is a file instead of directory"
+        elsif !File.directory? @dir.to_s
+          raise "\"#{@dir}\" is not a valid directory"
+        elsif @technologies.empty?
+          raise 'No supported technologies found in this directory'
+        else
+          process_technologies
+        end
+      end
+
+      private
+
+      def process_technologies # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity
         mutex = Mutex.new
         cumulative_pkgs = []
+        all_packages_for_config = []
         thread_index = 0
 
         @spinner.start
@@ -34,11 +51,14 @@ module Package
           Thread.new do
             all_pkgs, ignored_pkgs = PackageFinder.new(@config, @dir, @report, @groups).run(technology)
             ignored_pkgs = [] if @options[Enum::Option::INCLUDE_IGNORED]
-            cumulative_pkgs += all_pkgs || []
+            active_pkgs = (all_pkgs || []) - (ignored_pkgs || [])
+            cumulative_pkgs += active_pkgs
+            mutex.synchronize { all_packages_for_config += all_pkgs || [] }
+
             sleep 0.1 while technology_index != thread_index # print each technology in order
             mutex.synchronize do
               @spinner.stop
-              print_results(technology, (all_pkgs || []) - (ignored_pkgs || []), ignored_pkgs || [])
+              print_results(technology, active_pkgs, ignored_pkgs || [])
               thread_index += 1
               @spinner.start
             end
@@ -50,22 +70,24 @@ module Package
           thread.join
           raise thread[:exception] if thread[:exception]
         end
+
+        @spinner.stop # Stop spinner before cleaning config to ensure clean output
+        clean_config(all_packages_for_config)
+
         cumulative_pkgs.any? ? 1 : 0
       ensure
         @spinner.stop
       end
 
-      private
-
       def print_results(technology, pkgs, ignored_pkgs)
         PackagePrinter.new(@options, pkgs).print(Const::Fields::DEFAULT)
-        print_summary(technology, pkgs, ignored_pkgs) unless @options[Enum::Option::CSV]
-        print_disclaimer(technology) unless @options[Enum::Option::CSV] || pkgs.empty?
+        print_summary(technology, pkgs, ignored_pkgs) unless @options[Enum::Option::FORMAT] == Enum::Format::CSV
+        print_disclaimer(technology) unless @options[Enum::Option::FORMAT] || pkgs.empty?
       end
 
       def print_summary(technology, pkgs, ignored_pkgs)
         if @report == Enum::Report::ALL
-          Util::SummaryPrinter.statistics(technology, @report, pkgs, ignored_pkgs)
+          Util::SummaryPrinter.statistics(@options[Enum::Option::FORMAT], technology, @report, pkgs, ignored_pkgs)
         else
           Util::SummaryPrinter.total(technology, @report, pkgs, ignored_pkgs)
         end
@@ -91,7 +113,7 @@ module Package
         end
       end
 
-      def parse_config_file
+      def parse_config_file!
         if @options[Enum::Option::CONFIG].nil?
           YAML.load_file("#{@dir}/#{Const::File::CONFIG}") if File.exist? "#{@dir}/#{Const::File::CONFIG}"
         elsif File.exist? @options[Enum::Option::CONFIG]
@@ -101,10 +123,29 @@ module Package
         end
       end
 
-      def parse_technologies
+      def validate_format!
+        format = @options[Enum::Option::FORMAT]
+        raise ArgumentError, "Invalid format: #{format}, should be one of [#{Enum::Format.all.join('|')}]" unless
+          @options[Enum::Option::FORMAT].nil? || Enum::Format.all.include?(format)
+      end
+
+      def parse_technologies!
         technology_validator = Technology::Validator.new(@dir)
         @options[Enum::Option::TECHNOLOGY]&.each { |technology| technology_validator.validate! technology }
-        @options[Enum::Option::TECHNOLOGY] || Technology::Detector.new(@dir).detect
+        (@options[Enum::Option::TECHNOLOGY] || Technology::Detector.new(@dir).detect).sort
+      end
+
+      def clean_config(all_packages)
+        ConfigCleaner.new(@dir, @config, all_packages, @options).run
+      end
+
+      def human_readable_technologies
+        array = @technologies.map(&:capitalize)
+        return '' if array.nil?
+        return array.join if array.size <= 1
+        return array.join(' and ') if array.size == 2
+
+        "#{array[0..-2].join(', ')}, and #{array.last}"
       end
     end
   end

data/lib/package/audit/services/config_cleaner.rb

@@ -0,0 +1,221 @@
+require_relative '../const/file'
+require_relative '../const/yaml'
+require_relative '../enum/option'
+require_relative '../enum/technology'
+
+require 'yaml'
+require 'json'
+
+module Package
+  module Audit
+    class ConfigCleaner # rubocop:disable Metrics/ClassLength
+      def initialize(dir, config, all_packages, options)
+        @dir = dir
+        @config = config
+        @all_packages = all_packages
+        @options = options
+        @config_file_path = determine_config_file_path
+        @removed_packages = []
+      end
+
+      def run
+        return unless @config && File.exist?(@config_file_path)
+
+        cleaned_config = clean_config
+
+        return unless config_changed?(cleaned_config)
+
+        write_config_file(cleaned_config)
+        print_summary unless @options[Enum::Option::FORMAT]
+      end
+
+      attr_reader :removed_packages
+
+      private
+
+      def determine_config_file_path
+        if @options[Enum::Option::CONFIG].nil?
+          "#{@dir}/#{Const::File::CONFIG}"
+        else
+          @options[Enum::Option::CONFIG]
+        end
+      end
+
+      def clean_config
+        return {} unless @config
+
+        cleaned = {}
+
+        if @config[Const::YAML::TECHNOLOGY]
+          cleaned[Const::YAML::TECHNOLOGY] = {}
+
+          # Sort technologies alphabetically to ensure consistent ordering
+          @config[Const::YAML::TECHNOLOGY].sort.each do |technology, packages|
+            cleaned_packages = clean_packages_for_technology(technology, packages)
+            cleaned[Const::YAML::TECHNOLOGY][technology] = cleaned_packages unless cleaned_packages.empty?
+          end
+
+          # Remove the technology key if no technologies have any packages
+          cleaned.delete(Const::YAML::TECHNOLOGY) if cleaned[Const::YAML::TECHNOLOGY].empty?
+        end
+
+        cleaned
+      end
+
+      def clean_packages_for_technology(technology, packages)
+        return {} unless packages.is_a?(Hash)
+
+        current_packages = current_packages_for_technology(technology)
+        cleaned_packages = {}
+
+        packages.each do |package_name, package_config|
+          next unless package_config.is_a?(Hash)
+
+          if should_keep_package?(package_name, package_config, current_packages)
+            cleaned_packages[package_name] = sort_package_config(package_config)
+          else
+            track_removed_package(technology, package_name, package_config)
+          end
+        end
+
+        # Sort package names alphabetically
+        cleaned_packages.sort.to_h
+      end
+
+      def current_packages_for_technology(technology)
+        @all_packages.select { |pkg| pkg.technology == technology }
+                     .to_h { |pkg| [pkg.name, pkg.version] }
+      end
+
+      def should_keep_package?(package_name, package_config, current_packages)
+        config_version = package_config[Const::YAML::VERSION]
+        current_version = current_packages[package_name]
+
+        # Keep the package if it exists and the version matches
+        current_version && config_version == current_version
+      end
+
+      def sort_package_config(package_config)
+        sorted_config = {}
+
+        # Add version first if it exists
+        if package_config[Const::YAML::VERSION]
+          sorted_config[Const::YAML::VERSION] =
+            package_config[Const::YAML::VERSION]
+        end
+
+        # Add other keys in alphabetical order
+        other_keys = (package_config.keys - [Const::YAML::VERSION]).sort
+        other_keys.each do |key|
+          sorted_config[key] = package_config[key]
+        end
+
+        sorted_config
+      end
+
+      def track_removed_package(technology, package_name, package_config)
+        @removed_packages << {
+          technology: technology,
+          name: package_name,
+          version: package_config[Const::YAML::VERSION],
+          reason: determine_removal_reason(package_name, package_config)
+        }
+      end
+
+      def determine_removal_reason(package_name, package_config)
+        technology = find_technology_for_package(package_name)
+        return 'unknown reason' unless technology
+
+        current_packages = current_packages_for_technology(technology)
+        config_version = package_config[Const::YAML::VERSION]
+        current_version = current_packages[package_name]
+
+        determine_reason_based_on_versions(package_name, technology, config_version, current_version)
+      end
+
+      def find_technology_for_package(package_name)
+        @config[Const::YAML::TECHNOLOGY].each do |tech, packages|
+          return tech if packages.key?(package_name)
+        end
+        nil
+      end
+
+      def determine_reason_based_on_versions(package_name, technology, config_version, current_version)
+        if current_version.nil?
+          determine_reason_for_missing_package(package_name, technology)
+        elsif config_version != current_version
+          "version changed from #{config_version} to #{current_version}"
+        else
+          'unknown reason'
+        end
+      end
+
+      def determine_reason_for_missing_package(package_name, technology)
+        if package_exists_in_project_files?(package_name, technology)
+          'package version has changed'
+        else
+          'package no longer exists'
+        end
+      end
+
+      def package_exists_in_project_files?(package_name, technology)
+        case technology
+        when Enum::Technology::RUBY
+          package_exists_in_gemfile?(package_name)
+        when Enum::Technology::NODE
+          package_exists_in_package_json?(package_name)
+        else
+          false
+        end
+      end
+
+      def package_exists_in_gemfile?(package_name)
+        gemfile_path = "#{@dir}/#{Const::File::GEMFILE}"
+        return false unless File.exist?(gemfile_path)
+
+        gemfile_content = File.read(gemfile_path)
+        # Check for gem declarations with single or double quotes
+        gemfile_content.match?(/^\s*gem\s+['"]#{Regexp.escape(package_name)}['"]/)
+      end
+
+      def package_exists_in_package_json?(package_name)
+        package_json_path = "#{@dir}/#{Const::File::PACKAGE_JSON}"
+        return false unless File.exist?(package_json_path)
+
+        begin
+          package_json = JSON.parse(File.read(package_json_path))
+          dependencies = package_json['dependencies'] || {}
+          dev_dependencies = package_json['devDependencies'] || {}
+
+          dependencies.key?(package_name) || dev_dependencies.key?(package_name)
+        rescue JSON::ParserError
+          false
+        end
+      end
+
+      def config_changed?(cleaned_config)
+        # Compare YAML representations to detect key reordering
+        cleaned_config.to_yaml != @config.to_yaml
+      end
+
+      def write_config_file(cleaned_config)
+        File.write(@config_file_path, cleaned_config.to_yaml)
+      end
+
+      def print_summary
+        return if @removed_packages.empty?
+
+        puts
+        puts "Cleaned up #{@removed_packages.count} package(s) from #{File.basename(@config_file_path)}:"
+
+        # Sort by technology then by name for consistent output
+        @removed_packages.sort_by { |pkg| [pkg[:technology], pkg[:name]] }.each do |removed_package|
+          package_info = "#{removed_package[:name]}@#{removed_package[:version]}"
+          tech_info = "(#{removed_package[:technology]})"
+          reason = removed_package[:reason]
+          puts "  - #{package_info} #{tech_info}: #{reason}"
+        end
+      end
+    end
+  end
+end

data/lib/package/audit/services/package_filter.rb

@@ -9,7 +9,8 @@ require 'yaml'
 module Package
   module Audit
     class PackageFilter
-      def initialize(config)
+      def initialize(report, config)
+        @report = report
         @config = config
       end
 
@@ -30,9 +31,28 @@ module Package
       end
 
       def ignore_package?(pkg, yaml)
-        (!pkg.deprecated? || yaml&.dig(Const::YAML::DEPRECATED) == false) &&
-          (!pkg.outdated? || yaml&.dig(Const::YAML::OUTDATED) == false) &&
-          (!pkg.vulnerable? || yaml&.dig(Const::YAML::VULNERABLE) == false)
+        case @report
+        when Enum::Report::DEPRECATED
+          ignore_deprecated?(pkg, yaml)
+        when Enum::Report::OUTDATED
+          ignore_outdated?(pkg, yaml)
+        when Enum::Report::VULNERABLE
+          ignore_vulnerable?(pkg, yaml)
+        else
+          ignore_deprecated?(pkg, yaml) && ignore_outdated?(pkg, yaml) && ignore_vulnerable?(pkg, yaml)
+        end
+      end
+
+      def ignore_deprecated?(pkg, yaml)
+        !pkg.deprecated? || yaml&.dig(Const::YAML::DEPRECATED) == false
+      end
+
+      def ignore_outdated?(pkg, yaml)
+        !pkg.outdated? || yaml&.dig(Const::YAML::OUTDATED) == false
+      end
+
+      def ignore_vulnerable?(pkg, yaml)
+        !pkg.vulnerable? || yaml&.dig(Const::YAML::VULNERABLE) == false
       end
     end
   end