fix(config): properly track if an ignore entry has been used

cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

@@ -1048,8 +1048,6 @@ Package Packagist/sentry/sdk/2.0.4 has been filtered out because: (no reason giv
 Filtered 1 ignored package/s from the scan.
 GHSA-whgm-jr23-g3j9 and 1 alias have been filtered out because: (no reason given)
 Filtered 1 vulnerability from output
-./testdata/osv-scanner-reasonless-ignores-config.toml has unused ignores:
- - GHSA-whgm-jr23-g3j9
 No issues found
 
 ---
@@ -1209,8 +1207,6 @@ Scanned <rootdir>/testdata/locks-test-ignore/package-lock.json file and found 1
 Loaded filter from: <rootdir>/testdata/locks-test-ignore/osv-scanner-test.toml
 CVE-2021-23424 and 1 alias have been filtered out because: Test manifest file (package-lock.json)
 Filtered 1 vulnerability from output
-<rootdir>/testdata/locks-test-ignore/osv-scanner-test.toml has unused ignores:
- - CVE-2021-23424
 No issues found
 
 ---
@@ -1854,8 +1850,6 @@ CVE-2025-26519 and 1 alias have been filtered out because: (no reason given)
 CVE-2018-25032 and 1 alias have been filtered out because: (no reason given)
 Filtered 2 vulnerabilities from output
 testdata/osv-scanner-partial-ignores-config.toml has unused ignores:
- - CVE-2025-26519
- - CVE-2018-25032
  - GO-2022-0274
  - CVE-2019-5188
  - CVE-2022-1304
@@ -1892,11 +1886,7 @@ CVE-2025-26519 and 1 alias have been filtered out because: (no reason given)
 CVE-2018-25032 and 1 alias have been filtered out because: (no reason given)
 Filtered 8 vulnerabilities from output
 testdata/osv-scanner-partial-ignores-config.toml has unused ignores:
- - CVE-2025-26519
- - CVE-2018-25032
- - GO-2022-0274
  - CVE-2019-5188
- - CVE-2022-1304
 Total 24 packages affected by 159 known vulnerabilities (20 Critical, 67 High, 48 Medium, 1 Low, 23 Unknown) from 4 ecosystems.
 10 vulnerabilities can be fixed.
 
@@ -2110,11 +2100,7 @@ CVE-2022-1304 and 2 aliases have been filtered out because: (no reason given)
 GO-2022-0274 and 2 aliases have been filtered out because: (no reason given)
 Filtered 6 vulnerabilities from output
 testdata/osv-scanner-partial-ignores-config.toml has unused ignores:
- - CVE-2025-26519
- - CVE-2018-25032
- - GO-2022-0274
  - CVE-2019-5188
- - CVE-2022-1304
 Total 22 packages affected by 157 known vulnerabilities (18 Critical, 67 High, 48 Medium, 1 Low, 23 Unknown) from 3 ecosystems.
 10 vulnerabilities can be fixed.
 

internal/config/config.go

@@ -27,16 +27,16 @@ type Manager struct {
 }
 
 type Config struct {
-	IgnoredVulns      []IgnoreEntry          `toml:"IgnoredVulns"`
+	IgnoredVulns      []*IgnoreEntry         `toml:"IgnoredVulns"`
 	PackageOverrides  []PackageOverrideEntry `toml:"PackageOverrides"`
 	GoVersionOverride string                 `toml:"GoVersionOverride"`
 	// The path to config file that this config was loaded from,
 	// set by the scanner after having successfully parsed the file
 	LoadPath string `toml:"-"`
 }
 
-func (c *Config) UnusedIgnoredVulns() []IgnoreEntry {
-	unused := make([]IgnoreEntry, 0, len(c.IgnoredVulns))
+func (c *Config) UnusedIgnoredVulns() []*IgnoreEntry {
+	unused := make([]*IgnoreEntry, 0, len(c.IgnoredVulns))
 
 	for _, entry := range c.IgnoredVulns {
 		if !entry.Used {
@@ -101,10 +101,10 @@ type License struct {
 	Ignore   bool     `toml:"ignore"`
 }
 
-func (c *Config) ShouldIgnore(vulnID string) (bool, IgnoreEntry) {
-	index := slices.IndexFunc(c.IgnoredVulns, func(e IgnoreEntry) bool { return e.ID == vulnID })
+func (c *Config) ShouldIgnore(vulnID string) (bool, *IgnoreEntry) {
+	index := slices.IndexFunc(c.IgnoredVulns, func(e *IgnoreEntry) bool { return e.ID == vulnID })
 	if index == -1 {
-		return false, IgnoreEntry{}
+		return false, &IgnoreEntry{}
 	}
 	ignoredLine := c.IgnoredVulns[index]
 
@@ -203,8 +203,8 @@ func (c *Manager) Get(targetPath string) Config {
 	return config
 }
 
-func (c *Manager) GetUnusedIgnoreEntries() map[string][]IgnoreEntry {
-	m := make(map[string][]IgnoreEntry)
+func (c *Manager) GetUnusedIgnoreEntries() map[string][]*IgnoreEntry {
+	m := make(map[string][]*IgnoreEntry)
 
 	for _, config := range c.ConfigMap {
 		unusedEntries := config.UnusedIgnoredVulns()

internal/config/config_internal_test.go

@@ -131,7 +131,7 @@ func Test_tryLoadConfig(t *testing.T) {
 			},
 			want: Config{
 				LoadPath: "./testdata/testdatainner/osv-scanner.toml",
-				IgnoredVulns: []IgnoreEntry{
+				IgnoredVulns: []*IgnoreEntry{
 					{
 						ID: "GO-2022-0968",
 					},
@@ -255,13 +255,13 @@ func TestConfig_ShouldIgnore(t *testing.T) {
 		config    Config
 		args      args
 		wantOk    bool
-		wantEntry IgnoreEntry
+		wantEntry *IgnoreEntry
 	}{
 		// entry exists
 		{
 			name: "",
 			config: Config{
-				IgnoredVulns: []IgnoreEntry{
+				IgnoredVulns: []*IgnoreEntry{
 					{
 						ID:          "GHSA-123",
 						IgnoreUntil: time.Time{},
@@ -273,7 +273,7 @@ func TestConfig_ShouldIgnore(t *testing.T) {
 				vulnID: "GHSA-123",
 			},
 			wantOk: true,
-			wantEntry: IgnoreEntry{
+			wantEntry: &IgnoreEntry{
 				ID:          "GHSA-123",
 				IgnoreUntil: time.Time{},
 				Reason:      "",
@@ -283,7 +283,7 @@ func TestConfig_ShouldIgnore(t *testing.T) {
 		{
 			name: "",
 			config: Config{
-				IgnoredVulns: []IgnoreEntry{
+				IgnoredVulns: []*IgnoreEntry{
 					{
 						ID:          "GHSA-123",
 						IgnoreUntil: time.Time{},
@@ -295,13 +295,13 @@ func TestConfig_ShouldIgnore(t *testing.T) {
 				vulnID: "nonexistent",
 			},
 			wantOk:    false,
-			wantEntry: IgnoreEntry{},
+			wantEntry: &IgnoreEntry{},
 		},
 		// ignored until a time in the past
 		{
 			name: "",
 			config: Config{
-				IgnoredVulns: []IgnoreEntry{
+				IgnoredVulns: []*IgnoreEntry{
 					{
 						ID:          "GHSA-123",
 						IgnoreUntil: time.Now().Add(-time.Hour).Round(time.Second),
@@ -313,7 +313,7 @@ func TestConfig_ShouldIgnore(t *testing.T) {
 				vulnID: "GHSA-123",
 			},
 			wantOk: false,
-			wantEntry: IgnoreEntry{
+			wantEntry: &IgnoreEntry{
 				ID:          "GHSA-123",
 				IgnoreUntil: time.Now().Add(-time.Hour).Round(time.Second),
 				Reason:      "",
@@ -323,7 +323,7 @@ func TestConfig_ShouldIgnore(t *testing.T) {
 		{
 			name: "",
 			config: Config{
-				IgnoredVulns: []IgnoreEntry{
+				IgnoredVulns: []*IgnoreEntry{
 					{
 						ID:          "GHSA-123",
 						IgnoreUntil: time.Now().Add(time.Hour).Round(time.Second),
@@ -335,7 +335,7 @@ func TestConfig_ShouldIgnore(t *testing.T) {
 				vulnID: "GHSA-123",
 			},
 			wantOk: true,
-			wantEntry: IgnoreEntry{
+			wantEntry: &IgnoreEntry{
 				ID:          "GHSA-123",
 				IgnoreUntil: time.Now().Add(time.Hour).Round(time.Second),
 				Reason:      "",

pkg/osvscanner/filter.go

@@ -143,7 +143,7 @@ func filterPackageVulns(pkgVulns models.PackageVulns, configToUse config.Config)
 	for _, group := range pkgVulns.Groups {
 		ignore := false
 		for _, id := range group.Aliases {
-			var ignoreLine config.IgnoreEntry
+			var ignoreLine *config.IgnoreEntry
 			if ignore, ignoreLine = configToUse.ShouldIgnore(id); ignore {
 				for _, id := range group.Aliases {
 					ignoredVulns[id] = struct{}{}