pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

Would it make sense to add an option to ignore packages? #344

Open Midnighter opened 3 years ago

Midnighter commented 3 years ago

There recently was a vulnerability with pip that caused many of my pipelines to break. Those cases are about libraries/packages so pip is not a direct dependency but, of course, present in the environment. Since pip is not a direct dependency and I don't want to control my users' environments, the best option is to ignore checking pip. I know that I could generate a requirements file for my package and check that file but that's cumbersome. Hence my question, just as we can ignore specific vulnerabilities, can't we have an option to ignore checking a package by name, please?

Midnighter commented 3 years ago

I was just thinking, maybe

pip freeze | safety check --stdin --full-report

is a quick solution?

vhoulbreque commented 2 years ago

I have the same problem with pip as @Midnighter and their solution works well for pip.

But I would like to have the alternative to ignore any package (instead of just a vulnerability id).

Something along the lines of:

safety check --ignore pip --ignore 42089

i.e. make ignore parse the value given and check if it's a number (i.e. a vulnerability id) or a string of chars (i.e. a package name).

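The filtering described in the two comments above, written out as an added example (this is not safety's own code and safety has no --ignore-by-name option as of this thread): an ignore list is split into numeric vulnerability ids and package names, the package names are stripped from a `pip freeze`-style listing before it is piped into `safety check --stdin`, and the ids are passed through with safety's real `--ignore` flag. The sample freeze output is constructed for the example; note that plain `pip freeze` already omits pip itself by default and only `pip freeze --all` lists it, which is why the one-liner above works for pip specifically. Requirement lines that pin no name (options, `-e`/URL lines, comments) are passed through untouched.

```python
"""Pre-filter for `safety check --stdin` that drops whole packages by name
in addition to ignoring vulnerability ids.  Added example, not safety code."""
import re
import sys

# Constructed sample of `pip freeze --all` output; not a real environment.
SAMPLE_FREEZE = """\
certifi==2021.10.8
pip==21.1
requests==2.25.1
setuptools==57.0.0
-e git+https://example.invalid/repo.git#egg=mypkg
"""


def normalize(name):
    """PEP 503 name normalization so 'Setup_Tools' and 'setuptools' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def split_ignores(tokens):
    """Classify --ignore values: all-digit tokens are vulnerability ids,
    anything else is treated as a package name."""
    vuln_ids, packages = set(), set()
    for tok in tokens:
        tok = tok.strip()
        if not tok:
            continue
        if tok.isdigit():
            vuln_ids.add(tok)
        else:
            packages.add(normalize(tok))
    return vuln_ids, packages


def requirement_name(line):
    """Return the normalized project name of a requirements line, or None for
    blank lines, comments, pip options and editable/URL lines."""
    line = re.sub(r"(^|\s+)#.*$", "", line).strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
    return normalize(m.group(1)) if m else None


def filter_requirements(text, ignored_packages):
    """Drop every requirement whose name is in ignored_packages; keep the
    original line text for everything else so safety parses it unchanged."""
    kept = []
    for line in text.splitlines():
        name = requirement_name(line)
        if name is not None and name in ignored_packages:
            continue
        kept.append(line)
    return kept


def build_safety_argv(vuln_ids):
    """Command line for the downstream check; --ignore/-i is safety's real
    per-vulnerability-id option, used once per id."""
    argv = ["safety", "check", "--stdin"]
    for vid in sorted(vuln_ids):
        argv += ["--ignore", vid]
    return argv


def main(argv=None, stdin_text=None):
    """Usage: pip freeze --all | python filter.py pip 42089 | safety check --stdin -i 42089
    Positional args are ignore tokens; filtered requirements go to stdout and
    the matching safety invocation is printed to stderr as a hint."""
    argv = sys.argv[1:] if argv is None else argv
    stdin_text = sys.stdin.read() if stdin_text is None else stdin_text
    vuln_ids, packages = split_ignores(argv)
    for line in filter_requirements(stdin_text, packages):
        print(line)
    print("pipe into:", " ".join(build_safety_argv(vuln_ids)), file=sys.stderr)


if __name__ == "__main__":
    main()
```

Running it against the constructed sample with `pip setuptools 42089` as the ignore tokens keeps certifi, requests and the editable line, drops the pip and setuptools pins, and reports `safety check --stdin --ignore 42089` as the command to pipe into. For pip alone the equivalent shell form is `pip freeze --all | grep -v '^pip==' | safety check --stdin`.
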
wgordon17 commented 3 months ago

Hitting this with the latest pip version 🙄