pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

Feature request: ignore file #351

Closed adriantorrie closed 1 year ago

adriantorrie commented 3 years ago

Request

Detail

Currently there is --ignore which is fine for command line driven interaction, however most CI tools allow ignore files to be passed in so the "ignores" for a project can be managed via pull request/code review (and therefore allowed by exception).

I've raised #350 just now, and because there isn't a fix, this will block our CI pipeline from completing. Our CI pipelines are generic in nature and maintain multiple standardised repos, so it's not an option to go in and change the CI pipeline just for this one repo.

If an ignore file option is available then simply updating the affected repo's ignore file would allow the exception to be reviewed via pull request, and subsequently allow the CI pipeline to succeed.

fmigneault commented 2 years ago

If this gets implemented, it would be great to have comments # ... ignored. This way, we can add some details, context or reference URL to the actual issue, because IDs don't mean much at first glance.

lifenautjoe commented 2 years ago

Yes please! Hardcoding them into our build pipelines is nasty :-(

Jwomers commented 2 years ago

Agreed! This is on our short term roadmap :)

albertcrowley commented 2 years ago

Below is a workaround that I've implemented using shell commands for a CircleCI pipeline. It's a new commit on our end so I don't have high confidence in it, totally could have obvious bugs, but it's working in testing so far. The pipeline fails if any issue is found in a dependency that isn't listed or is expired in the dependency.ignore file.

export today=$(date "+%Y-%m-%d")

# gather up the -i ignore IDs for safety check
export ignores=$(
grep -vE "^\s*#" dependency.ignore |  # print out any non-comment line
  grep "[0-9]" |  # filter out any line that doesn't have a number in it
  awk -v "today=${today}" '{ if ($2 > today || $2 == "") print "-i", $1}' | # print any line with end date after today (or no end date)
  xargs echo  # put all the output from previous command on one line
)
export command="safety check -r requirements.txt --full-report $ignores"

echo "If you need to modify the ignore list for the safety check, edit dependency.ignore"
eval "$command"

Here is an example dependency.ignore file:

# Any vulnerability ID numbers listed in this file will be ignored when
# running the safety dependency check. Each line should have the ID number
# and a date. The ID will be ignored by the CI pipeline check until the date
# in YYYY-MM-DD format listed for that line.
# If no date is listed, the exception will never expire. (NOT RECOMMENDED)
#
# test
# Example:
# 40104 2022-01-15
#
40105 2022-01-15  # gunicorn
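The same dependency.ignore parsing as the shell pipeline above, as an added Python example (not code from the thread or from the safety project); it assumes the file format described in the comment and builds the argv list directly instead of going through eval:

```python
"""Python equivalent of the dependency.ignore pipeline above: added example, not
code from the thread or the safety project. Same semantics as the shell version
(ID per line, optional YYYY-MM-DD expiry, '#' comments); expired entries drop
out of the -i list so the CI step fails until reviewed. Malformed lines raise.
"""
import re
import shlex
from datetime import date

LINE_RE = re.compile(r"^(\d+)(?:\s+(\d{4}-\d{2}-\d{2}))?$")

def parse_ignore_file(text, today_iso):
    """Return (active_ids, expired_entries) as of the given YYYY-MM-DD day."""
    today = date.fromisoformat(today_iso)
    active, expired = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"dependency.ignore line {lineno}: cannot parse {raw!r}")
        vuln_id, expiry = m.group(1), m.group(2)
        # No date means the exception never expires (flagged NOT RECOMMENDED above).
        if expiry is None or date.fromisoformat(expiry) > today:
            active.append(vuln_id)
        else:
            expired.append((vuln_id, expiry))
    return active, expired

def safety_argv(active_ids, requirements="requirements.txt"):
    """argv for the CI step, one -i per active ID; no eval or word splitting."""
    argv = ["safety", "check", "-r", requirements, "--full-report"]
    for vuln_id in active_ids:
        argv += ["-i", vuln_id]
    return argv

# Constructed sample mirroring the thread's example file.
SAMPLE = """\
# 40104 2022-01-15
40105 2022-01-15  # gunicorn
40106 2099-12-31  # still inside its exception window
40107             # no expiry: never expires
"""

if __name__ == "__main__":
    active, expired = parse_ignore_file(SAMPLE, date.today().isoformat())
    for vuln_id, expiry in expired:
        print(f"ignore for {vuln_id} expired on {expiry}; review dependency.ignore")
    print(shlex.join(safety_argv(active)))  # pass the list to subprocess.run in CI
```

The expiry day itself counts as expired, matching the strict `$2 > today` comparison in the awk step.
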

albertcrowley commented 2 years ago

I put together a possible fix for this and made pull #362

aisling-om commented 2 years ago

I'm not a safety dev, but right now there's been a flood of possibly-irrelevant CVEs filed against Python libraries. Having an ignore file would make dealing with these much easier, so I'm wondering if people can take a look at this PR and see if it would work.

Jwomers commented 2 years ago

Hi @aongus thanks for bumping this. We are working on ignore file support which will be released in the coming weeks. In the meantime though, we aim to have no incorrect CVEs or vulnerability advisories. Can you send us a list of which ones you consider irrelevant? Or open up an issue on this project, and we'll get them looked at immediately!

Jwomers commented 1 year ago

There is now a supported Safety Policy file, you can read more in the documentation here: https://docs.pyup.io/docs/safety-20-policy-file

In that policy file you can, in addition to other configs, list vulnerabilities to ignore, with a reason and an expiry date.

Closing out this issue.