pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License
1.66k stars 141 forks

Feature: Support for PEP 496 environment markers #461

Open andy-maier opened 1 year ago

andy-maier commented 1 year ago

Description

If a library package supports a wide range of Python versions, there are cases where a vulnerability reported by safety can be fixed only for a subset of the supported Python versions. In that case, the requirements file of the package typically contains PEP 496 markers to distinguish the different versions by some condition, most notably the Python version, e.g.:

xyz==1.0; python_version <= '3.5'
xyz==2.0; python_version >= '3.6'

Assuming that xyz 2.0 fixes vulnerability 12345 but requires Python>=3.6, then the package owner can be as willing as they want, but they cannot get that fixed completely (other than abandoning support for the old Python version which may not be possible).

In such a case, the user with today's safety functionality needs to specify the vulnerability to be ignored even though it was partly addressed. That makes the safety report look worse than it actually is.

I propose to add support for PEP 496 environment markers that allow specifying a condition under which the vulnerability is ignored. That would be used to specify the condition where the issue could not be fixed for some reason. In the example above, the policy file might specify that as:

    ignore-vulnerabilities:
        12345:
            reason: xyz 2.0 requires Python >=3.6
            condition: python_version <= '3.5'

The condition should also be surfaced in the report.
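To show how such a conditional ignore could be evaluated, here is an added, self-contained example (not safety's own code, and not the proposal's implementation): a hypothetical policy dict shaped like the YAML above, a minimal evaluator for the `python_version` / `python_full_version` subset of PEP 496 markers, and a function that returns which ignores apply in a given environment so the report can surface the condition alongside the reason.

```python
import operator
import re
import sys

# Constructed sample policy mirroring the proposed "ignore-vulnerabilities" shape.
# Vulnerability ids and reasons are hypothetical.
POLICY = {
    "ignore-vulnerabilities": {
        "12345": {
            "reason": "xyz 2.0 requires Python >=3.6",
            "condition": "python_version <= '3.5'",
        },
        "67890": {"reason": "accepted risk, no condition"},
    }
}

_OPS = {"<=": operator.le, ">=": operator.ge, "==": operator.eq,
        "!=": operator.ne, "<": operator.lt, ">": operator.gt}
# Only the two version variables are supported here; longer operators are listed
# first so "<=" is not mis-read as "<".
_MARKER_RE = re.compile(
    r"^\s*(python_version|python_full_version)\s*(<=|>=|==|!=|<|>)\s*'([^']*)'\s*$")

def _version_tuple(text):
    # Compare numerically: "3.10" must sort after "3.5", which plain string
    # comparison gets wrong.
    return tuple(int(part) for part in text.split("."))

def eval_marker(condition, env):
    """Evaluate a single-clause PEP 496 marker against env (variable -> version)."""
    match = _MARKER_RE.match(condition)
    if not match:
        raise ValueError(f"unsupported marker: {condition!r}")
    var, op, rhs = match.groups()
    return _OPS[op](_version_tuple(env[var]), _version_tuple(rhs))

def applicable_ignores(policy, env):
    """Return {vuln_id: entry} for ignores whose condition holds (or has none)."""
    result = {}
    for vuln_id, entry in policy.get("ignore-vulnerabilities", {}).items():
        condition = entry.get("condition")
        if condition is None or eval_marker(condition, env):
            result[vuln_id] = entry  # entry keeps reason and condition for the report
    return result

def current_env():
    """Marker variables for the interpreter running this code."""
    v = sys.version_info
    return {"python_version": f"{v.major}.{v.minor}",
            "python_full_version": f"{v.major}.{v.minor}.{v.micro}"}
```

Running `applicable_ignores(POLICY, current_env())` on Python 3.5 ignores both ids, while on 3.6 or later only the unconditional one is ignored and 12345 stays in the report.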