pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

Ignoring multiple vulnerabilities does not work as documented #478

Open kurthaegeman opened 11 months ago

kurthaegeman commented 11 months ago

Description

README states that ignoring multiple vulnerabilities can be done with

safety check -i 1234,4567,89101

This doesn't seem to work: none of the configured IDs are ignored.

What I Did

If I run a safety check on two insecure packages, I get the expected result:

echo -e "insecure-package==0.1\nstarlette==0.26.1" | safety check --stdin
...
Scan was completed. 2 vulnerabilities were found.

We can configure one ignore without issue: it will be ignored by the scan:

echo -e "insecure-package==0.1\nstarlette==0.26.1" | safety check --stdin -i 58758
Scan was completed. 1 vulnerability was found. 1 vulnerability from 1 package was ignored.

Setting the ignores separately (the backward compatibility way) works as expected:

echo -e "insecure-package==0.1\nstarlette==0.26.1" | safety check --stdin -i 58758 -i 58713
Scan was completed. 0 vulnerabilities were found. 2 vulnerabilities from 2 packages were ignored.

However, if we try to add the second package to the ignore list in the documented way, neither of them gets ignored:

echo -e "insecure-package==0.1\nstarlette==0.26.1" | safety check --stdin -i 58758,58713
Scan was completed. 2 vulnerabilities were found.

In safety.check(), ignore_vulns becomes {'58758,58713': {'expires': None, 'reason': ''}}, so vulnerability.vulnerability_id not in ignore_vulns will return True for each of the ignored vulnerabilities and both will get added to the report.
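
The parsing behaviour described in the comment above, reproduced as an added example (this is not Safety's own code; the helper names, the dict shape and the two sample findings are constructed stand-ins for the CLI option handling the report describes). The buggy parser keeps each `-i` value as a whole key, so a comma-separated value never matches a real ID; the corrected parser splits on commas and also keeps accepting repeated `-i` flags, so both documented forms and a mix of them behave the same:

```python
"""Reproduction of the comma-separated ignore-list parsing problem.

Added example, not Safety's code: parse_ignores_buggy / parse_ignores /
run_scan are hypothetical stand-ins for the option handling in the report.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed sample findings shaped like the two IDs in the report; the
# package names are illustrative only.
SAMPLE_VULNS: List[dict] = [
    {"vulnerability_id": "58758", "package_name": "insecure-package"},
    {"vulnerability_id": "58713", "package_name": "starlette"},
]


def parse_ignores_buggy(values: Iterable[str]) -> Dict[str, dict]:
    """Behaviour from the report: every -i value becomes one dict key, so
    "58758,58713" is a single key that no vulnerability_id will ever equal."""
    return {v: {"expires": None, "reason": ""} for v in values}


def parse_ignores(values: Iterable[str]) -> Dict[str, dict]:
    """Accepts repeated -i flags, comma-separated lists, or a mix of both.
    Each value is split on commas and every piece is normalised."""
    ignores: Dict[str, dict] = {}
    for raw in values:
        for piece in raw.split(","):
            vid = piece.strip()
            if not vid:
                continue  # tolerate trailing or doubled commas
            if not vid.isdigit():
                raise ValueError(f"invalid vulnerability id: {vid!r}")
            ignores[vid] = {"expires": None, "reason": ""}
    return ignores


def run_scan(vulns: List[dict], ignores: Dict[str, dict]) -> Tuple[List[dict], List[dict]]:
    """Applies the membership test quoted in the report:
    a finding is reported when vulnerability_id is not in the ignore dict."""
    reported: List[dict] = []
    ignored: List[dict] = []
    for v in vulns:
        if v["vulnerability_id"] not in ignores:
            reported.append(v)
        else:
            ignored.append(v)
    return reported, ignored


def summarize(values: Iterable[str], parser=parse_ignores) -> Tuple[int, int]:
    """Returns (reported_count, ignored_count) for a list of -i values."""
    reported, ignored = run_scan(SAMPLE_VULNS, parser(values))
    return len(reported), len(ignored)


if __name__ == "__main__":
    for values in (["58758"], ["58758", "58713"], ["58758,58713"]):
        print(values, "buggy:", summarize(values, parse_ignores_buggy),
              "fixed:", summarize(values))
```

With the buggy parser, `["58758,58713"]` reports both findings and ignores none, exactly the third run above; with the corrected parser the same input ignores both, and the repeated-flag form keeps working in either case.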

yeisonvargasf commented 11 months ago

Thank you for the report; this may be related to #343 and #477. This will be addressed in Safety 3.0 version coming this month.