pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

Vulnerability not ignored when added to .safety-policy.yml #480

Open widal001 opened 11 months ago

widal001 commented 11 months ago

Description

Running safety check raises a vulnerability and fails the check even though the corresponding vulnerability id is added to ignore-vulnerabilities: in the .safety-policy.yml file. The checks pass when the vulnerability id is passed explicitly to safety check --ignore=51457.

What I Did

Running safety check

Running the safety check as is produces the following result:

safety check
[Screenshot (2023-08-03, 3:12 PM): output of the safety check command above]

Note that the command does seem to be picking up the security policy file:

Safety v2.4.0b1 is scanning for Vulnerabilities...
Scan configuration using a security policy file .safety-policy.yml
Scanning dependencies in your files:

-> requirements.txt

Additionally, the .safety-policy.yml file does explicitly list 51457 in the ignore-vulnerabilities section:

[Screenshot (2023-08-03, 3:58 PM): the .safety-policy.yml file with 51457 under ignore-vulnerabilities]

Running safety check --ignore

When the vulnerability id is explicitly passed as part of the safety check command, the vulnerability is successfully ignored:

safety check --ignore=51457
[Screenshot (2023-08-03, 4:01 PM): output of the safety check --ignore=51457 command above]

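The report above shows that Safety 2.4.0b1 reads the policy file but does not apply its ignore-vulnerabilities list, while an explicit --ignore on the command line works. The script below is an added example written for this thread, not code from the Safety project: it reads the IDs out of a .safety-policy.yml and turns them into the --ignore arguments that the issue reports do work, so a CI job can keep a single source of truth for accepted risks until the fix ships. It assumes the Safety 2.x policy layout (security -> ignore-vulnerabilities -> <id> with optional reason/expires keys), assumes that an expires date past today means the exception should no longer be applied, and uses the standard `safety check -r requirements.txt` invocation; the sample policy is constructed.

```python
"""Turn the ignore-vulnerabilities entries of a .safety-policy.yml into
explicit --ignore arguments for `safety check`.

Example code for issue #480, not part of the Safety project. Safety 2.x
reads the policy file but does not honour its ignore list, while --ignore
on the command line works, so a small wrapper can bridge the gap.
"""
import re
from datetime import date

# Constructed sample policy in the Safety 2.x layout; the nesting
# (security -> ignore-vulnerabilities -> <id> -> reason/expires) is assumed.
SAMPLE_POLICY = """\
security:
  ignore-cvss-severity-below: 0
  ignore-vulnerabilities:
    51457:
      reason: upgrade blocked by a transitive pin, tracked in ticket SEC-1 (constructed)
      expires: '2024-06-30'
    12345:
      reason: affected code path not used (constructed)
      expires: '2023-01-01'
  continue-on-vulnerability-error: False
"""

SECTION_RE = re.compile(r"^\s*ignore-vulnerabilities:\s*$")
ID_RE = re.compile(r"^\s*(\d+):\s*$")
EXPIRES_RE = re.compile(r"^\s*expires:\s*['\"]?(\d{4}-\d{2}-\d{2})['\"]?\s*$")


def parse_ignores(policy_text):
    """Map each ignored vulnerability ID to its expiry date (or None).

    Dependency-free on purpose: it follows indentation rather than loading
    YAML, so it only understands the block layout shown in SAMPLE_POLICY.
    """
    entries = {}
    section_indent = None   # indent of the ignore-vulnerabilities key while inside it
    current_id = None       # ID whose reason/expires lines are being read
    for raw in policy_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if SECTION_RE.match(raw):
            section_indent, current_id = indent, None
            continue
        if section_indent is None:
            continue
        if indent <= section_indent:
            # Dedented back to the key's level: the ignore section is over.
            section_indent, current_id = None, None
            continue
        m = ID_RE.match(raw)
        if m:
            current_id = m.group(1)
            entries[current_id] = None
            continue
        m = EXPIRES_RE.match(raw)
        if m and current_id is not None:
            entries[current_id] = date.fromisoformat(m.group(1))
    return entries


def active_ignores(entries, today_iso):
    """IDs whose ignore has not expired on `today_iso` (YYYY-MM-DD).

    Expired entries are dropped rather than carried forward, so a policy
    exception cannot silently outlive the date it was reviewed for.
    """
    today = date.fromisoformat(today_iso)
    return [vid for vid, expires in entries.items()
            if expires is None or expires >= today]


def build_check_command(policy_text, today_iso, requirements="requirements.txt"):
    """argv for `safety check` with every still-valid ignore passed explicitly."""
    ids = active_ignores(parse_ignores(policy_text), today_iso)
    return ["safety", "check", "-r", requirements] + [f"--ignore={vid}" for vid in ids]


if __name__ == "__main__":
    import shlex
    # Prints the command a CI step would run for today's date.
    print(shlex.join(build_check_command(SAMPLE_POLICY, date.today().isoformat())))
```

Run it in place of a bare `safety check` and feed the printed argv to the shell (or call `subprocess.run` on the list directly). Because expired entries are dropped, the wrapper reintroduces a finding the day its exception lapses instead of hiding it indefinitely, which is the behaviour you want from any ignore list.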
yeisonvargasf commented 11 months ago

@widal001, thank you for the detailed issue report; there is a proposed solution on #477; we will release a 3.0 Safety version with improved capabilities and a fix for this; however, we still need to address if we'll release a new beta version with these fixes only.

Safety 3.0 is going to be released this month.

InvisibleMan1306 commented 8 months ago

@widal001, thank you for the detailed issue report; there is a proposed solution on #477; we will release a 3.0 Safety version with improved capabilities and a fix for this; however, we still need to address if we'll release a new beta version with these fixes only.

Safety 3.0 is going to be released this month.

Is there any update on this fix?

rib3 commented 7 months ago

I see that 2.4.0b2 was released, but it appears to still have this problem.

We have been told 3.0 was imminent since at least August. https://github.com/pyupio/safety/issues/447#issuecomment-1665766714 https://github.com/pyupio/safety/issues/478#issuecomment-1665744067 https://github.com/pyupio/safety/issues/480#issuecomment-1665739709

Is the pyup/safety team able to provide a fix for this while we wait for 3.0 to come out? Or provide feedback to #477?

nicolassanmar commented 3 months ago

I can confirm that version 3.0.1 of pyup/safety can now ignore vulnerabilities based on the policy_file, while versions 2.X did not work as expected.