pyupio / safety

Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
https://safetycli.com/product/safety-cli
MIT License

Not ignoring based on policy file #488

Closed romanzdk closed 3 months ago

romanzdk commented 6 months ago

Description

We have .safety-policy.yml file defined like this:

security:
  ignore-vulnerabilities:
    59901:
      reason: Some reason
      expires: '2024-03-15'
    62044:
      reason: No upstream python images provide updated pip for now
      expires: '2024-01-01'

The command safety validate policy_file --path .safety-policy.yml outputs:

The Safety policy file was successfully parsed with the following values:
{
    "security": {
        "ignore-vulnerabilities": {
            "59901": {
                "reason": "Some reason",
                "expires": "2024-03-15 00:00:00"
            },
            "62044": {
                "reason": "No upstream python images provide updated pip for now",
                "expires": "2024-01-01 00:00:00"
            }
        }
    },
    "filename": ".safety-policy.yml"
}

However, when I run the safety check (safety check --policy-file .safety-policy.yml) I still get 59901 reported as a vulnerability.
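To make the intended semantics of the policy file concrete, here is an added example (not Safety's own code, and not from anyone in this thread) that applies an ignore-vulnerabilities policy to a list of findings while honouring the expires dates. It takes as input the JSON that safety validate printed above, plus a constructed list of findings with hypothetical package names; the rule that an entry stops being ignored from the start of its expiry date is an assumption of this example, not documented Safety behaviour.

```python
import json
from datetime import date, datetime

# The policy exactly as `safety validate policy_file` printed it in the issue above.
POLICY_JSON = """
{
    "security": {
        "ignore-vulnerabilities": {
            "59901": {
                "reason": "Some reason",
                "expires": "2024-03-15 00:00:00"
            },
            "62044": {
                "reason": "No upstream python images provide updated pip for now",
                "expires": "2024-01-01 00:00:00"
            }
        }
    },
    "filename": ".safety-policy.yml"
}
"""
POLICY = json.loads(POLICY_JSON)

# Constructed sample findings: the two ids from the policy plus one that the
# policy does not mention. Package names are hypothetical.
FINDINGS = [
    {"id": "59901", "package": "example-pkg", "severity": "high"},
    {"id": "62044", "package": "pip", "severity": "medium"},
    {"id": "99999", "package": "other-pkg", "severity": "low"},
]


def _parse_expiry(value):
    """Accept both the YAML form ('2024-03-15') and the form safety validate
    prints ('2024-03-15 00:00:00'); fromisoformat handles either."""
    return datetime.fromisoformat(str(value)).date()


def active_ignores(policy, today):
    """Return {vuln_id: reason} for ignore entries still in force on `today`
    (an ISO date string). Assumption of this example: an entry expires at the
    start of its expiry date, and an entry without `expires` never expires."""
    today_d = date.fromisoformat(today)
    entries = policy.get("security", {}).get("ignore-vulnerabilities", {}) or {}
    active = {}
    for vuln_id, entry in entries.items():
        entry = entry or {}
        expires = entry.get("expires")
        if expires is not None and today_d >= _parse_expiry(expires):
            continue  # expired: the vulnerability must be reported again
        active[str(vuln_id)] = entry.get("reason", "")
    return active


def apply_policy(findings, policy, today):
    """Split findings into those still reported and those suppressed,
    keeping the documented reason for every suppression so it can be audited."""
    active = active_ignores(policy, today)
    result = {"reported": [], "ignored": {}}
    for finding in findings:
        vuln_id = str(finding["id"])
        if vuln_id in active:
            result["ignored"][vuln_id] = active[vuln_id]
        else:
            result["reported"].append(vuln_id)
    return result


if __name__ == "__main__":
    for day in ("2023-12-31", "2024-02-01", "2024-03-15"):
        print(day, apply_policy(FINDINGS, POLICY, day))
```

Running the block prints the split for three dates: before either entry expires both ids are suppressed, between the two expiry dates only 59901 is, and from 2024-03-15 on everything is reported again. Whichever way a scanner treats expiry, keeping the reason next to each suppressed id is what makes an ignore list reviewable later.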

nicolassanmar commented 3 months ago

I can confirm that version 3.0.1 of pyup/safety can now ignore vulnerabilities based on the policy_file, while versions 2.X did not work as expected.