pyupio/safety

Vulnerability not ignored when added to .safety-policy.yml

Opened this issue · 4 comments

  • safety version: 2.4.0b1
  • Python version: 3.11.4
  • Operating System: macOS Ventura 13.0

Description

Running safety check raises a vulnerability and fails the check even though the corresponding vulnerability id is added to ignore-vulnerabilities: in the safety-policy.yml file. The checks pass when the vulnerability id is passed explicitly to safety check --ignore=51457.

What I Did

Running safety check

Running the safety check as is produces the following result:

safety check
(screenshot of the failing check output omitted)

Note that the command does seem to be picking up the security policy file:

Safety v2.4.0b1 is scanning for Vulnerabilities...
Scan configuration using a security policy file .safety-policy.yml
Scanning dependencies in your files:

-> requirements.txt

Additionally, the .safety-policy.yml file does explicitly list 51457 in the ignore-vulnerabilities section:

(screenshot of the .safety-policy.yml contents omitted)

Running safety check --ignore

When the vulnerability id is explicitly passed as part of the safety check command, the vulnerability is successfully ignored:

safety check --ignore=51457
(screenshot of the passing check output omitted)
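To see what the policy file is expected to do independently of the scanner, here is an added pre-flight check (example code, not part of the safety project or this report). It assumes the Safety 2.x policy-file layout, a top-level security key holding an ignore-vulnerabilities mapping of id to reason/expires, and works on the already-loaded YAML (the SAMPLE_POLICY dict stands in for yaml.safe_load of .safety-policy.yml; its ids other than 51457, reasons and dates are constructed). It reports which ignore entries are still in force on a given date and which reported ids would therefore still fail the check, normalising ids to strings because an unquoted YAML key such as 51457: loads as an integer while the scanner reports string ids.

```python
"""Pre-flight check: which vulnerability ids does a .safety-policy.yml ignore?

Added example, not the safety project's own code. Assumes the Safety 2.x
policy layout: security -> ignore-vulnerabilities -> {id: {reason, expires}}.
"""
from datetime import date

# Constructed stand-in for yaml.safe_load(".safety-policy.yml").
# An unquoted key like ``51457:`` loads as int, and an unquoted
# ``expires: 2024-06-30`` loads as a date object; both are normalised below.
SAMPLE_POLICY = {
    "security": {
        "ignore-vulnerabilities": {
            51457: {"reason": "constructed: mitigated in our deployment",
                    "expires": "2024-06-30"},
            "12345": {"reason": "constructed: this ignore has expired",
                      "expires": "2023-01-01"},
            "99999": {"reason": "constructed: no expiry set"},
        }
    }
}


def active_ignores(policy, today):
    """Return {id: reason} for every ignore entry still in force on `today`."""
    section = policy.get("security") or {}
    entries = section.get("ignore-vulnerabilities") or {}
    active = {}
    for raw_id, spec in entries.items():
        vuln_id = str(raw_id).strip()          # int or str key -> canonical str
        spec = spec or {}                       # allow a bare ``id:`` with no body
        expires = spec.get("expires")
        if expires is not None:
            # str() handles both a quoted string and a YAML-parsed date object
            if date.fromisoformat(str(expires)) < today:
                continue                        # expired: no longer suppresses
        active[vuln_id] = spec.get("reason", "")
    return active


def unsuppressed(found_ids, policy, today):
    """Ids the scanner reported that the policy does NOT ignore on `today`."""
    ignored = active_ignores(policy, today)
    return sorted(str(v) for v in found_ids if str(v) not in ignored)


if __name__ == "__main__":
    run_date = date(2023, 8, 3)
    reported = ["51457", "12345", "77777"]     # constructed scanner output
    print("active ignores:", active_ignores(SAMPLE_POLICY, run_date))
    print("still failing :", unsuppressed(reported, SAMPLE_POLICY, run_date))
```

Running this against your real policy (replace SAMPLE_POLICY with yaml.safe_load of the file) tells you whether 51457 is in force on the scan date; if it is and the scanner still fails, the problem is in the tool rather than in the policy.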

@widal001, thank you for the detailed issue report; there is a proposed solution on #477; we will release a 3.0 Safety version with improved capabilities and a fix for this; however, we still need to address if we'll release a new beta version with these fixes only.

Safety 3.0 is going to be released this month.

Is there any update on this fix?

rib3 commented

I see that 2.4.0b2 was released, but it appears to still have this problem.

We have been told 3.0 was imminent since at least August.
#447 (comment)
#478 (comment)
#480 (comment)

Is the pyup/safety team able to provide a fix for this while we wait for 3.0 to come out?
Or provide feedback to #477?

I can confirm that version 3.0.1 of pyup/safety can now ignore vulnerabilities based on the policy_file, while versions 2.X did not work as expected.