Vulnerability not ignored when added to .safety-policy.yml
Opened this issue · 4 comments
- safety version: 2.4.0b1
- Python version: 3.11.4
- Operating System: macOS Ventura 13.0
Description

Running `safety check` raises a vulnerability and fails the check even though the corresponding vulnerability id is added to `ignore-vulnerabilities:` in the `.safety-policy.yml` file. The checks pass when the vulnerability id is passed explicitly to `safety check --ignore=51457`.
What I Did
Running `safety check`

Running the safety check as is produces the following result:

```
safety check
```

[Screenshot 2023-08-03 at 3 12 33 PM: output of `safety check`]
Note that the command does seem to be picking up the security policy file:

```
Safety v2.4.0b1 is scanning for Vulnerabilities...
Scan configuration using a security policy file .safety-policy.yml
Scanning dependencies in your files:
-> requirements.txt
```
Additionally the `.safety-policy.yml` file does explicitly list `51457` in the `ignore-vulnerabilities` section:

[Screenshot 2023-08-03 at 3 58 45 PM: the `ignore-vulnerabilities` section of `.safety-policy.yml`]
Running `safety check --ignore`

When the vulnerability id is explicitly passed as part of the `safety check` command, the vulnerability is successfully ignored:

```
safety check --ignore=51457
```

[Screenshot 2023-08-03 at 4 01 21 PM: output of `safety check --ignore=51457`]
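As an added illustration (not code from the issue or from Safety itself), the check below reads the `ignore-vulnerabilities` block of a `.safety-policy.yml`, reports any id the policy should have suppressed but a run still flagged, and builds the equivalent `--ignore=` flags that the report says do work. The `security:`, `reason:` and `expires:` keys and every id other than 51457 are assumptions about the policy format; the reader handles only that flat shape, not general YAML.

```python
from datetime import date

# Constructed sample policy. Only the 51457 id comes from the issue; the
# security:/reason:/expires: keys are assumed Safety 2.x policy syntax.
SAMPLE_POLICY = """\
security:
  ignore-vulnerabilities:
    51457:
      reason: vulnerable code path is not reachable in this service
      expires: '2024-12-31'
    12345:
      reason: expired entry, must be reported again
      expires: '2020-01-01'
"""

# Constructed ids from a hypothetical run that still reported 51457.
SAMPLE_REPORTED_IDS = {51457, 67890}
RUN_DATE = date(2023, 8, 3)  # the day the issue's screenshots were taken


def parse_ignores(policy_text):
    """Return {vuln_id: expiry date or None} from the ignore-vulnerabilities block.

    Minimal line-based reader for the flat shape above, not a YAML parser."""
    ignores, current, block_indent = {}, None, None
    for raw in policy_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        if key == "ignore-vulnerabilities":
            block_indent = indent
        elif block_indent is None:
            continue  # not yet inside the block
        elif indent <= block_indent:
            break  # left the block
        elif key.isdigit() and not value.strip():
            current = int(key)
            ignores[current] = None
        elif key == "expires" and current is not None:
            ignores[current] = date.fromisoformat(value.strip().strip("'\""))
    return ignores


def active_ignores(policy_text, today):
    """Ids whose ignore entry is in force on `today` (no expiry, or not yet expired)."""
    return {vid for vid, exp in parse_ignores(policy_text).items() if exp is None or exp >= today}


def unsuppressed(policy_text, reported_ids, today):
    """Ids the policy should have ignored but the tool still reported (the symptom in the issue)."""
    return sorted(active_ignores(policy_text, today) & set(reported_ids))


def ignore_flags(policy_text, today):
    """Workaround from the issue: pass the same ids explicitly via --ignore."""
    return [f"--ignore={vid}" for vid in sorted(active_ignores(policy_text, today))]
```

A non-empty result from `unsuppressed` in CI is a direct signal that the policy file was not honoured, independent of the tool's own exit code.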
@widal001, thank you for the detailed issue report; there is a proposed solution on #477; we will release a 3.0 Safety version with improved capabilities and a fix for this; however, we still need to address if we'll release a new beta version with these fixes only.
Safety 3.0 is going to be released this month.
Is there any update on this fix?
I see that 2.4.0b2 was released, but it appears to still have this problem.
We have been told 3.0 was imminent since at least August.
#447 (comment)
#478 (comment)
#480 (comment)
Is the pyup/safety team able to provide a fix for this while we wait for 3.0 to come out?
Or provide feedback to #477?
I can confirm that version 3.0.1 of pyup/safety can now ignore vulnerabilities based on the policy_file, while versions 2.X did not work as expected.