check --bare still outputs announcements
- safety version: 2.3.4, 2.3.5
- Python version: 3.9.18
- Operating System: Ubuntu Linux
Description
Running safety check --bare used to only fail if there was a concrete advisory that needed patching.
I could choose to temporarily ignore that advisory with --ignore=<advisory>
But the announcement about the curl vulnerability (https://safetycli.com/research/curl-cve-2023-38545-python) is always shown, even when running with --bare
Adding --ignore=special-advisory:-curl-high-severity-vulnerability:-https://bit.ly/3feapsm does not make safety exit without output; the announcement is still shown.
This breaks our (and I suspect others') CI pipelines.
I would expect --bare to work in such a way that its output could be silenced.
Currently, it seems there is no way for safety --bare to run without output.
What I Did
$ safety check --bare
special-advisory:-curl-high-severity-vulnerability:-https://bit.ly/3feapsm
$ safety check --bare --ignore=special-advisory:-curl-high-severity-vulnerability:-https://bit.ly/3feapsm
special-advisory:-curl-high-severity-vulnerability:-https://bit.ly/3feapsm
$ safety check --bare --ignore=special-advisory # try a variant
special-advisory:-curl-high-severity-vulnerability:-https://bit.ly/3feapsm
As a workaround, we filter out the announcement with sed in CI:
python -m safety check --bare | sed 's/special-advisory:-curl-high-severity-vulnerability:-https:\/\/bit.ly\/3feapsm//g'
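An added example (not part of the original issue and not Safety project code): a POSIX shell wrapper for the CI workaround above that drops announcement lines and the blank lines they leave behind, while returning the wrapped command's own exit status, which a plain pipe into sed replaces with sed's. It assumes announcement lines begin with special-advisory: as in the output shown; run_bare_filtered and fake_safety_bare are hypothetical names, and the stub's output is constructed.

```shell
# Run a command, hide announcement lines, keep the command's exit status.
# Assumption: announcements start with "special-advisory:" (as in this issue).
run_bare_filtered() {
    rbf_status=0
    # Capture output first so the exit status is the scanner's, not the
    # filter's. The "||" form also keeps this safe under `set -e`.
    rbf_raw=$("$@") || rbf_status=$?

    # Delete announcement lines and any empty lines, so a clean run
    # produces no output at all.
    printf '%s\n' "$rbf_raw" |
        sed -e '/^special-advisory:/d' -e '/^[[:space:]]*$/d' || true

    return "$rbf_status"
}

# Constructed stand-in for `python -m safety check --bare`, so the wrapper
# can be exercised offline. "examplepkg" and the exit status 1 are made up.
fake_safety_bare() {
    printf '%s\n' 'special-advisory:-curl-high-severity-vulnerability:-https://bit.ly/3feapsm'
    if [ "$1" = vulnerable ]; then
        printf '%s\n' 'examplepkg'
        return 1
    fi
    return 0
}

# Intended CI usage (not executed here):
#   run_bare_filtered python -m safety check --bare
```

A CI step that checks for empty output and one that checks the exit status both see the scanner's real result with this wrapper.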
@khink, thank you for this issue report; we are evaluating the best behavior for announcements under a bare output. The ignore flag doesn't work for announcements, but it's an excellent idea to consider.
As an immediate solution, I asked the team to remove the announcement on Safety 2.x.