pyupio/safety

check --bare still outputs announcements

khink opened this issue · 3 comments

khink commented
  • safety version: 2.3.4, 2.3.5
  • Python version: 3.9.18
  • Operating System: Ubuntu Linux

Description

Running safety check --bare used to only fail if there was a concrete advisory that needed patching.
I could choose to temporarily ignore that advisory with --ignore=<advisory>.

But the announcement about the curl vulnerability (https://safetycli.com/research/curl-cve-2023-38545-python) is always shown, even when running with --bare.
Adding --ignore=special-advisory:-curl-high-severity-vulnerability:-https://bit.ly/3feapsm does not make safety exit without output; the announcement is still shown.
This breaks our (and I suspect others') CI pipelines.

I would expect --bare to work in such a way that its output could be silenced.

Currently, it seems there is no way for safety --bare to run without output.

What I Did

$ safety check --bare
special-advisory:-curl-high-severity-vulnerability:-https://bit.ly/3feapsm
$ safety check --bare --ignore=special-advisory:-curl-high-severity-vulnerability:-https://bit.ly/3feapsm
special-advisory:-curl-high-severity-vulnerability:-https://bit.ly/3feapsm
$ safety check --bare --ignore=special-advisory # try a variant
special-advisory:-curl-high-severity-vulnerability:-https://bit.ly/3feapsm
khink commented

As a workaround, we filter out the announcement with sed in CI:

python -m safety check --bare | sed 's/special-advisory:-curl-high-severity-vulnerability:-https:\/\/bit.ly\/3feapsm//g'
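The workaround above strips one fixed announcement string. As an added example (not code from the issue or from the safety project), the script below generalises it: it drops every token that starts with "special-advisory:" and fails the step only when an advisory token remains. It assumes, since the page does not state it, that bare output is a set of whitespace-separated tokens and that announcements are exactly the tokens beginning with that prefix; the package names in the sample are constructed.

```shell
#!/bin/sh
# Added example, not code from the issue or the safety project.
# Post-process `safety check --bare` output so that announcement tokens are
# dropped while any remaining advisory still fails the CI step.
#
# Assumptions (not stated by the page): bare output is a set of
# whitespace-separated tokens, and announcements are exactly the tokens
# beginning with "special-advisory:". Package names below are constructed.

# Read bare output on stdin and print the tokens that are not announcements,
# one per line. Returns 0 if nothing remains, 1 if an advisory remains.
filter_bare_output() {
    remaining=$(tr ' \t' '\n\n' | grep -v '^special-advisory:' | grep -v '^$' || true)
    if [ -n "$remaining" ]; then
        printf '%s\n' "$remaining"
        return 1
    fi
    return 0
}

# Constructed sample of the bare output shown in the issue: the announcement
# token followed by two (made-up) vulnerable package names.
SAMPLE_BARE_OUTPUT='special-advisory:-curl-high-severity-vulnerability:-https://bit.ly/3feapsm
examplepkg otherpkg'

# Run the filter over the constructed sample and report the verdict.
demo() {
    if printf '%s\n' "$SAMPLE_BARE_OUTPUT" | filter_bare_output; then
        echo "clean: only announcements were present"
    else
        echo "FAIL: advisories remain (listed above)"
    fi
}

# Drop-in replacement for the sed pipeline in CI. A plain `safety ... | sed`
# pipeline reports sed's exit status, not safety's; here the step's status
# comes from the filter, so a real advisory still fails the job.
ci_check() {
    python -m safety check --bare | filter_bare_output
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh filter.sh demo` to see the verdict on the constructed sample, or call `ci_check` from the CI step. One check worth making on the original sed workaround: in POSIX sh a pipeline's exit status is that of its last command, so the job passes as long as sed succeeds, even when a real advisory is printed; either enable bash's `set -o pipefail` or, as here, derive the status from the filtered output.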

@khink, thank you for this issue report; we are evaluating the best behavior for announcements under a bare output. The ignore flag doesn't work for announcements, but it's an excellent idea to consider.

As an immediate solution, I asked the team to remove the announcement on Safety 2.x.

Hi @khink,

Thank you for bringing this issue to our attention and for your detailed report.

After careful consideration, we've decided to move this issue to the "wontfix" category. We'd like to provide some context for our decision:

  1. Safety Scan Command: We have transitioned to recommending the safety scan command, which we believe offers a more robust and flexible solution for vulnerability checks. Significant feature development is focused on safety scan, and we encourage users to adopt this new command for their workflows.
  2. Announcements in Bare Output: We understand the impact of announcements on CI pipelines and appreciate the workaround you shared. The --ignore flag not working for announcements is a known limitation, and while it's a great idea, it is not currently feasible within the safety check command.

We appreciate your understanding and encourage you to try the safety scan command, which is designed to address many of these concerns more effectively. Thank you for your contributions and continued support. If you have any further suggestions or reports, we'd love to hear from you!

Best Regards,
The Safety Team