Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability not ignored when added to .safety-policy.yml #480

Open
widal001 opened this issue Aug 3, 2023 · 4 comments
Open

Vulnerability not ignored when added to .safety-policy.yml #480

widal001 opened this issue Aug 3, 2023 · 4 comments
Assignees
@yeisonvargasf
Milestone
3.0.0

Comments

@widal001
Copy link

widal001 commented Aug 3, 2023

  • safety version: 2.4.0b1
  • Python version: 3.11.4
  • Operating System: macOS Ventura 13.0

Description

Running safety check raises a vulnerability and fails the check even though the corresponding vulnerability id is added to ignore-vulnerabilities: in the safety-policy.yml file. The checks pass when the vulnerability id is passed explicitly to safety check --ignore=51457

What I Did

Running safety check

Running the safety check as is produces the following result

safety check
Screenshot 2023-08-03 at 3 12 33 PM

Note that the command does seem to be picking up the security policy file:

Safety v2.4.0b1 is scanning for Vulnerabilities...
Scan configuration using a security policy file .safety-policy.yml
Scanning dependencies in your files:

-> requirements.txt

Additionally the .safety-policy.yml file does explicitly list 51457 in the ignore-vulnerabilities section:

Screenshot 2023-08-03 at 3 58 45 PM

Running safety check --ignore

When the vulnerability id is explicitly passed as part of the safety check command, the vulnerability is successfully ignored:

safety check --ignore=51457
Screenshot 2023-08-03 at 4 01 21 PM
@yeisonvargasf yeisonvargasf self-assigned this Aug 4, 2023
@yeisonvargasf
Copy link
Member

@widal001, thank you for the detailed issue report; there is a proposed solution on #477; we will release a 3.0 Safety version with improved capabilities and a fix for this; however, we still need to address if we'll release a new beta version with these fixes only.

Safety 3.0 is going to be released this month.

@yeisonvargasf yeisonvargasf added this to the 3.0.0 milestone Aug 4, 2023
bgervan added a commit to websideproject/paddle-billing-client that referenced this issue Aug 20, 2023
@bgervan
Ignore safety until pyupio/safety#480 fixed
035a0b8
@InvisibleMan1306
Copy link

@widal001, thank you for the detailed issue report; there is a proposed solution on #477; we will release a 3.0 Safety version with improved capabilities and a fix for this; however, we still need to address if we'll release a new beta version with these fixes only.

Safety 3.0 is going to be released this month.

Is there any update on this fix?

felnne added a commit to antarctica/ops-data-store that referenced this issue Oct 31, 2023
@felnne
Direclty ignoring Safety vulnerabilities
f2d99df 
Due to pyupio/safety#480
@rib3
Copy link

rib3 commented Nov 16, 2023

I see that 2.4.0b2 was released, but it appears to still have this problem.

We have been told 3.0 was imminent since at least August.
#447 (comment)
#478 (comment)
#480 (comment)

Is the pyup/safetey team able to provide a fix for this while we wait for 3.0 to come out?
Or provide feedback to #477?

@nicolassanmar
Copy link

nicolassanmar commented Mar 18, 2024
edited

I can confirm that version 3.0.1 of pyup/safety can now ignore vulnerabilities based on the policy_file, while versions 2.X did not work as expected.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yeisonvargasf yeisonvargasf

Labels
None yet
Projects
None yet
Milestone
3.0.0
Development

No branches or pull requests
5 participants
@InvisibleMan1306 @rib3 @yeisonvargasf @widal001 @nicolassanmar