
Feature request: ignore file

Open adriantorrie opened this issue 2 years ago • 7 comments

Request

  • Add --ignore-file

Detail

Currently there is --ignore which is fine for command line driven interaction, however most CI tools allow ignore files to be passed in so the "ignores" for a project can be managed via pull request/code review (and therefore allowed by exception).

I've raised #350 just now, and because there isn't a fix, this will block our CI pipeline from completing. Our CI pipelines are generic in nature and maintain multiple standardised repos, so it's not an option to go in and change the CI pipeline just for this one repo.

If an ignore file option is available then simply updating the affected repo's ignore file would allow the exception to be reviewed via pull request, and subsequently allow the CI pipeline to succeed.

adriantorrie, Aug 18 '21 08:08

If this gets implemented, it would be great to have comments # ... ignored. This way, we can add some details, context or reference URL to the actual issue, because IDs don't mean much at first glance.

fmigneault, Dec 04 '21 01:12

Yes please! Hardcoding them into our build pipelines is nasty :-(

lifenautjoe, Jan 05 '22 20:01

Agreed! This is on our short term roadmap :)

Jwomers, Jan 05 '22 20:01

Below is a workaround that I've implemented using shell commands for a CircleCI pipeline. It's a new commit on our end, so I don't have high confidence in it; it totally could have obvious bugs, but it's working in testing so far. The pipeline fails if any issue is found in a dependency that isn't listed in the dependency.ignore file, or whose entry there has expired.

export today=$(date "+%Y-%m-%d")

# gather up the -i ignore IDs for the safety check
export ignores=$(
sed 's/#.*//' dependency.ignore |  # strip comments, whole-line or trailing, so "ID  # note" with no date still works
  grep "[0-9]" |  # filter out any line that doesn't have a number in it
  awk -v "today=${today}" '{ if ($2 > today || $2 == "") print "-i", $1}' |  # print any line with an end date after today (ISO dates compare correctly as strings)
  xargs echo  # put all the output from the previous command on one line
)
export command="safety check -r requirements.txt --full-report $ignores"

echo "If you need to modify the ignore list for the safety check, edit dependency.ignore"
eval $command

Here is an example dependency.ignore file:

# Any vulnerability ID numbers listed in this file will be ignored when
# running the safety dependency check. Each line should have the ID number
# and a date. The ID will be ignored by the CI pipeline check until the date
# in YYYY-MM-DD format listed for that line.
# If no date is listed, the exception will never expire. (NOT RECOMMENDED)
#
# test
# Example:
# 40104 2022-01-15
#
40105 2022-01-15  # gunicorn

albertcrowley, Jan 11 '22 20:01
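The same expiring-exception idea as the shell workaround above, written as an added example in Python (it is not the commenter's script and not part of safety). It assumes the file format shown in that comment: one vulnerability ID per line, an optional YYYY-MM-DD expiry, and `#` comments. Unlike the awk pipeline it refuses malformed lines instead of silently dropping them, reports which exceptions have lapsed, and builds an argv list for subprocess instead of going through `eval`. The sample file content and the helper names are constructed for the example.

```python
"""Parse a dependency.ignore file (ID plus optional expiry, '#' comments) and
build the `safety check` command line, dropping expired exceptions.

Hypothetical CI helper; the format is the one from the workaround comment,
not a format safety itself defines."""
import datetime as dt
import shlex
from typing import List, Optional, Tuple

# Constructed sample input in that format (not a real project's file).
SAMPLE_IGNORE = """\
# ID and expiry date; no date means the exception never expires (NOT RECOMMENDED)
40104 2022-01-15   # expired: must NOT be passed to safety any more
40105 2099-01-15   # gunicorn, still inside its exception window

40106              # no expiry, so always active
   # an indented comment line
40108 2022-01-20   # expires today: treated as expired, like the awk `$2 > today`
"""


def parse_ignore_line(line: str) -> Optional[Tuple[str, Optional[dt.date]]]:
    """Return (vuln_id, expiry) for an entry, or None for blank/comment lines.

    Malformed entries raise ValueError instead of being skipped, so a typo in
    the file fails the pipeline rather than quietly changing the ignore list."""
    body = line.split("#", 1)[0].strip()  # drop trailing or whole-line comment
    if not body:
        return None
    fields = body.split()
    if len(fields) > 2 or not fields[0].isdigit():
        raise ValueError(f"expected '<id> [YYYY-MM-DD]', got {line.rstrip()!r}")
    # fromisoformat is strict: '2022-99-99' raises ValueError
    expiry = dt.date.fromisoformat(fields[1]) if len(fields) == 2 else None
    return fields[0], expiry


def split_ignores(text: str, today: str) -> Tuple[List[str], List[str]]:
    """Split entries into (active, expired) IDs, preserving file order.

    `today` is an ISO date string, like the shell version's $(date +%Y-%m-%d).
    An exception is active only while its expiry is strictly after today."""
    today_date = dt.date.fromisoformat(today)
    active: List[str] = []
    expired: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_ignore_line(line)
        except ValueError as exc:
            raise ValueError(f"dependency.ignore line {lineno}: {exc}") from None
        if entry is None:
            continue
        vuln_id, expiry = entry
        if expiry is None or expiry > today_date:
            active.append(vuln_id)
        else:
            expired.append(vuln_id)
    return active, expired


def safety_argv(ignore_ids: List[str], requirements: str = "requirements.txt") -> List[str]:
    """Build argv for `safety check`, one `-i <id>` per active exception.

    Passing a list to subprocess.run avoids the `eval` in the shell version."""
    argv = ["safety", "check", "-r", requirements, "--full-report"]
    for vuln_id in ignore_ids:
        argv += ["-i", vuln_id]
    return argv


if __name__ == "__main__":
    active, expired = split_ignores(SAMPLE_IGNORE, dt.date.today().isoformat())
    for vuln_id in expired:
        print(f"note: exception for {vuln_id} has expired and is no longer ignored")
    print("would run:", shlex.join(safety_argv(active)))
    # In CI, replace the print with: subprocess.run(safety_argv(active), check=True)
```

Reading the file from the repository instead of `SAMPLE_IGNORE` and handing the returned argv to `subprocess.run(..., check=True)` gives the same pass/fail behaviour as the shell pipeline, with the lapsed exceptions named in the job log so the reviewer knows which entry to renew or remove.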

I put together a possible fix for this and made pull #362

albertcrowley, Jan 12 '22 01:01

I'm not a safety dev, but right now there's been a flood of possibly irrelevant CVEs filed against Python libraries. Having an ignore file would make dealing with these much easier, so I'm wondering if people can take a look at this PR and see if it would work.

aisling-om, Feb 01 '22 16:02

Hi @aongus, thanks for bumping this. We are working on ignore file support, which will be released in the coming weeks. In the meantime though, we aim to have no incorrect CVEs or vulnerability advisories; can you send us a list of which ones you consider irrelevant? Or open up an issue on this project, and we'll get them looked at immediately!

Jwomers, Feb 01 '22 17:02

There is now a supported Safety Policy file, you can read more in the documentation here: https://docs.pyup.io/docs/safety-20-policy-file

In that policy file you can, in addition to other configs, list vulnerabilities to ignore, with a reason and an expiry date.

Closing out this issue.

Jwomers, Mar 28 '23 18:03