safety icon indicating copy to clipboard operation
safety copied to clipboard

Published 20 hours ago verified publisher icon pyupio

Vulnerability not ignored when added to .safety-policy.yml

Open widal001 opened this issue 1 year ago • 5 comments

  • safety version: 2.4.0b1
  • Python version: 3.11.4
  • Operating System: macOS Ventura 13.0

Description

Running safety check raises a vulnerability and fails the check even though the corresponding vulnerability id is added to ignore-vulnerabilities: in the safety-policy.yml file. The checks pass when the vulnerability id is passed explicitly to safety check --ignore=51457

What I Did

Running safety check

Running the safety check as is produces the following result

safety check
Screenshot 2023-08-03 at 3 12 33 PM

Note that the command does seem to be picking up the security policy file:

Safety v2.4.0b1 is scanning for Vulnerabilities...
Scan configuration using a security policy file .safety-policy.yml
Scanning dependencies in your files:

-> requirements.txt

Additionally the .safety-policy.yml file does explicitly list 51457 in the ignore-vulnerabilities section:

Screenshot 2023-08-03 at 3 58 45 PM

Running safety check --ignore

When the vulnerability id is explicitly passed as part of the safety check command, the vulnerability is successfully ignored:

safety check --ignore=51457
Screenshot 2023-08-03 at 4 01 21 PM

widal001 avatar Aug 03 '23 20:08 widal001

@widal001, thank you for the detailed issue report; there is a proposed solution on #477; we will release a 3.0 Safety version with improved capabilities and a fix for this; however, we still need to address if we'll release a new beta version with these fixes only.

Safety 3.0 is going to be released this month.

yeisonvargasf avatar Aug 04 '23 14:08 yeisonvargasf

@widal001, thank you for the detailed issue report; there is a proposed solution on #477; we will release a 3.0 Safety version with improved capabilities and a fix for this; however, we still need to address if we'll release a new beta version with these fixes only.

Safety 3.0 is going to be released this month.

Is there any update on this fix?

InvisibleMan1306 avatar Oct 12 '23 18:10 InvisibleMan1306

I see that 2.4.0b2 was released, but it appears to still have this problem.

We have been told 3.0 was imminent since at least August. https://github.com/pyupio/safety/issues/447#issuecomment-1665766714 https://github.com/pyupio/safety/issues/478#issuecomment-1665744067 https://github.com/pyupio/safety/issues/480#issuecomment-1665739709

Is the pyup/safetey team able to provide a fix for this while we wait for 3.0 to come out? Or provide feedback to #477?

rib3 avatar Nov 16 '23 15:11 rib3

I can confirm that version 3.0.1 of pyup/safety can now ignore vulnerabilities based on the policy_file, while versions 2.X did not work as expected.

nicolassanmar avatar Mar 18 '24 13:03 nicolassanmar

Hi @widal001 and everyone involved,

Thank you for your patience and for providing a detailed report on this issue.

We are pleased to inform you that the latest version of Safety, 3.0.1, addresses the issue with ignoring vulnerabilities listed in the .safety-policy.yml file. This version includes improved capabilities and should resolve the problem you encountered.

Please update to Safety version 3.0.1 and use the safety scan command to ensure that your specified vulnerabilities are correctly ignored according to your policy file.

If you encounter any further issues or have additional questions, please let us know.

Thank you for your continued support and for helping us improve Safety!

Best Regards, The Safety Team

dylanpulver avatar Aug 07 '24 21:08 dylanpulver