
Ignoring multiple vulnerabilities does not work as documented #478

Closed
kurthaegeman opened this issue Jul 29, 2023 · 3 comments

@kurthaegeman

  • safety version: 2.3.5
  • Python version: 3.10
  • Operating System: macOS Ventura 13.5

Description

README states that ignoring multiple vulnerabilities can be done with

safety check -i 1234,4567,89101

This doesn't seem to work: none of the configured IDs are ignored.

What I Did

If I run a safety check on two insecure packages, I get the expected result:

echo -e "insecure-package==0.1\nstarlette==0.26.1" | safety check --stdin
...
Scan was completed. 2 vulnerabilities were found.

We can configure one ignore without issue: it will be ignored by the scan:

echo -e "insecure-package==0.1\nstarlette==0.26.1" | safety check --stdin -i 58758
Scan was completed. 1 vulnerability was found. 1 vulnerability from 1 package was ignored.

Setting the ignores separately (the backward compatibility way) works as expected:

echo -e "insecure-package==0.1\nstarlette==0.26.1" | safety check --stdin -i 58758 -i 58713
Scan was completed. 0 vulnerabilities were found. 2 vulnerabilities from 2 packages were ignored.

However, if we try to add the second package to the ignore list in the documented way, neither of them gets ignored:

echo -e "insecure-package==0.1\nstarlette==0.26.1" | safety check --stdin -i 58758,58713
Scan was completed. 2 vulnerabilities were found.

In safety.check(), ignore_vulns becomes {'58758,58713': {'expires': None, 'reason': ''}}, so vulnerability.vulnerability_id not in ignore_vulns will return True for each of the ignored vulnerabilities and both will get added to the report.
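
The mismatch described above, as an added example that is not Safety's own code: the first builder keys the dict with each raw `-i` value verbatim (reproducing the `{'58758,58713': ...}` observed), the second splits every value on commas so `-i a,b` and `-i a -i b` produce the same ignore set. The `Vulnerability` dataclass, the sample findings and the numeric-id check are assumptions made for the illustration.

```python
# Added illustration, not Safety's own code. Shows why "-i 58758,58713"
# ignored nothing and a normalisation step that accepts both option styles.
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Vulnerability:
    vulnerability_id: str  # assumed shape; only the id is needed here
    package_name: str


# Constructed sample matching the two findings quoted in the report.
FINDINGS = [
    Vulnerability("58758", "insecure-package"),
    Vulnerability("58713", "starlette"),
]


def ignore_map_as_reported(raw_values: Iterable[str]) -> Dict[str, dict]:
    """Keys each raw -i value verbatim: reproduces the observed behaviour."""
    return {v: {"expires": None, "reason": ""} for v in raw_values}


def ignore_map_normalised(raw_values: Iterable[str]) -> Dict[str, dict]:
    """Splits every -i value on commas and trims whitespace, so repeated
    options and comma lists end up in the same per-id dict."""
    ids: Dict[str, dict] = {}
    for raw in raw_values:
        for part in raw.split(","):
            vuln_id = part.strip()
            if not vuln_id:          # tolerate a trailing comma
                continue
            if not vuln_id.isdigit():  # assumption: ids are numeric
                raise ValueError(f"ignore id is not numeric: {part!r}")
            ids[vuln_id] = {"expires": None, "reason": ""}
    return ids


def still_reported(findings: List[Vulnerability],
                   ignore_vulns: Dict[str, dict]) -> List[str]:
    """Ids that survive the membership check quoted in the report."""
    return [v.vulnerability_id for v in findings
            if v.vulnerability_id not in ignore_vulns]
```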

@yeisonvargasf yeisonvargasf self-assigned this Aug 4, 2023
@yeisonvargasf
Member

Thank you for the report; this may be related to #343 and #477. This will be addressed in Safety 3.0 version coming this month.

@dylanpulver
Contributor

Hi @kurthaegeman and everyone involved,

Thank you for your patience and for providing a detailed report on this issue.

We are pleased to inform you that the latest version of Safety, 3.0.1, addresses the issue with ignoring multiple vulnerabilities as documented. This version includes improved capabilities and should resolve the problem you encountered.

Please update to Safety version 3.0.1 and test the functionality. If you encounter any further issues or have additional questions, please let us know.

Thank you for your continued support and for helping us improve Safety!

Best Regards,
The Safety Team

@kurthaegeman
Author

Solution confirmed, thank you!
