Vulnerability not ignored when added to .safety-policy.yml

[widal001]

• safety version: 2.4.0b1
• Python version: 3.11.4
• Operating System: macOS Ventura 13.0

Description

Running safety check raises a vulnerability and fails the check even though the corresponding vulnerability id is added to ignore-vulnerabilities: in the safety-policy.yml file. The checks pass when the vulnerability id is passed explicitly to safety check --ignore=51457

What I Did

Running safety check

Running the safety check as is produces the following result

safety check

Note that the command does seem to be picking up the security policy file:

Safety v2.4.0b1 is scanning for Vulnerabilities...
Scan configuration using a security policy file .safety-policy.yml
Scanning dependencies in your files:

-> requirements.txt

Additionally the .safety-policy.yml file does explicitly list 51457 in the ignore-vulnerabilities section:

Running safety check --ignore

When the vulnerability id is explicitly passed as part of the safety check command, the vulnerability is successfully ignored:

safety check --ignore=51457

[yeisonvargasf]

@widal001, thank you for the detailed issue report; there is a proposed solution on #477; we will release a 3.0 Safety version with improved capabilities and a fix for this; however, we still need to address if we'll release a new beta version with these fixes only.

Safety 3.0 is going to be released this month.

[InvisibleMan1306]

@widal001, thank you for the detailed issue report; there is a proposed solution on #477; we will release a 3.0 Safety version with improved capabilities and a fix for this; however, we still need to address if we'll release a new beta version with these fixes only.

Safety 3.0 is going to be released this month.

Is there any update on this fix?

[rib3]

I see that 2.4.0b2 was released, but it appears to still have this problem.

We have been told 3.0 was imminent since at least August.
#447 (comment)
#478 (comment)
#480 (comment)

Is the pyup/safetey team able to provide a fix for this while we wait for 3.0 to come out?
Or provide feedback to #477?

[nicolassanmar]

I can confirm that version 3.0.1 of pyup/safety can now ignore vulnerabilities based on the policy_file, while versions 2.X did not work as expected.

[dylanpulver]

Hi @widal001 and everyone involved,

Thank you for your patience and for providing a detailed report on this issue.

We are pleased to inform you that the latest version of Safety, 3.0.1, addresses the issue with ignoring vulnerabilities listed in the .safety-policy.yml file. This version includes improved capabilities and should resolve the problem you encountered.

Please update to Safety version 3.0.1 and use the safety scan command to ensure that your specified vulnerabilities are correctly ignored according to your policy file.

If you encounter any further issues or have additional questions, please let us know.

Thank you for your continued support and for helping us improve Safety!

Best Regards,
The Safety Team