Explicitly ignore certain PYSECs #245

Closed
Elkasitu opened this issue Mar 2, 2022 · 2 comments · Fixed by #275
Labels
component:cli CLI components enhancement New feature or request

Comments

@Elkasitu
Contributor

Elkasitu commented Mar 2, 2022

Is your feature request related to a problem? Please describe.

Certain libraries have unfixed PYSECs that are acknowledged yet not a problem in certain scenarios.

For example, there is PYSEC-2017-49 for the kerberos library; however, the function impacted by said PYSEC is already documented to be dangerous by the lib maintainers, and essentially if your application doesn't use said function it's not impacted.

Describe the solution you'd like

A flag like --ignore and/or a config file wherein PYSECs to be ignored can be defined, akin to how pylint and flake8 do it. This would allow people to more easily integrate the tool with CI/CD pipelines, as any detected vulnerability currently triggers a non-zero exit code.

Describe alternatives you've considered

None

Additional context

None

@Elkasitu Elkasitu added the enhancement New feature or request label Mar 2, 2022
@di
Sponsor Member

di commented Mar 2, 2022

Thanks for the issue! See also #209. This may be a better approach than just ignoring entire projects.

@woodruffw woodruffw added the component:cli CLI components label Mar 2, 2022
@Elkasitu
Contributor Author

Elkasitu commented Mar 2, 2022

@di, actually I think both issues are valid. I checked #209 before writing this issue because #209 also applies to us, as we have in-house libraries that we don't deploy to PyPI or any other public repository, and for which there will never be any public advisories.

Elkasitu pushed a commit to Elkasitu/pip-audit that referenced this issue May 10, 2022
This commit introduces a new flag to pip-audit's CLI (--ignore-vuln)
that takes a string representing a PYSEC id. If any of the packages
scanned detect said vulnerability, it will be ignored in the final
report.

This allows users of pip-audit to ignore certain vulnerabilities that
they may deem not exploitable for whatever reason.

The flag can be used multiple times to ignore multiple PYSEC ids.

Closes pypa#245
Elkasitu pushed a commit to Elkasitu/pip-audit that referenced this issue May 10, 2022
This commit introduces a new flag to pip-audit's CLI (--ignore-vuln)
that takes a string representing a vulnerability id. If any of the
packages scanned detect said vulnerability, it will be ignored in the
final report.

This allows users of pip-audit to ignore certain vulnerabilities that
they may deem not exploitable for whatever reason.

The flag can be used multiple times to ignore multiple vulnerabilities.

Closes pypa#245
woodruffw added a commit that referenced this issue May 12, 2022
* pip_audit: provide has_any_id API for VulnerabilityResult

This API allows developers to query whether a VulnerabilityResult
contains at least one of the vulnerability IDs passed in as argument
either as its ID or as one of the aliases.

This method will return True if the vulnerability IDs passed in as
argument intersect with the VulnerabilityResult's aliases + ID, False
otherwise.

* cli: allow ignoring specific vulnerability IDs

This commit introduces a new flag to pip-audit's CLI (--ignore-vuln)
that takes a string representing a vulnerability id. If any of the
packages scanned detect said vulnerability, it will be ignored in the
final report.

This allows users of pip-audit to ignore certain vulnerabilities that
they may deem not exploitable for whatever reason.

The flag can be used multiple times to ignore multiple vulnerabilities.

Closes #245

Co-authored-by: William Woodruff <william@trailofbits.com>
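The matching rule the merged commit describes (a result is ignored when the ignore list intersects its ID plus aliases) and the repeatable --ignore-vuln flag, as an added illustration that is not pip-audit's own code: the names VulnerabilityResult and has_any_id come from the commit message, but their bodies here are my reconstruction, the argparse shape is an assumption, and the alias and second package in the sample data are constructed.

```python
import argparse
from dataclasses import dataclass, field
from typing import Iterable


@dataclass(frozen=True)
class VulnerabilityResult:
    """One advisory found for a package (reconstruction, not pip-audit's class)."""
    id: str
    aliases: frozenset = field(default_factory=frozenset)

    def has_any_id(self, ids: Iterable[str]) -> bool:
        """True if any of `ids` is this result's ID or one of its aliases.
        Alias matching means ignoring a CVE also silences its PYSEC alias."""
        return bool(({self.id} | self.aliases) & set(ids))


def parse_ignore_vulns(argv):
    """Mimic a repeatable --ignore-vuln flag (assumed CLI shape)."""
    parser = argparse.ArgumentParser()
    parser.add_argument("--ignore-vuln", action="append", default=[], dest="ignore_vuln")
    return set(parser.parse_args(argv).ignore_vuln)


def filter_ignored(results, ignored_ids):
    """Split audit results into (kept, ignored) using has_any_id."""
    kept, ignored = [], []
    for pkg, vulns in results.items():
        for vuln in vulns:
            (ignored if vuln.has_any_id(ignored_ids) else kept).append((pkg, vuln))
    return kept, ignored


def exit_code(kept) -> int:
    """Non-zero only when an un-ignored vulnerability remains, so CI can gate on it."""
    return 1 if kept else 0


# Constructed sample: PYSEC-2017-49 for kerberos is the advisory the issue mentions;
# the alias value and the second package are made up for this example.
SAMPLE_RESULTS = {
    "kerberos": [VulnerabilityResult("PYSEC-2017-49", frozenset({"CVE-EXAMPLE-0001"}))],
    "examplepkg": [VulnerabilityResult("PYSEC-EXAMPLE-0002")],
}

if __name__ == "__main__":
    ignore = parse_ignore_vulns(["--ignore-vuln", "PYSEC-2017-49"])
    kept, ignored = filter_ignored(SAMPLE_RESULTS, ignore)
    print("ignored:", [v.id for _, v in ignored], "exit code:", exit_code(kept))
```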