Ignoring multiple vulnerabilities does not work as documented #478

Open
kurthaegeman opened this issue Jul 29, 2023 · 1 comment
@kurthaegeman

  • safety version: 2.3.5
  • Python version: 3.10
  • Operating System: macOS Ventura 13.5

Description

README states that ignoring multiple vulnerabilities can be done with

safety check -i 1234,4567,89101

This doesn't seem to work: none of the configured IDs are ignored.

What I Did

If I run a safety check on two insecure packages, I get the expected result:

echo -e "insecure-package==0.1\nstarlette==0.26.1" | safety check --stdin
...
Scan was completed. 2 vulnerabilities were found.

We can configure one ignore without issue: it will be ignored by the scan:

echo -e "insecure-package==0.1\nstarlette==0.26.1" | safety check --stdin -i 58758
Scan was completed. 1 vulnerability was found. 1 vulnerability from 1 package was ignored.

Setting the ignores separately (the backward compatibility way) works as expected:

echo -e "insecure-package==0.1\nstarlette==0.26.1" | safety check --stdin -i 58758 -i 58713
Scan was completed. 0 vulnerabilities were found. 2 vulnerabilities from 2 packages were ignored.

However, if we try to add the second package to the ignore list in the documented way, neither of them gets ignored:

echo -e "insecure-package==0.1\nstarlette==0.26.1" | safety check --stdin -i 58758,58713
Scan was completed. 2 vulnerabilities were found.

In safety.check(), ignore_vulns becomes {'58758,58713': {'expires': None, 'reason': ''}}, so vulnerability.vulnerability_id not in ignore_vulns will return True for each of the ignored vulnerabilities and both will get added to the report.
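The parsing defect described above, reproduced as an added example that is not part of the original post or of safety's own code: a buggy builder that stores each raw -i value as one ID (yielding the '58758,58713' key the report observes) next to a corrected builder that accepts both repeated flags and comma-separated lists, applied to a constructed pair of findings. The Vulnerability class, the builder functions and the id-to-package pairing are assumptions for the illustration.

```python
# Added illustration of the ignore-list parsing bug; not safety's own code.
# The Vulnerability record and the id/package pairing below are constructed.
from dataclasses import dataclass


@dataclass
class Vulnerability:
    vulnerability_id: str
    package: str


def build_ignore_vulns_buggy(ignore_args):
    """Store each -i value verbatim as one ID, as the report observes.
    `-i 58758,58713` becomes the single key '58758,58713'."""
    return {value: {"expires": None, "reason": ""} for value in ignore_args}


def build_ignore_vulns_fixed(ignore_args):
    """Accept repeated -i flags and comma-separated lists alike.
    Each value is split on commas; blanks and stray spaces are dropped."""
    ignore_vulns = {}
    for value in ignore_args:
        for raw in value.split(","):
            vuln_id = raw.strip()
            if vuln_id:
                ignore_vulns[vuln_id] = {"expires": None, "reason": ""}
    return ignore_vulns


def remaining(vulns, ignore_vulns):
    """IDs that still reach the report: the same membership check the
    issue quotes, `vulnerability_id not in ignore_vulns`."""
    return [v.vulnerability_id for v in vulns
            if v.vulnerability_id not in ignore_vulns]


# Constructed sample standing in for the two findings in the report.
SAMPLE_VULNS = [
    Vulnerability("58758", "insecure-package"),
    Vulnerability("58713", "starlette"),
]

if __name__ == "__main__":
    for label, build in (("buggy", build_ignore_vulns_buggy),
                         ("fixed", build_ignore_vulns_fixed)):
        left = remaining(SAMPLE_VULNS, build(["58758,58713"]))
        print(f"{label}: -i 58758,58713 -> still reported: {left}")
```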

@yeisonvargasf yeisonvargasf self-assigned this Aug 4, 2023
@yeisonvargasf
Member

Thank you for the report; this may be related to #343 and #477. This will be addressed in Safety 3.0 version coming this month.
