
cli: allow ignoring specific vulnerability IDs #275

Merged
merged 3 commits into from May 12, 2022

Conversation

@Elkasitu (Contributor) commented May 10, 2022

This commit introduces a new flag to pip-audit's CLI (--ignore-vuln)
that takes a string representing a vulnerability ID; if any of the
packages scanned detect said vulnerability, it will be ignored in the
final report.

This allows users of pip-audit to ignore certain vulnerabilities that
they may deem not exploitable for whatever reason.

The flag can be used multiple times to ignore multiple vulnerabilities.

Closes #245

pip_audit/_cli.py
@@ -442,7 +455,8 @@ def audit() -> None:
if vuln_count > 0:
summary_msg = (
f"Found {vuln_count} known "
f"{'vulnerability' if vuln_count == 1 else 'vulnerabilities'} "
f"{'vulnerability' if vuln_count == 1 else 'vulnerabilities'}"
f"{(vuln_ignore_count and ', ignored %d ' % vuln_ignore_count) or ' '}"
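Review bot: the `(vuln_ignore_count and ', ignored %d ' % vuln_ignore_count) or ' '` expression on the last added line leans on the and/or idiom and mixes %-formatting into an f-string, and because the trailing space was dropped from the `vulnerabilities` line just above, the separator now depends on which of the two alternatives wins, which is easy to get wrong when the message is edited later. Rendering `, ignored {vuln_ignore_count}` unconditionally, or writing a plain conditional expression `', ignored %d ' % vuln_ignore_count if vuln_ignore_count else ' '`, would produce the same output and be far easier to read.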
Member commented:

This is pretty hard to read. IMO it's okay if we render `, ignored 0` by default, but cc @di for opinions.

@Elkasitu (Contributor, author) replied:

I agree, if `, ignored 0` is ok then I'm all up for it


CLAassistant commented May 10, 2022

CLA assistant check
All committers have signed the CLA.

@Elkasitu Elkasitu changed the title cli: allow ignoring specific PYSEC ids cli: allow ignoring specific vulnerability IDs May 10, 2022
@Elkasitu Elkasitu force-pushed the ignore-specific-vulns branch 2 times, most recently from 4690869 to d1e1782, May 12, 2022 20:23
Adrian Torres added 2 commits May 12, 2022 22:24
This API allows developers to query whether a VulnerabilityResult
contains at least one of the vulnerability IDs passed in as an argument,
either as its ID or as one of its aliases.

This method will return True if the vulnerability IDs passed in as
argument intersect with the VulnerabilityResult's aliases + ID, False
otherwise.

This commit introduces a new flag to pip-audit's CLI (--ignore-vuln)
that takes a string representing a vulnerability ID; if any of the
packages scanned detect said vulnerability, it will be ignored in the
final report.

This allows users of pip-audit to ignore certain vulnerabilities that
they may deem not exploitable for whatever reason.

The flag can be used multiple times to ignore multiple vulnerabilities.

Closes pypa#245
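The PR description and the two commit messages above describe the same mechanism from two sides: an ID-or-alias membership test on a vulnerability result, and a CLI flag that drops every matching finding from the report while counting what was ignored. The following is an added, stand-alone illustration of that behaviour. It is not pip-audit's own code; the `Vuln` and `Dep` classes, the `SCAN_RESULTS` sample and the advisory identifiers are constructed for the example, and the report of ignore entries that matched nothing goes beyond what the PR implements (it is a useful hygiene check for stale risk acceptances). Note that, as in the PR, an ignored ID suppresses the finding for every package that carries it, not for one package only.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed stand-ins for pip-audit's result types (hypothetical, not the project's own).
@dataclass(frozen=True)
class Vuln:
    id: str                           # canonical advisory ID (e.g. a PYSEC or GHSA identifier)
    aliases: frozenset = frozenset()  # other IDs naming the same advisory (e.g. a CVE)

    def has_any_id(self, ids: Iterable[str]) -> bool:
        """True if any of `ids` is this advisory's ID or one of its aliases."""
        return not {self.id, *self.aliases}.isdisjoint(ids)


@dataclass(frozen=True)
class Dep:
    name: str
    version: str


# Constructed sample scan output: package -> advisories found for it.
# PYSEC-0000-00001 is reported for two packages and carries a CVE alias.
SCAN_RESULTS: Dict[Dep, List[Vuln]] = {
    Dep("examplepkg", "1.0.0"): [
        Vuln("PYSEC-0000-00001", frozenset({"CVE-0000-00001"})),
        Vuln("PYSEC-0000-00002"),
    ],
    Dep("otherpkg", "2.3.4"): [
        Vuln("PYSEC-0000-00001", frozenset({"CVE-0000-00001"})),
    ],
    Dep("cleanpkg", "0.1.0"): [],
}


def apply_ignores(
    results: Dict[Dep, List[Vuln]], ignore_ids: Iterable[str]
) -> Tuple[Dict[Dep, List[Vuln]], int, int, Set[str]]:
    """Drop every finding whose ID or alias is in `ignore_ids` (the repeatable --ignore-vuln values).

    Returns (filtered results, remaining count, ignored count, ignore IDs that matched nothing).
    The last element is an addition for hygiene: an ignore entry that never matches is
    either a typo or a risk acceptance that has outlived the finding it was written for.
    """
    ignore = set(ignore_ids)
    filtered: Dict[Dep, List[Vuln]] = {}
    vuln_count = vuln_ignore_count = 0
    matched: Set[str] = set()
    for dep, vulns in results.items():
        kept = []
        for v in vulns:
            if v.has_any_id(ignore):
                vuln_ignore_count += 1
                matched |= {v.id, *v.aliases} & ignore  # remember which ignore entries did work
            else:
                kept.append(v)
        vuln_count += len(kept)
        filtered[dep] = kept
    return filtered, vuln_count, vuln_ignore_count, ignore - matched


def summary_line(vuln_count: int, vuln_ignore_count: int) -> str:
    """Summary in the style discussed in the review, rendering ', ignored 0' unconditionally."""
    noun = "vulnerability" if vuln_count == 1 else "vulnerabilities"
    return f"Found {vuln_count} known {noun}, ignored {vuln_ignore_count}"


if __name__ == "__main__":
    # Equivalent of: pip-audit --ignore-vuln CVE-0000-00001 --ignore-vuln PYSEC-9999-99999
    filtered, found, ignored, unused = apply_ignores(
        SCAN_RESULTS, ["CVE-0000-00001", "PYSEC-9999-99999"]
    )
    for dep, vulns in filtered.items():
        for v in vulns:
            print(f"{dep.name} {dep.version} {v.id}")
    print(summary_line(found, ignored))
    for stale in sorted(unused):
        print(f"warning: --ignore-vuln {stale} matched no finding")
```

Ignoring by the CVE alias suppresses the PYSEC-identified finding in both packages that carry it, which is the intended behaviour of a repeatable, ID-keyed flag but also the reason an ignore list should be reviewed as a set of explicit risk acceptances rather than accumulated indefinitely.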
@woodruffw woodruffw left a comment
LGTM, I'll give @di another chance to review but otherwise I can merge tonight 🙂

@woodruffw woodruffw merged commit 1e03403 into pypa:main May 12, 2022
@woodruffw (Member) commented:

Thanks a ton @Elkasitu!

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request May 28, 2022
## [2.3.0] - 2022-05-18

### Added

* CLI: The `--ignore-vuln` option has been added, allowing users to
  specify vulnerability IDs to ignore during the final report
  ([#275](pypa/pip-audit#275))

* CLI: The `--no-deps` flag has been added, allowing users to skip dependency
  resolution entirely when `pip-audit` is used in requirements mode
  ([#255](pypa/pip-audit#255))
Successfully merging this pull request may close these issues.

Explicitly ignore certain PYSECs