From 8bf058d8fa38fcaef6555b36ac1f526663144a72 Mon Sep 17 00:00:00 2001
From: Anil Kumar Dakarapu
Date: Wed, 21 Feb 2024 10:08:30 +0530
Subject: [PATCH] Changed safety approach to distinguish between install and development
Details:
* Split the safety runs between requirements file for installation and minimum-constraints file for development. The safety run for installation must succeed, while the safety run for development shows its issues, but is allowed to fail.
Signed-off-by: Anil Kumar Dakarapu
---
.safety-policy.yml => .safety-policy-all.yml | 0
.safety-policy-install.yml | 29 ++++++++++++++++++
Makefile | 32 +++++++++++++++-----
galaxy.yml | 3 +-
4 files changed, 55 insertions(+), 9 deletions(-)
rename .safety-policy.yml => .safety-policy-all.yml (100%)
create mode 100644 .safety-policy-install.yml
diff --git a/.safety-policy.yml b/.safety-policy-all.yml
similarity index 100%
rename from .safety-policy.yml
rename to .safety-policy-all.yml
diff --git a/.safety-policy-install.yml b/.safety-policy-install.yml
new file mode 100644
index 000000000..d74b6c12e
--- /dev/null
+++ b/.safety-policy-install.yml
@@ -0,0 +1,29 @@
+# Safety policy file for packages needed for installation
+# For documentation, see https://docs.pyup.io/docs/safety-20-policy-file
+
+# Configuration for the 'safety check' command
+security:
+
+ # Ignore certain severities.
+ # A number between 0 and 10, with the following significant values:
+ # - 9: ignore all vulnerabilities except CRITICAL severity
+ # - 7: ignore all vulnerabilities except CRITICAL & HIGH severity
+ # - 4: ignore all vulnerabilities except CRITICAL, HIGH & MEDIUM severity
+ ignore-cvss-severity-below: 0
+
+ # Ignore unknown severities.
+ # Should be set to False.
+ ignore-cvss-unknown-severity: False
+
+ # List of specific vulnerabilities to ignore.
+ # {id}: # vulnerability ID
+ # reason: {text} # optional: Reason for ignoring it. Will be reported in the Safety reports
+ # expires: {date} # optional: Date when this ignore will expire
+ ignore-vulnerabilities:
+ 39611:
+ reason: PyYAML full_load method or FullLoader is not used
+ 43975:
+ reason: Fixed Urllib3 versions are excluded by requests
+
+ # Continue with exit code 0 when vulnerabilities are found.
+ continue-on-vulnerability-error: False
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 5a16ae536..2d77e4121 100644
--- a/Makefile
+++ b/Makefile
@@ -122,8 +122,9 @@ sanity_dir := tmp_sanity/collections/ansible_collections/ibm/ibm_zhmc
 sanity_dir1 := tmp_sanity
 sanity_tar_file := tmp_sanity.tar
-# Safety policy file
-safety_policy_file := .safety-policy.yml
+#Safety policy file (for packages needed for installation)
+safety_install_policy_file := .safety-policy-install.yml
+safety_all_policy_file := .safety-policy-all.yml
 # Packages whose dependencies are checked using pip-missing-reqs
 # Sphinx and ansible-doc-extractor are run only on Python>=3.6
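Review bot: The two `ignore-vulnerabilities` entries (39611 and 43975) carry a `reason` but no `expires` date, even though the template comment a few lines above documents `expires: {date}` as the way to time-limit an ignore. For this install policy, which the commit makes the check that must succeed, an open-ended ignore silently outlives the assumption behind it (for 43975, that the requests pin keeps the affected urllib3 versions out of an installation). I would add `expires: <YYYY-MM-DD, placeholder>` under each entry so the ignore is re-examined when it lapses rather than carried forward indefinitely.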
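Review bot: The new comment `#Safety policy file (for packages needed for installation)` is missing the space after `#` that the surrounding comments use, and it describes only the first of the two variables defined below it, leaving `safety_all_policy_file` undocumented. I would replace it with `# Safety policy files: one for packages needed for installation, one for all packages (development, minimum-constraints.txt)` so a reader knows which file each policy governs without opening the safety rules further down.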
@@ -291,7 +292,7 @@ check: _check_version $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done
 @echo '$@ done.'
 .PHONY: safety
-safety: $(done_dir)/safety_$(pymn)_$(PACKAGE_LEVEL).done
+safety: $(done_dir)/safety_all_$(pymn)_$(PACKAGE_LEVEL).done $(done_dir)/safety_install_$(pymn)_$(PACKAGE_LEVEL).done
 @echo "Makefile: $@ done."
 # Boolean variable indicating that the Ansible sanity test should be run in the current Python environment
@@ -470,21 +471,36 @@ $(done_dir)/install_pip_$(pymn)_$(PACKAGE_LEVEL).done: Makefile
 $(PYTHON_CMD) -m pip install $(pip_level_opts) pip setuptools wheel
 echo "done" >$@
-$(done_dir)/safety_$(pymn)_$(PACKAGE_LEVEL).done: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done Makefile $(safety_policy_file) minimum-constraints.txt
+$(done_dir)/safety_all_$(pymn)_$(PACKAGE_LEVEL).done: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done Makefile $(safety_all_policy_file) minimum-constraints.txt
 ifeq ($(python_major_version),2)
- @echo "Makefile: Warning: Skipping Safety on Python $(python_version)" >&2
+ @echo "Makefile: Warning: Skipping Safety for all packages on Python $(python_version)" >&2
 else
 ifeq ($(python_m_n_version),3.5)
- @echo "Makefile: Warning: Skipping Safety on Python $(python_version)" >&2
+ @echo "Makefile: Warning: Skipping Safety for all packages on Python $(python_version)" >&2
 else
- @echo "Makefile: Running Safety"
+ @echo "Makefile: Running Safety for all packages"
 -$(call RM_FUNC,$@)
- safety check --policy-file $(safety_policy_file) -r minimum-constraints.txt --full-report
+ -safety check --policy-file $(safety_all_policy_file) -r minimum-constraints.txt --full-report
 echo "done" >$@
 @echo "Makefile: Done running Safety"
 endif
 endif
+$(done_dir)/safety_install_$(pymn)_$(PACKAGE_LEVEL).done: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done Makefile $(safety_install_policy_file) requirements.txt
+ifeq ($(python_major_version),2)
+ @echo "Makefile: Warning: Skipping Safety for install packages on Python $(python_version)" >&2
+else
+ifeq ($(python_m_n_version),3.5)
+ @echo "Makefile: Warning: Skipping Safety for install packages on Python $(python_version)" >&2
+else
+ @echo "Makefile: Running Safety for install packages"
+ -$(call RM_FUNC,$@)
+ safety check --policy-file $(safety_install_policy_file) -r requirements.txt --full-report
+ echo "done" >$@
+ @echo "Makefile: Done running Safety for install packages"
+endif
+endif
+
 $(dist_file): 
$(done_dir)/install_deps_$(pymn)_$(PACKAGE_LEVEL).done $(dist_dependent_files) galaxy.yml
 mkdir -p $(dist_dir)
 ansible-galaxy collection build --output-path=$(dist_dir) --force .
diff --git a/galaxy.yml b/galaxy.yml
index 36b391adb..4be0270da 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -81,7 +81,8 @@ build_ignore:
 - .flake8 # only in older branches
 - .travis.yml
 - .whitesource
- - .safety-policy.yml
+ - .safety-policy-all.yml
+ - .safety-policy-install.yml
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.rst # only in older branches
 - DCO1.1.txt # only in older branches
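Review bot: The `-safety check --policy-file $(safety_all_policy_file) -r minimum-constraints.txt --full-report` line in the safety_all rule is now allowed to fail, but nothing in the Makefile records why, and the `echo "done" >$@` that follows stamps the target even when safety reported findings, so a later `make safety` will not re-report them until minimum-constraints.txt, the policy file or the Makefile changes. A comment above that line such as `# Development packages: findings are reported but do not fail the build; the enforced check is the safety_install rule` would carry the intent the commit message states into the file. The new safety_install rule duplicates the safety_all rule almost line for line, differing only in the label, policy file, requirements file and the `-` prefix; a `define`/`$(call)` template taking those as arguments would keep the two rules from drifting apart. If requirements.txt contains unpinned specifiers, it is worth confirming how `safety check -r` treats them, since that run is now the one that must pass. The `$(dist_file)` rule at the end of the hunk continues outside it.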