Temporary ignoring of vulnerabilities #676
Comments
Hi @KeithWM, thanks for the feature request! Out of curiosity: is your CI/CD pipeline built on GitHub Actions and, if so, are you using pypa/gh-action-pip-audit? The reason why I ask is because this kind of feature might be a better fit for the action, rather than |
Hi Woodruff, No, we are using Bitbucket pipelines. How would you build the feature into the github action? Maybe a similar idea would be possible for Bitbucket pipelines. |
For GitHub Actions, we could probably do something like this:

```yaml
- uses: pypa/gh-action-pip-audit@v1.0.8
  with:
    ignore-vulns: |
      PYSEC-AAAA-BBBB:YYYY-MM-DD
      CVE-AAAA-BBBB:YYYY-MM-DD
```

i.e. each ID listed under That being said, I find that pretty clunky, and I'm not a huge fan of adding syntax to the action that isn't also present in the CLI 🙂 Ultimately, this kind of statefulness might be outside of |
I think you're right that it is better for pip-audit to be agnostic of time and date. In Bitbucket pipelines, I think we could do some shell scripting to first populate a list of Maybe a feature that could lie within pip-audit is that you can specify to ignore a vulnerability until a fix is available? |
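A sketch of the CI-side shell wrapper mentioned above, written as an added example that is not part of pip-audit, the action, or this thread: it reads `ID:YYYY-MM-DD` lines (the same format proposed for the action's `ignore-vulns` input) from a file, passes only the entries whose date has not yet passed as `--ignore-vuln` flags, and lists the expired ones so the team is reminded to revisit them rather than silently re-silence the finding. The file name `.pip-audit-ignores`, the helper names, and the sample advisory IDs are assumptions constructed for the example; dates are compared as ISO strings so the script does not depend on GNU versus BSD `date`.

```shell
#!/bin/sh
# Added example, not pip-audit's own code. Keeps "ID:YYYY-MM-DD" ignore entries
# in a file, drops (and reports) the ones whose date has passed, and hands the
# rest to pip-audit as --ignore-vuln flags. File name and format are assumptions.

# Read "ID:YYYY-MM-DD" lines from stdin and print either the still-active IDs
# ($1 = active) or the expired ones ($1 = expired), judged against $2 (today).
# ISO dates order correctly as plain strings, so awk's string comparison is
# enough; a malformed line aborts with status 2 so CI does not silently
# ignore nothing (or everything).
select_ignores() {
    mode="$1"; today="$2"
    awk -F: -v mode="$mode" -v today="$today" '
        /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }   # blank lines and comments
        NF != 2 || $2 !~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ {
            printf "malformed ignore entry: %s\n", $0 > "/dev/stderr"; exit 2
        }
        mode == "active"  && $2 >= today { print $1 }
        mode == "expired" && $2 <  today { print $1 " (expired " $2 ")" }
    '
}

# Print one "--ignore-vuln ID" pair per line for the active entries in file $1
# as of date $2; the caller word-splits this into pip-audit's argument list.
ignore_flags() {
    select_ignores active "$2" < "$1" | while read -r id; do
        printf '%s %s\n' --ignore-vuln "$id"
    done
}

# Run pip-audit with the active ignores. Expired entries go to stderr first so
# the reason a previously green pipeline now fails is visible in the log.
run_audit() {
    expired=$(select_ignores expired "$2" < "$1") || return $?
    if [ -n "$expired" ]; then
        printf 'ignores that have expired and need revisiting:\n%s\n' "$expired" >&2
    fi
    # Word splitting is intended: IDs contain no whitespace.
    # shellcheck disable=SC2046
    pip-audit $(ignore_flags "$1" "$2")
}

# Constructed sample ignore file (placeholder IDs, not real advisories).
IGNORE_FILE="${TMPDIR:-/tmp}/pip-audit-ignores.$$"
cat > "$IGNORE_FILE" <<'EOF'
# ID:YYYY-MM-DD  -- ignore this advisory until the given date
PYSEC-0000-0001:2099-12-31
CVE-0000-0002:2024-01-31
EOF
# Dry run only, so the example does not require pip-audit to be installed;
# in a pipeline you would call: run_audit .pip-audit-ignores "$(date +%Y-%m-%d)"
printf 'would run: pip-audit %s\n' "$(ignore_flags "$IGNORE_FILE" 2024-06-30 | tr '\n' ' ')"
rm -f "$IGNORE_FILE"
```

Because expired entries are printed rather than silently dropped, the pipeline fails with an explanation the moment an ignore lapses, which is the "forced to revisit" behaviour the request asks for, without pip-audit itself having to know about dates.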
Yeah, this is possible (although we've had some design concerns in the past about allowing users to ignore vulnerabilities by default). #243 has some more context 🙂 TL;DR there is that users might pass Edit: and #209 is likely still the route we'll want to take there, although I haven't re-evaluated the TOML landscape recently to see if |
Good points. There is a big difference though between a blanket |
Yeah, none of this is ideal 😞 Thinking about it some more, CC @di for thoughts -- I'm pretty ambivalent 🙂 |
First of all, thanks for the great package. It is a very useful tool in keeping our code safe, much appreciated.
My feature request is inspired by the fact that we are using pip-audit in our CI/CD pipeline and this means that if a vulnerability is detected, this has to be dealt with immediately. Sometimes there is no "proper" fix available yet and we resort to simply ignoring the vulnerability with `--ignore-vuln`. This doesn't bother me much, but I would prefer it if this ignore could be made temporary, so that we will be forced to revisit the issue at a later date. Keen to hear your thoughts on this idea. One of our team might even be able to contribute to the implementation, if desired. I could also just be not seeing some existing feature that would solve our problem.