ci: update safety check workflow

Safety "check" has been superseded by "scan": https://docs.safetycli.com/safety-docs/safety-cli-3/migrating-from-safety-cli-2.x-to-safety-cli-3.x#switching-to-the-new-scan-command Ignore disputed CVE-2018-20225. pip (intentioanlly) pulls the latest version of a module from PyPI, if an older version is available in "extra" indexes added via "extra-index-url" config/arg. If the module does not exist on PyPI at all, an attacker could upload one with the same name, injecting an unintended module into the user's project. This is of course naturally true when installing one module with multiple indexes, same as when installing an APT package with multiple APT repositories present. "extra"-index-url is not meant to override, but extend the indexes. To enforce a different index, and mitigate this potential risk for modules not uploaded to PyPI, use "index-url" arg/config instead. Remove obsolete workaround. Signed-off-by: MichaIng <micha@dietpi.com>
motioneye-project · May 14, 2024 · 875e0a9 · 875e0a9
1 parent 1e85996
commit 875e0a9
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/.github/workflows/python_safety.yml b/.github/workflows/python_safety.yml
@@ -24,5 +24,7 @@ jobs:
           check-latest: true
       - run: pip install --upgrade pip setuptools
       - run: pip install safety .
-      - run: rm -Rfv /opt/hostedtoolcache/Python/3.12.1/x64/lib/python3.12/site-packages/pip-23.2.1.dist-info  # Workaround: https://github.com/motioneye-project/motioneye/pull/2883
-      - run: safety check
+      # Ignore CVE-2018-20225, which is IMO reasonably disputed: https://data.safetycli.com/v/67599/97c/
+      # "extra"-index-url means an index to "additionally" look for newer versions, pre-compiled wheels, or similar, not to force this index being used.
+      # There is "index-url" to enforce a different index: https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-i
+      - run: safety scan --ignore 67599