From 875e0a99f703215aefef16ab0b58d51f25e70028 Mon Sep 17 00:00:00 2001
From: MichaIng
Date: Tue, 14 May 2024 22:59:28 +0200
Subject: [PATCH] ci: update safety check workflow

Safety "check" has been superseded by "scan": https://docs.safetycli.com/safety-docs/safety-cli-3/migrating-from-safety-cli-2.x-to-safety-cli-3.x#switching-to-the-new-scan-command

Ignore disputed CVE-2018-20225. pip (intentionally) pulls the latest version of a module from PyPI, if an older version is available in "extra" indexes added via "extra-index-url" config/arg. If the module does not exist on PyPI at all, an attacker could upload one with the same name, injecting an unintended module into the user's project. This is of course naturally true when installing one module with multiple indexes, same as when installing an APT package with multiple APT repositories present. "extra"-index-url is not meant to override, but extend the indexes. To enforce a different index, and mitigate this potential risk for modules not uploaded to PyPI, use "index-url" arg/config instead.

Remove obsolete workaround.

Signed-off-by: MichaIng
---
 .github/workflows/python_safety.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/python_safety.yml b/.github/workflows/python_safety.yml
index ec02ef0fe..b19fce7f2 100644
--- a/.github/workflows/python_safety.yml
+++ b/.github/workflows/python_safety.yml
@@ -24,5 +24,7 @@ jobs: check-latest: true - run: pip install --upgrade pip setuptools - run: pip install safety . - - run: rm -Rfv /opt/hostedtoolcache/Python/3.12.1/x64/lib/python3.12/site-packages/pip-23.2.1.dist-info # Workaround: https://github.com/motioneye-project/motioneye/pull/2883 - - run: safety check + # Ignore CVE-2018-20225, which is IMO reasonably disputed: https://data.safetycli.com/v/67599/97c/ + # "extra"-index-url means an index to "additionally" look for newer versions, pre-compiled wheels, or similar, not to force this index being used. + # There is "index-url" to enforce a different index: https://pip.pypa.io/en/stable/cli/pip_install/#cmdoption-i + - run: safety scan --ignore 67599
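Review bot: the new `safety scan --ignore 67599` line carries an open-ended suppression with no expiry, and the hunk does not show where `scan` gets its credentials; please confirm both before merging. Safety CLI 3 documents ignores for `scan` through the policy file (`.safety-policy.yml`, `ignore-vulnerabilities` with a `reason` and an `expires` date), which would let the "disputed CVE-2018-20225" rationale from the YAML comments travel with the suppression and force a periodic re-check instead of silencing the ID forever, and it would also avoid depending on `scan` accepting the `check`-era `--ignore` option. Unlike `safety check`, `safety scan` authenticates against the Safety platform, so if the workflow does not already provide an API key or login step outside this hunk, the job will start failing for that reason rather than for a real finding. Dropping the `rm -Rfv .../Python/3.12.1/.../pip-23.2.1.dist-info` workaround is a clear improvement, since that path pinned both an interpreter and a pip version that the `check-latest: true` context line above would have moved past anyway.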