gitlab-ci: port to Safety 3.x and move to own job

https://docs.safetycli.com/safety-docs/installation/gitlab
https://docs.safetycli.com/safety-docs/administration/safety-policy-files

.gitlab-ci.yml

@@ -213,7 +213,7 @@ gradlew-fdroid:
 
 
 # Run all the various linters and static analysis tools.
-lint_format_safety_bandit_checks:
+lint_format_bandit_checks:
   image: debian:bookworm-slim
   variables:
     LANG: C.UTF-8
@@ -235,7 +235,7 @@ lint_format_safety_bandit_checks:
           python3-pip
           python3-yaml
           shellcheck
-    - $pip install --break-system-packages bandit safety
+    - $pip install --break-system-packages bandit
     - export EXITVALUE=0
     - function set_error() { export EXITVALUE=1; printf "\x1b[31mERROR `history|tail -2|head -1|cut -b 6-500`\x1b[0m\n"; }
     - ./hooks/pre-commit || set_error
@@ -244,7 +244,6 @@ lint_format_safety_bandit_checks:
         -ii
         --ini .bandit
         || set_error
-    - safety check --full-report || set_error
     - pylint --output-format=colorized --reports=n
             fdroid
             makebuildserver
@@ -258,6 +257,34 @@ lint_format_safety_bandit_checks:
     - exit $EXITVALUE
 
 
+# Check all the dependencies in Debian to mirror production.  CVEs are
+# generally fixed in the latest versions in pip/pypi.org, so it isn't
+# so important to scan that kind of install in CI.
+# https://docs.safetycli.com/safety-docs/installation/gitlab
+safety:
+  only:
+    changes:
+      - .gitlab-ci.yml
+      - .safety-policy.yml
+      - pyproject.toml
+      - setup.py
+  image: debian:bookworm-slim
+  <<: *apt-template
+  variables:
+    LANG: C.UTF-8
+  script:
+    - test -n "$SAFETY_API_KEY" || exit 0
+    - apt-get install
+        fdroidserver
+        python3-biplist
+        python3-pip
+        python3-pycountry
+    - $pip install --break-system-packages .
+
+    - $pip install --break-system-packages safety
+    - python3 -m safety --key "$SAFETY_API_KEY" --stage cicd scan
+
+
 # Run all the various linters and static analysis tools.
 locales:
   image: debian:bookworm-slim

.safety-policy.yml

@@ -1,34 +1,55 @@
 ---
 
-security:
+version: '3.0'
-  ignore-vulnerabilities:
+
-    52495:
+scanning-settings:
-      reason: setuptools comes from Debian
+  max-depth: 6
-      expires: '2025-01-31'
+  exclude:
-    60350:
+
-      reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40267
+report:
-      expires: '2025-01-31'
+  dependency-vulnerabilities:
-    60789:
+    enabled: true
-      reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40590
+    auto-ignore-in-report:
-      expires: '2025-01-31'
+      vulnerabilities:
-    60841:
+        52495:
-      reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-41040
+          reason: setuptools comes from Debian
-      expires: '2025-01-31'
+          expires: '2025-01-31'
-    62044:
+        60350:
-      reason: "F-Droid doesn't fetch pip dependencies directly from hg/mercurial repositories: https://data.safetycli.com/v/62044/f17/"
+          reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40267
-      expires: '2025-01-31'
+          expires: '2025-01-31'
-    63687:
+        60789:
-      reason: Only affects Windows https://security-tracker.debian.org/tracker/CVE-2024-22190
+          reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40590
-      expires: '2026-01-31'
+          expires: '2025-01-31'
-    67599:
+        60841:
-      reason: Only affects pip when using --extra-index-url, which is never the case in fdroidserver CI.
+          reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-41040
-      expires: '2026-05-31'
+          expires: '2025-01-31'
-    70612:
+        62044:
-      reason: jinja2 is not used by fdroidserver, nor any dependencies I could find via debtree and pipdeptree.
+          reason: "F-Droid doesn't fetch pip dependencies directly from hg/mercurial repositories: https://data.safetycli.com/v/62044/f17/"
-      expires: '2026-05-31'
+          expires: '2025-01-31'
-    72132:
+        63687:
-      reason: We get these packages from Debian, zipp is not used in production, and its only a DoS.
+          reason: Only affects Windows https://security-tracker.debian.org/tracker/CVE-2024-22190
-      expires: '2026-08-31'
+          expires: '2026-01-31'
-    72236:
+        67599:
-      reason: setuptools comes from Debian
+          reason: Only affects pip when using --extra-index-url, which is never the case in fdroidserver CI.
-      expires: '2026-08-31'
+          expires: '2026-05-31'
+        70612:
+          reason: jinja2 is not used by fdroidserver, nor any dependencies I could find via debtree and pipdeptree.
+          expires: '2026-05-31'
+        72132:
+          reason: We get these packages from Debian, zipp is not used in production, and its only a DoS.
+          expires: '2026-08-31'
+        72236:
+          reason: setuptools comes from Debian
+          expires: '2026-08-31'
+
+fail-scan-with-exit-code:
+  dependency-vulnerabilities:
+    enabled: true
+    fail-on-any-of:
+      cvss-severity:
+        - critical
+        - high
+        - medium
+
+security-updates:
+  dependency-vulnerabilities: