From ef247bc97a78354be3aa3eb89f1c95c430d3486d Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Mon, 19 Aug 2024 11:59:43 +0200 Subject: [PATCH 1/3] safety: make CVE-2024-5569 just a warning We get these packages from Debian, zipp is not used in production, and its only a DoS. --- .safety-policy.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.safety-policy.yml b/.safety-policy.yml index 73283975..6324a25f 100644 --- a/.safety-policy.yml +++ b/.safety-policy.yml @@ -26,3 +26,6 @@ security: 70612: reason: jinja2 is not used by fdroidserver, nor any dependencies I could find via debtree and pipdeptree. expires: '2026-05-31' + 72132: + reason: We get these packages from Debian, zipp is not used in production, and its only a DoS. + expires: '2026-08-31' From b1084c0b8a66d1279d72ff2094ebee0b42fa8c55 Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Thu, 29 Aug 2024 14:31:36 +0200 Subject: [PATCH 2/3] WIP safety: make CVE-2024-6345 just a warning --- .safety-policy.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.safety-policy.yml b/.safety-policy.yml index 6324a25f..ac6892dd 100644 --- a/.safety-policy.yml +++ b/.safety-policy.yml @@ -29,3 +29,6 @@ security: 72132: reason: We get these packages from Debian, zipp is not used in production, and its only a DoS. expires: '2026-08-31' + 72236: + reason: setuptools comes from Debian + expires: '2026-08-31' From d9e9618c56ee4a359f87a06f7d2b136920d3445d Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Fri, 30 Aug 2024 12:05:23 +0200 Subject: [PATCH 3/3] gitlab-ci: port to Safety 3.x and move to own job https://docs.safetycli.com/safety-docs/installation/gitlab https://docs.safetycli.com/safety-docs/administration/safety-policy-files --- .gitlab-ci.yml | 33 ++++++++++++++++-- .safety-policy.yml | 85 +++++++++++++++++++++++++++++----------------- 2 files changed, 83 insertions(+), 35 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b5d9a246..9f18ce63 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -213,7 +213,7 @@ gradlew-fdroid: # Run all the various linters and static analysis tools. -lint_format_safety_bandit_checks: +lint_format_bandit_checks: image: debian:bookworm-slim variables: LANG: C.UTF-8 @@ -235,7 +235,7 @@ lint_format_safety_bandit_checks: python3-pip python3-yaml shellcheck - - $pip install --break-system-packages bandit safety + - $pip install --break-system-packages bandit - export EXITVALUE=0 - function set_error() { export EXITVALUE=1; printf "\x1b[31mERROR `history|tail -2|head -1|cut -b 6-500`\x1b[0m\n"; } - ./hooks/pre-commit || set_error @@ -244,7 +244,6 @@ lint_format_safety_bandit_checks: -ii --ini .bandit || set_error - - safety check --full-report || set_error - pylint --output-format=colorized --reports=n fdroid makebuildserver @@ -258,6 +257,34 @@ lint_format_safety_bandit_checks: - exit $EXITVALUE +# Check all the dependencies in Debian to mirror production. CVEs are +# generally fixed in the latest versions in pip/pypi.org, so it isn't +# so important to scan that kind of install in CI. +# https://docs.safetycli.com/safety-docs/installation/gitlab +safety: + only: + changes: + - .gitlab-ci.yml + - .safety-policy.yml + - pyproject.toml + - setup.py + image: debian:bookworm-slim + <<: *apt-template + variables: + LANG: C.UTF-8 + script: + - test -n "$SAFETY_API_KEY" || exit 0 + - apt-get install + fdroidserver + python3-biplist + python3-pip + python3-pycountry + - $pip install --break-system-packages . + + - $pip install --break-system-packages safety + - python3 -m safety --key "$SAFETY_API_KEY" --stage cicd scan + + # Run all the various linters and static analysis tools. locales: image: debian:bookworm-slim diff --git a/.safety-policy.yml b/.safety-policy.yml index ac6892dd..cba25ff0 100644 --- a/.safety-policy.yml +++ b/.safety-policy.yml @@ -1,34 +1,55 @@ --- -security: - ignore-vulnerabilities: - 52495: - reason: setuptools comes from Debian - expires: '2025-01-31' - 60350: - reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40267 - expires: '2025-01-31' - 60789: - reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40590 - expires: '2025-01-31' - 60841: - reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-41040 - expires: '2025-01-31' - 62044: - reason: "F-Droid doesn't fetch pip dependencies directly from hg/mercurial repositories: https://data.safetycli.com/v/62044/f17/" - expires: '2025-01-31' - 63687: - reason: Only affects Windows https://security-tracker.debian.org/tracker/CVE-2024-22190 - expires: '2026-01-31' - 67599: - reason: Only affects pip when using --extra-index-url, which is never the case in fdroidserver CI. - expires: '2026-05-31' - 70612: - reason: jinja2 is not used by fdroidserver, nor any dependencies I could find via debtree and pipdeptree. - expires: '2026-05-31' - 72132: - reason: We get these packages from Debian, zipp is not used in production, and its only a DoS. - expires: '2026-08-31' - 72236: - reason: setuptools comes from Debian - expires: '2026-08-31' +version: '3.0' + +scanning-settings: + max-depth: 6 + exclude: + +report: + dependency-vulnerabilities: + enabled: true + auto-ignore-in-report: + vulnerabilities: + 52495: + reason: setuptools comes from Debian + expires: '2025-01-31' + 60350: + reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40267 + expires: '2025-01-31' + 60789: + reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40590 + expires: '2025-01-31' + 60841: + reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-41040 + expires: '2025-01-31' + 62044: + reason: "F-Droid doesn't fetch pip dependencies directly from hg/mercurial repositories: https://data.safetycli.com/v/62044/f17/" + expires: '2025-01-31' + 63687: + reason: Only affects Windows https://security-tracker.debian.org/tracker/CVE-2024-22190 + expires: '2026-01-31' + 67599: + reason: Only affects pip when using --extra-index-url, which is never the case in fdroidserver CI. + expires: '2026-05-31' + 70612: + reason: jinja2 is not used by fdroidserver, nor any dependencies I could find via debtree and pipdeptree. + expires: '2026-05-31' + 72132: + reason: We get these packages from Debian, zipp is not used in production, and its only a DoS. + expires: '2026-08-31' + 72236: + reason: setuptools comes from Debian + expires: '2026-08-31' + +fail-scan-with-exit-code: + dependency-vulnerabilities: + enabled: true + fail-on-any-of: + cvss-severity: + - critical + - high + - medium + +security-updates: + dependency-vulnerabilities: