Split safety runs into all & install

* Split safety runs into one for checking all requirements (against minimum-constraints.txt) which may fail and one for checking the install requirements (against requirements.txt) which must succeed. * Added the option 'ignore-unpinned-requirements: False' to the policy files because with safety 3.0, the default is to ignore unpinned requirements. * Because the new option s not tolerated by safety 2.x, made safety 3.0 the new minimum version, and also running it only on Python >=3.7 because that is its minimum supported Python version. Signed-off-by: Andreas Maier <[email protected]>
zhmcclient · Feb 18, 2024 · e4f3c92 · e4f3c92
1 parent 570e91b
commit e4f3c92
Show file tree

Hide file tree

Showing 7 changed files with 77 additions and 16 deletions.
diff --git a/.safety-policy.yml → .safety-policy-all.yml b/.safety-policy.yml → .safety-policy-all.yml
@@ -15,6 +15,10 @@ security:
     # Should be set to False.
     ignore-cvss-unknown-severity: False
 
+    # Ignore unpinned requirements.
+    # Should be set to False.
+    ignore-unpinned-requirements: False
+
     # List of specific vulnerabilities to ignore.
     # {id}:                 # vulnerability ID
     #     reason: {text}    # optional: Reason for ignoring it. Will be reported in the Safety reports

diff --git a/.safety-policy-install.yml b/.safety-policy-install.yml
@@ -0,0 +1,37 @@
+# Safety policy file
+# For documentation, see https://docs.pyup.io/docs/safety-20-policy-file
+
+# Configuration for the 'safety check' command
+security:
+
+    # Ignore certain severities.
+    # A number between 0 and 10, with the following significant values:
+    # - 9: ignore all vulnerabilities except CRITICAL severity
+    # - 7: ignore all vulnerabilities except CRITICAL & HIGH severity
+    # - 4: ignore all vulnerabilities except CRITICAL, HIGH & MEDIUM severity
+    ignore-cvss-severity-below: 0
+
+    # Ignore unknown severities.
+    # Should be set to False.
+    ignore-cvss-unknown-severity: False
+
+    # Ignore unpinned requirements.
+    # Should be set to False.
+    ignore-unpinned-requirements: False
+
+    # List of specific vulnerabilities to ignore.
+    # {id}:                 # vulnerability ID
+    #     reason: {text}    # optional: Reason for ignoring it. Will be reported in the Safety reports
+    #     expires: {date}   # optional: Date when this ignore will expire
+    ignore-vulnerabilities:
+        39611:
+            reason: Fixed PyYAML versions 5.4 to 6.0.0 do not work with Cython 3, and the full_load method or FullLoader is not used
+        61601:
+            reason: Fixed urllib3 version 2.0.5 is excluded by requests on Python 3.6
+        61893:
+            reason: Fixed urllib3 version 2.0.7 is excluded by requests on Python 3.6
+        64227:
+            reason: Fixed Jinja2 version 3.1.3 requires Python>=3.7 and is used there
+
+    # Continue with exit code 0 when vulnerabilities are found.
+    continue-on-vulnerability-error: False
diff --git a/Makefile b/Makefile
@@ -137,14 +137,15 @@ ifeq ($(python_version),3.6)
   check_reqs_packages := pip_check_reqs pipdeptree build pytest coverage coveralls flake8 pylint twine
 else
 ifeq ($(python_version),3.7)
-  check_reqs_packages := pip_check_reqs pipdeptree build pytest coverage coveralls flake8 pylint twine
+  check_reqs_packages := pip_check_reqs pipdeptree build pytest coverage coveralls flake8 pylint twine safety
 else
-  check_reqs_packages := pip_check_reqs pipdeptree build pytest coverage coveralls flake8 pylint twine sphinx
+  check_reqs_packages := pip_check_reqs pipdeptree build pytest coverage coveralls flake8 pylint twine safety sphinx
 endif
 endif
 
 # Safety policy file
-safety_policy_file := .safety-policy.yml
+safety_install_policy_file := .safety-policy-install.yml
+safety_all_policy_file := .safety-policy-all.yml
 
 pytest_cov_opts := --cov $(package_name) --cov-config .coveragerc --cov-append --cov-report=html:htmlcov
 pytest_cov_files := .coveragerc
@@ -239,7 +240,7 @@ pylint: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done
 	@echo "Makefile: $@ done."
 
 .PHONY: safety
-safety: $(done_dir)/safety_$(pymn)_$(PACKAGE_LEVEL).done
+safety: $(done_dir)/safety_all_$(pymn)_$(PACKAGE_LEVEL).done $(done_dir)/safety_install_$(pymn)_$(PACKAGE_LEVEL).done
 	@echo "Makefile: $@ done."
 
 .PHONY: check_reqs
@@ -258,12 +259,27 @@ else
 endif
 	@echo "Makefile: $@ done."
 
-$(done_dir)/safety_$(pymn)_$(PACKAGE_LEVEL).done: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done Makefile $(safety_policy_file) minimum-constraints.txt
-	@echo "Makefile: Running Safety"
+$(done_dir)/safety_all_$(pymn)_$(PACKAGE_LEVEL).done: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done Makefile $(safety_all_policy_file) minimum-constraints.txt
+ifeq ($(python_mn_version),3.6)
+	@echo "Makefile: Warning: Skipping Safety for all packages on Python $(python_version)" >&2
+else
+	@echo "Makefile: Running Safety for all packages"
+	-$(call RM_FUNC,$@)
+	-safety check --policy-file $(safety_all_policy_file) -r minimum-constraints.txt --full-report
+	echo "done" >$@
+	@echo "Makefile: Done running Safety for all packages"
+endif
+
+$(done_dir)/safety_install_$(pymn)_$(PACKAGE_LEVEL).done: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done Makefile $(safety_install_policy_file) requirements.txt
+ifeq ($(python_mn_version),3.6)
+	@echo "Makefile: Warning: Skipping Safety for all packages on Python $(python_version)" >&2
+else
+	@echo "Makefile: Running Safety for install packages"
 	-$(call RM_FUNC,$@)
-	safety check --policy-file $(safety_policy_file) -r minimum-constraints.txt --full-report
+	safety check --policy-file $(safety_install_policy_file) -r requirements.txt --full-report
 	echo "done" >$@
-	@echo "Makefile: Done running Safety"
+	@echo "Makefile: Done running Safety for install packages"
+endif
 
 .PHONY: test
 test: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done $(pytest_cov_files)

diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -14,12 +14,9 @@ build>=0.5.0
 pep517>=0.9.1
 
 # Safety CI by pyup.io
-# Safety is run only on Python >=3.6
-# Safety 2.3.5 (running only on Python >=3.6) requires packaging<22.0,>=21.0, but safety 2.3.4 does not
-#   and safety 2.4.0 will also no longer pin it (see https://github.com/pyupio/safety/issues/455).
-safety>=2.2.0,!=2.3.5; python_version >= '3.6'
-dparse>=0.6.2; python_version >= '3.6'
-ruamel.yaml>=0.17.21,<0.17.22; python_version == '3.6'
+# Safety is run only on Python >=3.7
+safety>=3.0.1; python_version >= '3.7'
+dparse>=0.6.4; python_version >= '3.7'
 ruamel.yaml>=0.17.21; python_version >= '3.7'
 
 # Unit test (imports into testcases):

diff --git a/docs/changes.rst b/docs/changes.rst
@@ -40,6 +40,9 @@ Released: not yet
 
 **Enhancements:**
 
+* Split safety runs into one against all requirements that may fail and one
+  against the install requirements that must succeed. (issue #441)
+
 **Cleanup:**
 
 * Increased versions of GitHub Actions plugins to increase node.js runtime

diff --git a/minimum-constraints.txt b/minimum-constraints.txt
@@ -85,7 +85,11 @@ build==0.5.0
 pep517==0.9.1
 
 # Safety CI by pyup.io
-# Safety is run only on Python >=3.6
+# Safety is run only on Python >=3.7
+safety==3.0.1; python_version >= '3.7'
+dparse==0.6.4; python_version >= '3.7'
+ruamel.yaml==0.17.21; python_version >= '3.7'
+
 safety==2.2.0
 dparse==0.6.2
 ruamel.yaml==0.17.21

diff --git a/requirements.txt b/requirements.txt
@@ -14,7 +14,7 @@ zhmcclient>=1.9.1
 prometheus-client>=0.17.1; python_version <= '3.7'
 prometheus-client>=0.19.0; python_version >= '3.8'
 
-urllib3>=1.25.18
+urllib3>=1.26.18
 jsonschema>=3.2.0
 Jinja2>=3.0.3; python_version == '3.6'
 Jinja2>=3.1.3; python_version >= '3.7'