Revert changes to .snyk and .safety-policy.yml: continue suppressing Scrapy vulnerability 54672.
Matthew-Grayson committed Feb 17, 2024
1 parent 2b4786f commit da1056f
Showing 2 changed files with 12 additions and 7 deletions.
9 changes: 7 additions & 2 deletions backend/.snyk
@@ -1,8 +1,13 @@
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. See https://docs.snyk.io/scan-with-snyk/the-.snyk-file for more information.
# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.

version: v1.22.1

# ignores vulnerabilities until expiry date; change duration by modifying expiry date

ignore:

# ignore scrapy 2.x.x for 6 months.
SNYK-PYTHON-SCRAPY-40690:
- '*':
reason: No fix available up to version 2.11.0
expires: 2024-06-01T00:00:00.000Z
patch: {}
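Review bot: the comment `# ignore scrapy 2.x.x for 6 months.` does not match the expiry it annotates: this commit is dated Feb 17, 2024, and `expires: 2024-06-01T00:00:00.000Z` is only about three and a half months out, so either the comment or the date should change. While here, the `reason` for the wildcard `'*'` ignore of `SNYK-PYTHON-SCRAPY-40690` records only that no fixed release exists up to 2.11.0; it would be more useful to state why the exposure is acceptable until the expiry (for example whether the affected code path is reachable from the worker) and to cross-reference the Safety ID 54672 named in the commit message, since the same Scrapy issue is now tracked under two different identifiers in two policy files.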
10 changes: 5 additions & 5 deletions backend/worker/.safety-policy.yml
Expand Up @@ -4,11 +4,11 @@
# Otherwise, you can use the flag `safety check --policy-file <path-to-this-file>` to specify a custom location and name for the file.
# To validate and review your policy file, run the validate command: `safety validate policy_file --path <path-to-this-file>`
security: # configuration for the `safety check` command
ignore-cvss-severity-below: 0 # A severity number between 0 and 10. Some helpful reference points: 9=ignore all vulnerabilities except CRITICAL severity. 7=ignore all vulnerabilities except CRITICAL
ignore-cvss-severity-below: 0 # A severity number between 0 and 10. Some helpful reference points: 9=ignore all vulnerabilities except CRITICAL severity. 7=ignore all vulnerabilities except CRITICAL & HIGH severity. 4=ignore all vulnerabilities except CRITICAL, HIGH & MEDIUM severity.
ignore-cvss-unknown-severity: False # True or False. We recommend you set this to False.
ignore-vulnerabilities: # Here you can list multiple specific vulnerabilities you want to ignore (optionally for a time period)
# We recommend making use of the optional `reason` and `expires` keys for each vulnerability that you ignore.
25853: # Example vulnerability ID
reason: we do not use the vulnerable function # optional, for internal note purposes to communicate with your team. This reason will be reported in the Safety reports
expires: '2022-10-21' # datetime string - date this ignore will expire, best practice to use this variable
continue-on-vulnerability-error: False # Suppress non-zero exit codes when vulnerabilities are found. Enable this in pipelines and CI/CD processes if you want to pass builds that have vulnerabilities
54672: # Vulnerability found in scrapy version >= 0.7
reason: No fix currently available # optional, for internal note purposes to communicate with your team. This reason will be reported in the Safety reports
expires: '2024-06-01' # We will revisit for a fix in 6 months.
continue-on-vulnerability-error: False # Suppress non-zero exit codes when vulnerabilities are found. Enable this in pipelines and CI/CD processes if you want to pass builds that have vulnerabilities. We recommend you set this to False.
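Review bot: the sample entry `25853: # Example vulnerability ID` with `expires: '2022-10-21'` is still listed under `ignore-vulnerabilities:` next to the real `54672:` entry; it is boilerplate from the Safety policy template, and even though it has long expired it should be removed so the list contains only deliberate ignores. The new `54672:` entry has the same date mismatch as the .snyk change: `expires: '2024-06-01'` is roughly three and a half months after this Feb 17, 2024 commit, not the "6 months" the comment promises, so align one with the other and consider naming the advisory or CVE behind 54672 in `reason` rather than only "No fix currently available". Finally, since indentation is lost in this rendered view, please confirm that the `54672:` block sits under `ignore-vulnerabilities:` and that the resulting file keeps a single `continue-on-vulnerability-error` key at the `security:` level.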

0 comments on commit da1056f
