Changed safety approach to distinguish between install and development

Details: * Split the safety runs between requirements file for installation and minimum-constraints file for development. The safety run for installation must succeed, while the safety run for development shows its issues, but is allowed to fail. Signed-off-by: Anil Kumar Dakarapu <anil.kumar.dakarapu@ibm.com>
zhmcclient · Feb 22, 2024 · 8bf058d · 8bf058d
1 parent e27ccce
commit 8bf058d
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 9 deletions.
diff --git a/.safety-policy.yml → .safety-policy-all.yml b/.safety-policy.yml → .safety-policy-all.yml
diff --git a/.safety-policy-install.yml b/.safety-policy-install.yml
@@ -0,0 +1,29 @@
+# Safety policy file for packages needed for installation
+# For documentation, see https://docs.pyup.io/docs/safety-20-policy-file
+
+# Configuration for the 'safety check' command
+security:
+
+    # Ignore certain severities.
+    # A number between 0 and 10, with the following significant values:
+    # - 9: ignore all vulnerabilities except CRITICAL severity
+    # - 7: ignore all vulnerabilities except CRITICAL & HIGH severity
+    # - 4: ignore all vulnerabilities except CRITICAL, HIGH & MEDIUM severity
+    ignore-cvss-severity-below: 0
+
+    # Ignore unknown severities.
+    # Should be set to False.
+    ignore-cvss-unknown-severity: False
+
+    # List of specific vulnerabilities to ignore.
+    # {id}:                 # vulnerability ID
+    #     reason: {text}    # optional: Reason for ignoring it. Will be reported in the Safety reports
+    #     expires: {date}   # optional: Date when this ignore will expire
+    ignore-vulnerabilities:
+        39611:
+            reason: PyYAML full_load method or FullLoader is not used
+        43975:
+            reason: Fixed Urllib3 versions are excluded by requests
+
+    # Continue with exit code 0 when vulnerabilities are found.
+    continue-on-vulnerability-error: False
diff --git a/Makefile b/Makefile
@@ -122,8 +122,9 @@ sanity_dir := tmp_sanity/collections/ansible_collections/ibm/ibm_zhmc
 sanity_dir1 := tmp_sanity
 sanity_tar_file := tmp_sanity.tar
 
-# Safety policy file
-safety_policy_file := .safety-policy.yml
+#Safety policy file (for packages needed for installation)
+safety_install_policy_file := .safety-policy-install.yml
+safety_all_policy_file := .safety-policy-all.yml
 
 # Packages whose dependencies are checked using pip-missing-reqs
 # Sphinx and ansible-doc-extractor are run only on Python>=3.6
@@ -291,7 +292,7 @@ check: _check_version $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done
 	@echo '$@ done.'
 
 .PHONY: safety
-safety: $(done_dir)/safety_$(pymn)_$(PACKAGE_LEVEL).done
+safety: $(done_dir)/safety_all_$(pymn)_$(PACKAGE_LEVEL).done $(done_dir)/safety_install_$(pymn)_$(PACKAGE_LEVEL).done
 	@echo "Makefile: $@ done."
 
 # Boolean variable indicating that the Ansible sanity test should be run in the current Python environment
@@ -470,21 +471,36 @@ $(done_dir)/install_pip_$(pymn)_$(PACKAGE_LEVEL).done: Makefile
 	$(PYTHON_CMD) -m pip install $(pip_level_opts) pip setuptools wheel
 	echo "done" >$@
 
-$(done_dir)/safety_$(pymn)_$(PACKAGE_LEVEL).done: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done Makefile $(safety_policy_file) minimum-constraints.txt
+$(done_dir)/safety_all_$(pymn)_$(PACKAGE_LEVEL).done: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done Makefile $(safety_all_policy_file) minimum-constraints.txt
 ifeq ($(python_major_version),2)
-	@echo "Makefile: Warning: Skipping Safety on Python $(python_version)" >&2
+	@echo "Makefile: Warning: Skipping Safety for all packages on Python $(python_version)" >&2
 else
 ifeq ($(python_m_n_version),3.5)
-	@echo "Makefile: Warning: Skipping Safety on Python $(python_version)" >&2
+	@echo "Makefile: Warning: Skipping Safety for all packages on Python $(python_version)" >&2
 else
-	@echo "Makefile: Running Safety"
+	@echo "Makefile: Running Safety for all packages"
 	-$(call RM_FUNC,$@)
-	safety check --policy-file $(safety_policy_file) -r minimum-constraints.txt --full-report
+	-safety check --policy-file $(safety_all_policy_file) -r minimum-constraints.txt --full-report
 	echo "done" >$@
 	@echo "Makefile: Done running Safety"
 endif
 endif
 
+$(done_dir)/safety_install_$(pymn)_$(PACKAGE_LEVEL).done: $(done_dir)/develop_$(pymn)_$(PACKAGE_LEVEL).done Makefile $(safety_install_policy_file) requirements.txt
+ifeq ($(python_major_version),2)
+	@echo "Makefile: Warning: Skipping Safety for install packages on Python $(python_version)" >&2
+else
+ifeq ($(python_m_n_version),3.5)
+	@echo "Makefile: Warning: Skipping Safety for install packages on Python $(python_version)" >&2
+else
+	@echo "Makefile: Running Safety for install packages"
+	-$(call RM_FUNC,$@)
+	safety check --policy-file $(safety_install_policy_file) -r requirements.txt --full-report
+	echo "done" >$@
+	@echo "Makefile: Done running Safety for install packages"
+endif
+endif
+
 $(dist_file): $(done_dir)/install_deps_$(pymn)_$(PACKAGE_LEVEL).done $(dist_dependent_files) galaxy.yml
 	mkdir -p $(dist_dir)
 	ansible-galaxy collection build --output-path=$(dist_dir) --force .

diff --git a/galaxy.yml b/galaxy.yml
@@ -81,7 +81,8 @@ build_ignore:
   - .flake8  # only in older branches
   - .travis.yml
   - .whitesource
-  - .safety-policy.yml
+  - .safety-policy-all.yml
+  - .safety-policy-install.yml
   - CODE_OF_CONDUCT.md
   - CONTRIBUTING.rst  # only in older branches
   - DCO1.1.txt  # only in older branches