@jannowotsch
Contributor

Extend the pipaudit rule, adding an option to ignore vulnerabilities.

Sometimes a vulnerability does not have a fix yet. In such a case, the user must be able to ignore those as there is no other option for third-party libraries.

One such case is the vulnerability https://github.com/advisories/GHSA-4xh5-x5gv-qwph, which is now affecting pip 25.2 as well but there is still no fix for it. Hence, it needs to be tolerated.

Extend the pipaudit rule, adding an option to ignore vulnerabilities.

Sometimes a vulnerability does not have a fix yet. In such a case, the
user must be able to ignore those as there is no other option for
third-party libraries.
The vulnerability `GHSA-4xh5-x5gv-qwph` is now affecting pip 25.2 as well but
there is still no fix for it. Hence, it needs to be tolerated for now.
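As an added example (not part of this PR or of the bazel-tools-python pipaudit rule), the following Python script applies an ignore list of the kind the PR introduces to a pip-audit JSON report. It goes one step beyond plain suppression: an ignore entry whose vulnerability now lists a fix version is reported as stale, which is exactly the situation the reviewer points out below for pip 25.3. The report layout (`dependencies` containing `vulns` with `id`, `aliases` and `fix_versions`) follows pip-audit's `--format json` output as I understand it and is an assumption; the sample report, the placeholder identifiers and all function names are constructed for this example.

```python
"""Apply a pipaudit-style ignore list to a pip-audit JSON report and flag stale ignores.

Added example; not code from the PR or the project. The report layout is assumed to
match `pip-audit --format json`; sample data and identifiers below are constructed.
"""
import json
from dataclasses import dataclass


# Constructed sample report. pip 25.2 carries the advisory from the PR description,
# here with a fix version recorded (the reviewer's point: a fixed release exists).
# The other identifiers are obvious placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "pip", "version": "25.2", "vulns": [
            {"id": "GHSA-4xh5-x5gv-qwph", "aliases": [], "fix_versions": ["25.3"],
             "description": "constructed sample entry"}]},
        {"name": "example-lib", "version": "1.0.0", "vulns": [
            {"id": "GHSA-PLACEHOLDER-0001", "aliases": ["CVE-0000-PLACEHOLDER"],
             "fix_versions": [], "description": "constructed sample entry, no fix yet"}]},
        {"name": "clean-lib", "version": "2.0.0", "vulns": []},
    ]
})


@dataclass
class Finding:
    package: str
    version: str
    vuln_id: str
    aliases: list
    fix_versions: list


def parse_report(report_json: str) -> list:
    """Flatten the report into one Finding per (package, vulnerability) pair."""
    data = json.loads(report_json)
    findings = []
    for dep in data.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            findings.append(Finding(
                package=dep["name"],
                version=dep["version"],
                vuln_id=vuln["id"],
                aliases=list(vuln.get("aliases", [])),
                fix_versions=list(vuln.get("fix_versions", [])),
            ))
    return findings


def evaluate(report_json: str, ignore_vulnerability: list) -> dict:
    """Classify every finding and every ignore entry.

    reported       findings not covered by the ignore list (the check must fail)
    ignored        findings suppressed by the list and still without a fix (tolerated)
    stale_ignores  ignore entries whose vulnerability now has a fix version; the entry
                   should be dropped and the package upgraded instead
    unused_ignores ignore entries that matched nothing (safe to delete)

    Design choice for this example: an ignore entry matches the advisory id or any alias,
    so a CVE id can be used where an advisory also carries a GHSA id.
    """
    ignore = set(ignore_vulnerability)
    result = {"reported": [], "ignored": [], "stale_ignores": [], "unused_ignores": []}
    matched = set()
    for f in parse_report(report_json):
        hits = ignore & ({f.vuln_id} | set(f.aliases))
        if not hits:
            result["reported"].append(f.vuln_id)
            continue
        matched |= hits
        bucket = "stale_ignores" if f.fix_versions else "ignored"
        result[bucket].extend(sorted(hits))
    result["unused_ignores"] = sorted(ignore - matched)
    return result


def exit_code(result: dict) -> int:
    """Fail when unignored findings remain or an ignore entry has gone stale."""
    return 1 if result["reported"] or result["stale_ignores"] else 0


if __name__ == "__main__":
    outcome = evaluate(SAMPLE_REPORT, ["GHSA-4xh5-x5gv-qwph"])
    print(json.dumps(outcome, indent=2))
    raise SystemExit(exit_code(outcome))
```

Run against the embedded sample, the script exits non-zero for two separate reasons: the placeholder advisory on `example-lib` is not on the ignore list, and the pip entry is stale because a fix version is recorded. Treating a stale ignore as a failure is what keeps an ignore list from silently outliving the reason it was added.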
@github-actions

github-actions bot commented Oct 29, 2025

License Check Results

🚀 The license check job ran with the Bazel command:

bazel run //:license-check

Status: ⚠️ Needs Review

[License Check Output]
Extracting Bazel installation...
Starting local Bazel server and connecting to it...
INFO: Invocation ID: 0d869168-bf39-4a14-9690-e958fac4b58d
Computing main repo mapping: 
Loading: 
Loading: 2 packages loaded
Analyzing: target //:license-check (3 packages loaded, 0 targets configured)

Analyzing: target //:license-check (66 packages loaded, 10 targets configured)

Analyzing: target //:license-check (112 packages loaded, 800 targets configured)

Analyzing: target //:license-check (120 packages loaded, 2317 targets configured)

Analyzing: target //:license-check (124 packages loaded, 2345 targets configured)

Analyzing: target //:license-check (128 packages loaded, 2370 targets configured)

Analyzing: target //:license-check (130 packages loaded, 4379 targets configured)

INFO: Analyzed target //:license-check (132 packages loaded, 4626 targets configured).
[8 / 13] checking cached actions
[10 / 13] checking cached actions
[11 / 13] [Prepa] JavaToolchainCompileBootClasspath external/rules_java~/toolchains/platformclasspath.jar
INFO: Found 1 target...
Target //:license.check.license_check up-to-date:
  bazel-bin/license.check.license_check
  bazel-bin/license.check.license_check.jar
INFO: Elapsed time: 21.371s, Critical Path: 0.77s
INFO: 13 processes: 3 disk cache hit, 9 internal, 1 processwrapper-sandbox.
INFO: Build completed successfully, 13 total actions
INFO: Running command line: bazel-bin/license.check.license_check ./formatted.txt -review -project automotive.score -repo https://github.com/eclipse-score/bazel-tools-python -token
usage: org.eclipse.dash.licenses.cli.Main [-batch <int>] [-cd <url>]
       [-confidence <int>] [-ef <url>] [-excludeSources <sources>] [-help] [-lic
       <url>] [-project <shortname>] [-repo <url>] [-review] [-summary <file>]
       [-timeout <seconds>] [-token <token>]

Comment on lines 56 to 58
ignore_vulnerability = [
    "GHSA-4xh5-x5gv-qwph", # Added because there is no fix yet for pip 25.2.
],
Contributor


I would not add it as a fix is already available with pip 25.3

@jannowotsch jannowotsch force-pushed the pip-audit-ignore branch 2 times, most recently from e524551 to 1104004 on October 30, 2025 08:33
@antonkri antonkri self-requested a review October 30, 2025 10:25
@antonkri antonkri merged commit a1e9d6c into eclipse-score:main Oct 30, 2025
5 of 7 checks passed
@jannowotsch jannowotsch deleted the pip-audit-ignore branch December 18, 2025 09:53