snyk - 提供绝对文件路径时，Snyk 无法忽略漏洞

Question

项目根目录：C:\src\repos\test\abc

例如，这是我试图忽略的 Snyk issueId。命令运行良好，并且在项目根目录中创建了 .snyk YAML 文件。

C:\src\repos\test\abc> snyk ignore --id="SNYK-PYTHON-RSA-570831"

然后我对提供相对路径的 requirements.txt 文件执行 snyk 测试，然后检查 results1.json 确实确认它成功忽略了这个特定的 issueID

C:\src\repos\test\abc> snyk test --file='requirements.txt' --severity-threshold="medium" --skip-unresolved --json > results1.json

  "filtered": {
    "ignore": [
      {
        "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
        "alternativeIds": [],
        "creationTime": "2020-06-02T13:50:22.620471Z",
        "credit": [
          "Unknown"
        ],
        "cvssScore": 5.6,
        "description": "## Overview\n[rsa](https://pypi.org/project/rsa/) is a pure-Python RSA implementation.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. It does not detect `ciphertext` modification during decryption (prepended \"0\" bytes) in `PKCS1_v1_5`.\n## Remediation\nUpgrade `rsa` to version 4.1 or higher.\n## References\n- [GitHub Commit](https://github.com/sybrenstuvel/python-rsa/commit/93af6f2f89a9bf28361e67716c4240e691520f30)\n- [GitHub Issue](https://github.com/sybrenstuvel/python-rsa/issues/146)\n",
        "disclosureTime": "2020-06-02T13:45:26Z",
        "exploit": "Not Defined",
        "fixedIn": [
          "4.1"
        ],
        "functions": [],
        "functions_new": [],
        "id": "SNYK-PYTHON-RSA-570831",

但是当我提供文件的绝对路径，并且 .snyk 文件仍然存在于项目根目录中时，snyk 测试命令运行良好，但在检查 results2.json 时，它无法忽略该问题，它被列为脆弱性。

C:\src\repos\test\abc> snyk test --file='C:\\src\\repos\\test\\abc\\requirements.txt' --severity-threshold="medium" --skip-unresolved --json > results2.json

 "filesystemPolicy": false,
  "filtered": {
    "ignore": [],
    "patch": []
  },

有人可以解释为什么这不适用于给定的案例吗？

我需要 snyk ignore 来处理绝对文件路径，因为这是问题的要求。

score 0 · Accepted Answer

在 snyk 测试时使用标志来指定忽略策略文件有效。例如，--policy-path=/path/path/file

snyk - 提供绝对文件路径时，Snyk 无法忽略漏洞

1 回答 1

Related

Reference