问题描述
项目根目录:C:\ src \ repos \ test \ abc
例如,这是我要忽略的Snyk issueId。命令运行正常,并且在项目根目录中创建了.snyk YAML文件。
C:\src\repos\test\abc> snyk ignore --id="SNYK-PYTHON-RSA-570831"
然后,我对提供相对路径的requirements.txt文件执行snyk测试,然后检查result1.json确实确认它已成功忽略了此特定的issueID
C:\src\repos\test\abc> snyk test --file='requirements.txt' --severity-threshold="medium" --skip-unresolved --json > results1.json
"filtered": {
"ignore": [
{
"CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L","alternativeIds": [],"creationTime": "2020-06-02T13:50:22.620471Z","credit": [
"UnkNown"
],"cvssscore": 5.6,"description": "## Overview\n[rsa](https://pypi.org/project/rsa/) is a pure-Python RSA implementation.\n\nAffected versions of this package are vulnerable to Access Restriction Bypass. It does not detect `ciphertext` modification during decryption (prepended \"0\" bytes) in `PKCS1_v1_5`.\n## Remediation\nUpgrade `rsa` to version 4.1 or higher.\n## References\n- [GitHub Commit](https://github.com/sybrenstuvel/python-rsa/commit/93af6f2f89a9bf28361e67716c4240e691520f30)\n- [GitHub Issue](https://github.com/sybrenstuvel/python-rsa/issues/146)\n","disclosureTime": "2020-06-02T13:45:26Z","exploit": "Not Defined","fixedIn": [
"4.1"
],"functions": [],"functions_new": [],"id": "SNYK-PYTHON-RSA-570831",但是当我提供文件的绝对路径并且项目根目录中仍然存在.snyk文件时,snyk test命令运行得很好,但是在检查result2.json时,它无法忽略该问题,并且列为漏洞。
C:\src\repos\test\abc> snyk test --file='C:\\src\\repos\\test\\abc\\requirements.txt' --severity-threshold="medium" --skip-unresolved --json > results2.json
"filesystemPolicy": false,"filtered": {
"ignore": [],"patch": []
},有人可以解释为什么这不适用于特定情况吗?
我需要snyk忽略才能处理绝对文件路径,因为这是问题的必要条件。
解决方法
在snyk测试期间使用该标志来指定忽略策略文件是有效的。例如,-policy-path = / path / path / file