gitlab-ci: port to Safety 3.x and move to own job

https://docs.safetycli.com/safety-docs/installation/gitlab https://docs.safetycli.com/safety-docs/administration/safety-policy-files
2025-11-04 14:30:30 +03:00 · 2024-08-30 12:05:23 +02:00 · 2024-08-30 12:05:23 +02:00 · d9e9618c56
commit d9e9618c56
parent b1084c0b8a
2 changed files with 83 additions and 35 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -213,7 +213,7 @@ gradlew-fdroid:


 # Run all the various linters and static analysis tools.
-lint_format_safety_bandit_checks:
+lint_format_bandit_checks:
  image: debian:bookworm-slim
  variables:
    LANG: C.UTF-8
@ -235,7 +235,7 @@ lint_format_safety_bandit_checks:
          python3-pip
          python3-yaml
          shellcheck
-    - $pip install --break-system-packages bandit safety
+    - $pip install --break-system-packages bandit
    - export EXITVALUE=0
    - function set_error() { export EXITVALUE=1; printf "\x1b[31mERROR `history|tail -2|head -1|cut -b 6-500`\x1b[0m\n"; }
    - ./hooks/pre-commit || set_error
@ -244,7 +244,6 @@ lint_format_safety_bandit_checks:
        -ii
        --ini .bandit
        || set_error
-    - safety check --full-report || set_error
    - pylint --output-format=colorized --reports=n
            fdroid
            makebuildserver
@ -258,6 +257,34 @@ lint_format_safety_bandit_checks:
    - exit $EXITVALUE


+# Check all the dependencies in Debian to mirror production.  CVEs are
+# generally fixed in the latest versions in pip/pypi.org, so it isn't
+# so important to scan that kind of install in CI.
+# https://docs.safetycli.com/safety-docs/installation/gitlab
+safety:
+  only:
+    changes:
+      - .gitlab-ci.yml
+      - .safety-policy.yml
+      - pyproject.toml
+      - setup.py
+  image: debian:bookworm-slim
+  <<: *apt-template
+  variables:
+    LANG: C.UTF-8
+  script:
+    - test -n "$SAFETY_API_KEY" || exit 0
+    - apt-get install
+        fdroidserver
+        python3-biplist
+        python3-pip
+        python3-pycountry
+    - $pip install --break-system-packages .
+
+    - $pip install --break-system-packages safety
+    - python3 -m safety --key "$SAFETY_API_KEY" --stage cicd scan
+
+
 # Run all the various linters and static analysis tools.
 locales:
  image: debian:bookworm-slim
--- a/.safety-policy.yml
+++ b/.safety-policy.yml
@ -1,34 +1,55 @@
 ---

-security:
-  ignore-vulnerabilities:
-    52495:
-      reason: setuptools comes from Debian
-      expires: '2025-01-31'
-    60350:
-      reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40267
-      expires: '2025-01-31'
-    60789:
-      reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40590
-      expires: '2025-01-31'
-    60841:
-      reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-41040
-      expires: '2025-01-31'
-    62044:
-      reason: "F-Droid doesn't fetch pip dependencies directly from hg/mercurial repositories: https://data.safetycli.com/v/62044/f17/"
-      expires: '2025-01-31'
-    63687:
-      reason: Only affects Windows https://security-tracker.debian.org/tracker/CVE-2024-22190
-      expires: '2026-01-31'
-    67599:
-      reason: Only affects pip when using --extra-index-url, which is never the case in fdroidserver CI.
-      expires: '2026-05-31'
-    70612:
-      reason: jinja2 is not used by fdroidserver, nor any dependencies I could find via debtree and pipdeptree.
-      expires: '2026-05-31'
-    72132:
-      reason: We get these packages from Debian, zipp is not used in production, and its only a DoS.
-      expires: '2026-08-31'
-    72236:
-      reason: setuptools comes from Debian
-      expires: '2026-08-31'
+version: '3.0'
+
+scanning-settings:
+  max-depth: 6
+  exclude:
+
+report:
+  dependency-vulnerabilities:
+    enabled: true
+    auto-ignore-in-report:
+      vulnerabilities:
+        52495:
+          reason: setuptools comes from Debian
+          expires: '2025-01-31'
+        60350:
+          reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40267
+          expires: '2025-01-31'
+        60789:
+          reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-40590
+          expires: '2025-01-31'
+        60841:
+          reason: GitPython comes from Debian https://security-tracker.debian.org/tracker/CVE-2023-41040
+          expires: '2025-01-31'
+        62044:
+          reason: "F-Droid doesn't fetch pip dependencies directly from hg/mercurial repositories: https://data.safetycli.com/v/62044/f17/"
+          expires: '2025-01-31'
+        63687:
+          reason: Only affects Windows https://security-tracker.debian.org/tracker/CVE-2024-22190
+          expires: '2026-01-31'
+        67599:
+          reason: Only affects pip when using --extra-index-url, which is never the case in fdroidserver CI.
+          expires: '2026-05-31'
+        70612:
+          reason: jinja2 is not used by fdroidserver, nor any dependencies I could find via debtree and pipdeptree.
+          expires: '2026-05-31'
+        72132:
+          reason: We get these packages from Debian, zipp is not used in production, and its only a DoS.
+          expires: '2026-08-31'
+        72236:
+          reason: setuptools comes from Debian
+          expires: '2026-08-31'
+
+fail-scan-with-exit-code:
+  dependency-vulnerabilities:
+    enabled: true
+    fail-on-any-of:
+      cvss-severity:
+        - critical
+        - high
+        - medium
+
+security-updates:
+  dependency-vulnerabilities: