
build: remove safety (#19859)

josh 4 years ago
parent
commit
5d4184a119
2 changed files with 1 additions and 72 deletions
  1. 1 14
      .travis.yml
  2. 0 58
      bin/scan

+ 1 - 14
.travis.yml

@@ -179,7 +179,7 @@ matrix:
         - *install_node_dependencies
 
     - python: 3.7
-      name: 'pre-commit hooks (includes python linting + format check) and dependency scanning'
+      name: 'pre-commit hooks (includes python linting + format check)'
       install:
         # XXX: this must be synced with requirements-dev.txt
         - pip install 'sentry-flake8==0.3.0'
@@ -189,19 +189,6 @@ matrix:
         # XXX: there is a very small chance that it'll expand to exceed Linux's limits
         #      `getconf ARG_MAX` - max # bytes of args + environ for exec()
         - pre-commit run --files $(git diff --diff-filter=d --name-only master)
-        # If pre-commit was good, then we scan dependencies.
-        # Note that this isn't moved to an after_script since that would override what we already have.
-        # XXX: ideally we don't have to install sentry in its entirety just to scan dependencies...
-        # see the note in bin/scan on why this needs to be done for now.
-        # Note that this will mostly noop because we pull in a cached venv from Travis.
-        - SENTRY_LIGHT_BUILD=1 SENTRY_PYTHON3=1 pip install -e .
-        - pip install safety
-        # XXX: fun fact, as of April 2020 travis preinstalls numpy 1.15.4 in their 3.7 environments
-        # and the safety scanner won't like that (safety id 36810)
-        # Previously we had 36810 ignored in bin/scan until it was removed because it was fixed in
-        # travis 2.7. So this is isolated to at least travis 3.7.
-        - pip uninstall -y numpy
-        - bin/scan
 
     - <<: *postgres_default
       name: 'Backend with migrations [Postgres] (1/2)'
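Review bot: After this hunk the `python: 3.7` job runs only pre-commit, and nothing in the commit records where dependency vulnerability scanning now happens or why it was dropped, so the next reader of `.travis.yml` cannot tell whether the gap is intentional. The deleted `bin/scan` also carried the accepted-risk rationale for the ignored advisories (e.g. CVE-2019-17543 in confluent-kafka, the Pillow decoder issues), and that record disappears with it. I would add a comment after the `pre-commit run` line such as `# Dependency scanning (safety via bin/scan) was removed in #19859; see that PR for the accepted-risk notes on previously ignored advisories.` and name the replacement scan, if any, in the PR description. The `matrix:` list continues outside the hunk.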

+ 0 - 58
bin/scan

@@ -1,58 +0,0 @@
-#!/bin/bash
-
-ignored=(
-    # LOW priority: confluent-kafka
-    # XXX: These issues are in safety's db, but not in synk :\
-    # 1.3.0 upgrades builtin lz4 to 1.9.2 (a heap overflow was fixed) CVE-2019-17543
-    # This affects us, but we've never actually seen this in production.
-    38072
-    # We don't set security.protocol - it defaults to plaintext.
-    # The following two issues are related to ssl and sasl.
-    # 1.1.0 securely clears the private key data from memory after last use.
-    # Doesn't seem to have a CVE assigned to this.
-    37508
-    # 1.4.0 addresses two security issues in the SASL SCRAM protocol handler.
-    38165
-
-    # LOW priority: pyyaml
-    # Arbitrary code execution in full_load/SafeLoader - doesn't apply to us.
-    38100
-
-    # Pipenv is complaining. We don't use it and it comes with travis by default.
-    38334
-
-    # LOW priority: djangorestframework
-    # XXX: This is... unfortunately not present in safety's db right now. It is in synk though:
-    # https://snyk.io/vuln/SNYK-PYTHON-DJANGORESTFRAMEWORK-450194
-    # XSS in the "browsable api" drf < 3.9.1 view templates - doesn't apply to us.
-
-    # LOW priority: Pillow
-    # This doesn't apply to us, these issues are related to decoding of some less popular image
-    # formats (FLI, PCX, TIFF, JPEG 2000, SGI-RLE) which we do not allow to be uploaded anyways.
-    # Additionally, Pillow maintainers do not intend on backporting the fixes to their py2 versions.
-    # https://github.com/python-pillow/Pillow/issues/4750
-    38449
-    38450
-    38451
-    38452
-)
-
-# Take additional ignores from argv.
-# This enables script re-use in getsentry
-if [ $# -ge 1 ]; then
-    for i in "$@"; do
-        ignored+=("$i")
-    done
-fi
-
-args="--full-report"
-for i in ${ignored[@]}; do
-  args="$args --ignore=${i}"
-done
-
-# TODO(joshuarli): massage how getsentry bin/scan calls out to this so that this can work
-# without actually installing sentry in CI
-# HERE="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-# exec safety check -r "${HERE}/../requirements-base.txt" ${args}
-
-exec safety check ${args}