complete consolidation of Safety ignore-lists

[cfm]

Witness what's been needed to ignore Safety 61601 (urllib3 CVE-2023-43804) to date:

• Ignore urllib3 CVE-2023-43804 fpf-misc-resources#22
• chore: ignore urllib3 CVE-2023-43804 securedrop#7068
• chore: ignore urllib3 CVE-2023-43804 securedrop-client#1670
• Plus dismissing the alert in GitHub's UI

[legoktm]

Now that we have fpf-misc-resources is there value in the having per-repository safety jobs? My initial impression is that there isn't - the only thing it would catch is if we were adding a new library that happened to have a security vuln, but there's no guarantee it would get caught because CI uses the free safety repo that is up to a month behind, while the fpf-misc-resources job uses the up-to-date version.

[zenmonkeykstop]

I do think we should pick one - but I'm not sure this is the one that I would pick. In much the same way as we're looking at moving debian/s back into their respective repos to reduce overhead, these ignore lists relate to dependency manage within individual projects and are probably going to be easier to manage there. But for sure, the ~month delay is a pain.

[legoktm]

We could also keep the per-repo safety jobs but use the ignore list from the fpf-misc-resources repository (just checkout the repo during the test run and make sure safety uses it for the exclude list instead of all of our --ignore lines.

---

In the meantime I've been using this script for a while now:

#!/usr/bin/env python3

import json
from pathlib import Path

data = json.loads(Path("projectfiles/securedrop.json").read_text())
for id in sorted(data["variables"]["SAFETY_IGNORE_IDS"]):
    print(f"		--ignore {id} \\")

to generate the Makefile listing.