From 89da9c1e40d68733f152f3ec818c1ea56e5d9d57 Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Wed, 8 Jan 2025 13:39:59 +0530 Subject: [PATCH 01/22] Create bandit.yml --- .github/workflows/bandit.yml | 41 ++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/bandit.yml diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml new file mode 100644 index 0000000000..3e3d3b97ae --- /dev/null +++ b/.github/workflows/bandit.yml @@ -0,0 +1,41 @@ +name: Bandit Code Scan + +on: + push: + branches: + - develop + - v1.7.x + pull_request: + types: [opened, synchronize, reopened, ready_for_review] + +jobs: + bandit_scan: + if: github.event.pull_request.draft == false + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Bandit Scan + runs-on: ubuntu-22.04 + timeout-minutes: 15 + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Set Report Date + run: echo "REPORT_DATE=$(date +'%d-%b-%Y')" >> $GITHUB_ENV + + - name: Perform Bandit Analysis + uses: PyCQA/bandit-action@v1 + with: + args: -r . -f json -o ${{ env.JSON_REPORT_PATH }} + env: + JSON_REPORT_PATH: ${{ github.workspace }}/${{ env.JSON_REPORT }} + + - name: Upload Bandit Report as Artifact + if: always() + uses: actions/upload-artifact@v4 + with: + name: "bandit-report-summary_${{ env.REPORT_DATE }}" + path: ${{ env.JSON_REPORT_PATH }} From 5086a46d14a65225018a73f9827315db080b9ef0 Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Wed, 8 Jan 2025 14:05:59 +0530 Subject: [PATCH 02/22] Update bandit.yml for env --- .github/workflows/bandit.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
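Review bot: `JSON_REPORT_PATH` in the Perform Bandit Analysis step expands to `${{ github.workspace }}/` because `env.JSON_REPORT` is never defined anywhere in this file, so bandit's `-o` is handed a directory and the Upload step has no file to collect. Both actions are referenced by floating tags (`actions/checkout@v3`, `PyCQA/bandit-action@v1`) while the job holds `security-events: write`; for a security workflow pin each `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v3`. `security-events: write` and `actions: read` are granted for an `upload-sarif` step that does not exist in this workflow, so drop them until such a step is added. `if: github.event.pull_request.draft == false` also evaluates true on `push` events (the context is null there), which is presumably intended but deserves a one-line comment.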
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 3e3d3b97ae..9c60cb4afa 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -26,12 +26,13 @@ jobs: - name: Set Report Date run: echo "REPORT_DATE=$(date +'%d-%b-%Y')" >> $GITHUB_ENV + - name: Define JSON Report Path + run: echo "JSON_REPORT_PATH=${{ github.workspace }}/bandit_report.json" >> $GITHUB_ENV + - name: Perform Bandit Analysis uses: PyCQA/bandit-action@v1 with: args: -r . -f json -o ${{ env.JSON_REPORT_PATH }} - env: - JSON_REPORT_PATH: ${{ github.workspace }}/${{ env.JSON_REPORT }} - name: Upload Bandit Report as Artifact if: always() From f72c5982bed741d0af5a25afd77a424cd3e84493 Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Wed, 8 Jan 2025 14:08:49 +0530 Subject: [PATCH 03/22] Added Json report Env --- .github/workflows/bandit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 9c60cb4afa..2d3b2a9be9 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -27,7 +27,7 @@ jobs: run: echo "REPORT_DATE=$(date +'%d-%b-%Y')" >> $GITHUB_ENV - name: Define JSON Report Path - run: echo "JSON_REPORT_PATH=${{ github.workspace }}/bandit_report.json" >> $GITHUB_ENV + run: echo "JSON_REPORT_PATH=${{ github.workspace }}/bandit_report_${{ env.REPORT_DATE }}.json" >> $GITHUB_ENV - name: Perform Bandit Analysis uses: PyCQA/bandit-action@v1 From 7db66e0203794cb647588a60114868100c12b8f4 Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Sun, 12 Jan 2025 22:14:50 +0530 Subject: [PATCH 04/22] Update bandit.yml --- .github/workflows/bandit.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 2d3b2a9be9..cfcc4f3ce2 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml 
@@ -32,8 +32,8 @@ jobs: - name: Perform Bandit Analysis uses: PyCQA/bandit-action@v1 with: - args: -r . -f json -o ${{ env.JSON_REPORT_PATH }} - + targets: "." + - name: Upload Bandit Report as Artifact if: always() uses: actions/upload-artifact@v4 From 36d747f976c3e56e765c26d7889dd64d656a79ae Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Sun, 12 Jan 2025 22:20:17 +0530 Subject: [PATCH 05/22] Update bandit.yml --- .github/workflows/bandit.yml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index cfcc4f3ce2..f2b2965769 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -20,6 +20,7 @@ jobs: timeout-minutes: 15 steps: + steps: - name: Checkout code uses: actions/checkout@v3 @@ -32,8 +33,18 @@ jobs: - name: Perform Bandit Analysis uses: PyCQA/bandit-action@v1 with: - targets: "." - + configfile: 'DEFAULT' + profile: 'DEFAULT' + tests: 'DEFAULT' + skips: 'DEFAULT' + severity: 'DEFAULT' + confidence: 'DEFAULT' + exclude: '.svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg' + baseline: 'DEFAULT' + ini: 'DEFAULT' + targets: '.' + args: '-r . -f json -o ${{ env.JSON_REPORT_PATH }}' + - name: Upload Bandit Report as Artifact if: always() uses: actions/upload-artifact@v4 From 0dee2bed79f4f23ec787e6c265fdd1177f822ba7 Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Sun, 12 Jan 2025 22:22:07 +0530 Subject: [PATCH 06/22] Update bandit.yml --- .github/workflows/bandit.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index f2b2965769..574ae071d3 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -18,9 +18,7 @@ jobs: name: Bandit Scan runs-on: ubuntu-22.04 timeout-minutes: 15 - steps: - steps: - name: Checkout code uses: actions/checkout@v3 From 5c9b1cbc58218a0a3950f90abd4d1365e6427bc7 Mon Sep 17 00:00:00 2001 
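Review bot: `args: '-r . -f json -o …'` in Perform Bandit Analysis repeats the target that `targets: '.'` already supplies and forces `-f json`, so the result depends on how bandit-action composes its command line (not visible here) and may scan `.` twice or override the output format the action expects for its own report. Keep one of the two: either drop `targets` and own the full command in `args`, or pass only `-f json -o …` in `args`. The nine `'DEFAULT'` inputs and the `exclude` string restate the action's documented defaults and can be removed to keep the step readable.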
From: Nambi Srinivasan S Date: Sun, 12 Jan 2025 22:24:27 +0530 Subject: [PATCH 07/22] Update bandit.yml --- .github/workflows/bandit.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 574ae071d3..7d8679bef7 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -25,8 +25,8 @@ jobs: - name: Set Report Date run: echo "REPORT_DATE=$(date +'%d-%b-%Y')" >> $GITHUB_ENV - - name: Define JSON Report Path - run: echo "JSON_REPORT_PATH=${{ github.workspace }}/bandit_report_${{ env.REPORT_DATE }}.json" >> $GITHUB_ENV + - name: Define SARIF Report Path + run: echo "SARIF_REPORT_PATH=${{ github.workspace }}/results.sarif" >> $GITHUB_ENV - name: Perform Bandit Analysis uses: PyCQA/bandit-action@v1 @@ -41,11 +41,15 @@ jobs: baseline: 'DEFAULT' ini: 'DEFAULT' targets: '.' - args: '-r . -f json -o ${{ env.JSON_REPORT_PATH }}' - - name: Upload Bandit Report as Artifact + - name: Upload Bandit SARIF Report as Artifact if: always() uses: actions/upload-artifact@v4 with: name: "bandit-report-summary_${{ env.REPORT_DATE }}" - path: ${{ env.JSON_REPORT_PATH }} + path: ${{ env.SARIF_REPORT_PATH }} + + - name: Upload SARIF file to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ env.SARIF_REPORT_PATH }} From 91fd049722af51ba3d9696c3e6d3d9128b6ab90f Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Sun, 12 Jan 2025 22:41:39 +0530 Subject: [PATCH 08/22] Update bandit.yml --- .github/workflows/bandit.yml | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 7d8679bef7..bc920bfdb4 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml 
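Review bot: The new Upload SARIF file to GitHub Code Scanning step has no `if: always()`, unlike the artifact upload just above it, so if the Bandit step fails the job (bandit exits non-zero when it reports findings, and I assume the action propagates that — confirm) the SARIF reaches Code Scanning only on runs that found nothing. Add `if: always()` to that step so findings land as Code Scanning alerts even when the scan step is red. `SARIF_REPORT_PATH` also assumes the action writes `results.sarif` into the workspace; nothing in this workflow sets that path, so tie it to the action's documented output (or pass it explicitly via `args`) rather than relying on an implicit default.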
@@ -25,10 +25,12 @@ jobs: - name: Set Report Date run: echo "REPORT_DATE=$(date +'%d-%b-%Y')" >> $GITHUB_ENV - - name: Define SARIF Report Path - run: echo "SARIF_REPORT_PATH=${{ github.workspace }}/results.sarif" >> $GITHUB_ENV + - name: Define Report Paths + run: | + echo "SARIF_REPORT_PATH=${{ github.workspace }}/results.sarif" >> $GITHUB_ENV + echo "HTML_REPORT_PATH=${{ github.workspace }}/results.html" >> $GITHUB_ENV - - name: Perform Bandit Analysis + - name: Perform Bandit Analysis (SARIF) uses: PyCQA/bandit-action@v1 with: configfile: 'DEFAULT' @@ -42,6 +44,12 @@ jobs: ini: 'DEFAULT' targets: '.' + - name: Install SARIF Tools + run: pip install sarif-tools + + - name: Convert SARIF to HTML + run: sarif-tools html ${{ env.SARIF_REPORT_PATH }} -o ${{ env.HTML_REPORT_PATH }} + - name: Upload Bandit SARIF Report as Artifact if: always() uses: actions/upload-artifact@v4 @@ -49,7 +57,9 @@ jobs: name: "bandit-report-summary_${{ env.REPORT_DATE }}" path: ${{ env.SARIF_REPORT_PATH }} - - name: Upload SARIF file to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v3 + - name: Upload Bandit HTML Report as Artifact + if: always() + uses: actions/upload-artifact@v4 with: - sarif_file: ${{ env.SARIF_REPORT_PATH }} + name: "bandit-html-report_${{ env.REPORT_DATE }}" + path: ${{ env.HTML_REPORT_PATH }} From ac9f270b11acfd2c3eeec8fdbff0598fe7c25fda Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Sun, 12 Jan 2025 22:43:40 +0530 Subject: [PATCH 09/22] Update bandit.yml --- .github/workflows/bandit.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index bc920bfdb4..a3f41a73d7 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml 
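Review bot: `pip install sarif-tools` in Install SARIF Tools fetches an unpinned package from PyPI at run time into a job that holds `security-events: write`, so a compromised or substituted release runs with the job's token; pin it to an exact version with hashes (`pip install --require-hashes -r tools-requirements.txt`) or vendor the converter. Neither the install nor the Convert SARIF to HTML step has `if: always()`, so on the runs that actually have findings (if the scan step fails the job) no HTML is produced and the HTML artifact upload fails on a missing file. As far as I recall that package's console entry point is `sarif`, not `sarif-tools`, so check the command before relying on the artifact.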
@@ -46,9 +46,9 @@ jobs: - name: Install SARIF Tools run: pip install sarif-tools - + - name: Convert SARIF to HTML - run: sarif-tools html ${{ env.SARIF_REPORT_PATH }} -o ${{ env.HTML_REPORT_PATH }} + run: python -m sarif_tools.html ${{ env.SARIF_REPORT_PATH }} -o ${{ env.HTML_REPORT_PATH }} - name: Upload Bandit SARIF Report as Artifact if: always() @@ -63,3 +63,8 @@ jobs: with: name: "bandit-html-report_${{ env.REPORT_DATE }}" path: ${{ env.HTML_REPORT_PATH }} + + - name: Upload SARIF file to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ env.SARIF_REPORT_PATH }} From a68cba040f2f76bed0867bb19e8e3306e7911c12 Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Sun, 12 Jan 2025 22:46:40 +0530 Subject: [PATCH 10/22] Update bandit.yml --- .github/workflows/bandit.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index a3f41a73d7..ed006c556f 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -21,7 +21,7 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v3 - + - name: Set Report Date run: echo "REPORT_DATE=$(date +'%d-%b-%Y')" >> $GITHUB_ENV @@ -44,11 +44,11 @@ jobs: ini: 'DEFAULT' targets: '.' - - name: Install SARIF Tools - run: pip install sarif-tools - + - name: Install SARIF to HTML Converter + run: npm install -g @microsoft/sarif-multitool + - name: Convert SARIF to HTML - run: python -m sarif_tools.html ${{ env.SARIF_REPORT_PATH }} -o ${{ env.HTML_REPORT_PATH }} + run: sarif-multitool transform ${{ env.SARIF_REPORT_PATH }} --output ${{ env.HTML_REPORT_PATH }} - name: Upload Bandit SARIF Report as Artifact if: always() From 613ff78251b7a1fccd25b1c92beb32fea4e8249b Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Sun, 12 Jan 2025 22:50:05 +0530 Subject: [PATCH 11/22] Update bandit.yml --- .github/workflows/bandit.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) 
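Review bot: `npm install -g @microsoft/sarif-multitool` fetches an unpinned package (which in turn downloads a platform binary, if I remember correctly — verify) on every run, so this swaps the unpinned PyPI dependency for an unpinned npm one and adds a second ecosystem to audit; pin an exact version (`@microsoft/sarif-multitool@<version>`) and record it in a lockfile. `sarif-multitool transform` converts between SARIF schema versions rather than rendering HTML as far as I know, so `--output results.html` will most likely be SARIF JSON under an `.html` name; confirm the subcommand against the multitool's help output before shipping the artifact.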
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index ed006c556f..7d3ec70639 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -48,7 +48,7 @@ jobs: run: npm install -g @microsoft/sarif-multitool - name: Convert SARIF to HTML - run: sarif-multitool transform ${{ env.SARIF_REPORT_PATH }} --output ${{ env.HTML_REPORT_PATH }} + run: sarif-multitool rewrite ${{ env.SARIF_REPORT_PATH }} --output ${{ env.HTML_REPORT_PATH }} - name: Upload Bandit SARIF Report as Artifact if: always() @@ -63,8 +63,3 @@ jobs: with: name: "bandit-html-report_${{ env.REPORT_DATE }}" path: ${{ env.HTML_REPORT_PATH }} - - - name: Upload SARIF file to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: ${{ env.SARIF_REPORT_PATH }} From 5412498d9ee0f81cde2bafef6f5f4ebb3185e65c Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Sun, 12 Jan 2025 22:56:50 +0530 Subject: [PATCH 12/22] Update bandit.yml --- .github/workflows/bandit.yml | 28 +++++++--------------------- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 7d3ec70639..574ae071d3 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -21,16 +21,14 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v3 - + - name: Set Report Date run: echo "REPORT_DATE=$(date +'%d-%b-%Y')" >> $GITHUB_ENV - - name: Define Report Paths - run: | - echo "SARIF_REPORT_PATH=${{ github.workspace }}/results.sarif" >> $GITHUB_ENV - echo "HTML_REPORT_PATH=${{ github.workspace }}/results.html" >> $GITHUB_ENV + - name: Define JSON Report Path + run: echo "JSON_REPORT_PATH=${{ github.workspace }}/bandit_report_${{ env.REPORT_DATE }}.json" >> $GITHUB_ENV - - name: Perform Bandit Analysis (SARIF) + - name: Perform Bandit Analysis uses: PyCQA/bandit-action@v1 with: configfile: 'DEFAULT' 
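Review bot: Removing the Upload SARIF file to GitHub Code Scanning step leaves `security-events: write` and `actions: read`, which the job's `permissions` block earlier in the file grants specifically for that upload, with nothing that uses them; trim the block to `contents: read` while no upload step exists. With the upload gone the only consumer of the scan is the artifact, so findings no longer surface as Code Scanning alerts or gate the PR — if that is intentional, say so in a comment above the Perform Bandit Analysis step; otherwise keep the upload step and drop the HTML conversion instead.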
@@ -43,23 +41,11 @@ jobs: baseline: 'DEFAULT' ini: 'DEFAULT' targets: '.' + args: '-r . -f json -o ${{ env.JSON_REPORT_PATH }}' - - name: Install SARIF to HTML Converter - run: npm install -g @microsoft/sarif-multitool - - - name: Convert SARIF to HTML - run: sarif-multitool rewrite ${{ env.SARIF_REPORT_PATH }} --output ${{ env.HTML_REPORT_PATH }} - - - name: Upload Bandit SARIF Report as Artifact + - name: Upload Bandit Report as Artifact if: always() uses: actions/upload-artifact@v4 with: name: "bandit-report-summary_${{ env.REPORT_DATE }}" - path: ${{ env.SARIF_REPORT_PATH }} - - - name: Upload Bandit HTML Report as Artifact - if: always() - uses: actions/upload-artifact@v4 - with: - name: "bandit-html-report_${{ env.REPORT_DATE }}" - path: ${{ env.HTML_REPORT_PATH }} + path: ${{ env.JSON_REPORT_PATH }} From 6151a37921ffcf5e0c12a0335149468b290b9e1c Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Sun, 12 Jan 2025 22:58:50 +0530 Subject: [PATCH 13/22] Update bandit.yml --- .github/workflows/bandit.yml | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 574ae071d3..c56364d4e1 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -25,10 +25,11 @@ jobs: - name: Set Report Date run: echo "REPORT_DATE=$(date +'%d-%b-%Y')" >> $GITHUB_ENV - - name: Define JSON Report Path - run: echo "JSON_REPORT_PATH=${{ github.workspace }}/bandit_report_${{ env.REPORT_DATE }}.json" >> $GITHUB_ENV - - - name: Perform Bandit Analysis + - name: Define Report Paths + run: | + echo "SARIF_REPORT_PATH=${{ github.workspace }}/results.sarif" >> $GITHUB_ENV + echo "HTML_REPORT_PATH=${{ github.workspace }}/results.html" >> $GITHUB_ENV + - name: Perform Bandit Analysis (SARIF) uses: PyCQA/bandit-action@v1 with: configfile: 'DEFAULT' 
@@ -41,11 +42,16 @@ jobs: baseline: 'DEFAULT' ini: 'DEFAULT' targets: '.' - args: '-r . -f json -o ${{ env.JSON_REPORT_PATH }}' - - name: Upload Bandit Report as Artifact + - name: Install SARIF Tools + run: pip install sarif-tools + + - name: Convert SARIF to HTML + run: sarif-tools html ${{ env.SARIF_REPORT_PATH }} -o ${{ env.HTML_REPORT_PATH }} + + - name: Upload Bandit SARIF Report as Artifact if: always() uses: actions/upload-artifact@v4 with: name: "bandit-report-summary_${{ env.REPORT_DATE }}" - path: ${{ env.JSON_REPORT_PATH }} + path: ${{ env.SARIF_REPORT_PATH }} From ba57e06c404c3e9c34fcb7f1c4b1db0f1a172301 Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Sun, 12 Jan 2025 23:00:27 +0530 Subject: [PATCH 14/22] Final test update bandit.yml --- .github/workflows/bandit.yml | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index c56364d4e1..9a9b4e059a 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -21,15 +21,14 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v3 - + - name: Set Report Date run: echo "REPORT_DATE=$(date +'%d-%b-%Y')" >> $GITHUB_ENV - - - name: Define Report Paths - run: | - echo "SARIF_REPORT_PATH=${{ github.workspace }}/results.sarif" >> $GITHUB_ENV - echo "HTML_REPORT_PATH=${{ github.workspace }}/results.html" >> $GITHUB_ENV - - name: Perform Bandit Analysis (SARIF) + + - name: Define SARIF Report Path + run: echo "SARIF_REPORT_PATH=${{ github.workspace }}/results.sarif" >> $GITHUB_ENV + + - name: Perform Bandit Analysis uses: PyCQA/bandit-action@v1 with: configfile: 'DEFAULT' 
@@ -42,13 +41,7 @@ jobs: baseline: 'DEFAULT' ini: 'DEFAULT' targets: '.' - - - name: Install SARIF Tools - run: pip install sarif-tools - - - name: Convert SARIF to HTML - run: sarif-tools html ${{ env.SARIF_REPORT_PATH }} -o ${{ env.HTML_REPORT_PATH }} - + - name: Upload Bandit SARIF Report as Artifact if: always() uses: actions/upload-artifact@v4 From cd1ec499c9098429cd313aeab0367253db56ce54 Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Sun, 12 Jan 2025 23:03:40 +0530 Subject: [PATCH 15/22] Update bandit.yml --- .github/workflows/bandit.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 9a9b4e059a..972474d994 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -22,8 +22,9 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - - name: Set Report Date - run: echo "REPORT_DATE=$(date +'%d-%b-%Y')" >> $GITHUB_ENV + - name: Set Filename Suffix Report Date and Time + run: | + echo "REPORT_DATE=$(date +'%d-%b-%Y %H:%M:%S')" >> $GITHUB_ENV - name: Define SARIF Report Path run: echo "SARIF_REPORT_PATH=${{ github.workspace }}/results.sarif" >> $GITHUB_ENV From 4c714c65a738fe173a76ee08b99cdefaa723b637 Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Wed, 15 Jan 2025 11:12:03 +0530 Subject: [PATCH 16/22] testing bandit scan config file --- .github/workflows/bandit.yml | 2 +- pre_commit.toml | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 pre_commit.toml diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 972474d994..21caf7c89f 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -32,7 +32,7 @@ jobs: - name: Perform Bandit Analysis uses: PyCQA/bandit-action@v1 with: - configfile: 'DEFAULT' + configfile: 'pre_commit.toml' profile: 'DEFAULT' tests: 'DEFAULT' skips: 'DEFAULT' 
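Review bot: `REPORT_DATE` now contains a space and colons (`%d-%b-%Y %H:%M:%S`) and is interpolated into the `name:` of the upload-artifact step; upload-artifact v4 rejects artifact names containing `:` (along with `"`, `<`, `>`, `|`, `*`, `?`), so every upload will fail. Use a filesystem-safe format such as `date +'%d-%b-%Y_%H-%M-%S'`, or skip the shell step and name the artifact with `${{ github.run_id }}-${{ github.run_attempt }}`, which is unique per run and needs no date parsing. The step title says "Filename Suffix", but the value is only used in the artifact name and not in `SARIF_REPORT_PATH`, so adjust the title or the usage.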
diff --git a/pre_commit.toml b/pre_commit.toml new file mode 100644 index 0000000000..161f03af57 --- /dev/null +++ b/pre_commit.toml @@ -0,0 +1,17 @@ +[tool.bandit] +# Exclude specific directories or files from the scan +exclude = ["docs/"] + +# Specify the test IDs to be skipped +skips = [ + "B323", # _create_unverified_context + "B314", # xml.etree.ElementTree.parse + "B404", # subprocess module + "B405", # xml.etree.ElementTree + "B311", # Standard pseudo-random generators + "B403" # pickle module +] + +# Set the severity and confidence levels +severity = "LOW" +confidence = "HIGH" \ No newline at end of file From cdd7bd1225444aa9cc69aa2bb6d5c63d10025d25 Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Wed, 15 Jan 2025 11:16:55 +0530 Subject: [PATCH 17/22] Revert to succesful bandit scan --- .github/workflows/bandit.yml | 2 +- pre_commit.toml | 17 ----------------- 2 files changed, 1 insertion(+), 18 deletions(-) delete mode 100644 pre_commit.toml diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 21caf7c89f..972474d994 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -32,7 +32,7 @@ jobs: - name: Perform Bandit Analysis uses: PyCQA/bandit-action@v1 with: - configfile: 'pre_commit.toml' + configfile: 'DEFAULT' profile: 'DEFAULT' tests: 'DEFAULT' skips: 'DEFAULT' diff --git a/pre_commit.toml b/pre_commit.toml deleted file mode 100644 index 161f03af57..0000000000 --- a/pre_commit.toml +++ /dev/null @@ -1,17 +0,0 @@ -[tool.bandit] -# Exclude specific directories or files from the scan -exclude = ["docs/"] - -# Specify the test IDs to be skipped -skips = [ - "B323", # _create_unverified_context - "B314", # xml.etree.ElementTree.parse - "B404", # subprocess module - "B405", # xml.etree.ElementTree - "B311", # Standard pseudo-random generators - "B403" # pickle module -] - -# Set the severity and confidence levels -severity = "LOW" -confidence = "HIGH" \ No newline at end of file 
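Review bot: The `skips` list silences B323 (`ssl._create_unverified_context`, i.e. disabled certificate verification) and B403/B314/B405 (pickle and XML parsers), which are precisely the findings a security scan exists to surface; a global skip hides every future occurrence too, so prefer per-site `# nosec B323` with a one-line justification, or a committed baseline for the existing findings. `exclude = ["docs/"]` does not match bandit's config key, which is `exclude_dirs`, and `severity`/`confidence` are command-line thresholds (`--severity-level`, `--confidence-level`) that I do not believe the config file honours — verify against the bandit version the action installs, because otherwise the file does less than it reads as doing. If they are honoured, `confidence = "HIGH"` additionally drops medium-confidence checks such as the hard-coded password tests (B105–B107, as far as I recall). The name `pre_commit.toml` suggests a pre-commit configuration rather than a bandit one; `bandit.toml` (or a `[tool.bandit]` table in `pyproject.toml`) would be clearer.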
From ba7c8c7e928cee6c7e09b1d8e2b7201479f52f96 Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Wed, 15 Jan 2025 11:19:53 +0530 Subject: [PATCH 18/22] Final tweaks for bandit scan --- .github/workflows/bandit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 972474d994..646bebbc61 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -24,7 +24,7 @@ jobs: - name: Set Filename Suffix Report Date and Time run: | - echo "REPORT_DATE=$(date +'%d-%b-%Y %H:%M:%S')" >> $GITHUB_ENV + echo "REPORT_DATE=$(date +'%d-%b-%Y_%H-%M-%S')" >> $GITHUB_ENV - name: Define SARIF Report Path run: echo "SARIF_REPORT_PATH=${{ github.workspace }}/results.sarif" >> $GITHUB_ENV From 912ad5f900411f5b4136f9645c7f4e1c1c088a70 Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Thu, 16 Jan 2025 14:06:17 +0530 Subject: [PATCH 19/22] Changes for enabling Bandit scan in precommit --- .pre-commit-config.yaml | 8 +++- README.md | 3 ++ pre_commit.toml | 17 ++++++++ precommit-doc.md | 66 +++++++++++++++++++++++++++++++ precommit-setup.sh | 87 +++++++++++++++++++++++++++++++++++++++++ 5 files changed, 180 insertions(+), 1 deletion(-) create mode 100644 pre_commit.toml create mode 100644 precommit-doc.md create mode 100644 precommit-setup.sh diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index eb9b3a0916..e2008b7ec5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -27,4 +27,10 @@ repos: - --in-place - --remove-unused-variables - --recursive - - --ignore-pass-statements \ No newline at end of file + - --ignore-pass-statements + - repo: https://github.com/PyCQA/bandit + rev: 1.7.4 + hooks: + - id: bandit + args: ["-c", "pre_commit.toml"] + additional_dependencies: ["bandit[toml]"] \ No newline at end of file diff --git a/README.md b/README.md index 5ed611dd72..275899ed8b 100644 --- a/README.md +++ b/README.md 
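Review bot: `rev: 1.7.4` pins the hook to an older bandit than `PyCQA/bandit-action@v1` is likely to install in CI, so the local gate and the CI scan will run different rule sets and the hook can pass code that CI then flags; pin both sides to the same release. `additional_dependencies: ["bandit[toml]"]` is unpinned — spell it `bandit[toml]==1.7.4` so the resolver cannot substitute a newer bandit for the one `rev` names. A short comment noting that `pre_commit.toml` is a bandit config (not a pre-commit one) would save the next reader a search.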
@@ -71,6 +71,9 @@ OpenFL supports popular aggregation algorithms out-of-the-box, with more algorit | FedProx | [Li et al., 2020](https://arxiv.org/pdf/1812.06127.pdf) | yes | yes | - | | FedCurv | [Shoham et al., 2019](https://arxiv.org/pdf/1910.07796.pdf) | yes | - | - | +### Enabling Bandit Precommit +To ensure that precommit is setup in your local for Bandit Scan. For more details, kindly follow this doc: [Setup Guide - Precommit](precommit-doc.md) + ## Contributing We welcome contributions! Please refer to the [contributing guidelines](https://openfl.readthedocs.io/en/latest/contributing.html). diff --git a/pre_commit.toml b/pre_commit.toml new file mode 100644 index 0000000000..454ce7c519 --- /dev/null +++ b/pre_commit.toml @@ -0,0 +1,17 @@ +[tool.bandit] +# Exclude specific directories or files from the scan +exclude = ["tests/", "doc/"] + +# Specify the test IDs to be skipped +skips = [ + "B323", # _create_unverified_context + "B314", # xml.etree.ElementTree.parse + "B404", # subprocess module + "B405", # xml.etree.ElementTree + "B311", # Standard pseudo-random generators + "B403" # pickle module +] + +# Set the severity and confidence levels +severity = "LOW" +confidence = "HIGH" diff --git a/precommit-doc.md b/precommit-doc.md new file mode 100644 index 0000000000..9782a5d01e --- /dev/null +++ b/precommit-doc.md 
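Review bot: `exclude = ["tests/", "doc/"]` uses a key bandit does not read (its config key is `exclude_dirs`, as far as I can tell) and spells the directory `doc/` where the earlier attempt and the following commit use `docs/`, so check both the key and which directory actually exists before relying on it. The same `skips` list that the earlier `pre_commit.toml` carried returns here, now for the hook that is meant to block commits: B323 is disabled TLS verification and B403 is `pickle`, so skipping them globally means the hook will never catch a new instance; use per-site `# nosec` with a reason instead. `severity = "LOW"` and `confidence = "HIGH"` are CLI thresholds rather than config keys (verify), and if honoured the confidence filter would hide medium-confidence findings such as the hard-coded-password checks.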
@@ -0,0 +1,66 @@ +## Pre-commit with Bandit + +To ensure code quality and security, we use [pre-commit](https://pre-commit.com/) with [Bandit](https://bandit.readthedocs.io/en/latest/) to automatically scan for security issues before commits. + +Follow the steps below to set up and use pre-commit in your local development environment. + +### Setup + +1. **Clone the repository**: + + ```sh + git clone https://github.com/intel-innersource/frameworks.ai.openfl.openfl-security.git + cd frameworks.ai.openfl.openfl-security + ``` + +2. **Run the setup script**: + + We have provided a `precommit-setup.sh` script to simplify the installation process. This script will install pre-commit and set up the pre-commit hooks. + + ```sh + ./precommit-setup.sh + ``` + + The `setup.sh` script performs the following actions: + - Check for prerequisties in local: (python, pip) + - Installs pre-commit if it is not already installed. + - Installs the pre-commit hooks defined in the .pre-commit-config.yaml file. + +3. **Verify the installation**: + + After running the setup script, you can verify that pre-commit is installed and the hooks are set up correctly by running: + + ```sh + pre-commit --version + pre-commit install + ``` + +### Usage + +Once the pre-commit hooks are installed, Bandit scans will automatically run before each commit. If any issues are found, the commit will be aborted, and you will need to fix the issues before committing again. + +1. **Make changes to your code**: + + Edit your files as needed. + +2. **Stage your changes**: + + ```sh + git add + ``` + +3. **Commit your changes**: + + ```sh + git commit -m "Your commit message" + ``` + + During the commit process, pre-commit will automatically run the Bandit scan. If the scan is successful, the commit will proceed. If any issues are found, the commit will be aborted, and you will need to address the issues before committing again. + +### How to bypass precommit hooks? 
+ +To exclude the bandit pre-commit hook when making a Git commit, you can use the --no-verify option. This bypasses any pre-commit hooks that are set up in your repository. + +```sh +git commit --no-verify -m "Your commit message" +``` diff --git a/precommit-setup.sh b/precommit-setup.sh new file mode 100644 index 0000000000..9b55289bc9 --- /dev/null +++ b/precommit-setup.sh 
@@ -0,0 +1,87 @@ +#!/bin/bash + +# Function to add the installation path to PATH +add_to_path() { + if [[ ":$PATH:" != *":$1:"* ]]; then + export PATH="$PATH:$1" + echo "Added $1 to PATH" + else + echo "$1 is already in PATH" + fi +} + +# Function to check if Python and pip are installed +check_python_and_pip() { + if ! command -v python3 &> /dev/null; then + echo "Python3 is not installed. Please install Python3 and try again." + exit 1 + fi + + if ! command -v pip &> /dev/null; then + echo "pip is not installed. Please install pip and try again." + exit 1 + fi +} + +# Function to install pre-commit +install_precommit() { + if ! command -v pre-commit &> /dev/null; then + echo "pre-commit not found, installing..." + pip install --user pre-commit + else + echo "pre-commit is already installed" + fi +} + +# Check if Python and pip are installed +check_python_and_pip + +# Detect the operating system +OS="$(uname -s)" +case "$OS" in + Linux*) + echo "Detected Linux" + INSTALL_PATH="$HOME/.local/bin" + install_precommit + add_to_path "$INSTALL_PATH" + ;; + Darwin*) + echo "Detected MacOS" + INSTALL_PATH="$HOME/.local/bin" + install_precommit + add_to_path "$INSTALL_PATH" + ;; + CYGWIN*|MINGW32*|MSYS*|MINGW*) + echo "Detected Windows" + INSTALL_PATH="$HOME/AppData/Local/Packages/PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0/LocalCache/local-packages/Python312/Scripts" + install_precommit + add_to_path "$INSTALL_PATH" + ;; + *) + echo "Unknown OS" + exit 1 + ;; +esac + +# Add the installation path to the shell profile for persistence +if [[ "$OS" == "Linux" || "$OS" == "Darwin" ]]; then + SHELL_PROFILE="$HOME/.bashrc" + if [[ -f "$HOME/.zshrc" ]]; then + SHELL_PROFILE="$HOME/.zshrc" + fi + echo "export PATH=\$PATH:$INSTALL_PATH" >> "$SHELL_PROFILE" + source "$SHELL_PROFILE" +elif [[ "$OS" == "CYGWIN"* || "$OS" == "MINGW"* || "$OS" == "MSYS"* ]]; then + SHELL_PROFILE="$HOME/.bash_profile" + echo "export PATH=\$PATH:$INSTALL_PATH" >> "$SHELL_PROFILE" + source 
"$SHELL_PROFILE" +fi + +# Verify the installation +if command -v pre-commit &> /dev/null; then + echo "pre-commit installation successful" + pre-commit --version +else + echo "pre-commit installation failed" + exit 1 +fi From e7bb07494a54f8670de9dfbaee0aa09b50fa8b4e Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Thu, 16 Jan 2025 15:02:21 +0530 Subject: [PATCH 20/22] Include all files to be in precommit --- pre_commit.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pre_commit.toml b/pre_commit.toml index 454ce7c519..65f619aeb9 100644 --- a/pre_commit.toml +++ b/pre_commit.toml @@ -1,6 +1,6 @@ [tool.bandit] # Exclude specific directories or files from the scan -exclude = ["tests/", "doc/"] +# exclude = ["tests/", "docs/"] # Specify the test IDs to be skipped skips = [ From a7dd50c36ac76dcca615532652333c9146dc6664 Mon Sep 17 00:00:00 2001 From: Nambi Srinivasan S Date: Thu, 16 Jan 2025 18:52:37 +0530 Subject: [PATCH 21/22] Changes as per PR review Removed 1) skips - will be added once we need block 2) severity set to HIGH --- pre_commit.toml | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/pre_commit.toml b/pre_commit.toml index 65f619aeb9..6a748a6b02 100644 --- a/pre_commit.toml +++ b/pre_commit.toml @@ -2,16 +2,6 @@ # Exclude specific directories or files from the scan # exclude = ["tests/", "docs/"] -# Specify the test IDs to be skipped -skips = [ - "B323", # _create_unverified_context - "B314", # xml.etree.ElementTree.parse - "B404", # subprocess module - "B405", # xml.etree.ElementTree - "B311", # Standard pseudo-random generators - "B403" # pickle module -] - # Set the severity and confidence levels -severity = "LOW" +severity = "HIGH" confidence = "HIGH" From 84100644474fb9f0f419c6de6671b3986966cf8c Mon Sep 17 00:00:00 2001 
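Review bot: The script never runs `pre-commit install`, although `precommit-doc.md` in the same commit says it sets up the pre-commit hooks; without that call no git hook is installed and the bandit gate is silently absent until the user reads step 3 of the doc. The profile edit is also unconditional, so every run appends another `export PATH=…` line to `~/.bashrc`/`~/.zshrc`, and `source "$SHELL_PROFILE"` executes the user's whole profile inside the script with no effect on their interactive shell. There is no `set -euo pipefail`, bare `pip` may belong to a different interpreter than the `python3` checked in `check_python_and_pip` (use `python3 -m pip`), and `pre-commit` is installed unpinned. The hard-coded Windows path under `PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0` only matches one Store build of Python 3.12; derive it from `python3 -c "import sysconfig; print(sysconfig.get_path('scripts', 'nt_user'))"` instead.
```shell
#!/bin/bash
set -euo pipefail

# … unchanged: add_to_path, check_python_and_pip …

install_precommit() {
  if ! command -v pre-commit &> /dev/null; then
    echo "pre-commit not found, installing..."
    # use the interpreter we just checked, and a pinned release
    python3 -m pip install --user "pre-commit==X.Y.Z"  # pin to the version used in CI
  else
    echo "pre-commit is already installed"
  fi
}

# … unchanged: OS detection and SHELL_PROFILE selection …

# Persist the PATH change once; re-running the script must not append duplicates
if ! grep -qsF "export PATH=\$PATH:$INSTALL_PATH" "$SHELL_PROFILE"; then
  echo "export PATH=\$PATH:$INSTALL_PATH" >> "$SHELL_PROFILE"
  echo "Added $INSTALL_PATH to $SHELL_PROFILE; open a new shell or run: source $SHELL_PROFILE"
fi

# … unchanged: verify pre-commit is on PATH …

# Install the git hooks declared in .pre-commit-config.yaml
pre-commit install
```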
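Review bot: `severity = "HIGH"` makes the hook report only high-severity findings, so medium-severity checks — `yaml.load` without a safe loader (B506) and `pickle.loads` (B301), as far as I recall — never block a commit, while the CI workflow still runs with bandit's defaults and will flag them; the local gate therefore passes code that CI rejects. If the goal is a low-noise first gate, `severity = "MEDIUM"` plus a committed baseline for existing findings is the usual middle ground, and the commit message's plan to re-add `skips` later deserves a comment here, e.g. `# prefer per-site "# nosec <id>" with a reason over global skips`. Whether the config file honours `severity`/`confidence` at all (they are `--severity-level`/`--confidence-level` on the CLI) should be confirmed before relying on either.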
From: Nambi Srinivasan S Date: Thu, 16 Jan 2025 21:13:04 +0530 Subject: [PATCH 22/22] testing changes to exclude bandit in linter --- scripts/lint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/lint.sh b/scripts/lint.sh index ac0b97e0a5..98261135bc 100755 --- a/scripts/lint.sh +++ b/scripts/lint.sh @@ -4,7 +4,7 @@ set -Eeuo pipefail base_dir=$(dirname $(dirname $0)) # Run the pre-commit checks -pre-commit run --all-files +SKIP=bandit pre-commit run --all-files ruff check --config "${base_dir}/pyproject.toml" openfl/
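Review bot: `SKIP=bandit pre-commit run --all-files` removes the bandit hook from `scripts/lint.sh`, so any CI job or developer running the lint script no longer gets the security scan this series adds, and nothing in the file says why; the commit title calls it a test, so either revert before merge or add a comment such as `# bandit is skipped here: it runs in .github/workflows/bandit.yml and as a local pre-commit hook` above the line. If the skip is meant to stay, the bandit workflow should be made a required status check for the protected branches (`develop`, `v1.7.x`) so removing it from lint does not leave the scan advisory-only.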