Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Centralize CI for bandit and safety #1814

Merged
merged 1 commit into from
Feb 15, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
78 changes: 1 addition & 77 deletions .circleci/config.yml
Original file line number Diff line number Diff line change
Expand Up @@ -76,7 +76,7 @@ common-steps:
name: Run static analysis on source code to find security issues
command: |
set -e
make -C client semgrep bandit
make -C client semgrep

- &client_check_source_strings
run:
Expand All @@ -92,13 +92,6 @@ common-steps:
set -e
make -C client verify-mo

- &client_check_python_dependencies_for_vulnerabilities
run:
name: Check Python dependencies for known vulnerabilities
command: |
set -e
make -C client safety

- &export_install_poetry
run:
name: Install Poetry
Expand Down Expand Up @@ -145,12 +138,6 @@ common-steps:
command: |
make -C export semgrep

- &export_check_python_dependencies_for_vulnerabilities
run:
name: Check Python dependencies for known vulnerabilities
command: |
make -C export safety

- &log_install_poetry
run:
name: Install Poetry
Expand Down Expand Up @@ -223,24 +210,6 @@ common-steps:
command: |
make -C proxy lint

- &proxy_check_security
run:
name: Run static analysis on source code to find security issues
command: |
set -e
cd proxy
poetry update bandit
make bandit

- &proxy_check_python_dependencies_for_vulnerabilities
run:
name: Check Python dependencies for known vulnerabilities
command: |
set -e
cd proxy
poetry update safety
make safety

version: 2.1

jobs:
Expand Down Expand Up @@ -295,16 +264,6 @@ jobs:
- *client_install_testing_dependencies
- *client_check_security

client_check-python-security:
parameters: *parameters
docker: *docker
steps:
- *client_install_poetry
- checkout
- *client_install_testing_dependencies
- *client_check_python_dependencies_for_vulnerabilities


client_check-internationalization:
parameters: *parameters
docker: *docker
Expand Down Expand Up @@ -344,15 +303,6 @@ jobs:
- *export_install_testing_dependencies
- *export_check_security

export_check-python-security:
parameters: *parameters
docker: *docker
steps:
- *export_install_poetry
- checkout
- *export_install_testing_dependencies
- *export_check_python_dependencies_for_vulnerabilities

log_test-bullseye:
docker:
- image: debian:bullseye
Expand Down Expand Up @@ -382,24 +332,6 @@ jobs:
- *proxy_install_testing_dependencies
- *proxy_run_lint

proxy_check-security:
parameters: *parameters
docker: *docker
steps:
- checkout
- *proxy_install_poetry
- *proxy_install_testing_dependencies
- *proxy_check_security

proxy_check-python-security:
parameters: *parameters
docker: *docker
steps:
- checkout
- *proxy_install_poetry
- *proxy_install_testing_dependencies
- *proxy_check_python_dependencies_for_vulnerabilities


workflows:
securedrop_client_ci:
Expand All @@ -418,8 +350,6 @@ workflows:
matrix: *matrix
- client_check-security:
matrix: *matrix
- client_check-python-security:
matrix: *matrix
- client_check-internationalization:
matrix: *matrix

Expand All @@ -431,8 +361,6 @@ workflows:
matrix: *matrix
- export_check-security:
matrix: *matrix
- export_check-python-security:
matrix: *matrix

securedrop_log_ci:
jobs:
Expand All @@ -450,10 +378,6 @@ workflows:
- bullseye
- proxy_lint:
matrix: *proxy_matrix
- proxy_check-security:
matrix: *proxy_matrix
- proxy_check-python-security:
matrix: *proxy_matrix

client_nightly:
triggers:
Expand Down
6 changes: 6 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,12 @@ updates:
interval: "weekly"

# Python development dependencies
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
allow:
- dependency-type: "development"
- package-ecosystem: "pip"
directory: "/client"
schedule:
Expand Down
43 changes: 43 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,3 +21,46 @@ jobs:
- name: Lint .desktop files
run: |
make lint-desktop

lint:
strategy:
matrix:
debian_version:
- bullseye
- bookworm
runs-on: ubuntu-latest
container: debian:${{ matrix.debian_version }}
steps:
- run: |
apt-get update && apt-get install --yes git make
- uses: actions/checkout@v4
- name: Install dependencies
run: |
source /etc/os-release
if [[ "$VERSION_CODENAME" == "bullseye" ]]; then
# Install Poetry via PyPI
apt-get install --yes --no-install-recommends python3-pip
pip install poetry==1.6.1
elif [[ "$VERSION_CODENAME" == "bookworm" ]]; then
# Install Poetry via system package
apt-get install --yes --no-install-recommends python3-poetry
else
echo "Unsupported Debian version: $VERSION_CODENAME"
exit 1
fi
poetry install
- name: Run lint
run: make lint

safety:
runs-on: ubuntu-latest
container: debian:bookworm
steps:
- run: |
apt-get update && apt-get install --yes git make python3-poetry
- uses: actions/checkout@v4
- name: Run safety
run: |
poetry install
poetry update safety
make safety
13 changes: 13 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,19 @@ lint-desktop: ## Lint .desktop files
# See: https://www.freedesktop.org/wiki/Software/desktop-file-utils/
find . -name *.desktop -type f -not -path '*/\.git/*' | xargs desktop-file-validate

.PHONY: lint
lint: bandit ## Run linters and formatters

bandit: ## Run bandit security checks
@poetry run bandit -c pyproject.toml -r . --severity-level medium

safety: ## Run safety dependency checks on build dependencies
find . -name build-requirements.txt | xargs -n1 poetry run safety check --full-report \
--ignore 51668 \
--ignore 61601 \
--ignore 61893 \
--ignore 62044 \
-r

# Explanation of the below shell command should it ever break.
# 1. Set the field separator to ": ##" and any make targets that might appear between : and ##
Expand Down
18 changes: 1 addition & 17 deletions client/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -113,24 +113,8 @@ test-sdk: ## Run just the sdk tests
lint: ## Run the linters
@poetry run flake8 securedrop_client tests

.PHONY: safety
safety: ## Runs `safety check` to check python dependencies for vulnerabilities
@echo "Checking build-requirements.txt with safety"
@poetry run safety check --full-report \
--ignore 51668 \
--ignore 61601 \
--ignore 61893 \
--ignore 62044 \
-r build-requirements.txt

# Bandit is a static code analysis tool to detect security vulnerabilities in Python applications
# https://wiki.openstack.org/wiki/Security/Projects/Bandit
.PHONY: bandit
bandit: ## Run bandit with medium level excluding test-related folders
@poetry run bandit -ll --recursive . --exclude ./tests,./.venv

.PHONY: check
check: clean check-black check-isort semgrep bandit lint mypy test-random test-integration test-functional ## Run the full CI test suite
check: clean check-black check-isort semgrep lint mypy test-random test-integration test-functional ## Run the full CI test suite

# Explanation of the below shell command should it ever break.
# 1. Set the field separator to ": ##" and any make targets that might appear between : and ##
Expand Down
Loading