Centralize CI for bandit and safety
Both of these projects can be run centrally across all components and
don't need to be installed and configured separately four times.

This also identifies and fixes the fact that bandit wasn't being run on export
(though the issue it flagged was a false positive).

Refs #1773.
legoktm committed Feb 8, 2024
1 parent e3c61d3 commit 0f1bedf
Showing 19 changed files with 982 additions and 1,194 deletions.
78 changes: 1 addition & 77 deletions .circleci/config.yml
Expand Up @@ -76,7 +76,7 @@ common-steps:
name: Run static analysis on source code to find security issues
command: |
set -e
make -C client semgrep bandit
make -C client semgrep
- &client_check_source_strings
run:
Expand All @@ -92,13 +92,6 @@ common-steps:
set -e
make -C client verify-mo
- &client_check_python_dependencies_for_vulnerabilities
run:
name: Check Python dependencies for known vulnerabilities
command: |
set -e
make -C client safety
- &export_install_poetry
run:
name: Install Poetry
Expand Down Expand Up @@ -145,12 +138,6 @@ common-steps:
command: |
make -C export semgrep
- &export_check_python_dependencies_for_vulnerabilities
run:
name: Check Python dependencies for known vulnerabilities
command: |
make -C export safety
- &log_install_poetry
run:
name: Install Poetry
Expand Down Expand Up @@ -223,24 +210,6 @@ common-steps:
command: |
make -C proxy lint
- &proxy_check_security
run:
name: Run static analysis on source code to find security issues
command: |
set -e
cd proxy
poetry update bandit
make bandit
- &proxy_check_python_dependencies_for_vulnerabilities
run:
name: Check Python dependencies for known vulnerabilities
command: |
set -e
cd proxy
poetry update safety
make safety
version: 2.1

jobs:
Expand Down Expand Up @@ -295,16 +264,6 @@ jobs:
- *client_install_testing_dependencies
- *client_check_security

client_check-python-security:
parameters: *parameters
docker: *docker
steps:
- *client_install_poetry
- checkout
- *client_install_testing_dependencies
- *client_check_python_dependencies_for_vulnerabilities


client_check-internationalization:
parameters: *parameters
docker: *docker
Expand Down Expand Up @@ -344,15 +303,6 @@ jobs:
- *export_install_testing_dependencies
- *export_check_security

export_check-python-security:
parameters: *parameters
docker: *docker
steps:
- *export_install_poetry
- checkout
- *export_install_testing_dependencies
- *export_check_python_dependencies_for_vulnerabilities

log_test-bullseye:
docker:
- image: debian:bullseye
Expand Down Expand Up @@ -382,24 +332,6 @@ jobs:
- *proxy_install_testing_dependencies
- *proxy_run_lint

proxy_check-security:
parameters: *parameters
docker: *docker
steps:
- checkout
- *proxy_install_poetry
- *proxy_install_testing_dependencies
- *proxy_check_security

proxy_check-python-security:
parameters: *parameters
docker: *docker
steps:
- checkout
- *proxy_install_poetry
- *proxy_install_testing_dependencies
- *proxy_check_python_dependencies_for_vulnerabilities


workflows:
securedrop_client_ci:
Expand All @@ -418,8 +350,6 @@ workflows:
matrix: *matrix
- client_check-security:
matrix: *matrix
- client_check-python-security:
matrix: *matrix
- client_check-internationalization:
matrix: *matrix

Expand All @@ -431,8 +361,6 @@ workflows:
matrix: *matrix
- export_check-security:
matrix: *matrix
- export_check-python-security:
matrix: *matrix

securedrop_log_ci:
jobs:
Expand All @@ -444,10 +372,6 @@ workflows:
matrix: *matrix
- proxy_lint:
matrix: *matrix
- proxy_check-security:
matrix: *matrix
- proxy_check-python-security:
matrix: *matrix

client_nightly:
triggers:
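Review bot: The `client_check-security` job keeps its name and its step is still described as `Run static analysis on source code to find security issues`, yet after this change it runs only `make -C client semgrep`; the bandit and safety steps for every component are removed from this file with no pointer to where they went. A comment on the remaining step, e.g. `# bandit and safety now run centrally in .github/workflows/ci.yml`, would stop the next maintainer from re-adding them here. The same applies to the export step that now runs `make -C export semgrep`, whose `name:` line is outside the shown lines.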
6 changes: 6 additions & 0 deletions .github/dependabot.yml
Expand Up @@ -6,6 +6,12 @@ updates:
interval: "weekly"

# Python development dependencies
- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
allow:
- dependency-type: "development"
- package-ecosystem: "pip"
directory: "/client"
schedule:
43 changes: 43 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -21,3 +21,46 @@ jobs:
- name: Lint .desktop files
run: |
make lint-desktop
lint:
strategy:
matrix:
debian_version:
- bullseye
- bookworm
runs-on: ubuntu-latest
container: debian:${{ matrix.debian_version }}
steps:
- run: |
apt-get update && apt-get install --yes git make
- uses: actions/checkout@v4
- name: Install dependencies
run: |
source /etc/os-release
if [[ "$VERSION_CODENAME" == "bullseye" ]]; then
# Install Poetry via PyPI
apt-get install --yes --no-install-recommends python3-pip
pip install poetry==1.6.1
elif [[ "$VERSION_CODENAME" == "bookworm" ]]; then
# Install Poetry via system package
apt-get install --yes --no-install-recommends python3-poetry
else
echo "Unsupported Debian version: $VERSION_CODENAME"
exit 1
fi
poetry install
- name: Run lint
run: make lint

safety:
runs-on: ubuntu-latest
container: debian:bookworm
steps:
- run: |
apt-get update && apt-get install --yes git make python3-poetry
- uses: actions/checkout@v4
- name: Run safety
run: |
poetry install
poetry update safety
make safety
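Review bot: `poetry update safety` in the new safety job re-resolves and upgrades safety (and whatever it pulls in) past poetry.lock on every CI run, so the tool version is whatever PyPI serves that day rather than what the lockfile and the new root dependabot entry pin. If the aim is a fresh vulnerability database, `safety check` downloads that at run time independently of the installed package version (worth confirming for the locked version), so the step could likely be just `poetry install` followed by `make safety`; if the update is deliberate, a comment saying why would keep the next reader from removing it. Separately, both jobs reference `actions/checkout@v4` by tag; pinning to the full commit SHA of the release is the usual hardening for third-party actions, and whether the workflow sets a top-level `permissions:` block is outside the shown lines.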
13 changes: 13 additions & 0 deletions Makefile
Expand Up @@ -6,6 +6,19 @@ lint-desktop: ## Lint .desktop files
# See: https://www.freedesktop.org/wiki/Software/desktop-file-utils/
find . -name *.desktop -type f -not -path '*/\.git/*' | xargs desktop-file-validate

.PHONY: lint
lint: bandit ## Run linters and formatters

bandit: ## Run bandit security checks
@poetry run bandit -c pyproject.toml -r . --severity-level medium

safety: ## Run safety dependency checks on build dependencies
find . -name build-requirements.txt | xargs -n1 poetry run safety check --full-report \
--ignore 51668 \
--ignore 61601 \
--ignore 61893 \
--ignore 62044 \
-r

# Explanation of the below shell command should it ever break.
# 1. Set the field separator to ": ##" and any make targets that might appear between : and ##
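Review bot: The four `--ignore` IDs in the new safety target carry no reason or recheck date, so they become permanent blind spots; each should get a comment such as `# 51668: <reason it does not apply, date to recheck>` (placeholder text). They were carried over from client/Makefile but now apply to every build-requirements.txt that `find` matches, which widens their scope, and `find` without `-type f` or a `-not -path '*/.venv/*'` prune (the lint-desktop target just above already uses that idiom for .git) can also pick up copies under a virtualenv. `bandit` and `safety` produce no file, so they belong in the PHONY declaration: `.PHONY: lint bandit safety`. bandit now recurses from `.` with its exclusions presumably in pyproject.toml; if that config does not exclude `.venv` and `tests`, the old `--exclude ./tests,./.venv` behaviour is lost — worth confirming.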
18 changes: 1 addition & 17 deletions client/Makefile
Expand Up @@ -113,24 +113,8 @@ test-sdk: ## Run just the sdk tests
lint: ## Run the linters
@poetry run flake8 securedrop_client tests

.PHONY: safety
safety: ## Runs `safety check` to check python dependencies for vulnerabilities
@echo "Checking build-requirements.txt with safety"
@poetry run safety check --full-report \
--ignore 51668 \
--ignore 61601 \
--ignore 61893 \
--ignore 62044 \
-r build-requirements.txt

# Bandit is a static code analysis tool to detect security vulnerabilities in Python applications
# https://wiki.openstack.org/wiki/Security/Projects/Bandit
.PHONY: bandit
bandit: ## Run bandit with medium level excluding test-related folders
@poetry run bandit -ll --recursive . --exclude ./tests,./.venv

.PHONY: check
check: clean check-black check-isort semgrep bandit lint mypy test-random test-integration test-functional ## Run the full CI test suite
check: clean check-black check-isort semgrep lint mypy test-random test-integration test-functional ## Run the full CI test suite

# Explanation of the below shell command should it ever break.
# 1. Set the field separator to ": ##" and any make targets that might appear between : and ##
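Review bot: The `check` target's help text still reads `Run the full CI test suite`, but with bandit dropped from its prerequisites and the safety target removed, `make check` in client/ no longer runs either scan; they now run only from the repository root. Suggest `## Run the full CI test suite (bandit and safety run from the repository root)` so a clean local run is not mistaken for full CI coverage.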
