Merge pull request #1814 from freedomofpress/centralized-lint

Centralize CI for bandit and safety
freedomofpress · Feb 15, 2024 · e7b7d0c · e7b7d0c
2 parents 874fe76 + 9792fa7
commit e7b7d0c
Show file tree

Hide file tree

Showing 19 changed files with 981 additions and 1,194 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -76,7 +76,7 @@ common-steps:
       name: Run static analysis on source code to find security issues
       command: |
         set -e
-        make -C client semgrep bandit
+        make -C client semgrep
 
   - &client_check_source_strings
     run:
@@ -92,13 +92,6 @@ common-steps:
         set -e
         make -C client verify-mo
 
-  - &client_check_python_dependencies_for_vulnerabilities
-    run:
-      name: Check Python dependencies for known vulnerabilities
-      command: |
-        set -e
-        make -C client safety
-
   - &export_install_poetry
     run:
       name: Install Poetry
@@ -145,12 +138,6 @@ common-steps:
       command: |
         make -C export semgrep
 
-  - &export_check_python_dependencies_for_vulnerabilities
-    run:
-      name: Check Python dependencies for known vulnerabilities
-      command: |
-        make -C export safety
-
   - &log_install_poetry
     run:
       name: Install Poetry
@@ -223,24 +210,6 @@ common-steps:
       command: |
         make -C proxy lint
 
-  - &proxy_check_security
-    run:
-      name: Run static analysis on source code to find security issues
-      command: |
-        set -e
-        cd proxy
-        poetry update bandit
-        make bandit
-
-  - &proxy_check_python_dependencies_for_vulnerabilities
-    run:
-      name: Check Python dependencies for known vulnerabilities
-      command: |
-        set -e
-        cd proxy
-        poetry update safety
-        make safety
-
 version: 2.1
 
 jobs:
@@ -295,16 +264,6 @@ jobs:
       - *client_install_testing_dependencies
       - *client_check_security
 
-  client_check-python-security:
-    parameters: *parameters
-    docker: *docker
-    steps:
-      - *client_install_poetry
-      - checkout
-      - *client_install_testing_dependencies
-      - *client_check_python_dependencies_for_vulnerabilities
-
-
   client_check-internationalization:
     parameters: *parameters
     docker: *docker
@@ -344,15 +303,6 @@ jobs:
       - *export_install_testing_dependencies
       - *export_check_security
 
-  export_check-python-security:
-    parameters: *parameters
-    docker: *docker
-    steps:
-      - *export_install_poetry
-      - checkout
-      - *export_install_testing_dependencies
-      - *export_check_python_dependencies_for_vulnerabilities
-
   log_test-bullseye:
     docker:
       - image: debian:bullseye
@@ -382,24 +332,6 @@ jobs:
       - *proxy_install_testing_dependencies
       - *proxy_run_lint
 
-  proxy_check-security:
-    parameters: *parameters
-    docker: *docker
-    steps:
-      - checkout
-      - *proxy_install_poetry
-      - *proxy_install_testing_dependencies
-      - *proxy_check_security
-
-  proxy_check-python-security:
-    parameters: *parameters
-    docker: *docker
-    steps:
-      - checkout
-      - *proxy_install_poetry
-      - *proxy_install_testing_dependencies
-      - *proxy_check_python_dependencies_for_vulnerabilities
-
 
 workflows:
   securedrop_client_ci:
@@ -418,8 +350,6 @@ workflows:
           matrix: *matrix
       - client_check-security:
           matrix: *matrix
-      - client_check-python-security:
-          matrix: *matrix
       - client_check-internationalization:
           matrix: *matrix
 
@@ -431,8 +361,6 @@ workflows:
           matrix: *matrix
       - export_check-security:
           matrix: *matrix
-      - export_check-python-security:
-          matrix: *matrix
 
   securedrop_log_ci:
     jobs:
@@ -450,10 +378,6 @@ workflows:
                 - bullseye
       - proxy_lint:
           matrix: *proxy_matrix
-      - proxy_check-security:
-          matrix: *proxy_matrix
-      - proxy_check-python-security:
-          matrix: *proxy_matrix
 
   client_nightly:
     triggers:

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -6,6 +6,12 @@ updates:
       interval: "weekly"
 
   # Python development dependencies
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    allow:
+      - dependency-type: "development"
   - package-ecosystem: "pip"
     directory: "/client"
     schedule:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,3 +21,46 @@ jobs:
       - name: Lint .desktop files
         run: |
           make lint-desktop
+
+  lint:
+    strategy:
+      matrix:
+        debian_version:
+          - bullseye
+          - bookworm
+    runs-on: ubuntu-latest
+    container: debian:${{ matrix.debian_version }}
+    steps:
+      - run: |
+          apt-get update && apt-get install --yes git make
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: |
+          source /etc/os-release
+          if [[ "$VERSION_CODENAME" == "bullseye" ]]; then
+              # Install Poetry via PyPI
+              apt-get install --yes --no-install-recommends python3-pip
+              pip install poetry==1.6.1
+          elif [[ "$VERSION_CODENAME" == "bookworm" ]]; then
+              # Install Poetry via system package
+              apt-get install --yes --no-install-recommends python3-poetry
+          else
+              echo "Unsupported Debian version: $VERSION_CODENAME"
+              exit 1
+          fi
+          poetry install
+      - name: Run lint
+        run: make lint
+
+  safety:
+    runs-on: ubuntu-latest
+    container: debian:bookworm
+    steps:
+      - run: |
+          apt-get update && apt-get install --yes git make python3-poetry
+      - uses: actions/checkout@v4
+      - name: Run safety
+        run: |
+          poetry install
+          poetry update safety
+          make safety
diff --git a/Makefile b/Makefile
@@ -10,6 +10,19 @@ lint-desktop: ## Lint .desktop files
 	# See: https://www.freedesktop.org/wiki/Software/desktop-file-utils/
 	find . -name *.desktop -type f -not -path '*/\.git/*' | xargs desktop-file-validate
 
+.PHONY: lint
+lint: bandit ## Run linters and formatters
+
+bandit: ## Run bandit security checks
+	@poetry run bandit -c pyproject.toml -r . --severity-level medium
+
+safety:  ## Run safety dependency checks on build dependencies
+	find . -name build-requirements.txt | xargs -n1 poetry run safety check --full-report \
+		--ignore 51668 \
+		--ignore 61601 \
+		--ignore 61893 \
+		--ignore 62044 \
+ 		-r
 
 # Explanation of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" and any make targets that might appear between : and ##

diff --git a/client/Makefile b/client/Makefile
@@ -113,24 +113,8 @@ test-sdk: ## Run just the sdk tests
 lint: ## Run the linters
 	@poetry run flake8 securedrop_client tests
 
-.PHONY: safety
-safety: ## Runs `safety check` to check python dependencies for vulnerabilities
-	@echo "Checking build-requirements.txt with safety"
-	@poetry run safety check --full-report \
-		--ignore 51668 \
-		--ignore 61601 \
-		--ignore 61893 \
-		--ignore 62044 \
-		-r build-requirements.txt
-
-# Bandit is a static code analysis tool to detect security vulnerabilities in Python applications
-# https://wiki.openstack.org/wiki/Security/Projects/Bandit
-.PHONY: bandit
-bandit: ## Run bandit with medium level excluding test-related folders
-	@poetry run bandit -ll --recursive . --exclude ./tests,./.venv
-
 .PHONY: check
-check: clean check-black check-isort semgrep bandit lint mypy test-random test-integration test-functional ## Run the full CI test suite
+check: clean check-black check-isort semgrep lint mypy test-random test-integration test-functional ## Run the full CI test suite
 
 # Explanation of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" and any make targets that might appear between : and ##