[WIP] Address review comments
eloquence committed Sep 29, 2023
1 parent 4ae8d1f commit 68d664b
Showing 2 changed files with 26 additions and 63 deletions.
76 changes: 24 additions & 52 deletions .circleci/config.yml
@@ -1,32 +1,36 @@
---
common-steps:
- &install_poetry_bullseye
- &install_poetry
run:
name: Install Poetry on Debian Bullseye (PyPI package)
name: Install Poetry
command: |
set -e
apt update && apt install -y --no-install-recommends python3-pip
pip install poetry==1.6.1
- &install_poetry_bookworm
run:
name: Install Poetry on Debian Bookworm (system package)
command: |
apt update && apt install -y --no-install-recommends python3-poetry
source /etc/os-release
if [[ "$VERSION_CODENAME" == "bullseye" ]]; then
# Install Poetry via PyPI
apt-get update && apt-get install --yes --no-install-recommends python3-pip
pip install poetry==1.6.1
elif [[ "$VERSION_CODENAME" == "bookworm" ]]; then
# Install Poetry via system package
apt-get update && apt-get install --yes --no-install-recommends python3-poetry
else
echo "Unsupported Debian version: $VERSION_CODENAME"
exit 1
fi
- &install_testing_dependencies
run:
name: Install testing dependencies
command: |
apt install -y --no-install-recommends git gnupg make
apt-get install --yes --no-install-recommends git gnupg make
poetry install --no-ansi
- &install_build_dependencies
run:
name: Install build dependencies
command: |
set -e
apt update && apt install -y git make sudo
apt-get update && apt-get install --yes git make sudo
- &run_unit_tests
run:
Expand All @@ -45,12 +49,16 @@ common-steps:
run:
name: Run static analysis on source code to find security issues
command: |
set -e
poetry update bandit
make bandit
- &check_python_dependencies_for_vulnerabilities
run:
name: Check Python dependencies for known vulnerabilities
command: |
set -e
poetry update safety
make safety
- &install_packaging_dependencies
Expand Down Expand Up @@ -110,16 +118,7 @@ jobs:
docker: *docker
steps:
- checkout
- when:
condition:
equal: [ bullseye, << parameters.image >> ]
steps:
- *install_poetry_bullseye
- when:
condition:
equal: [ bookworm, << parameters.image >> ]
steps:
- *install_poetry_bookworm
- *install_poetry
- *install_testing_dependencies
- *run_unit_tests
- store_test_results:
Expand All @@ -130,16 +129,7 @@ jobs:
docker: *docker
steps:
- checkout
- when:
condition:
equal: [ bullseye, << parameters.image >> ]
steps:
- *install_poetry_bullseye
- when:
condition:
equal: [ bookworm, << parameters.image >> ]
steps:
- *install_poetry_bookworm
- *install_poetry
- *install_testing_dependencies
- *run_lint

Expand All @@ -148,16 +138,7 @@ jobs:
docker: *docker
steps:
- checkout
- when:
condition:
equal: [ bullseye, << parameters.image >> ]
steps:
- *install_poetry_bullseye
- when:
condition:
equal: [ bookworm, << parameters.image >> ]
steps:
- *install_poetry_bookworm
- *install_poetry
- *install_testing_dependencies
- *check_security

Expand All @@ -166,16 +147,7 @@ jobs:
docker: *docker
steps:
- checkout
- when:
condition:
equal: [ bullseye, << parameters.image >> ]
steps:
- *install_poetry_bullseye
- when:
condition:
equal: [ bookworm, << parameters.image >> ]
steps:
- *install_poetry_bookworm
- *install_poetry
- *install_testing_dependencies
- *check_python_dependencies_for_vulnerabilities

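Review bot: The Bullseye branch of the new `install_poetry` step (`pip install poetry==1.6.1`, first hunk) pins Poetry's own version but neither its transitive dependencies nor any hashes, so every run resolves and installs whatever PyPI currently serves for Poetry's dependency tree, while the Bookworm branch gets the apt-signed `python3-poetry` package; the two code paths therefore carry different supply-chain guarantees. If a fully pinned install is wanted, a hash-pinned requirements file installed with `pip install --require-hashes -r <path-to-pinned-poetry-requirements>` would close the gap; otherwise a comment on that line such as `# Bullseye has no python3-poetry package; version pinned, transitive deps/hashes are not` records the trade-off. The same floating-version concern applies to `poetry update bandit` and `poetry update safety` in the second hunk, which pull the latest scanner at CI time and rewrite the lockfile in the working copy; if that is deliberate (freshest checks), a one-line comment saying so would help the next reader.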
13 changes: 2 additions & 11 deletions Makefile
Expand Up @@ -5,22 +5,13 @@ all: help

.PHONY: bandit
bandit: ## Run bandit with medium level excluding test-related folders
@echo "Installing latest version of Bandit in virtual environment…"
@poetry update bandit
@echo "Running bandit security checks…"
@poetry run bandit -ll --recursive securedrop_proxy

.PHONY: safety
safety: ## Runs `safety check` to check python dependencies for vulnerabilities
@echo "Installing latest version of safety in virtual environment…"
@poetry update safety
@echo "Running safety against requirements files in this repository…"
for req_file in `find . -type f -name '*requirements.txt'`; do \
echo "Checking file $$req_file" \
&& poetry run safety check --full-report -r $$req_file \
&& echo -e '\n' \
|| exit 1; \
done
@echo "Running safety against build requirements…"
@poetry run safety check --full-report -r build-requirements.txt

.PHONY: lint
lint: check-isort check-black mypy ## Run isort, black and flake8 and mypy
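Review bot: The `safety` target now scans only `build-requirements.txt` (`@poetry run safety check --full-report -r build-requirements.txt`), whereas the removed loop covered every `*requirements.txt` file, so the help text on the target line, "Runs `safety check` to check python dependencies for vulnerabilities", now overstates what runs. Either narrow the description to `safety: ## Run safety against build-requirements.txt`, or, if the runtime dependencies installed by `poetry install` should still be covered, add a second invocation without `-r` (`@poetry run safety check --full-report`), which checks the active virtualenv rather than a file — worth confirming against the safety version in use. The hunk starts mid-file (`all: help` above it), so any earlier requirements handling is not visible here.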
