From 040b66c007adc70336a03c9e6204296ffa288ccc Mon Sep 17 00:00:00 2001
From: Alex Lowe
Date: Mon, 30 Sep 2024 10:57:18 -0400
Subject: [PATCH] ci: add security scan (#5068)
---
.github/workflows/security-scan.yaml | 17 +++++++++++++++++
osv-scanner.toml | 4 ++++
requirements-devel.txt | 2 +-
requirements-docs.txt | 2 +-
requirements.txt | 2 +-
tools/freeze-requirements.sh | 2 +-
6 files changed, 25 insertions(+), 4 deletions(-)
create mode 100644 .github/workflows/security-scan.yaml
create mode 100644 osv-scanner.toml
diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml
new file mode 100644
index 0000000000..20770c8ad9
--- /dev/null
+++ b/.github/workflows/security-scan.yaml
@@ -0,0 +1,17 @@
+name: Security scan
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+ - hotfix/*
+ - work/secscan # For development
+
+jobs:
+ python-scans:
+ name: Scan Python project
+ uses: canonical/starflow/.github/workflows/scan-python.yaml@main
+ with:
+ packages: python-apt-dev
+ osv-extra-args: '--config=source/osv-scanner.toml'
+ trivy-extra-args: '--severity HIGH,CRITICAL --ignore-unfixed --skip-dirs "tests/spread/**"'
diff --git a/osv-scanner.toml b/osv-scanner.toml
new file mode 100644
index 0000000000..17da2fac14
--- /dev/null
+++ b/osv-scanner.toml
@@ -0,0 +1,4 @@
+[[IgnoredVulns]]
+id = "CVE-2024-35195"
+ignoreUntil = "2025-01-01T00:00:00Z"
+reason = "Needed for requests-unixsocket, which we're replacing with requests-unixsocket2"
diff --git a/requirements-devel.txt b/requirements-devel.txt
index 2660b4f900..37f48f4751 100644
--- a/requirements-devel.txt
+++ b/requirements-devel.txt
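Review bot: The reusable workflow is pulled in by a mutable ref, `uses: canonical/starflow/.github/workflows/scan-python.yaml@main`, so each run executes whatever that branch holds at the time and an upstream change (or compromise) silently changes what this repository's scan does. Pinning to a full commit SHA with a version comment (`uses: canonical/starflow/.github/workflows/scan-python.yaml@<COMMIT-SHA> # <TAG>`) keeps the scan reproducible and lets a bot track updates. The `- work/secscan # For development` push trigger reads as a leftover that will keep running scans on a personal branch after this merges. A top-level `permissions: {contents: read}` would also make the token handed to the called workflow least-privilege by default, unless the callee documents needing more (it is not visible here).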
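Review bot: The ignore entry only affects osv-scanner; the trivy pass configured in the workflow in this same commit is not pointed at `osv-scanner.toml`, so if CVE-2024-35195 is in trivy's database at HIGH/CRITICAL it may still fail the job and would need the matching `.trivyignore` entry. The `reason` names the dependency being replaced but not where that work is tracked, which is what matters when the `ignoreUntil` deadline of 2025-01-01 lapses and CI breaks again; `reason = "Needed for requests-unixsocket, which we're replacing with requests-unixsocket2 (tracked in <TRACKING-ISSUE>)"` makes the expiry actionable.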
@@ -199,5 +199,5 @@ yamllint==1.35.1
 zipp==3.20.2
 zope.deprecation==5.0
 zope.interface==7.0.3
-python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz; sys.platform == "linux"
+python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz ; sys.platform == "linux"
 pyinstaller==5.13.2; sys.platform == "win32"
diff --git a/requirements-docs.txt b/requirements-docs.txt
index 787942bceb..1504cc4323 100644
--- a/requirements-docs.txt
+++ b/requirements-docs.txt
@@ -147,4 +147,4 @@ websockets==12.0
 wheel==0.44.0
 ws4py==0.5.1
 zipp==3.20.2
-python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz; sys.platform == "linux"
+python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz ; sys.platform == "linux"
diff --git a/requirements.txt b/requirements.txt
index 638d3ddb58..75e74f446c 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -78,4 +78,4 @@ wadllib==1.3.6
 wheel==0.44.0
 ws4py==0.5.1
 zipp==3.20.2
-python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz; sys.platform == "linux"
+python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz ; sys.platform == "linux"
diff --git a/tools/freeze-requirements.sh b/tools/freeze-requirements.sh
index 22723c420a..5f086892ee 100755
--- a/tools/freeze-requirements.sh
+++ b/tools/freeze-requirements.sh
@@ -5,7 +5,7 @@ requirements_fixups() {
 # Python apt library pinned to source.
 sed -i '/python-apt=*/d' "$req_file"
-echo 'python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz; sys.platform == "linux"' >> "$req_file"
+echo 'python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz ; sys.platform == "linux"' >> "$req_file"
 # https://bugs.launchpad.net/ubuntu/+source/python-pip/+bug/1635463
 sed -i '/pkg[-_]resources==0.0.0/d' "$req_file"
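Review bot: The regenerated `python-apt @ https://launchpad.net/...tar.xz ; sys.platform == "linux"` line pins a source tarball by URL only, so pip downloads and builds it with no integrity check, and hash-checking mode (`--require-hashes`) would reject every requirements file this script produces. Since this `echo` is what writes the line into requirements.txt, requirements-docs.txt and requirements-devel.txt (the hunks above), adding the digest here fixes all three: `echo 'python-apt @ https://launchpad.net/ubuntu/+archive/primary/+sourcefiles/python-apt/2.4.0ubuntu1/python-apt_2.4.0ubuntu1.tar.xz ; sys.platform == "linux" --hash=sha256:<TARBALL-SHA256>' >> "$req_file"`, as pip accepts `--hash` on archive-URL requirements. The preceding `sed -i '/python-apt=*/d'` deletes any line containing `python-apt`, because `=*` also matches zero `=` characters; that is presumably intended here (it also clears the previously written URL line) but deserves a comment saying so. requirements_fixups starts before this hunk and continues past it.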