From 65fd9c00df196abf0e8293637a091844a4a2ae71 Mon Sep 17 00:00:00 2001 From: Songki Choi Date: Mon, 3 Jun 2024 15:57:52 +0900 Subject: [PATCH 1/7] Add Trivy code scan workflow --- .github/workflows/code_scan.yml | 40 +++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/workflows/code_scan.yml diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml new file mode 100644 index 00000000..344b69e2 --- /dev/null +++ b/.github/workflows/code_scan.yml @@ -0,0 +1,40 @@ +name: Code Scanning + +on: + push: + branches: + - releases/* + schedule: + # every UTC 6PM from Mon to Fri + - cron: "0 18 * * 1-5" + workflow_dispatch: # run on request (no need for PR) + +# Declare default permissions as read only. +permissions: read-all + +jobs: + Trivy-Scan: + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Set up Python + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + with: + python-version: "3.10" + - name: Install dependencies + run: | + pip install . + pip freeze > requirements.txt + - name: Trivy Scanning + uses: aquasecurity/trivy-action@0.20.0 + with: + scan-type: fs + scan-ref: requirements.txt + format: json + output: .tox/trivy-scan-result.spdx.json + - name: Upload Trivy results artifact + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: trivy-scan-results + path: .tox/trivy-scan-results.spdx.json From d50675b323fc64b182d397fc5a5cbdb8d1821b24 Mon Sep 17 00:00:00 2001 From: Songki Choi Date: Tue, 4 Jun 2024 10:41:47 +0900 Subject: [PATCH 2/7] Enable PR run --- .github/workflows/code_scan.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml index 344b69e2..335f5602 100644 --- a/.github/workflows/code_scan.yml +++ b/.github/workflows/code_scan.yml @@ -1,6 +1,11 @@ name: Code Scanning on: + pull_request: + types: + - opened + - reopened + - synchronize push: branches: - releases/* From efda5d3a63d48fb4565b9737b462e9fa73c6b7c9 Mon Sep 17 00:00:00 2001 From: Songki Choi Date: Tue, 4 Jun 2024 10:45:38 +0900 Subject: [PATCH 3/7] Fix trivy output --- .github/workflows/code_scan.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml index 335f5602..f7fda451 100644 --- a/.github/workflows/code_scan.yml +++ b/.github/workflows/code_scan.yml @@ -31,15 +31,15 @@ jobs: run: | pip install . pip freeze > requirements.txt - - name: Trivy Scanning + - name: Run Trivy scan uses: aquasecurity/trivy-action@0.20.0 with: scan-type: fs scan-ref: requirements.txt - format: json - output: .tox/trivy-scan-result.spdx.json - - name: Upload Trivy results artifact + format: spdx-json + output: trivy-scan-results.spdx.json + - name: Upload Trivy scan results uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: trivy-scan-results - path: .tox/trivy-scan-results.spdx.json + path: trivy-scan-results.spdx.json From 91ea89cc04d000589768232b78cae77356c40d41 Mon Sep 17 00:00:00 2001 From: Songki Choi Date: Tue, 4 Jun 2024 10:57:19 +0900 Subject: [PATCH 4/7] Add security scan --- .github/workflows/code_scan.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml index f7fda451..6879ccb2 100644 --- a/.github/workflows/code_scan.yml +++ b/.github/workflows/code_scan.yml @@ -31,7 +31,13 @@ jobs: run: | pip install . pip freeze > requirements.txt - - name: Run Trivy scan + - name: Run Trivy security scan + uses: aquasecurity/trivy-action@0.20.0 + with: + scan-type: fs + scan-ref: requirements.txt + output: trivy-scan-results.txt + - name: Run Trivy spdx scan uses: aquasecurity/trivy-action@0.20.0 with: scan-type: fs @@ -42,4 +48,4 @@ jobs: uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: trivy-scan-results - path: trivy-scan-results.spdx.json + path: trivy-scan-results.* From 554d46eddcd92fb51fa4e53559b7f99072faec39 Mon Sep 17 00:00:00 2001 From: Songki Choi Date: Tue, 4 Jun 2024 11:18:18 +0900 Subject: [PATCH 5/7] Add Bandit scanning --- .ci/ipas_default.config | 409 ++++++++++++++++++++++++++++++++ .github/workflows/code_scan.yml | 25 +- 2 files changed, 433 insertions(+), 1 deletion(-) create mode 100644 .ci/ipas_default.config diff --git a/.ci/ipas_default.config b/.ci/ipas_default.config new file mode 100644 index 00000000..bdb8fefb --- /dev/null +++ b/.ci/ipas_default.config @@ -0,0 +1,409 @@ + +### Bandit config file generated from: +# './bandit/bandit/cli/config_generator.py --out ipas_default.config' + +### This config may optionally select a subset of tests to run or skip by +### filling out the 'tests' and 'skips' lists given below. If no tests are +### specified for inclusion then it is assumed all tests are desired. The skips +### set will remove specific tests from the include set. This can be controlled +### using the -t/-s CLI options. Note that the same test ID should not appear +### in both 'tests' and 'skips', this would be nonsensical and is detected by +### Bandit at runtime. + +# Available tests: +# B101 : assert_used +# B102 : exec_used +# B103 : set_bad_file_permissions +# B104 : hardcoded_bind_all_interfaces +# B105 : hardcoded_password_string +# B106 : hardcoded_password_funcarg +# B107 : hardcoded_password_default +# B108 : hardcoded_tmp_directory +# B110 : try_except_pass +# B112 : try_except_continue +# B201 : flask_debug_true +# B301 : pickle +# B302 : marshal +# B303 : md5 +# B304 : ciphers +# B305 : cipher_modes +# B306 : mktemp_q +# B307 : eval +# B308 : mark_safe +# B310 : urllib_urlopen +# B311 : random +# B312 : telnetlib +# B313 : xml_bad_cElementTree +# B314 : xml_bad_ElementTree +# B315 : xml_bad_expatreader +# B316 : xml_bad_expatbuilder +# B317 : xml_bad_sax +# B318 : xml_bad_minidom +# B319 : xml_bad_pulldom +# B320 : xml_bad_etree +# B321 : ftplib +# B323 : unverified_context +# B324 : hashlib_new_insecure_functions +# B401 : import_telnetlib +# B402 : import_ftplib +# B403 : import_pickle +# B404 : import_subprocess +# B405 : import_xml_etree +# B406 : import_xml_sax +# B407 : import_xml_expat +# B408 : import_xml_minidom +# B409 : import_xml_pulldom +# B410 : import_lxml +# B411 : import_xmlrpclib +# B412 : import_httpoxy +# B413 : import_pycrypto +# B501 : request_with_no_cert_validation +# B502 : ssl_with_bad_version +# B503 : ssl_with_bad_defaults +# B504 : ssl_with_no_version +# B505 : weak_cryptographic_key +# B506 : yaml_load +# B507 : ssh_no_host_key_verification +# B601 : paramiko_calls +# B602 : subprocess_popen_with_shell_equals_true +# B603 : subprocess_without_shell_equals_true +# B604 : any_other_function_with_shell_equals_true +# B605 : start_process_with_a_shell +# B606 : start_process_with_no_shell +# B607 : start_process_with_partial_path +# B608 : hardcoded_sql_expressions +# B609 : linux_commands_wildcard_injection +# B610 : django_extra_used +# B611 : django_rawsql_used +# B701 : jinja2_autoescape_false +# B702 : use_of_mako_templates +# B703 : django_mark_safe + +# (optional) list included test IDs here, eg '[B101, B406]': +# IPAS Required Checkers. Do not disable these +# Additional checkers may be added if desired +tests: + [ 'B301', 'B302', 'B303', 'B304', 'B305', 'B306', 'B308', 'B310', 'B311', 'B312', 'B313', 'B314', 'B315', 'B316', 'B317', 'B318', 'B319', 'B320', 'B321', 'B323', 'B324', 'B401', 'B402', 'B403', 'B404', 'B405', 'B406', 'B407', 'B408', 'B409', 'B410', 'B411', 'B412', 'B413'] + +# (optional) list skipped test IDs here, eg '[B101, B406]': +# The following checkers are not required but be added to tests list if desired +skips: + [ 'B101', 'B102', 'B103', 'B104', 'B105', 'B106', 'B107', 'B108', 'B110', 'B112', 'B201', 'B501', 'B502', 'B503', 'B504', 'B505', 'B506', 'B507', 'B601', 'B602', 'B603', 'B604', 'B605', 'B606', 'B607', 'B608', 'B609', 'B610', 'B611', 'B701', 'B702', 'B703'] + + +# Added to exclude some path which are not actual source code for this project +exclude_dirs: [ + '.tox/', + '.vscode/', + '.git/', + 'build/', +] + +### (optional) plugin settings - some test plugins require configuration data +### that may be given here, per-plugin. All bandit test plugins have a built in +### set of sensible defaults and these will be used if no configuration is +### provided. It is not necessary to provide settings for every (or any) plugin +### if the defaults are acceptable. + +any_other_function_with_shell_equals_true: + no_shell: + - os.execl + - os.execle + - os.execlp + - os.execlpe + - os.execv + - os.execve + - os.execvp + - os.execvpe + - os.spawnl + - os.spawnle + - os.spawnlp + - os.spawnlpe + - os.spawnv + - os.spawnve + - os.spawnvp + - os.spawnvpe + - os.startfile + shell: + - os.system + - os.popen + - os.popen2 + - os.popen3 + - os.popen4 + - popen2.popen2 + - popen2.popen3 + - popen2.popen4 + - popen2.Popen3 + - popen2.Popen4 + - commands.getoutput + - commands.getstatusoutput + subprocess: + - subprocess.Popen + - subprocess.call + - subprocess.check_call + - subprocess.check_output + - subprocess.run +assert_used: + skips: [] +hardcoded_tmp_directory: + tmp_dirs: + - /tmp + - /var/tmp + - /dev/shm +linux_commands_wildcard_injection: + no_shell: + - os.execl + - os.execle + - os.execlp + - os.execlpe + - os.execv + - os.execve + - os.execvp + - os.execvpe + - os.spawnl + - os.spawnle + - os.spawnlp + - os.spawnlpe + - os.spawnv + - os.spawnve + - os.spawnvp + - os.spawnvpe + - os.startfile + shell: + - os.system + - os.popen + - os.popen2 + - os.popen3 + - os.popen4 + - popen2.popen2 + - popen2.popen3 + - popen2.popen4 + - popen2.Popen3 + - popen2.Popen4 + - commands.getoutput + - commands.getstatusoutput + subprocess: + - subprocess.Popen + - subprocess.call + - subprocess.check_call + - subprocess.check_output + - subprocess.run +ssl_with_bad_defaults: + bad_protocol_versions: + - PROTOCOL_SSLv2 + - SSLv2_METHOD + - SSLv23_METHOD + - PROTOCOL_SSLv3 + - PROTOCOL_TLSv1 + - SSLv3_METHOD + - TLSv1_METHOD +ssl_with_bad_version: + bad_protocol_versions: + - PROTOCOL_SSLv2 + - SSLv2_METHOD + - SSLv23_METHOD + - PROTOCOL_SSLv3 + - PROTOCOL_TLSv1 + - SSLv3_METHOD + - TLSv1_METHOD +start_process_with_a_shell: + no_shell: + - os.execl + - os.execle + - os.execlp + - os.execlpe + - os.execv + - os.execve + - os.execvp + - os.execvpe + - os.spawnl + - os.spawnle + - os.spawnlp + - os.spawnlpe + - os.spawnv + - os.spawnve + - os.spawnvp + - os.spawnvpe + - os.startfile + shell: + - os.system + - os.popen + - os.popen2 + - os.popen3 + - os.popen4 + - popen2.popen2 + - popen2.popen3 + - popen2.popen4 + - popen2.Popen3 + - popen2.Popen4 + - commands.getoutput + - commands.getstatusoutput + subprocess: + - subprocess.Popen + - subprocess.call + - subprocess.check_call + - subprocess.check_output + - subprocess.run +start_process_with_no_shell: + no_shell: + - os.execl + - os.execle + - os.execlp + - os.execlpe + - os.execv + - os.execve + - os.execvp + - os.execvpe + - os.spawnl + - os.spawnle + - os.spawnlp + - os.spawnlpe + - os.spawnv + - os.spawnve + - os.spawnvp + - os.spawnvpe + - os.startfile + shell: + - os.system + - os.popen + - os.popen2 + - os.popen3 + - os.popen4 + - popen2.popen2 + - popen2.popen3 + - popen2.popen4 + - popen2.Popen3 + - popen2.Popen4 + - commands.getoutput + - commands.getstatusoutput + subprocess: + - subprocess.Popen + - subprocess.call + - subprocess.check_call + - subprocess.check_output + - subprocess.run +start_process_with_partial_path: + no_shell: + - os.execl + - os.execle + - os.execlp + - os.execlpe + - os.execv + - os.execve + - os.execvp + - os.execvpe + - os.spawnl + - os.spawnle + - os.spawnlp + - os.spawnlpe + - os.spawnv + - os.spawnve + - os.spawnvp + - os.spawnvpe + - os.startfile + shell: + - os.system + - os.popen + - os.popen2 + - os.popen3 + - os.popen4 + - popen2.popen2 + - popen2.popen3 + - popen2.popen4 + - popen2.Popen3 + - popen2.Popen4 + - commands.getoutput + - commands.getstatusoutput + subprocess: + - subprocess.Popen + - subprocess.call + - subprocess.check_call + - subprocess.check_output + - subprocess.run +subprocess_popen_with_shell_equals_true: + no_shell: + - os.execl + - os.execle + - os.execlp + - os.execlpe + - os.execv + - os.execve + - os.execvp + - os.execvpe + - os.spawnl + - os.spawnle + - os.spawnlp + - os.spawnlpe + - os.spawnv + - os.spawnve + - os.spawnvp + - os.spawnvpe + - os.startfile + shell: + - os.system + - os.popen + - os.popen2 + - os.popen3 + - os.popen4 + - popen2.popen2 + - popen2.popen3 + - popen2.popen4 + - popen2.Popen3 + - popen2.Popen4 + - commands.getoutput + - commands.getstatusoutput + subprocess: + - subprocess.Popen + - subprocess.call + - subprocess.check_call + - subprocess.check_output + - subprocess.run +subprocess_without_shell_equals_true: + no_shell: + - os.execl + - os.execle + - os.execlp + - os.execlpe + - os.execv + - os.execve + - os.execvp + - os.execvpe + - os.spawnl + - os.spawnle + - os.spawnlp + - os.spawnlpe + - os.spawnv + - os.spawnve + - os.spawnvp + - os.spawnvpe + - os.startfile + shell: + - os.system + - os.popen + - os.popen2 + - os.popen3 + - os.popen4 + - popen2.popen2 + - popen2.popen3 + - popen2.popen4 + - popen2.Popen3 + - popen2.Popen4 + - commands.getoutput + - commands.getstatusoutput + subprocess: + - subprocess.Popen + - subprocess.call + - subprocess.check_call + - subprocess.check_output + - subprocess.run +try_except_continue: + check_typed_exception: false +try_except_pass: + check_typed_exception: false +weak_cryptographic_key: + weak_key_size_dsa_high: 1024 + weak_key_size_dsa_medium: 2048 + weak_key_size_ec_high: 160 + weak_key_size_ec_medium: 224 + weak_key_size_rsa_high: 1024 + weak_key_size_rsa_medium: 2048 diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml index 6879ccb2..aacd4ec9 100644 --- a/.github/workflows/code_scan.yml +++ b/.github/workflows/code_scan.yml @@ -19,7 +19,7 @@ permissions: read-all jobs: Trivy-Scan: - runs-on: ubuntu-20.04 + runs-on: ubuntu-22.04 steps: - name: Checkout code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -49,3 +49,26 @@ jobs: with: name: trivy-scan-results path: trivy-scan-results.* + # Use always() to always run this step to publish scan results when there are test failures + if: ${{ always() }} + + Bandit-Scan: + runs-on: ubuntu-22.04 + steps: + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Set up Python + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 + with: + python-version: "3.10" + - name: Install dependencies + run: pip install bandit + - name: Bandit Scanning + run: bandit -r -c .ci/ipas_default.config . -f txt -o bandit-scan-results.txt + - name: Upload Bandit artifact + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: bandit-scan-results + path: bandit-scan-results.txt + # Use always() to always run this step to publish scan results when there are test failures + if: ${{ always() }} From 4c2c290d9c43b0bb8d30d10e2e7e26d54f3aa0c0 Mon Sep 17 00:00:00 2001 From: Songki Choi Date: Tue, 4 Jun 2024 11:24:22 +0900 Subject: [PATCH 6/7] Fix bandit issue --- openvino_xai/common/utils.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openvino_xai/common/utils.py b/openvino_xai/common/utils.py index fc13e045..c6d5c50d 100644 --- a/openvino_xai/common/utils.py +++ b/openvino_xai/common/utils.py @@ -39,6 +39,7 @@ def has_xai(model: ov.Model) -> bool: return False +# Not a part of product def retrieve_otx_model(data_dir: str | Path, model_name: str, dir_url=None) -> None: destination_folder = Path(data_dir) / "otx_models" os.makedirs(destination_folder, exist_ok=True) @@ -50,7 +51,7 @@ def retrieve_otx_model(data_dir: str | Path, model_name: str, dir_url=None) -> N for post_fix in ["xml", "bin"]: if not os.path.isfile(os.path.join(destination_folder, model_name + f".{post_fix}")): - urlretrieve( + urlretrieve( # nosec B310 f"{dir_url}/{snapshot_file}.{post_fix}", f"{destination_folder}/{model_name}.{post_fix}", ) From 429efcc104d31313708fde511192da42f1c08f00 Mon Sep 17 00:00:00 2001 From: Songki Choi Date: Tue, 4 Jun 2024 16:25:09 +0900 Subject: [PATCH 7/7] Rename code scan workflow --- .github/workflows/code_scan.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.github/workflows/code_scan.yml b/.github/workflows/code_scan.yml index aacd4ec9..119f9362 100644 --- a/.github/workflows/code_scan.yml +++ b/.github/workflows/code_scan.yml @@ -1,17 +1,9 @@ -name: Code Scanning +name: Security Code Scan on: - pull_request: - types: - - opened - - reopened - - synchronize push: branches: - releases/* - schedule: - # every UTC 6PM from Mon to Fri - - cron: "0 18 * * 1-5" workflow_dispatch: # run on request (no need for PR) # Declare default permissions as read only.