Poc bandit #7284

Merged
merged 22 commits into from
Dec 10, 2020
Changes from 12 commits
2 changes: 2 additions & 0 deletions .github/change_filters.yml
@@ -1,12 +1,14 @@
backend:
- 'pyproject.toml'
- 'poetry.lock'
- 'rasa/**/*'
- 'tests/**/*'
- 'data/**/*'
- 'examples/**/*'

docker:
- 'pyproject.toml'
- 'poetry.lock'
- 'rasa/**/*'
- 'docker/**/*'

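Review bot: the `backend` filter in this hunk is what gates the new Bandit job (its steps are guarded by `if: needs.changes.outputs.backend == 'true'`), yet neither `bandit.yml` nor `Makefile` appears in its path list. A pull request that only edits the Bandit skip list or the `lint-security` recipe would therefore skip the very scan whose behaviour it changes; add `- 'bandit.yml'` and `- 'Makefile'` to `backend` (or introduce a dedicated filter for them) so those changes are exercised.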
4 changes: 4 additions & 0 deletions .github/workflows/continous-integration.yml
@@ -52,6 +52,7 @@ jobs:

steps:
- name: Checkout git repository 🕝
if: needs.changes.outputs.docs == 'true'
uses: actions/checkout@v2

- name: Set up Python 3.7 🐍
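Review bot: the new `if:` guard is attached to the checkout step only, as far as this hunk shows; unless every later step of the job (`Set up Python 3.7` onward) carries the same condition, those steps will run against an empty workspace whenever the filter is false. A job-level `if: needs.changes.outputs.docs == 'true'` states the intent once and cannot be forgotten on a newly added step; the same applies to the three hunks below this one (`backend`, `backend`, `docker`).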
@@ -118,6 +119,7 @@ jobs:

steps:
- name: Checkout git repository 🕝
if: needs.changes.outputs.backend == 'true'
uses: actions/checkout@v2

- name: Set up Python 3.7 🐍
@@ -192,6 +194,7 @@ jobs:

steps:
- name: Checkout git repository 🕝
if: needs.changes.outputs.backend == 'true'
uses: actions/checkout@v2

- name: Set up Python ${{ matrix.python-version }} 🐍
@@ -290,6 +293,7 @@ jobs:

steps:
- name: Checkout git repository 🕝
if: needs.changes.outputs.docker == 'true'
uses: actions/checkout@v2

- name: Free disk space
47 changes: 47 additions & 0 deletions .github/workflows/security-scans.yml
@@ -5,6 +5,21 @@ on:
types: [opened, synchronize, labeled]

jobs:
changes:
name: Check for file changes
runs-on: ubuntu-latest
outputs:
backend: ${{ steps.filter.outputs.backend }}
docker: ${{ steps.filter.outputs.docker }}
docs: ${{ steps.filter.outputs.docs }}
steps:
- uses: actions/checkout@v2
- uses: RasaHQ/pr-changed-files-filter@c4f7116a04b8a4596313469429e2ad235f59d9c4
id: filter
with:
token: ${{ secrets.GITHUB_TOKEN }}
filters: .github/change_filters.yml

cleanup_runs:
name: Cancel old branch builds
runs-on: ubuntu-latest
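Review bot: pinning `RasaHQ/pr-changed-files-filter` to a full commit SHA is the right call for a step that receives `secrets.GITHUB_TOKEN` (a mutable tag can be moved to different code after review); add a trailing comment with the release tag that SHA corresponds to, so the pin can be audited and bumped deliberately. For consistency, `actions/checkout@v2` two lines above is still tag-pinned and could be pinned the same way.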
@@ -27,3 +42,35 @@ jobs:

- name: Gitleaks - detecting hardcoded secrets
uses: zricethezav/gitleaks-action@v1.1.4

bandit:
name: Detect python security issues
runs-on: ubuntu-latest
needs: [changes]

steps:
- name: Checkout git repository 🕝
if: needs.changes.outputs.backend == 'true'
uses: actions/checkout@v2

- name: Set up Python 3.7 🐍
if: needs.changes.outputs.backend == 'true'
uses: actions/setup-python@v1
with:
python-version: 3.7

- name: Read Poetry Version 🔢
if: needs.changes.outputs.backend == 'true'
run: |
echo "POETRY_VERSION=$(scripts/poetry-version.sh)" >> $GITHUB_ENV
shell: bash

- name: Install poetry 🦄
if: needs.changes.outputs.backend == 'true'
uses: Gr1N/setup-poetry@v4
with:
poetry-version: ${{ env.POETRY_VERSION }}

- name: Run Bandit 🔪
if: needs.changes.outputs.backend == 'true'
run: make lint-security
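Review bot: with `needs: [changes]` already declared, a single job-level `if: needs.changes.outputs.backend == 'true'` would replace the five identical step-level conditions and report the job as skipped rather than as an empty success. Note also that `Run Bandit` only invokes `make lint-security` and no step runs `poetry install` first, so the job relies on `poetry run pip install` both creating the virtualenv on demand and adding Bandit to it outside of `poetry.lock`; installing Bandit as a locked dev dependency and running `poetry install` here would make the scanner version reproducible.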
8 changes: 8 additions & 0 deletions Makefile
@@ -18,6 +18,8 @@ help:
@echo " Check docstring conventions in changed files."
@echo " types"
@echo " Check for type errors using mypy."
@echo " static-checks"
@echo " Run all python static checks."
@echo " prepare-tests-ubuntu"
@echo " Install system requirements for running tests on Ubuntu and Debian based systems."
@echo " prepare-tests-macos"
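Review bot: the help text gains `static-checks` but no entry for the new `lint-security` target that it aggregates; add an `@echo " lint-security"` line with a one-line description (mentioning that Bandit is run and that only medium-and-above findings are reported) so `make help` lists every target. Minor: "python" in "Run all python static checks." should be capitalised like the other entries.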
@@ -79,6 +81,10 @@ endif
# Diff of uncommitted changes for running locally
git diff HEAD -- rasa | poetry run flake8 --select D --diff

lint-security:
poetry run pip install bandit\>=1.6.2,\<2.0
poetry run bandit -ll -ii -r --config bandit.yml rasa/*

types:
# FIXME: working our way towards removing these
# see https://github.com/RasaHQ/rasa/pull/6470
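Review bot: `poetry run pip install bandit\>=1.6.2,\<2.0` installs an unpinned version range into the project virtualenv every time the target runs, bypassing `poetry.lock` even though this PR touches the lock file; declaring Bandit as a dev dependency and relying on `poetry install` keeps the scanner version reproducible and reviewable. Quoting the requirement (`'bandit>=1.6.2,<2.0'`) reads better than backslash-escaping the redirection characters. Separately, `-ll -ii` suppresses every low-severity and low-confidence finding; a comment next to the target should say so, so that a green run is not read as "no findings".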
@@ -103,6 +109,8 @@ types:
--disable-error-code no-redef \
--disable-error-code func-returns-value

static-checks: lint lint-security types

prepare-tests-files:
poetry install -E spacy
poetry run python -m spacy download en_core_web_md
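Review bot: `static-checks: lint lint-security types` makes `lint-security`, which mutates the virtualenv via `pip install`, a sibling of `lint` and `types`; under `make -j` the three prerequisites run concurrently and the install can race the other checks. If the targets are meant to be independent, install Bandit up front (ideally via the lock file) rather than inside a target that is run alongside others.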
1 change: 1 addition & 0 deletions bandit.yml
@@ -0,0 +1 @@
skips: ['B322', 'B104', 'B301', 'B303']
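Review bot: a bare `skips` list disables each check repository-wide with no record of why, so every ID here should carry a justification comment. `B301` (pickle deserialisation) and `B303` (insecure hash functions such as MD5 and SHA-1) are exactly the classes of finding a scan like this is added to surface; prefer a per-site `# nosec B301` with a reason at the call sites that have been reviewed, and keep the global list to checks whose findings have been examined and explained (`B104` bind-to-all-interfaces, `B322` Python 2 `input()`).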
2 changes: 2 additions & 0 deletions changelog/7284.improvement.md
@@ -0,0 +1,2 @@
Run [`bandit`](https://bandit.readthedocs.io/en/latest/) checks on pull requests.
Introduce `make static-checks` command to run all static checks locally.
71 changes: 44 additions & 27 deletions poetry.lock


4 changes: 3 additions & 1 deletion rasa/core/tracker_store.py
@@ -935,7 +935,9 @@ def _create_database(engine: "Engine", db: Text):

cursor = conn.connection.cursor()
cursor.execute("COMMIT")
cursor.execute(f"SELECT 1 FROM pg_catalog.pg_database WHERE datname = '{db}'")
cursor.execute(
"SELECT 1 FROM pg_catalog.pg_database WHERE datname = ?", (db,) # nosec
)
exists = cursor.fetchone()
if not exists:
try:
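Review bot: the `?` placeholder on the `SELECT 1 FROM pg_catalog.pg_database` line is the `qmark` DB-API paramstyle used by sqlite3, but this statement targets PostgreSQL through a raw driver cursor from `conn.connection.cursor()`, and the PostgreSQL drivers (psycopg2, pg8000) use `%s`; as written the call fails at runtime instead of reporting whether the database exists. Use `"... WHERE datname = %s", (db,)` for those drivers, or run the statement through SQLAlchemy's `text()` with a named bind parameter so the placeholder syntax is driver-independent. Replacing the f-string with a bound parameter is the right fix for the injection finding, and once it is parameterised the `# nosec` marker should no longer be needed; if Bandit still reports the line, narrow the marker to the specific test (`# nosec B608`) so unrelated future findings on that line are not silenced.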