From 015c9b5d157f0569b17da58473778d3952cbdb5c Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 14:20:36 +0000 Subject: [PATCH 01/17] codeql settings update --- .github/workflows/codeql.yaml | 36 +++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 27a904f944..825a014cc4 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -12,20 +12,13 @@ name: "CodeQL" on: - push: - branches: - - develop - - releases/** + workflow_dispatch: # run on request (no need for PR) pull_request: types: - opened - reopened - synchronize - schedule: - - cron: "0 0 * * 0" -permissions: - contents: read jobs: analyze: @@ -35,20 +28,20 @@ jobs: # - https://gh.io/supported-runners-and-hardware-resources # - https://gh.io/using-larger-runners # Consider using larger runners for possible analysis time improvements. - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 timeout-minutes: 60 permissions: # required for all workflows security-events: write - # only required for workflows in private repositories - actions: read - contents: read - strategy: fail-fast: false matrix: - language: ["python"] + language: + - language: python + build-mode: none + - language: actions # to scan workflows + build-mode: none # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both 
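Review bot: Deleting the workflow-level `permissions: contents: read` block just above `jobs:` removes the file's least-privilege default, so any job added to this file later without its own `permissions` runs with the repository's default GITHUB_TOKEN grant, which may still be the permissive write-all setting on older repositories; the `analyze` job itself stays scoped by its own block. Keep a top-level block and let jobs widen it, e.g. `permissions:` followed by `  contents: read` (or `permissions: {}`). Removing `actions: read` and `contents: read` from the job is consistent with the deleted comment that they are only needed for private repositories, but if visibility ever changes the checkout will start failing, so a one-line comment recording that assumption (`# public repo: checkout needs no contents permission`) is worth keeping.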
@@ -74,13 +67,24 @@ jobs: uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: category: "/language:${{matrix.language}}" + - name: Generate Security Report uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 with: template: report token: ${{ secrets.GITHUB_TOKEN }} + outputDir: codeql-${{ matrix.language }} + + - name: Rename Report + shell: bash + continue-on-error: true + run: | + cd codeql-${{ matrix.language }} + mv "report.pdf" "codeql-${{ matrix.language }}.pdf" + - name: GitHub Upload Release Artifacts uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: - name: codeql-report - path: "./report.pdf" + name: codeql-${{ matrix.language }}-results + path: codeql-${{ matrix.language }}/*.pdf + retention-days: 7 From 65885566316ab0aac58ed4c6654b995816b450da Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 14:24:25 +0000 Subject: [PATCH 02/17] codeql fix --- .github/workflows/codeql.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 825a014cc4..1987c805aa 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -37,7 +37,7 @@ jobs: strategy: fail-fast: false matrix: - language: + include: - language: python build-mode: none - language: actions # to scan workflows @@ -56,6 +56,7 @@ jobs: uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. From 0c5c08b462b3c907651c079cc9f98e590f20343b Mon Sep 17 00:00:00 2001 
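Review bot: The PDF that `rsdmike/github-security-report-action` writes into `codeql-${{ matrix.language }}` and that the renamed `GitHub Upload Release Artifacts` step publishes is a summary of the repository's code scanning alerts, and workflow artifacts can be downloaded by anyone with read access; if this repository is public, that exposes open findings which the Security tab otherwise shows only to collaborators. Consider not generating or uploading the report on `pull_request` runs, or confirm explicitly that the alert list is acceptable to publish. Separately, `continue-on-error: true` on `Rename Report` combined with upload-artifact's default `if-no-files-found: warn` means a missing `report.pdf` passes silently; add `if-no-files-found: error` under the upload step's `with:` so a broken report generation is noticed.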
From: Barabanov Date: Wed, 15 Jan 2025 14:44:19 +0000 Subject: [PATCH 03/17] update trivy --- .ci/trivy.yaml | 3 ++- .github/workflows/code_scan.yaml | 22 +++++++++++++++++----- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/.ci/trivy.yaml b/.ci/trivy.yaml index c576d56bca..b19c9168b9 100644 --- a/.ci/trivy.yaml +++ b/.ci/trivy.yaml @@ -5,8 +5,9 @@ scan: scanners: - vuln - secret + - misconfig slow: false -severity: MEDIUM,HIGH,CRITICAL +severity: LOW,MEDIUM,HIGH,CRITICAL exit-code: 1 vulnerability: ignore-unfixed: false diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml index ad66b1d55a..5f47bc7664 100644 --- a/.github/workflows/code_scan.yaml +++ b/.github/workflows/code_scan.yaml @@ -11,11 +11,11 @@ on: - cron: "0 18 * * 1-5" # Declare default permissions as read only. -permissions: read-all +permissions: {} jobs: - Trivy-scan: - runs-on: ubuntu-latest + Trivy: + runs-on: ubuntu-22.04 steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
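Review bot: `permissions: {}` is a sound default, but the `Trivy` and `Bandit` jobs under it declare no `permissions` of their own, so their GITHUB_TOKEN carries no scopes at all and `actions/checkout` presumably only succeeds because the repository is public. Add `permissions:` with `  contents: read` to each job that checks out code so the intent is explicit and the workflow keeps working if repository visibility changes. The surviving context comment `# Declare default permissions as read only.` no longer describes `{}`; reword it to `# No default token permissions; each job declares what it needs.`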
@@ -27,27 +27,38 @@ jobs: run: python -m pip install --require-hashes --no-deps -r .ci/requirements.txt - name: Freeze dependencies run: pip-compile --extra=docs,base,mmlab,anomaly -o requirements.txt pyproject.toml + - name: Trivy Scanning (spdx.json) uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 with: trivy-config: ".ci/trivy-json.yaml" scan-type: "fs" scan-ref: . + - name: Trivy Scanning uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 with: trivy-config: ".ci/trivy.yaml" scan-type: "fs" scan-ref: . + - name: Upload Trivy results artifact uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: trivy-results path: "${{ github.workspace }}/trivy-results.*" + retention-days: 7 # Use always() to always run this step to publish scan results when there are test failures if: ${{ always() }} + - name: Upload deps list + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + with: + name: python-deps-list + path: '${{ github.workspace }}/requirements.txt' + retention-days: 7 + Bandit: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -66,7 +77,8 @@ jobs: - name: Upload Bandit artifact uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: - name: bandit-report + name: bandit-results path: .tox/bandit-report.txt + retention-days: 7 # Use always() to always run this step to publish scan results when there are test failures if: ${{ always() }} From 601a9a655b39a1bed1a4e24008f145f8d41bd79a Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 14:52:10 +0000 Subject: [PATCH 04/17] update bandit --- tox.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tox.ini b/tox.ini index 7aa0fa1ad5..0bc79062cd 100644 --- a/tox.ini +++ b/tox.ini 
@@ -99,7 +99,7 @@ deps = allowlist_externals = bandit commands = - - bandit -r -c .ci/ipas_default.config {toxinidir}/ -f txt -o {toxworkdir}/bandit-report.txt + - bandit -r -c .ci/ipas_default.config {toxinidir}/ -f html -o {toxworkdir}/bandit-report.html . [testenv:fuzzing] From b60c9f36474317272647e7a51f681766133db00c Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 14:55:10 +0000 Subject: [PATCH 05/17] trivy fix --- .github/workflows/code_scan.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml index 5f47bc7664..a56dd3567d 100644 --- a/.github/workflows/code_scan.yaml +++ b/.github/workflows/code_scan.yaml @@ -31,9 +31,10 @@ jobs: - name: Trivy Scanning (spdx.json) uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 with: - trivy-config: ".ci/trivy-json.yaml" - scan-type: "fs" + scan-type: fs scan-ref: . + format: spdx-json + output: trivy-results.spdx.json - name: Trivy Scanning uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 @@ -41,7 +42,8 @@ jobs: trivy-config: ".ci/trivy.yaml" scan-type: "fs" scan-ref: . - + skip-setup-trivy: true + - name: Upload Trivy results artifact uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: @@ -78,7 +80,7 @@ jobs: uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: bandit-results - path: .tox/bandit-report.txt + path: .tox/bandit-report.html retention-days: 7 # Use always() to always run this step to publish scan results when there are test failures if: ${{ always() }} From cc9c166cae51cab73423fcd20f0854b320311c9e Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 15:04:27 +0000 Subject: [PATCH 06/17] trivy fix --- .github/workflows/code_scan.yaml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml index a56dd3567d..1e1192d54c 100644 --- a/.github/workflows/code_scan.yaml +++ b/.github/workflows/code_scan.yaml @@ -36,12 +36,14 @@ jobs: format: spdx-json output: trivy-results.spdx.json - - name: Trivy Scanning - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 + - name: Run Trivy Scan (dockerfile and secrets) + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 + if: always() with: - trivy-config: ".ci/trivy.yaml" - scan-type: "fs" + scan-type: fs scan-ref: . + scanners: misconfig,secret,vuln + output: trivy-results-misconfig.txt skip-setup-trivy: true - name: Upload Trivy results artifact @@ -52,8 +54,10 @@ jobs: retention-days: 7 # Use always() to always run this step to publish scan results when there are test failures if: ${{ always() }} + - name: Upload deps list uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + if: always() with: name: python-deps-list path: '${{ github.workspace }}/requirements.txt' From 8b344238435845890f8df3c8bef460c9559634d1 Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 15:24:53 +0000 Subject: [PATCH 07/17] trivy fix --- .github/workflows/code_scan.yaml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml index 1e1192d54c..354bac5980 100644 --- a/.github/workflows/code_scan.yaml +++ b/.github/workflows/code_scan.yaml 
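Review bot: Dropping `trivy-config: ".ci/trivy.yaml"` from the renamed `Run Trivy Scan (dockerfile and secrets)` step also drops the `exit-code: 1` and `severity` settings that file carries (see the `.ci/trivy.yaml` hunk earlier in this series), and trivy-action does not set a non-zero exit code unless asked, so a detected secret or misconfiguration no longer fails the `Trivy` job and only lands in `trivy-results-misconfig.txt`. Add `exit-code: "1"` (and `severity: MEDIUM,HIGH,CRITICAL` if the previous threshold is still wanted) under this step's `with:`, or point `trivy-config` back at the file. The `if: always()` on the same step makes the scan run even when checkout or `pip-compile` failed, i.e. against a partial workspace; that condition belongs on the upload steps, not on the scan.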
@@ -28,13 +28,21 @@ jobs: - name: Freeze dependencies run: pip-compile --extra=docs,base,mmlab,anomaly -o requirements.txt pyproject.toml + - name: Run Trivy Scan (vuln) + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 + with: + scan-type: fs + scan-ref: requirements.txt + scanners: vuln + output: trivy-results-vuln.txt + - name: Trivy Scanning (spdx.json) uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 with: scan-type: fs scan-ref: . format: spdx-json - output: trivy-results.spdx.json + output: trivy-results-spdx.json - name: Run Trivy Scan (dockerfile and secrets) uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 @@ -42,7 +50,7 @@ jobs: with: scan-type: fs scan-ref: . - scanners: misconfig,secret,vuln + scanners: misconfig,secret output: trivy-results-misconfig.txt skip-setup-trivy: true @@ -50,7 +58,7 @@ jobs: uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: trivy-results - path: "${{ github.workspace }}/trivy-results.*" + path: "${{ github.workspace }}/trivy-results-*" retention-days: 7 # Use always() to always run this step to publish scan results when there are test failures if: ${{ always() }} From bcfa234fa8a615ca3b01c0a7f631825d5d778738 Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 15:32:54 +0000 Subject: [PATCH 08/17] json output --- .github/workflows/code_scan.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml index 354bac5980..6a65fc1403 100644 --- a/.github/workflows/code_scan.yaml +++ b/.github/workflows/code_scan.yaml @@ -34,7 +34,8 @@ jobs: scan-type: fs scan-ref: requirements.txt scanners: vuln - output: trivy-results-vuln.txt + format: json + output: trivy-results-vuln.json - name: Trivy Scanning (spdx.json) uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 
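Review bot: The new `Run Trivy Scan (vuln)` step scans `requirements.txt` with no `exit-code`, `severity` or `ignore-unfixed` input and no `trivy-config`, so vulnerable pinned dependencies are written to `trivy-results-vuln.txt` but never fail the `Trivy` job, and as far as this file shows no remaining step references `.ci/trivy.yaml`, where those gates are defined. Add `trivy-config: .ci/trivy.yaml` under this step's `with:` (or `exit-code: "1"` plus `severity: MEDIUM,HIGH,CRITICAL` inline) so the policy the config file describes is actually enforced. A short comment above the step, `# vuln scan of the pip-compile lockfile; gate settings come from .ci/trivy.yaml`, would make the split between the three Trivy steps clear.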
@@ -46,7 +47,6 @@ jobs: - name: Run Trivy Scan (dockerfile and secrets) uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 - if: always() with: scan-type: fs scan-ref: . From 5e037f9d4f90cc6d98628cfbce525a409d642956 Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 15:39:06 +0000 Subject: [PATCH 09/17] trivy fix --- .github/workflows/code_scan.yaml | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml index 6a65fc1403..d59cf9b09d 100644 --- a/.github/workflows/code_scan.yaml +++ b/.github/workflows/code_scan.yaml @@ -34,16 +34,7 @@ jobs: scan-type: fs scan-ref: requirements.txt scanners: vuln - format: json - output: trivy-results-vuln.json - - - name: Trivy Scanning (spdx.json) - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 - with: - scan-type: fs - scan-ref: . - format: spdx-json - output: trivy-results-spdx.json + output: trivy-results-vuln.txt - name: Run Trivy Scan (dockerfile and secrets) uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 From 2dc8cb93d02bc37ad71d76bfeb72b437ea4c5411 Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 15:42:49 +0000 Subject: [PATCH 10/17] trivy spdx --- .github/workflows/code_scan.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml index d59cf9b09d..8ab941a2c4 100644 --- a/.github/workflows/code_scan.yaml +++ b/.github/workflows/code_scan.yaml 
@@ -45,6 +45,15 @@ jobs: output: trivy-results-misconfig.txt skip-setup-trivy: true + - name: Trivy Scanning (spdx) + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 + with: + scan-type: fs + scan-ref: . + format: spdx-json + output: trivy-results-spdx.json + skip-setup-trivy: true + - name: Upload Trivy results artifact uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: From 68dc05cef71a1ac2f8b3e2a301eedf6ac8333061 Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 15:48:21 +0000 Subject: [PATCH 11/17] codeql added --- .github/workflows/code_scan.yaml | 85 ++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml index 8ab941a2c4..fa80b29d5f 100644 --- a/.github/workflows/code_scan.yaml +++ b/.github/workflows/code_scan.yaml 
@@ -96,3 +96,88 @@ jobs: retention-days: 7 # Use always() to always run this step to publish scan results when there are test failures if: ${{ always() }} + + CodeQL: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-22.04 + permissions: + # required for all workflows + security-events: write + + strategy: + fail-fast: false + matrix: + include: + - language: python + build-mode: none + - language: actions # to scan workflows + build-mode: none + steps: + + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + with: + category: "/language:${{matrix.language}}" + + - name: Generate CodeQL Report + uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + template: report + outputDir: codeql-${{ matrix.language }} + + - name: Rename Report + shell: bash + continue-on-error: true + run: | + cd codeql-${{ matrix.language }} + mv "report.pdf" "codeql-${{ matrix.language }}.pdf" + + - name: Upload Report + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + with: + name: codeql-${{ matrix.language }}-results + path: codeql-${{ matrix.language }}/*.pdf + retention-days: 7 + + Summarize: + needs: [Trivy, Bandit, CodeQL] + if: always() + runs-on: ubuntu-22.04 + steps: + - name: Harden Runner + uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 + with: + egress-policy: audit + + # Create directory first + - name: Create results directory + run: mkdir -p all-results + + # Download artifacts with error handling 
+ - name: Download all results + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + continue-on-error: true # Don't fail if some tools didn't generate results + with: + pattern: "*-results" + merge-multiple: true + path: all-results + + # Only upload if there are files + - name: Upload combined results + if: hashFiles('all-results/**/*') != '' + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + with: + name: security-scan-results + path: all-results + retention-days: 7 \ No newline at end of file From 4dd4ed4f99211a7fa6bd0bdf21e8282be56ab9c0 Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 16:19:03 +0000 Subject: [PATCH 12/17] bandit update --- .github/workflows/code_scan.yaml | 9 ++------- tox.ini | 2 +- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml index fa80b29d5f..cd58c70279 100644 --- a/.github/workflows/code_scan.yaml +++ b/.github/workflows/code_scan.yaml @@ -10,7 +10,6 @@ on: # every UTC 6PM from Mon to Fri - cron: "0 18 * * 1-5" -# Declare default permissions as read only. permissions: {} jobs: @@ -92,7 +91,7 @@ jobs: uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: bandit-results - path: .tox/bandit-report.html + path: .tox/bandit-results.txt retention-days: 7 # Use always() to always run this step to publish scan results when there are test failures if: ${{ always() }} @@ -155,11 +154,7 @@ jobs: if: always() runs-on: ubuntu-22.04 steps: - - name: Harden Runner - uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3 - with: - egress-policy: audit - + # Create directory first - name: Create results directory run: mkdir -p all-results diff --git a/tox.ini b/tox.ini index 0bc79062cd..a4d8d7ac0d 100644 --- a/tox.ini +++ b/tox.ini 
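Review bot: The `CodeQL` job added here duplicates `.github/workflows/codeql.yaml` — same languages, same `build-mode`, the same `category: "/language:${{matrix.language}}"` — but pins `github/codeql-action` at v3.28.0 while `codeql.yaml` is at v3.27.9, so the two copies will drift, and if this workflow also fires on `pull_request` (its `on:` block is outside this hunk) every PR is analysed twice with two SARIF uploads to one category. Keep CodeQL in one place, or give this scheduled copy a distinct category such as `category: "/scheduled/language:${{ matrix.language }}"` and align the pins. In `Summarize`, `merge-multiple: true` on the download only works while the per-tool file names stay unique (`trivy-results-*`, `bandit-results.txt`, `codeql-*.pdf`); a comment next to `pattern:` stating that invariant, `# artifacts are merged into one dir: result file names must not collide across tools`, would protect the next person who adds a scanner.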
@@ -99,7 +99,7 @@ deps = allowlist_externals = bandit commands = - - bandit -r -c .ci/ipas_default.config {toxinidir}/ -f html -o {toxworkdir}/bandit-report.html . + - bandit -r -c .ci/ipas_default.config -f txt -o {toxworkdir}/bandit-results.txt . [testenv:fuzzing] From 9806bab17003749e86440340a04d85aec37b31ba Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 16:26:29 +0000 Subject: [PATCH 13/17] remove bandit B320 --- .ci/ipas_default.config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.ci/ipas_default.config b/.ci/ipas_default.config index 4bc8b481e3..457534264b 100644 --- a/.ci/ipas_default.config +++ b/.ci/ipas_default.config @@ -40,7 +40,7 @@ # B317 : xml_bad_sax # B318 : xml_bad_minidom # B319 : xml_bad_pulldom -# B320 : xml_bad_etree +# B320 : xml_bad_etree - removed https://github.com/PyCQA/bandit/commit/e4da0b351f89a82b5de8dd791cbdd963476b5a11 # B321 : ftplib # B323 : unverified_context # B324 : hashlib_new_insecure_functions @@ -83,7 +83,7 @@ # IPAS Required Checkers. Do not disable these # Additional checkers may be added if desired tests: - [ 'B301', 'B302', 'B303', 'B304', 'B305', 'B306', 'B308', 'B310', 'B311', 'B312', 'B313', 'B314', 'B315', 'B316', 'B317', 'B318', 'B319', 'B320', 'B321', 'B323', 'B324', 'B401', 'B402', 'B403', 'B404', 'B405', 'B406', 'B407', 'B408', 'B409', 'B410', 'B411', 'B412', 'B413'] + [ 'B301', 'B302', 'B303', 'B304', 'B305', 'B306', 'B308', 'B310', 'B311', 'B312', 'B313', 'B314', 'B315', 'B316', 'B317', 'B318', 'B319', 'B321', 'B323', 'B324', 'B401', 'B402', 'B403', 'B404', 'B405', 'B406', 'B407', 'B408', 'B409', 'B410', 'B411', 'B412', 'B413'] # (optional) list skipped test IDs here, eg '[B101, B406]': # The following checkers are not required but be added to tests list if desired From 7b3e4fa0fcfab554dc1341300a009312a060451b Mon Sep 17 00:00:00 2001 
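Review bot: The leading `-` kept on the rewritten `bandit` command tells tox to ignore bandit's exit status, so even HIGH-severity findings never fail the `Bandit` job, which still uploads `bandit-results.txt` and goes green; with `if: always()` already on the upload step, the prefix is not needed to preserve the artifact. Either drop the `-` so findings block the job, or document the decision directly above the command: `# '-' prefix: bandit is report-only here; findings are triaged from the uploaded artifact`. The enclosing testenv section header is outside the hunk.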
From: Barabanov Date: Wed, 15 Jan 2025 16:30:08 +0000 Subject: [PATCH 14/17] remove bandit B410 --- .ci/ipas_default.config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.ci/ipas_default.config b/.ci/ipas_default.config index 457534264b..95dd511397 100644 --- a/.ci/ipas_default.config +++ b/.ci/ipas_default.config @@ -53,7 +53,7 @@ # B407 : import_xml_expat # B408 : import_xml_minidom # B409 : import_xml_pulldom -# B410 : import_lxml +# B410 : import_lxml - removed https://github.com/PyCQA/bandit/commit/e4da0b351f89a82b5de8dd791cbdd963476b5a11 # B411 : import_xmlrpclib # B412 : import_httpoxy # B413 : import_pycrypto @@ -83,7 +83,7 @@ # IPAS Required Checkers. Do not disable these # Additional checkers may be added if desired tests: - [ 'B301', 'B302', 'B303', 'B304', 'B305', 'B306', 'B308', 'B310', 'B311', 'B312', 'B313', 'B314', 'B315', 'B316', 'B317', 'B318', 'B319', 'B321', 'B323', 'B324', 'B401', 'B402', 'B403', 'B404', 'B405', 'B406', 'B407', 'B408', 'B409', 'B410', 'B411', 'B412', 'B413'] + [ 'B301', 'B302', 'B303', 'B304', 'B305', 'B306', 'B308', 'B310', 'B311', 'B312', 'B313', 'B314', 'B315', 'B316', 'B317', 'B318', 'B319', 'B321', 'B323', 'B324', 'B401', 'B402', 'B403', 'B404', 'B405', 'B406', 'B407', 'B408', 'B409', 'B411', 'B412', 'B413'] # (optional) list skipped test IDs here, eg '[B101, B406]': # The following checkers are not required but be added to tests list if desired From d70043c171b4e8e050014e72f2ce4f16a6404942 Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 16:39:39 +0000 Subject: [PATCH 15/17] remove workflow_dispatch --- .github/workflows/codeql.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 1987c805aa..c6f613da6b 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -12,7 +12,6 @@ name: "CodeQL" on: - workflow_dispatch: # run on request (no need for PR) pull_request: types: - opened 
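Review bot: With `workflow_dispatch` removed, `codeql.yaml` is triggered only by `pull_request`, so nothing in this file ever analyses `develop` or `releases/**` themselves; code scanning's default-branch alert list and its "fixed" detection come from default-branch analyses, which will go stale unless the scheduled `CodeQL` job in `code_scan.yaml` is being relied on for that. If that is the intent, say so under `on:` so nobody re-adds `push` by reflex, e.g. `# PR-only: default-branch analysis runs from code_scan.yaml on a schedule`; otherwise restore a `schedule:` or `push:` trigger here.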
From f7ecfa49f12bc831465ab8030d8a1b3367728871 Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 16:51:44 +0000 Subject: [PATCH 16/17] revert trivy yaml --- .ci/trivy.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.ci/trivy.yaml b/.ci/trivy.yaml index b19c9168b9..c576d56bca 100644 --- a/.ci/trivy.yaml +++ b/.ci/trivy.yaml @@ -5,9 +5,8 @@ scan: scanners: - vuln - secret - - misconfig slow: false -severity: LOW,MEDIUM,HIGH,CRITICAL +severity: MEDIUM,HIGH,CRITICAL exit-code: 1 vulnerability: ignore-unfixed: false From 72a5b104be785711cddf4d9efec9ef2ba9cff755 Mon Sep 17 00:00:00 2001 From: Barabanov Date: Wed, 15 Jan 2025 17:47:43 +0000 Subject: [PATCH 17/17] fix format --- .github/workflows/code_scan.yaml | 94 ++++++++++++++++---------------- .github/workflows/codeql.yaml | 15 +++-- 2 files changed, 53 insertions(+), 56 deletions(-) diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml index cd58c70279..85d0d8abb1 100644 --- a/.github/workflows/code_scan.yaml +++ b/.github/workflows/code_scan.yaml @@ -26,7 +26,7 @@ jobs: run: python -m pip install --require-hashes --no-deps -r .ci/requirements.txt - name: Freeze dependencies run: pip-compile --extra=docs,base,mmlab,anomaly -o requirements.txt pyproject.toml - + - name: Run Trivy Scan (vuln) uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 with: @@ -34,7 +34,7 @@ jobs: scan-ref: requirements.txt scanners: vuln output: trivy-results-vuln.txt - + - name: Run Trivy Scan (dockerfile and secrets) uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 with: @@ -51,7 +51,7 @@ jobs: scan-ref: . format: spdx-json output: trivy-results-spdx.json - skip-setup-trivy: true + skip-setup-trivy: true - name: Upload Trivy results artifact uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 
@@ -61,15 +61,15 @@ jobs: retention-days: 7 # Use always() to always run this step to publish scan results when there are test failures if: ${{ always() }} - + - name: Upload deps list uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 if: always() with: name: python-deps-list - path: '${{ github.workspace }}/requirements.txt' + path: "${{ github.workspace }}/requirements.txt" retention-days: 7 - + Bandit: runs-on: ubuntu-22.04 steps: 
@@ -107,54 +107,52 @@ jobs: fail-fast: false matrix: include: - - language: python - build-mode: none - - language: actions # to scan workflows - build-mode: none + - language: python + build-mode: none + - language: actions # to scan workflows + build-mode: none steps: - - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 - with: - category: "/language:${{matrix.language}}" - - - name: Generate CodeQL Report - uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - template: report - outputDir: codeql-${{ matrix.language }} - - - name: Rename Report - shell: bash - continue-on-error: true - run: | - cd codeql-${{ matrix.language }} - mv "report.pdf" "codeql-${{ matrix.language }}.pdf" - - - name: Upload Report - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 - with: - name: codeql-${{ matrix.language }}-results - path: codeql-${{ matrix.language }}/*.pdf - retention-days: 7 + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + with: + category: "/language:${{matrix.language}}" + + - name: Generate CodeQL Report + uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + template: report + outputDir: codeql-${{ matrix.language }} + + - name: Rename Report + shell: bash + continue-on-error: true + run: | + cd codeql-${{ matrix.language }} + mv "report.pdf" "codeql-${{ matrix.language }}.pdf" + + - name: Upload Report + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + with: + name: codeql-${{ matrix.language }}-results + path: codeql-${{ matrix.language }}/*.pdf + retention-days: 7 Summarize: needs: [Trivy, Bandit, CodeQL] if: always() runs-on: ubuntu-22.04 steps: - # Create directory first - name: Create results directory run: mkdir -p all-results @@ -175,4 +173,4 @@ jobs: with: name: security-scan-results path: all-results - retention-days: 7 \ No newline at end of file + retention-days: 7 diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index c6f613da6b..49e78c1ac6 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -18,7 +18,6 @@ on: - reopened - synchronize - jobs: analyze: name: Analyze 
@@ -37,10 +36,10 @@ jobs: fail-fast: false matrix: include: - - language: python - build-mode: none - - language: actions # to scan workflows - build-mode: none + - language: python + build-mode: none + - language: actions # to scan workflows + build-mode: none # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both @@ -67,21 +66,21 @@ jobs: uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: category: "/language:${{matrix.language}}" - + - name: Generate Security Report uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 with: template: report token: ${{ secrets.GITHUB_TOKEN }} outputDir: codeql-${{ matrix.language }} - + - name: Rename Report shell: bash continue-on-error: true run: | cd codeql-${{ matrix.language }} mv "report.pdf" "codeql-${{ matrix.language }}.pdf" - + - name: GitHub Upload Release Artifacts uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: