Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CI: missing security check for security issues in the codebase #3311

Open
ChengyuZhu6 opened this issue Sep 12, 2024 · 1 comment · May be fixed by #3312
Open

CI: missing security check for security issues in the codebase #3311

ChengyuZhu6 opened this issue Sep 12, 2024 · 1 comment · May be fixed by #3312

Comments

@ChengyuZhu6
Copy link

ChengyuZhu6 commented Sep 12, 2024
edited
Loading

🐛 Describe the bug

Currently, the project does not have a security linter integrated into its CI pipeline. This poses potential risks as security vulnerabilities in Python code can go undetected. I found many high security issues using Bandit

Error logs

security-issues.log

Installation instructions

No

Model Packaging

No

config.properties

No response

Versions

No

Repro instructions

Reproduce:

> pip install bandit
> bandit -r . --severity-level high -s B501 # Skip the B501 rule related to SSL certificate validation checks

Possible Solution

Add Security Check Using Bandit in CI
ChengyuZhu6 added a commit to ChengyuZhu6/serve that referenced this issue Sep 12, 2024
@ChengyuZhu6
CI: Add Bandit security check to lint workflow
eecf36a 
- Integrate Bandit to scan for security issues in the codebase.
- Configure Bandit to fail the workflow if any high-severity issues are found.

e.g.:

```bash
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.9/plugins/b605_start_process_with_a_shell.html
   Location: ./binaries/build.py:52:30
51	        if not args.dry_run:
52	            build_exit_code = os.system(cur_wheel_cmd)
53	            # If any one of the steps fail, exit with error
```

Fixes: pytorch#3311

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
@ChengyuZhu6 ChengyuZhu6 linked a pull request Sep 12, 2024 that will close this issue
Open
1 task
@mreso
Copy link
Collaborator

mreso commented Sep 12, 2024

Thanks @ChengyuZhu6 for flagging this and creating your PR! We will take a look!

ChengyuZhu6 added a commit to ChengyuZhu6/serve that referenced this issue Sep 19, 2024
@ChengyuZhu6
CI: Add Bandit security check to lint workflow
5ec4f88 
- Integrate Bandit to scan for security issues in the codebase.
- Configure Bandit to fail the workflow if any high-severity issues are found.

e.g.:

```bash
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.9/plugins/b605_start_process_with_a_shell.html
   Location: ./binaries/build.py:52:30
51	        if not args.dry_run:
52	            build_exit_code = os.system(cur_wheel_cmd)
53	            # If any one of the steps fail, exit with error
```

Fixes: pytorch#3311

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
ChengyuZhu6 added a commit to ChengyuZhu6/serve that referenced this issue Oct 7, 2024
@ChengyuZhu6
CI: Add Bandit security check to lint workflow
15f0300 
- Integrate Bandit to scan for security issues in the codebase.
- Configure Bandit to fail the workflow if any high-severity issues are found.

e.g.:

```bash
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.9/plugins/b605_start_process_with_a_shell.html
   Location: ./binaries/build.py:52:30
51	        if not args.dry_run:
52	            build_exit_code = os.system(cur_wheel_cmd)
53	            # If any one of the steps fail, exit with error
```

Fixes: pytorch#3311

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

CI: Add Security Check Using Bandit in CI ChengyuZhu6/serve
2 participants
@mreso @ChengyuZhu6