
CI: Add Security Check Using Bandit in CI #3312

Open
wants to merge 3 commits into master

Commits on Oct 7, 2024

  1. CI: Add Bandit security check to lint workflow

    - Integrate Bandit to scan for security issues in the codebase.
    - Configure Bandit to fail the workflow if any high-severity issues are found.
    
    e.g.:
    
    ```bash
    >> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
       Severity: High   Confidence: High
       CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
       More Info: https://bandit.readthedocs.io/en/1.7.9/plugins/b605_start_process_with_a_shell.html
       Location: ./binaries/build.py:52:30
    51	        if not args.dry_run:
    52	            build_exit_code = os.system(cur_wheel_cmd)
    53	            # If any one of the steps fail, exit with error
    ```
    
    Fixes: pytorch#3311
    
    Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
    ChengyuZhu6 committed Oct 7, 2024
    15f0300
  2. security-fix: resolve security issue with subprocess call using shell=True

    
    - Issue: Fixed [B602:subprocess_popen_with_shell_equals_true] identified by Bandit,
      which flagged the use of `subprocess.Popen` with `shell=True` as a high-severity security risk (CWE-78: OS Command Injection).
    - Ensures that the command is executed more securely without exposing it to shell injection vulnerabilities.
    
    Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
    ChengyuZhu6 committed Oct 7, 2024
    e7a26d4
  3. security-fix: resolve security issue with starting a process with a shell

    
    - Issue: Fixed [B605:start_process_with_a_shell] identified by Bandit,
      which flagged starting a process with a shell as a high-severity security risk (CWE-78: OS Command Injection).
    - Replaced os.system call with a safer alternative to prevent shell injection vulnerabilities.
    
    Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
    ChengyuZhu6 committed Oct 7, 2024
    a7e7d6e
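The second and third commits replace `subprocess.Popen(..., shell=True)` and `os.system(...)` with a shell-free alternative. The following is an added example, not code from this PR or from the project, showing what that replacement changes: with the string form a POSIX shell word-splits the command and interprets metacharacters in any value spliced into it (the behaviour behind Bandit's B602/B605 and CWE-78), while with an argument list the value reaches the child process as exactly one argument. The `CHILD` program and the `untrusted_value` parameter are constructed for the demonstration; the real `build.py` command pieces are not on the page, and a POSIX `/bin/sh` is assumed for the `shell=True` calls.

```python
import json
import shlex
import subprocess
import sys

# Constructed child program: it reports the argv it actually received as JSON,
# so each variant below can return what the child saw.
CHILD = "import json, sys; print(json.dumps(sys.argv[1:]))"


def child_argv_via_shell(untrusted_value: str) -> list:
    """Before: one command string handed to /bin/sh (what Bandit flags as B602;
    os.system(cmd) behaves the same and is flagged as B605).

    The untrusted value is concatenated unquoted, so the shell word-splits it and
    treats ';' as a command separator: only the text before ';' reaches the child,
    and the remainder runs as a separate command.
    """
    cmd = shlex.join([sys.executable, "-c", CHILD]) + " " + untrusted_value
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    # First stdout line is the child's JSON; anything after it came from the shell.
    return json.loads(result.stdout.splitlines()[0])


def child_argv_via_argv_list(untrusted_value: str) -> list:
    """After: an argv list with shell=False (the default). No shell parses the
    value, so it arrives as a single argument whatever characters it contains."""
    argv = [sys.executable, "-c", CHILD, untrusted_value]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


def child_argv_via_quoted_shell(untrusted_value: str) -> list:
    """Fallback when a shell is genuinely needed (pipes, globbing): every piece is
    quoted with shlex.quote via shlex.join. The value survives intact, but Bandit
    still reports B602 for shell=True, so prefer the argv-list form where possible."""
    cmd = shlex.join([sys.executable, "-c", CHILD, untrusted_value])
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    # Constructed sample value: a version string carrying a shell separator.
    sample = "1.0; true"
    print("shell string    :", child_argv_via_shell(sample))
    print("argv list       :", child_argv_via_argv_list(sample))
    print("quoted shell str:", child_argv_via_quoted_shell(sample))
```

The three functions take the same input; only the first loses part of it to the shell. That is the reason the argv-list form is the one Bandit does not flag: correctness no longer depends on every caller remembering to quote.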