Added CodeQL and Bandit security checks as GitHub Actions

[mstfbl]

This PR adds the CodeQL and Bandit Security checks in the form of GitHub Action Workflows, where the two workflows run with each opened PR to the master branch.

For CodeQL, the task will upload CodeQL results under the "Security" GitHub repo tab and in the "Code scanning results" section.

For Bandit, the task will pass if no high-severity issues have been found in the repo (outside of the ./third-party submodules directory).

[mstfbl]

I see that the ci/circleci: circleci_consistency build test is failing. Per the given instructions, I ran python .circleci/regenerate.py, however I'm only seeing these probably wrong changes occur:

In `.circleci/config.yml:

workflows:
  build:
    jobs:
      - circleci_consistency
      - binary_linux_wheel:
          conda_docker_image: pytorch/conda-builder:cpu
          cu_version: cpu
          name: binary_linux_wheel_py3.6_cpu
          python_version: '3.6'
          wheel_docker_image: pytorch/manylinux-cuda102
      - binary_linux_wheel:
          conda_docker_image: pytorch/conda-builder:cuda101
          cu_version: cu101
          name: binary_linux_wheel_py3.6_cu101
          python_version: '3.6'

Whereas before it was:

workflows:
  build:
    jobs:
      - circleci_consistency
      - binary_linux_wheel:
          conda_docker_image: pytorch/conda-builder:cpu
          cu_version: cpu
          name: binary_linux_wheel_py3.6_cpu
          python_version: '3.6'
          wheel_docker_image: pytorch/manylinux-cuda102
      - binary_linux_wheel:
          conda_docker_image: pytorch/conda-builder:cuda101
          cu_version: cu101
          name: binary_linux_wheel_py3.6_cu101
          python_version: '3.6'

What is the correct fix for this?

Edit: This issues has been fixed with select_autoescape(enabled_extensions=('html', 'xml')).

[NicolasHug]

I think these changes occur because you changed autoescape=False to True. Was this intended?

[fmassa]

Thanks for the PR!

I'm leaving this to @malfet and @seemethere to decide if we should move forward with this change, but if we do I'd rather have this as an optional dependency.

[mstfbl]

Hi @NicolasHug , yes this was intentional. It has now been fixed with select_autoescape(enabled_extensions=('html', 'xml')).

[malfet]

LGTM, but please move defusedxml import to the regular import block

[mstfbl]

I have removed the Bandit-specific changes from this PR. I've opened #3635 for the autoescape fix and and #3636 for the defusedxml addition.

[fmassa]

I'm merging this to unblock, but for a follow-up PR could you please update the workflow to use PyTorch nightly instead?

[fmassa]

(Can be done in a follow-up PR): torchvision from master uses PyTorch nightly, so it would be better to change this to instead install PyTorch from a nightly release