Added CodeQL and Bandit security checks as GitHub Actions

.circleci/regenerate.py

@@ -295,7 +295,7 @@ def ios_workflows(indentation=6, nightly=False):
     env = jinja2.Environment(
         loader=jinja2.FileSystemLoader(d),
         lstrip_blocks=True,
-        autoescape=False,
+        autoescape=True,
         keep_trailing_newline=True,
     )
 

.circleci/unittest/linux/scripts/environment.yml

@@ -16,3 +16,4 @@ dependencies:
     - pillow>=4.1.1
     - scipy
     - av
+    - defusedxml

.circleci/unittest/windows/scripts/environment.yml

@@ -17,3 +17,4 @@ dependencies:
     - scipy
     - av
     - dataclasses
+    - defusedxml

.github/workflows/bandit.yml

@@ -0,0 +1,23 @@
+# GitHub Actions Bandit Workflow
+
+name: Bandit
+
+on:
+  pull_request:
+    branches: [ master ]
+
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      # Task will fail if any high-severity issues are found
+      # Ignoring submodules
+      - name: Run Bandit Security Analysis
+        run: |
+              python -m pip install bandit
+              python -m bandit -r . -x ./third_party -lll

.github/workflows/codeql.yml

@@ -0,0 +1,43 @@
+# GitHub Actions CodeQL Workflow
+
+name: CodeQL
+
+on:
+  pull_request:
+    branches: [ master ]
+
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        with:
+          languages: python, cpp
+
+      - name: Install Ninja
+        run: |
+              sudo apt-get update -y
+              sudo apt-get install -y ninja-build
+
+      - name: Update submodules
+        run: git submodule update --init --recursive
+
+      - name: Install Torch
+        run: |
+              python -m pip install cmake
+              python -m pip install torch==1.8.1+cpu -f https://download.pytorch.org/whl/torch_stable.html
+              sudo ln -s /usr/bin/ninja /usr/bin/ninja-build
+
+      - name: Build TorchVision
+        run: python setup.py develop --user
+
+      # If any code scanning alerts are found, they will be under Security -> CodeQL
+      # Link: https://github.com/pytorch/vision/security/code-scanning
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1

packaging/torchvision/meta.yaml

@@ -12,6 +12,7 @@ requirements:
     - jpeg <=9b
     # NOTE: The only ffmpeg version that we build is actually 4.2
     - ffmpeg >=4.2  # [not win]
+    - defusedxml
 
   host:
     - python
@@ -28,6 +29,7 @@ requirements:
     - jpeg <=9b
     - pillow >=4.1.1
     - defaults::numpy >=1.11
+    - defusedxml
     {{ environ.get('CONDA_PYTORCH_CONSTRAINT') }}
     {{ environ.get('CONDA_CUDATOOLKIT_CONSTRAINT') }}
 
@@ -55,6 +57,7 @@ test:
     - av >=8.0.1
     - jpeg <=9b
     - ca-certificates
+    - defusedxml
 
 
 about:

torchvision/datasets/voc.py

@@ -3,6 +3,7 @@
 import collections
 from .vision import VisionDataset
 import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as DET
 from PIL import Image
 from typing import Any, Callable, Dict, Optional, Tuple, List
 from .utils import download_and_extract_archive, verify_str_arg
@@ -203,7 +204,7 @@ def __getitem__(self, index: int) -> Tuple[Any, Any]:
             tuple: (image, target) where target is a dictionary of the XML tree.
         """
         img = Image.open(self.images[index]).convert("RGB")
-        target = self.parse_voc_xml(ET.parse(self.annotations[index]).getroot())
+        target = self.parse_voc_xml(DET.parse(self.annotations[index]).getroot())
 
         if self.transforms is not None:
             img, target = self.transforms(img, target)