Skip to content

Commit

Permalink
WIP: CI Scans (securefederatedai#873)
Browse files Browse the repository at this point in the history
* Initial scans commit for bandit, hadolint, trivy

Signed-off-by: Patrick Foley <[email protected]>

* Address bandit scan results

Signed-off-by: Patrick Foley <[email protected]>

* Fix Trivy action

Signed-off-by: Patrick Foley <[email protected]>

* Fix linting

Signed-off-by: Patrick Foley <[email protected]>

* Add Coverity Badge

Signed-off-by: Patrick Foley <[email protected]>

* Update Hadolint threshold to flag errors only

Signed-off-by: Patrick Foley <[email protected]>

* Update Hadolint threshold to flag errors only

Signed-off-by: Patrick Foley <[email protected]>

---------

Signed-off-by: Patrick Foley <[email protected]>
  • Loading branch information
psfoley committed Oct 18, 2023
1 parent f52cd0f commit 958a9a5
Show file tree
Hide file tree
Showing 11 changed files with 81 additions and 14 deletions.
30 changes: 30 additions & 0 deletions .github/workflows/scans.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
# This workflow will install Python dependencies, run tests and lint with a single version of Python
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions

name: Security Scans

on:
pull_request:
branches: [ develop ]

permissions:
contents: read

jobs:
build:

runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v3
- name: Set up Python 3.8
uses: actions/setup-python@v3
with:
python-version: "3.8"
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install .
- name: Hadolint Dockerfile Scan
run: |
docker run -v ${PWD}/openfl-docker:/openfl-docker --rm -i hadolint/hadolint hadolint -t error /openfl-docker/Dockerfile.base
29 changes: 29 additions & 0 deletions .github/workflows/trivy.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
name: build
on:
push:
branches:
- main
pull_request:
jobs:
build:
name: Build
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v3

- name: Build an image from Dockerfile
run: |
docker build -t docker.io/securefederatedai/openfl:${{ github.sha }} -f openfl-docker/Dockerfile.base .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
6 changes: 5 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,12 @@
[<img src="https://img.shields.io/badge/[email protected]?logo=slack">](https://join.slack.com/t/openfl/shared_invite/zt-ovzbohvn-T5fApk05~YS_iZhjJ5yaTw)
[![License](https://img.shields.io/badge/License-Apache%202.0-brightgreen.svg)](https://opensource.org/licenses/Apache-2.0)
[![Citation](https://img.shields.io/badge/cite-citation-brightgreen)](https://arxiv.org/abs/2105.06413)
[![Open In Colab](https://colab.research.google.com/assets/colab-badge.svg)](https://colab.research.google.com/github/intel/openfl/blob/develop/openfl-tutorials/interactive_api/numpy_linear_regression/workspace/SingleNotebook.ipynb)
[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6599/badge)](https://bestpractices.coreinfrastructure.org/projects/6599)
<a href="https://scan.coverity.com/projects/securefederatedai-openfl">
<img alt="Coverity Scan Build Status"
src="https://scan.coverity.com/projects/29040/badge.svg"/>
</a>
[![Open In Colab](https://colab.research.google.com/assets/colab-badge.svg)](https://colab.research.google.com/github/intel/openfl/blob/develop/openfl-tutorials/interactive_api/numpy_linear_regression/workspace/SingleNotebook.ipynb)

OpenFL is a Python 3 framework for Federated Learning. OpenFL is designed to be a _flexible_, _extensible_ and _easily learnable_ tool for data scientists. OpenFL is hosted by The Linux Foundation, aims to be community-driven, and welcomes contributions back to the project.

Expand Down
7 changes: 5 additions & 2 deletions openfl/experimental/utilities/metaflow_utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@
from metaflow.task import MetaDatum
import fcntl
import hashlib
from dill.source import getsource
from dill.source import getsource # nosec
# getsource only used to determine structure of FlowGraph
from typing import TYPE_CHECKING
if TYPE_CHECKING:
from openfl.experimental.interface import FLSpec
Expand Down Expand Up @@ -62,7 +63,9 @@ def __init__(self, name):
self.name = name

def __enter__(self):
lock_id = hashlib.new('md5', self.name.encode("utf8"), usedforsecurity=False).hexdigest()
lock_id = hashlib.new('md5', self.name.encode("utf8"),
usedforsecurity=False).hexdigest() # nosec
# MD5sum used for concurrency purposes, not security
self.fp = open(f"/tmp/.lock-{lock_id}.lck", "wb")
fcntl.flock(self.fp.fileno(), fcntl.LOCK_EX)

Expand Down
2 changes: 1 addition & 1 deletion openfl/interface/tutorial.py
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ def start(ip, port):
"""Start the Jupyter Lab from the tutorials directory."""
from os import environ
from os import sep
from subprocess import check_call
from subprocess import check_call # nosec
from sys import executable

from openfl.interface.cli_helper import TUTORIALS
Expand Down
6 changes: 3 additions & 3 deletions openfl/interface/workspace.py
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"""Workspace module."""

import os
import subprocess
import subprocess # nosec
import sys
from pathlib import Path
from typing import Tuple, Union
Expand Down Expand Up @@ -86,7 +86,7 @@ def create_(prefix, template):
def create(prefix, template):
"""Create federated learning workspace."""
from os.path import isfile
from subprocess import check_call
from subprocess import check_call # nosec
from sys import executable

from openfl.interface.cli_helper import print_tree
Expand Down Expand Up @@ -196,7 +196,7 @@ def import_(archive):
from os.path import basename
from os.path import isfile
from shutil import unpack_archive
from subprocess import check_call
from subprocess import check_call # nosec
from sys import executable

archive = Path(archive).absolute()
Expand Down
4 changes: 2 additions & 2 deletions openfl/plugins/interface_serializer/dill_serializer.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
# SPDX-License-Identifier: Apache-2.0
"""Dill serializer plugin."""

import dill
import dill # nosec

from .serializer_interface import Serializer

Expand All @@ -24,4 +24,4 @@ def serialize(object_, filename):
def restore_object(filename):
"""Load and deserialize an object."""
with open(filename, 'rb') as f:
return dill.load(f)
return dill.load(f) # nosec
2 changes: 1 addition & 1 deletion openfl/transport/grpc/aggregator_server.py
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,7 @@ def validate_collaborator(self, request, context):
if not self.aggregator.valid_collaborator_cn_and_id(
common_name, collaborator_common_name):
# Random delay in authentication failures
sleep(5 * random())
sleep(5 * random()) # nosec
context.abort(
StatusCode.UNAUTHENTICATED,
f'Invalid collaborator. CN: |{common_name}| '
Expand Down
4 changes: 2 additions & 2 deletions openfl/utilities/ca/ca.py
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,11 @@
import sys
import shutil
import signal
import subprocess
import subprocess # nosec
import time
from logging import getLogger
from pathlib import Path
from subprocess import check_call
from subprocess import check_call # nosec

from click import confirm

Expand Down
3 changes: 2 additions & 1 deletion openfl/utilities/ca/downloader.py
Original file line number Diff line number Diff line change
Expand Up @@ -67,5 +67,6 @@ def _download(url, prefix, confirmation):
if confirmation:
confirm('CA binaries will be downloaded now', default=True, abort=True)
name = url.split('/')[-1]
urllib.request.urlretrieve(url, f'{prefix}/{name}')
# nosec: private function definition with static urls
urllib.request.urlretrieve(url, f'{prefix}/{name}') # nosec
shutil.unpack_archive(f'{prefix}/{name}', f'{prefix}/step')
2 changes: 1 addition & 1 deletion openfl/utilities/workspace.py
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
import time
from contextlib import contextmanager
from pathlib import Path
from subprocess import check_call
from subprocess import check_call # nosec
from sys import executable
from typing import Optional
from typing import Tuple
Expand Down

0 comments on commit 958a9a5

Please sign in to comment.