Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add python bandit checks. #316

Merged
merged 25 commits into from
Jul 5, 2021
Merged

Add python bandit checks. #316

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
f9de057
add linters
dvkruchinin Jun 29, 2021
efe68bf
Updated linters check
dvkruchinin Jun 29, 2021
5b0af21
Fix linters errors
dvkruchinin Jun 29, 2021
8232c9a
Fix remark checks
dvkruchinin Jun 29, 2021
27ff2ac
Remark linter fix errors
dvkruchinin Jun 29, 2021
b1c4abd
Update remark checks
dvkruchinin Jun 29, 2021
53d46c1
Simple update
dvkruchinin Jun 29, 2021
5fd0c38
Merge branch 'develop' of https://github.com/openvinotoolkit/datumaro…
dvkruchinin Jun 29, 2021
1e1c408
Apply comments
dvkruchinin Jun 29, 2021
4fe6b78
Exclude "docs", "ci" folders from setup.py
dvkruchinin Jun 29, 2021
a92c4cb
Linters output to console
dvkruchinin Jun 29, 2021
8153455
Remark report to console
dvkruchinin Jun 29, 2021
c6fac80
added --frail to remark-cli for exit with 1 on warnings
dvkruchinin Jun 29, 2021
1fcc16d
Remove json_to_html.py
dvkruchinin Jun 29, 2021
3185f09
check removed "pip install --user -U pip wheel setuptools"
dvkruchinin Jun 29, 2021
d4990b3
Merge branch 'develop' of https://github.com/openvinotoolkit/datumaro…
dvkruchinin Jul 1, 2021
0c6e016
Removed pylint checking. Due to it in another PR
dvkruchinin Jul 1, 2021
2ae2805
Revert setup.py for develop
dvkruchinin Jul 1, 2021
682cb20
Reqork pip install.
dvkruchinin Jul 1, 2021
163b507
disable some bandit warnings
Jul 2, 2021
930c193
Merge branch 'develop' of https://github.com/openvinotoolkit/datumaro…
dvkruchinin Jul 2, 2021
da22177
Merge remote-tracking branch 'origin/dkru/add-linters-check' into dkr…
dvkruchinin Jul 2, 2021
37b98c3
Update datumaro/components/operations.py
Jul 5, 2021
7d4abc6
Merge branch 'develop' into dkru/add-linters-check
Jul 5, 2021
2b0f147
Update datumaro/util/tf_util.py
Jul 5, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions .github/workflows/bandit.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
name: Linter
on: pull_request
jobs:
Bandit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/setup-python@v2
with:
python-version: 3.8

- name: Run checks
run: |
pip install --user -r <(grep "^bandit" ./requirements.txt)
echo "Bandit version: "`bandit --version | head -1`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I won't say it is a problem, but this line looks a little bit extra, because the previous line outputs the version installed.

bandit -r ./
3 changes: 2 additions & 1 deletion datumaro/components/operations.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1292,7 +1292,8 @@ def _default_hash(item):
log.warning("Item (%s, %s) has no image "
"info, counted as unique", item.id, item.subset)
return None
return hashlib.md5(item.image.data.tobytes()).hexdigest()
# ignore B303 (md5 check), because the hash is not used in a security context
return hashlib.md5(item.image.data.tobytes()).hexdigest() # nosec

if item_hash is None:
item_hash = _default_hash
Expand Down
6 changes: 3 additions & 3 deletions datumaro/plugins/cifar_format.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@

import os
import os.path as osp
import pickle
import pickle # nosec - disable B403:import_pickle check
Copy link
Contributor

@zhiltsov-max zhiltsov-max Jul 5, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an RCE hole, and it must be fixed.
https://docs.python.org/3/library/pickle.html#restricting-globals


import numpy as np
from datumaro.components.converter import Converter
Expand Down Expand Up @@ -52,7 +52,7 @@ def _load_categories(self, path):
# 'dog', 'frog', 'horse', 'ship', 'truck']
# num_vis: 3072
with open(path, 'rb') as labels_file:
data = pickle.load(labels_file)
data = pickle.load(labels_file) # nosec - disable B301:pickle check
for label in data['label_names']:
label_cat.add(label)
else:
Expand All @@ -69,7 +69,7 @@ def _load_items(self, path):
# 'filenames': list
# 'labels': list
with open(path, 'rb') as anno_file:
annotation_dict = pickle.load(anno_file, encoding='latin1')
annotation_dict = pickle.load(anno_file, encoding='latin1') # nosec - disable B301:pickle check

labels = annotation_dict.get('labels', [])
filenames = annotation_dict.get('filenames', [])
Expand Down
2 changes: 1 addition & 1 deletion datumaro/util/command_targets.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ def is_project_path(value):
try:
Project.load(value)
return True
except Exception:
except Exception: # nosec - disable B110:try_except_pass check
pass
return False

Expand Down
3 changes: 2 additions & 1 deletion datumaro/util/tf_util.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,8 @@ def check_import():

from .os_util import check_instruction_set

result = subprocess.run([sys.executable, '-c', 'import tensorflow'],
# Disable B603:subprocess_without_shell_equals_true - the command line is controlled
result = subprocess.run([sys.executable, '-c', 'import tensorflow'], # nosec
timeout=60,
universal_newlines=True, # use text mode for output stream
stdout=subprocess.PIPE, stderr=subprocess.PIPE) # capture output
Expand Down
1 change: 1 addition & 0 deletions requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,5 @@ Cython>=0.27.3 # include before pycocotools
opencv-python-headless>=4.1.0.25
pandas>=1.1.5
pytest>=5.3.5
bandit>=1.7.0
pylint>=2.7.0
8 changes: 4 additions & 4 deletions tests/test_util.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ def cb():
with Rollback() as on_error:
on_error.do(cb)
raise Exception('err')
except Exception:
except Exception: # nosec - disable B110:try_except_pass check
pass
finally:
self.assertTrue(success)
Expand All @@ -52,7 +52,7 @@ def foo(on_error=None):

try:
foo()
except Exception:
except Exception: # nosec - disable B110:try_except_pass check
pass
finally:
self.assertTrue(success)
Expand Down Expand Up @@ -86,7 +86,7 @@ def foo():

try:
foo()
except Exception:
except Exception: # nosec - disable B110:try_except_pass check
pass
finally:
self.assertTrue(success)
Expand All @@ -111,7 +111,7 @@ def cb2(a1, a2=None, ignore_errors=None):
on_error.do(cb2, 5, a2=2, ignore_errors=True,
fwd_kwargs={'ignore_errors': 4})
raise Exception('err')
except Exception:
except Exception: # nosec - disable B110:try_except_pass check
pass
finally:
self.assertTrue(success1)
Expand Down