Add security linter results to workflow summary (#254)

Jannis-Mittenzwei · Nicoretti · web-flow · commit dec6bd3f99c2 · 2024-11-15T13:38:46.000+01:00
---------
Co-authored-by: Nicola Coretti &lt;nicola.coretti@exasol.com&gt;
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
@@ -51,3 +51,4 @@ jobs:
           poetry run coverage report -- --format markdown >> $GITHUB_STEP_SUMMARY
           echo  -e "\n\n# Static Code Analysis\n" >> $GITHUB_STEP_SUMMARY
           cat .lint.txt >> $GITHUB_STEP_SUMMARY
+          poetry run tbx security pretty-print .security.json >> $GITHUB_STEP_SUMMARY
diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
@@ -2,4 +2,6 @@
 
 ## ✨ Added
 
-* #233: Added nox task to verify dependency declarations
+* #248: Added security results to workflow summary
+* #233: Added nox task to verify dependency declarations
+
diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml
@@ -51,3 +51,4 @@ jobs:
           poetry run coverage report -- --format markdown >> $GITHUB_STEP_SUMMARY
           echo  -e "\n\n# Static Code Analysis\n" >> $GITHUB_STEP_SUMMARY
           cat .lint.txt >> $GITHUB_STEP_SUMMARY
+          poetry run tbx security pretty-print .security.json >> $GITHUB_STEP_SUMMARY
diff --git a/exasol/toolbox/tools/security.py b/exasol/toolbox/tools/security.py
@@ -16,8 +16,8 @@
     Iterable,
     Tuple,
 )
-
 import typer
+from pathlib import Path
 
 stdout = print
 stderr = partial(print, file=sys.stderr)
@@ -101,6 +101,64 @@ def from_maven(report: str) -> Iterable[Issue]:
             )
 
 
+@dataclass(frozen=True)
+class SecurityIssue:
+    file_name: str
+    line: int
+    column: int
+    cwe: str
+    test_id: str
+    description: str
+    references: tuple
+
+
+def from_json(report_str: str, prefix: Path) -> Iterable[SecurityIssue]:
+    report = json.loads(report_str)
+    issues = report.get("results", {})
+    for issue in issues:
+        references = []
+        if issue["more_info"]:
+            references.append(issue["more_info"])
+        if issue.get("issue_cwe", {}).get("link", None):
+            references.append(issue["issue_cwe"]["link"])
+        yield SecurityIssue(
+            file_name=issue["filename"].replace(str(prefix) + "/", ""),
+            line=issue["line_number"],
+            column=issue["col_offset"],
+            cwe=str(issue["issue_cwe"].get("id", "")),
+            test_id=issue["test_id"],
+            description=issue["issue_text"],
+            references=tuple(references)
+        )
+
+
+def issues_to_markdown(issues: Iterable[SecurityIssue]) -> str:
+    template = cleandoc("""
+        {header}{rows}
+    """)
+
+    def _header():
+        header = "# Security\n\n"
+        header += "|File|line/<br>column|Cwe|Test ID|Details|\n"
+        header += "|---|:-:|:-:|:-:|---|\n"
+        return header
+
+    def _row(issue):
+        row = "|" + issue.file_name + "|"
+        row += f"line: {issue.line}<br>column: {issue.column}|"
+        row += issue.cwe + "|"
+        row += issue.test_id + "|"
+        for element in issue.references:
+            row += element + " ,<br>"
+        row = row[:-5] + "|"
+        return row
+
+    return template.format(
+        header=_header(),
+        rows="\n".join(_row(i) for i in issues)
+    )
+
+
 def security_issue_title(issue: Issue) -> str:
     return f"🔐 {issue.cve}: {issue.coordinates}"
 
@@ -159,7 +217,6 @@ def create_security_issue(issue: Issue, project="") -> Tuple[str, str]:
 CVE_CLI = typer.Typer()
 CLI.add_typer(CVE_CLI, name="cve", help="Work with CVE's")
 
-
 class Format(str, Enum):
     Maven = "maven"
 
@@ -257,6 +314,21 @@ def create(
         stdout(format_jsonl(issue_url, issue))
 
 
+class PPrintFormats(str, Enum):
+    markdown = "markdown"
+
+
+@CLI.command(name="pretty-print")
+def json_issue_to_markdown(
+        json_file: typer.FileText = typer.Argument(mode="r", help="json file with issues to convert"),
+        path: Path = typer.Argument(default=Path("."), help="path to project root")
+) -> None:
+    content = json_file.read()
+    issues = from_json(content, path.absolute())
+    issues = sorted(issues, key=lambda i: (i.file_name, i.cwe, i.test_id))
+    print(issues_to_markdown(issues))
+
+
 def format_jsonl(issue_url: str, issue: Issue) -> str:
     issue_json = asdict(issue)
     issue_json["issue_url"] = issue_url.strip()
diff --git a/poetry.lock b/poetry.lock
diff --git a/test/integration/cli/security-pprint-emty.t b/test/integration/cli/security-pprint-emty.t
@@ -0,0 +1,18 @@
+Create test input
+
+  $ cat > .security.json <<EOF
+  > {
+  >   "result":[
+  >   ]
+  > }
+  > EOF
+
+Run test case
+
+  $ tbx security pretty-print .security.json
+  # Security
+  
+  |File|line/<br>column|Cwe|Test ID|Details|
+  |---|:-:|:-:|:-:|---|
+  
+
diff --git a/test/integration/cli/security-pprint.t b/test/integration/cli/security-pprint.t
@@ -0,0 +1,81 @@
+Create test input
+
+  $ cat > .security.json <<EOF
+  > {
+  >   "results":[
+  >     {
+  >       "code": "555                 subprocess.check_call(\n556                     config.smv_postbuild_command, cwd=current_cwd, shell=True\n557                 )\n558                 if config.smv_postbuild_export_pattern != \"\":\n559                     matches = find_matching_files_and_dirs(\n",
+  >       "col_offset": 16,
+  >       "end_col_offset": 17,
+  >       "filename": "exasol/toolbox/sphinx/multiversion/main.py",
+  >       "issue_confidence": "HIGH",
+  >       "issue_cwe": {
+  >         "id": 78,
+  >         "link": "https://cwe.mitre.org/data/definitions/78.html"
+  >       },
+  >       "issue_severity": "HIGH",
+  >       "issue_text": "subprocess call with shell=True identified, security issue.",
+  >       "line_number": 556,
+  >       "line_range": [
+  >         555,
+  >         556,
+  >         557
+  >       ],
+  >       "more_info": "https://bandit.readthedocs.io/en/1.7.10/plugins/b602_subprocess_popen_with_shell_equals_true.html",
+  >       "test_id": "B602",
+  >       "test_name": "subprocess_popen_with_shell_equals_true"
+  >     },
+  >     {
+  >       "code": "156         )\n157         subprocess.check_call(cmd, cwd=gitroot, stdout=fp)\n158         fp.seek(0)\n",
+  >       "col_offset": 8,
+  >       "end_col_offset": 58,
+  >       "filename": "exasol/toolbox/sphinx/multiversion/git.py",
+  >       "issue_confidence": "HIGH",
+  >       "issue_cwe": {
+  >         "id": 78,
+  >         "link": "https://cwe.mitre.org/data/definitions/78.html"
+  >       },
+  >       "issue_severity": "LOW",
+  >       "issue_text": "subprocess call - check for execution of untrusted input.",
+  >       "line_number": 157,
+  >       "line_range": [
+  >         157
+  >       ],
+  >       "more_info": "https://bandit.readthedocs.io/en/1.7.10/plugins/b603_subprocess_without_shell_equals_true.html",
+  >       "test_id": "B603",
+  >       "test_name": "subprocess_without_shell_equals_true"
+  >     },
+  >     {
+  >       "code": "159         with tarfile.TarFile(fileobj=fp) as tarfp:\n160             tarfp.extractall(dst)\n",
+  >       "col_offset": 12,
+  >       "end_col_offset": 33,
+  >       "filename": "exasol/toolbox/sphinx/multiversion/git.py",
+  >       "issue_confidence": "HIGH",
+  >       "issue_cwe": {
+  >         "id": 22,
+  >         "link": "https://cwe.mitre.org/data/definitions/22.html"
+  >       },
+  >       "issue_severity": "HIGH",
+  >       "issue_text": "tarfile.extractall used without any validation. Please check and discard dangerous members.",
+  >       "line_number": 160,
+  >       "line_range": [
+  >         160
+  >       ],
+  >       "more_info": "https://bandit.readthedocs.io/en/1.7.10/plugins/b202_tarfile_unsafe_members.html",
+  >       "test_id": "B202",
+  >       "test_name": "tarfile_unsafe_members"
+  >     }
+  >   ]
+  > }
+  > EOF
+
+Run test case
+
+  $ tbx security pretty-print .security.json
+  # Security
+  
+  |File|line/<br>column|Cwe|Test ID|Details|
+  |---|:-:|:-:|:-:|---|
+  |exasol/toolbox/sphinx/multiversion/git.py|line: 160<br>column: 12|22|B202|https://bandit.readthedocs.io/en/1.7.10/plugins/b202_tarfile_unsafe_members.html ,<br>https://cwe.mitre.org/data/definitions/22.html |
+  |exasol/toolbox/sphinx/multiversion/git.py|line: 157<br>column: 8|78|B603|https://bandit.readthedocs.io/en/1.7.10/plugins/b603_subprocess_without_shell_equals_true.html ,<br>https://cwe.mitre.org/data/definitions/78.html |
+  |exasol/toolbox/sphinx/multiversion/main.py|line: 556<br>column: 16|78|B602|https://bandit.readthedocs.io/en/1.7.10/plugins/b602_subprocess_popen_with_shell_equals_true.html ,<br>https://cwe.mitre.org/data/definitions/78.html |
diff --git a/test/unit/security_test.py b/test/unit/security_test.py
@@ -1,5 +1,6 @@
 import json
 import os
+import pathlib
 import subprocess
 from contextlib import contextmanager
 from inspect import cleandoc
@@ -403,3 +404,61 @@ def test_format_jsonl_removes_newline():
     )
     actual = security.format_jsonl("my_issue_url\n", issue)
     assert actual == expected
+
+
+@pytest.mark.parametrize(
+    "json_file,expected",
+    [
+        (
+            '''{
+    "results": [
+        {
+            "code": "1 import subprocess\\n2 from typing import Iterable\\n3 \\n",
+            "col_offset": 12,
+            "end_col_offset": 17,
+            "filename": "/home/test/python-toolbox/exasol/toolbox/git.py",
+            "issue_confidence": "HIGH",
+            "issue_cwe": {
+                "id": 78,
+                "link": "https://cwe.mitre.org/data/definitions/78.html"
+            },
+            "issue_severity": "LOW",
+            "issue_text": "Consider possible security implications associated with the subprocess module.",
+            "line_number": 53,
+            "line_range": [
+                1
+            ],
+            "more_info": "https://bandit.readthedocs.io/en/1.7.10/blacklists/blacklist_imports.html#b404-import-subprocess",
+            "test_id": "B404",
+            "test_name": "blacklist"
+        }
+    ]
+}
+            ''',
+            {
+                "file_name": "exasol/toolbox/git.py",
+                "line": 53,
+                "column": 12,
+                "cwe": "78",
+                "test_id": "B404",
+                "description": "Consider possible security implications associated with the subprocess module.",
+                "references": (
+                    "https://bandit.readthedocs.io/en/1.7.10/blacklists/blacklist_imports.html#b404-import-subprocess",
+                    "https://cwe.mitre.org/data/definitions/78.html"
+                )
+            }
+        )
+    ]
+)
+def test_from_json(json_file, expected):
+    actual = security.from_json(json_file, pathlib.Path("/home/test/python-toolbox"))
+    expected_issue = security.SecurityIssue(
+        file_name=expected["file_name"],
+        line=expected["line"],
+        column=expected["column"],
+        cwe=expected["cwe"],
+        test_id=expected["test_id"],
+        description=expected["description"],
+        references=expected["references"]
+    )
+    assert list(actual) == [expected_issue]
