Merge pull request #389 from lukaszstolarczuk/add-bandit

Add bandit scanner workflow

Author: bratpiorka

.github/workflows/bandit.yml

@@ -0,0 +1,30 @@
+# Bandit static analysis (for Python code)
+name: Bandit
+
+on: [push, pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  bandit:
+    name: Bandit
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    runs-on: ${{matrix.os}}
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+    - name: Install Bandit
+      run: python3 -m pip install bandit
+
+    # Run Bandit recursively, but omit _deps directory (with 3rd party code)
+    - name: Run Bandit
+      run: python3 -m bandit -r . -x '/_deps/'

README.md

@@ -9,6 +9,7 @@
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/oneapi-src/unified-memory-framework/badge)](https://securityscorecards.dev/viewer/?uri=github.com/oneapi-src/unified-memory-framework)
 [![Coverity build](https://github.com/oneapi-src/unified-memory-framework/actions/workflows/coverity.yml/badge.svg?branch=main)](https://github.com/oneapi-src/unified-memory-framework/actions/workflows/coverity.yml)
 [![Coverity report](https://scan.coverity.com/projects/29761/badge.svg?flat=0)](https://scan.coverity.com/projects/oneapi-src-unified-memory-framework)
+[![Bandit](https://github.com/oneapi-src/unified-memory-framework/actions/workflows/bandit.yml/badge.svg?branch=main)](https://github.com/oneapi-src/unified-memory-framework/actions/workflows/bandit.yml)
 
 ## Introduction
 

scripts/generate_docs.py

@@ -1,13 +1,13 @@
 """
- Copyright (C) 2023 Intel Corporation
+ Copyright (C) 2023-2024 Intel Corporation
  
  Under the Apache License v2.0 with LLVM Exceptions. See LICENSE.TXT.
  SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 """
 
 from pathlib import Path
 from shutil import rmtree
-import subprocess
+import subprocess   # nosec B404
 import time
 
 
@@ -41,9 +41,8 @@ def _prepare_docs_dir(docs_path: Path) -> None:
 def _generate_xml(config_path: Path, docs_path: Path) -> None:
     print("Generating XML files with doxygen...", flush=True)
     try:
-        subprocess.run(
-            ["doxygen", Path(config_path, "Doxyfile")], text=True
-        ).check_returncode()
+        subprocess.run(["doxygen", Path(config_path, "Doxyfile")], text=True
+                       ).check_returncode()    # nosec B603, B607
         print(f"All XML files generated in {docs_path}", flush=True)
     except subprocess.CalledProcessError as ex:
         print("Generating XML files failed!")
@@ -54,9 +53,8 @@ def _generate_xml(config_path: Path, docs_path: Path) -> None:
 def _generate_html(config_path: Path, docs_path: Path) -> None:
     print("Generating HTML pages with sphinx...", flush=True)
     try:
-        subprocess.run(
-            ["sphinx-build", config_path, Path(docs_path, "html")], text=True
-        ).check_returncode()
+        subprocess.run(["sphinx-build", config_path, Path(docs_path, "html")], text=True
+                       ).check_returncode()    # nosec B603, B607
         print(f"All HTML files generated in {docs_path}", flush=True)
     except subprocess.CalledProcessError as ex:
         print("Generating HTML pages failed!")

test/test_installation.py

@@ -9,7 +9,7 @@
 import difflib
 from pathlib import Path
 import platform
-import subprocess
+import subprocess   # nosec B404
 import sys
 from typing import List
 
@@ -143,7 +143,7 @@ def install_umf(self) -> None:
 
         install_cmd = f"cmake --install {self.build_dir} --config {self.build_type.title()} --prefix {self.install_dir}"
         try:
-            subprocess.run(install_cmd.split()).check_returncode()
+            subprocess.run(install_cmd.split()).check_returncode()      # nosec B603
         except subprocess.CalledProcessError:
             sys.exit(f"Error: UMF installation command '{install_cmd}' failed")
 
@@ -180,7 +180,7 @@ def uninstall_umf(self) -> None:
         """
         uninstall_cmd = f"cmake --build {self.build_dir} --target uninstall"
         try:
-            subprocess.run(uninstall_cmd.split()).check_returncode()
+            subprocess.run(uninstall_cmd.split()).check_returncode()    # nosec B603
         except subprocess.CalledProcessError:
             sys.exit(f"Error: UMF uninstallation command '{uninstall_cmd}' failed")