Merge pull request #5437 from wlemkows/add-bandit-gha

common: add Bandit security scan for pmreorder tool

.github/workflows/bandit.yml

+
+name: bandit
+
+on: [push, pull_request]
+
+env:
+  GITHUB_REPO: pmem/pmdk
+  DOCKER_REPO: ghcr.io/pmem/pmdk
+  HOST_WORKDIR:   /home/runner/work/pmdk/pmdk
+  WORKDIR:        utils/docker
+
+jobs:
+  linux:
+    name: Linux
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        CONFIG: ["BANDIT=1 OS=ubuntu OS_VER=20.04"]
+    steps:
+      - name: Print out the current date and time
+        run: date
+
+      - name: Clone the git repo
+        uses: actions/checkout@v2
+
+      - name: Pull or rebuild the image
+        run: cd $WORKDIR && ${{ matrix.CONFIG }} ./pull-or-rebuild-image.sh
+
+      - name: Run the build
+        run: cd $WORKDIR && ${{ matrix.CONFIG }} ./build-CI.sh

README.md

@@ -8,6 +8,7 @@
 [![PMDK release version](https://img.shields.io/github/release/pmem/pmdk.svg?sort=semver)](https://github.com/pmem/pmdk/releases/latest)
 [![Packaging status](https://repology.org/badge/tiny-repos/pmdk.svg)](https://repology.org/project/pmdk/versions)
 [![Language grade: C/C++](https://img.shields.io/lgtm/grade/cpp/g/pmem/pmdk.svg?logo=lgtm&logoWidth=18)](https://lgtm.com/projects/g/pmem/pmdk/context:cpp)
+[![Security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg?branch=master)](https://github.com/pmem/pmdk/actions/workflows/bandit.yml)
 
 The **Persistent Memory Development Kit (PMDK)** is a collection of libraries and tools for System Administrators and Application Developers to simplify managing and accessing persistent memory devices. For more information, see https://pmem.io.
 

src/tools/pmreorder/consistencycheckwrap.py

 # SPDX-License-Identifier: BSD-3-Clause
-# Copyright 2018-2021, Intel Corporation
+# Copyright 2018-2022, Intel Corporation
 
 from ctypes import cdll, c_char_p, c_int
 from loggingfacility import LoggingBase
@@ -121,7 +121,13 @@ class ProgChecker(ConsistencyCheckerBase):
 
         cmd = "{0} {1} {2}".format(self._bin_path, self._bin_cmd, filename)
         self._logger.debug("Consistency check program command: {}".format(cmd))
-        return system(cmd)
+        """
+        We mark the call of this command as 'nosec' (for Bandit scan) because
+        pmreorder entirely relies on the execution of checkers, which are
+        user-developed programs. Therefore, it is the user's responsibility
+        to provide safe input as a consistency checker.
+        """
+        return system(cmd)  # nosec
 
 
 def get_checker(checker_type, checker_path_args, func_name, logger=None):

utils/docker/build-CI.sh

@@ -50,6 +50,7 @@ containerName=pmdk-${OS}-${OS_VER}
 if [[ $MAKE_PKG -eq 0 ]] ; then command="./run-build.sh"; fi
 if [[ $MAKE_PKG -eq 1 ]] ; then command="./run-build-package.sh"; fi
 if [[ $COVERAGE -eq 1 ]] ; then command="./run-coverage.sh"; ci_env=`bash <(curl -s https://codecov.io/env)`; fi
+if [[ $BANDIT -eq 1 ]] ; then command="./run-bandit.sh"; fi
 
 if [[ ( "$CI_EVENT_TYPE" == "cron" || "$CI_BRANCH" == "coverity_scan" )\
 	&& "$COVERITY" -eq 1 ]]; then
@@ -141,6 +142,7 @@ docker run --rm --name=$containerName -i $TTY \
 	--env CI_RUN=$CI_RUN \
 	--env SRC_CHECKERS=$SRC_CHECKERS \
 	--env BLACKLIST_FILE=$BLACKLIST_FILE \
+	--env BANDIT=$BANDIT \
 	$ndctl_enable \
 	$pmemset_install \
 	--tmpfs /tmp:rw,relatime,suid,dev,exec,size=6G \

utils/docker/run-bandit.sh

+#!/usr/bin/env bash
+# SPDX-License-Identifier: BSD-3-Clause
+# Copyright 2022, Intel Corporation
+
+#
+# run-bandit.sh - is called inside a Docker container; runs bandit
+# security checker for code written in python
+#
+
+set -e
+
+# Get and prepare PMDK source
+./prepare-for-build.sh
+
+cd $WORKDIR
+
+# set path to pmreorder tool
+# at the moment pmreorder is the only python tool
+# released in the PMDK
+SCAN_DIR=src/tools/pmreorder
+
+echo "Start Bandit scan"
+
+bandit --version
+bandit -r "$SCAN_DIR"
+
+echo "End Bandit scan"