From a52606b24432208382b9ba70ef0edaafb60aa679 Mon Sep 17 00:00:00 2001
From: Weronika Lewandowska <weronika.lewandowska@intel.com>
Date: Wed, 11 May 2022 13:22:32 +0200
Subject: [PATCH] common: add Bandit security scan for pmreorder tool

---
 .github/workflows/bandit.yml                | 30 +++++++++++++++++++++
 README.md                                   |  1 +
 src/tools/pmreorder/consistencycheckwrap.py | 10 +++++--
 utils/docker/build-CI.sh                    |  2 ++
 utils/docker/run-bandit.sh                  | 27 +++++++++++++++++++
 5 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/bandit.yml
 create mode 100755 utils/docker/run-bandit.sh

diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
new file mode 100644
index 000000000..6d9eb560f
--- /dev/null
+++ b/.github/workflows/bandit.yml
@@ -0,0 +1,30 @@
+
+name: bandit
+
+on: [push, pull_request]
+
+env:
+  GITHUB_REPO: pmem/pmdk
+  DOCKER_REPO: ghcr.io/pmem/pmdk
+  HOST_WORKDIR: /home/runner/work/pmdk/pmdk
+  WORKDIR: utils/docker
+
+jobs:
+  linux:
+    name: Linux
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        CONFIG: ["BANDIT=1 OS=ubuntu OS_VER=20.04"]
+    steps:
+      - name: Print out the current date and time
+        run: date
+
+      - name: Clone the git repo
+        uses: actions/checkout@v2
+
+      - name: Pull or rebuild the image
+        run: cd $WORKDIR && ${{ matrix.CONFIG }} ./pull-or-rebuild-image.sh
+
+      - name: Run the build
+        run: cd $WORKDIR && ${{ matrix.CONFIG }} ./build-CI.sh
diff --git a/README.md b/README.md
index 96bf234a5..e1bc29697 100644
--- a/README.md
+++ b/README.md
@@ -8,6 +8,7 @@
 [](https://github.com/pmem/pmdk/releases/latest)
 [](https://repology.org/project/pmdk/versions)
 [](https://lgtm.com/projects/g/pmem/pmdk/context:cpp)
+[](https://github.com/pmem/pmdk/actions/workflows/bandit.yml)
 
 The **Persistent Memory Development Kit (PMDK)** is a collection of libraries and tools for System Administrators and Application Developers to simplify managing and accessing persistent memory devices. For more information, see https://pmem.io.
 
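Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` issued to the job carries the repository's default token permissions although a scan job only needs to read the checkout; adding `permissions: {contents: read}` at the top level next to `on:` bounds what any step or third-party action in this job can do with the token. On the "Clone the git repo" step, `actions/checkout@v2` is pinned to a mutable tag; pinning to the full commit SHA (with the tag in a trailing comment) makes the dependency reproducible and tamper-evident. The `${{ matrix.CONFIG }}` expression is expanded directly into the `run:` shell line, which is fine here only because the matrix value is fixed in this file; keep that pattern away from anything a pull-request author controls. The added file also starts with an empty first line, which is harmless but looks unintended.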
diff --git a/src/tools/pmreorder/consistencycheckwrap.py b/src/tools/pmreorder/consistencycheckwrap.py
index d553618b2..bf55f7cff 100644
--- a/src/tools/pmreorder/consistencycheckwrap.py
+++ b/src/tools/pmreorder/consistencycheckwrap.py
@@ -1,5 +1,5 @@
 # SPDX-License-Identifier: BSD-3-Clause
-# Copyright 2018-2021, Intel Corporation
+# Copyright 2018-2022, Intel Corporation
 
 from ctypes import cdll, c_char_p, c_int
 from loggingfacility import LoggingBase
@@ -121,7 +121,13 @@ class ProgChecker(ConsistencyCheckerBase):
         cmd = "{0} {1} {2}".format(self._bin_path, self._bin_cmd, filename)
         self._logger.debug("Consistency check program command: {}".format(cmd))
 
-        return system(cmd)
+        """
+        We mark the call of this command as 'nosec' (for Bandit scan) because
+        pmreorder entirely relies on the execution of checkers, which are
+        user-developed programs. Therefore, it is the user's responsibility
+        to provide safe input as a consistency checker.
+        """
+        return system(cmd)  # nosec
 
 
 def get_checker(checker_type, checker_path_args, func_name, logger=None):
diff --git a/utils/docker/build-CI.sh b/utils/docker/build-CI.sh
index a1083305d..d0cc9b2fb 100755
--- a/utils/docker/build-CI.sh
+++ b/utils/docker/build-CI.sh
@@ -50,6 +50,7 @@ containerName=pmdk-${OS}-${OS_VER}
 if [[ $MAKE_PKG -eq 0 ]] ; then command="./run-build.sh"; fi
 if [[ $MAKE_PKG -eq 1 ]] ; then command="./run-build-package.sh"; fi
 if [[ $COVERAGE -eq 1 ]] ; then command="./run-coverage.sh"; ci_env=`bash <(curl -s https://codecov.io/env)`; fi
+if [[ $BANDIT -eq 1 ]] ; then command="./run-bandit.sh"; fi
 
 if [[ ( "$CI_EVENT_TYPE" == "cron" || "$CI_BRANCH" == "coverity_scan" )\
 	&& "$COVERITY" -eq 1 ]]; then
@@ -141,6 +142,7 @@ docker run --rm --name=$containerName -i $TTY \
 	--env CI_RUN=$CI_RUN \
 	--env SRC_CHECKERS=$SRC_CHECKERS \
 	--env BLACKLIST_FILE=$BLACKLIST_FILE \
+	--env BANDIT=$BANDIT \
 	$ndctl_enable \
 	$pmemset_install \
 	--tmpfs /tmp:rw,relatime,suid,dev,exec,size=6G \
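Review bot: The triple-quoted text inserted above `return system(cmd)  # nosec` is not a docstring: a string literal in the middle of a method body is an expression statement that is evaluated and discarded, so the rationale belongs in a `#` comment block with the same wording. The rationale itself covers the checker binary and its arguments, which the user supplies, but not `filename`, which is interpolated into `cmd` two lines earlier and then passed to a shell by `system()`; a name containing shell metacharacters changes the command that runs. Quoting it, `cmd = "{0} {1} {2}".format(self._bin_path, self._bin_cmd, shlex.quote(filename))` with `import shlex` added to the file's imports, keeps the `# nosec` justification accurate without changing behaviour for ordinary paths (assuming `filename` is a filesystem path, which the hunk does not show). Naming the suppressed rule, `# nosec B605`, keeps the suppression narrow so that any other finding on that line still surfaces in the new scan. The enclosing `ProgChecker` method starts outside the hunk.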
diff --git a/utils/docker/run-bandit.sh b/utils/docker/run-bandit.sh
new file mode 100755
index 000000000..edadc71a7
--- /dev/null
+++ b/utils/docker/run-bandit.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: BSD-3-Clause
+# Copyright 2022, Intel Corporation
+
+#
+# run-bandit.sh - is called inside a Docker container; runs bandit
+# security checker for code written in python
+#
+
+set -e
+
+# Get and prepare PMDK source
+./prepare-for-build.sh
+
+cd $WORKDIR
+
+# set path to pmreorder tool
+# at the moment pmreorder is the only python tool
+# released in the PMDK
+SCAN_DIR=src/tools/pmreorder
+
+echo "Start Bandit scan"
+
+bandit --version
+bandit -r "$SCAN_DIR"
+
+echo "End Bandit scan"
-- 
GitLab
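Review bot: `cd $WORKDIR` is unquoted, so a value containing spaces or glob characters is word-split before `cd` sees it; `cd "$WORKDIR"` matches the quoting already used for `"$SCAN_DIR"` on the `bandit -r` line. With `set -e` a failing `cd` does abort the script, but an unset `WORKDIR` makes `cd` go to `$HOME` and the scan then silently runs against `src/tools/pmreorder` relative to the wrong directory; `set -eu` at the top, or `: "${WORKDIR:?}"` before the `cd`, turns that into an error (the variable is presumably passed in by the Docker invocation, which this hunk does not show). Nothing in this patch installs `bandit`, so the container image is assumed to provide it; a comment such as `# bandit is expected to be present in the image (see the Dockerfile)` would save the next reader a search.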