From 7db70c5aac6abf461a7443dfdaaa0da398d06b6f Mon Sep 17 00:00:00 2001
From: Camille <78221213+clatapie@users.noreply.github.com>
Date: Wed, 23 Oct 2024 09:53:18 +0200
Subject: [PATCH 1/6] add: ``ansys/actions/check-vulnerabilities`` action to cicd
---
 .github/workflows/ci.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5abb95986c..b34e811c01 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -137,6 +137,32 @@ jobs:
 python -c "from pyvista.plotting import system_supports_plotting; print('System support plotting ' + str(system_supports_plotting()))"
+ check-vulnerabilities-dev:
+ name: "Check library vulnerabilities (development mode)"
+ if: github.ref != 'refs/heads/main'
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Check library vulnerabilities with development mode"
+ uses: ansys/actions/check-vulnerabilities@v8
+ with:
+ python-version: ${{ env.MAIN_PYTHON_VERSION }}
+ token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
+ python-package-name: ${{ env.PACKAGE_NAME }}
+ dev-mode: true
+
+
+ check-vulnerabilities-main:
+ name: "Check library vulnerabilities (default mode - only on main)"
+ if: github.ref == 'refs/heads/main'
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Check library vulnerabilities with default mode"
+ uses: ansys/actions/check-vulnerabilities@v8
+ with:
+ python-version: ${{ env.MAIN_PYTHON_VERSION }}
+ token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
+ python-package-name: ${{ env.PACKAGE_NAME }}
+
 docs-build:
 name: "Build documentation"
 runs-on: ubuntu-latest
From 056aff5f504527587a52bd7f02d33429a90cf0a6 Mon Sep 17 00:00:00 2001
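Review bot: Both new jobs take `uses: ansys/actions/check-vulnerabilities@v8`, a mutable major-version tag, and hand that action `secrets.PYANSYS_CI_BOT_TOKEN`; pinning to the full commit SHA of the v8 release, with the tag kept in a trailing comment (`uses: ansys/actions/check-vulnerabilities@<commit-sha> # v8`), makes the code that receives the token immutable. If the rest of ci.yml already pins other ansys/actions steps by tag, treat this as a workflow-wide decision rather than a one-off. The later ci.yml hunks in this series (patches 4, 5 and 6) keep the `@v8` reference, so the same applies there. Neither job declares a `permissions:` block; whether the workflow-level default restricts the `GITHUB_TOKEN` is not visible in this hunk.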
From: pyansys-ci-bot <92810346+pyansys-ci-bot@users.noreply.github.com>
Date: Wed, 23 Oct 2024 07:56:51 +0000
Subject: [PATCH 2/6] chore: adding changelog file 3505.maintenance.md [dependabot-skip]
---
 doc/changelog.d/3505.maintenance.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 doc/changelog.d/3505.maintenance.md
diff --git a/doc/changelog.d/3505.maintenance.md b/doc/changelog.d/3505.maintenance.md
new file mode 100644
index 0000000000..b995717304
--- /dev/null
+++ b/doc/changelog.d/3505.maintenance.md
@@ -0,0 +1 @@
+ci: ``ansys/actions/check-vulnerabilities`` to CI-CD
\ No newline at end of file
From 3cb1b93fd645401b940a881d37440458f42b2926 Mon Sep 17 00:00:00 2001
From: Camille <78221213+clatapie@users.noreply.github.com>
Date: Wed, 23 Oct 2024 14:58:33 +0200
Subject: [PATCH 3/6] fix: ignoring some bandit warnings and adding reasons
---
 src/ansys/mapdl/core/launcher.py | 22 +++++++++++++++++-----
 src/ansys/mapdl/core/licensing.py | 9 +++++++--
 src/ansys/mapdl/core/mapdl_core.py | 15 +++++++++++++--
 src/ansys/mapdl/core/mapdl_grpc.py | 5 ++++-
 4 files changed, 41 insertions(+), 10 deletions(-)
diff --git a/src/ansys/mapdl/core/launcher.py b/src/ansys/mapdl/core/launcher.py
index 5a827e9bae..b8a49ddaa7 100644
--- a/src/ansys/mapdl/core/launcher.py
+++ b/src/ansys/mapdl/core/launcher.py
@@ -28,7 +28,10 @@ from queue import Empty, Queue
 import re
 import socket
-import subprocess
+
+# Subprocess is needed to start the backend. But
+# the input is controlled by the library. Excluding bandit check.
+import subprocess # nosec B404
 import threading
 import time
 from typing import TYPE_CHECKING, Any, Callable, Dict, List, Optional, Union
@@ -161,14 +164,18 @@ def _is_ubuntu() -> bool:
 word "ubuntu" in it. """
+ # must be running linux for this to be True
 if os.name != "posix":
 return False
+ # args value is controlled by the library.
+ # awk is not a partial path - Bandit false positive.
+ # Excluding bandit check.
 proc = subprocess.Popen(
 ["awk", "-F=", "/^NAME/{print $2}", "/etc/os-release"],
 stdout=subprocess.PIPE,
- )
+ ) # nosec B603 B607
 if "ubuntu" in proc.stdout.read().decode().lower():
 return True
@@ -449,6 +456,9 @@ def launch_grpc(
 LOG.debug(f"Writing temporary input file: {tmp_inp} with 'FINISH' command.")
 LOG.debug("MAPDL starting in background.")
+
+ # cmd is controlled by the library with generate_mapdl_launch_command.
+ # Excluding bandit check.
 process = subprocess.Popen(
 cmd,
 cwd=run_location,
@@ -456,7 +466,7 @@ def launch_grpc(
 stdout=subprocess.PIPE,
 stderr=subprocess.PIPE,
 env=env_vars,
- )
+ ) # nosec B603
 return process
@@ -1711,10 +1721,12 @@ def _get_windows_host_ip():
 def _run_ip_route():
- from subprocess import run
 try:
- p = run(["ip", "route"], capture_output=True)
+ # args value is controlled by the library.
+ # ip is not a partial path - Bandit false positive
+ # Excluding bandit check.
+ p = subprocess.run(["ip", "route"], capture_output=True) # nosec B603 B607
 except Exception:
 LOG.debug(
 "Detecting the IP address of the host Windows machine requires being able to execute the command 'ip route'."
diff --git a/src/ansys/mapdl/core/licensing.py b/src/ansys/mapdl/core/licensing.py
index 2c82e34f38..3ae21047b4 100644
--- a/src/ansys/mapdl/core/licensing.py
+++ b/src/ansys/mapdl/core/licensing.py
@@ -24,7 +24,10 @@ import os
 import socket
-import subprocess
+
+# Subprocess is needed to start the backend. But
+# the input is controlled by the library. Excluding bandit check.
+import subprocess # nosec B404
 import time
 from ansys.mapdl.core import _HAS_ATP, LOG
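Review bot: The justification added above `subprocess.Popen(["awk", ...])` in `_is_ubuntu` misstates what B607 reports: Bandit raises it precisely because `awk` is a bare command name resolved through `PATH`, so it is a partial path by Bandit's definition rather than a false positive. Suppressing it is defensible, but the comment should state the actual reason, e.g. `# awk is resolved via PATH on purpose; argv is a fixed list and no shell is used.`. The same wording is reused for `ip` in the `_run_ip_route` hunk later in this file, and the same correction applies there. Since the command only extracts the `NAME=` field from `/etc/os-release`, reading that file directly in Python would remove the subprocess and both suppressions; `_is_ubuntu` continues past the end of the hunk.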
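Review bot: The comment added above `subprocess.Popen(cmd, ...)` in `launch_grpc` says `cmd` is controlled by the library, but `generate_mapdl_launch_command` presumably assembles it from caller-supplied values such as the executable path and additional switches, which is exactly the data flow B603 asks a reviewer to consider. What makes the suppression sound is the call shape rather than the origin of the data, so the comment is more useful as `# cmd is built by generate_mapdl_launch_command; suppression assumes it is passed as an argv list with no shell (B603).`. The `Popen` call spans the gap between this hunk and the `@@ -456` hunk, so not all of its keyword arguments are visible here; if a `shell=` argument is set there, the suppression should be re-checked against the Bandit id that actually fires. `launch_grpc` starts and ends outside the hunk.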
@@ -328,12 +331,14 @@ def _checkout_license(self, lic, host=None, port=2325):
 env["ANS_FLEXLM_DISABLE_DEFLICPATH"] = "TRUE"
 tstart = time.time()
+ # ansysli_util_path is controlled by the library.
+ # Excluding bandit check.
 process = subprocess.Popen(
 [f'"{ansysli_util_path}"', "-checkout", f"{lic}"],
 stdout=subprocess.PIPE,
 stderr=subprocess.STDOUT,
 env=env,
- )
+ ) # nosec B603
 output = process.stdout.read().decode()
 t_elap = time.time() - tstart
diff --git a/src/ansys/mapdl/core/mapdl_core.py b/src/ansys/mapdl/core/mapdl_core.py
index f1aa990d15..c380cda782 100644
--- a/src/ansys/mapdl/core/mapdl_core.py
+++ b/src/ansys/mapdl/core/mapdl_core.py
@@ -30,7 +30,10 @@ import pathlib
 import re
 from shutil import copyfile, rmtree
-from subprocess import DEVNULL, call
+
+# Subprocess is needed to start the backend. But
+# the input is controlled by the library. Excluding bandit check.
+from subprocess import DEVNULL, call # nosec B404
 import tempfile
 import time
 from typing import TYPE_CHECKING, Any, Dict, List, Literal, Optional, Tuple, Union
@@ -1696,6 +1699,13 @@ def open_gui(self, include_result=None, inplace=None): # pragma: no cover
 f"The changes you make will overwrite the files in {run_dir}."
 )
 add_sw = add_sw.split()
+
+ # Ensure exec_file is a file
+ try:
+ pathlib.Path(exec_file).is_file()
+ except FileNotFoundError:
+ raise FileNotFoundError("The executable file for ANSYS was not found. ")
+
 exec_array = [
 f"{exec_file}",
 "-g",
@@ -1706,11 +1716,12 @@ def open_gui(self, include_result=None, inplace=None): # pragma: no cover
 *add_sw,
 ]
+ # exec_array is controlled by the library. Excluding bandit check.
 call(
 exec_array,
 stdout=DEVNULL,
 cwd=run_dir,
- )
+ ) # nosec B603
 # Going back
 os.chdir(cwd)
diff --git a/src/ansys/mapdl/core/mapdl_grpc.py b/src/ansys/mapdl/core/mapdl_grpc.py
index 35ef630f0a..ea0aac63d8 100644
--- a/src/ansys/mapdl/core/mapdl_grpc.py
+++ b/src/ansys/mapdl/core/mapdl_grpc.py
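Review bot: The suppression on `subprocess.Popen([f'"{ansysli_util_path}"', "-checkout", f"{lic}"], ...)` in `_checkout_license` now certifies a call whose first argv element wraps the executable path in literal double quotes; with a list argv and no `shell=` argument (none is visible in the hunk) those quotes become part of the program name rather than shell quoting, so the call as written likely cannot locate the binary, and if `shell=True` is in fact passed on a line outside the hunk, Bandit would report that as B602 rather than the B603 being silenced. Either way the nosec comment should describe the real call shape; if no shell is used, `[f"{ansysli_util_path}", "-checkout", f"{lic}"]` with `# nosec B603` is the consistent form. `_checkout_license` begins and ends outside the hunk.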
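Review bot: The new existence check in `open_gui` is inert: `pathlib.Path(exec_file).is_file()` returns `False` for a missing path instead of raising `FileNotFoundError`, and its result is discarded, so the `except` branch can never run and a wrong `exec_file` still reaches the `call(exec_array, ...)` in the next hunk. Replace the try/except with a direct test: `if not pathlib.Path(exec_file).is_file():` / `    raise FileNotFoundError(f"The executable file for ANSYS was not found: {exec_file}")`. Including the path in the message helps the user, and the trailing space in the current message looks unintended. `open_gui` starts and ends outside the hunk.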
@@ -31,7 +31,10 @@ import pathlib
 import re
 import shutil
-from subprocess import Popen
+
+# Subprocess is needed to start the backend. But
+# the input is controlled by the library. Excluding bandit check.
+from subprocess import Popen # nosec B404
 import tempfile
 import threading
 import time
From c5de19b30a9135aaf42d177d15c2bec9ca412cab Mon Sep 17 00:00:00 2001
From: Camille <78221213+clatapie@users.noreply.github.com>
Date: Wed, 23 Oct 2024 15:38:37 +0200
Subject: [PATCH 4/6] Update .github/workflows/ci.yml
Co-authored-by: German <28149841+germa89@users.noreply.github.com>
---
 .github/workflows/ci.yml | 19 ++----------------
 1 file changed, 2 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b34e811c01..e2794c50b0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -138,8 +138,7 @@ jobs:
 check-vulnerabilities-dev:
- name: "Check library vulnerabilities (development mode)"
- if: github.ref != 'refs/heads/main'
+ name: "Check library vulnerabilities"
 runs-on: ubuntu-latest
 steps:
 - name: "Check library vulnerabilities with development mode"
@@ -148,21 +147,7 @@ jobs:
 python-version: ${{ env.MAIN_PYTHON_VERSION }}
 token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
 python-package-name: ${{ env.PACKAGE_NAME }}
- dev-mode: true
-
-
- check-vulnerabilities-main:
- name: "Check library vulnerabilities (default mode - only on main)"
- if: github.ref == 'refs/heads/main'
- runs-on: ubuntu-latest
- steps:
- - name: "Check library vulnerabilities with default mode"
- uses: ansys/actions/check-vulnerabilities@v8
- with:
- python-version: ${{ env.MAIN_PYTHON_VERSION }}
- token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
- python-package-name: ${{ env.PACKAGE_NAME }}
-
+ dev-mode: github.ref != 'refs/heads/main'
 docs-build:
 name: "Build documentation"
 runs-on: ubuntu-latest
From 3ac0e13c557ce0305cf2c8afdcb59b6ee5a80486 Mon Sep 17 00:00:00 2001
From: Camille <78221213+clatapie@users.noreply.github.com>
Date: Wed, 23 Oct 2024 15:41:03 +0200
Subject: [PATCH 5/6] Apply suggestions from code review
Co-authored-by: Roberto Pastor Muela <37798125+RobPasMue@users.noreply.github.com>
---
 .github/workflows/ci.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e2794c50b0..1f841f8a38 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -137,7 +137,7 @@ jobs:
 python -c "from pyvista.plotting import system_supports_plotting; print('System support plotting ' + str(system_supports_plotting()))"
- check-vulnerabilities-dev:
+ check-vulnerabilities:
 name: "Check library vulnerabilities"
 runs-on: ubuntu-latest
 steps:
@@ -147,7 +147,8 @@ jobs:
 python-version: ${{ env.MAIN_PYTHON_VERSION }}
 token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
 python-package-name: ${{ env.PACKAGE_NAME }}
- dev-mode: github.ref != 'refs/heads/main'
+ dev-mode: ${{ github.ref != 'refs/heads/main' }}
+
 docs-build:
 name: "Build documentation"
 runs-on: ubuntu-latest
From 850670afe3f34ce76e60494fe33ae80243ae4ae8 Mon Sep 17 00:00:00 2001
From: Roberto Pastor Muela <37798125+RobPasMue@users.noreply.github.com>
Date: Wed, 23 Oct 2024 15:45:15 +0200
Subject: [PATCH 6/6] Update .github/workflows/ci.yml
---
 .github/workflows/ci.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1f841f8a38..14e8de1f91 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -141,8 +141,7 @@ jobs:
 name: "Check library vulnerabilities"
 runs-on: ubuntu-latest
 steps:
- - name: "Check library vulnerabilities with development mode"
- uses: ansys/actions/check-vulnerabilities@v8
+ - uses: ansys/actions/check-vulnerabilities@v8
 with:
 python-version: ${{ env.MAIN_PYTHON_VERSION }}
 token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
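Review bot: `dev-mode: ${{ github.ref != 'refs/heads/main' }}` in the `@@ -147` hunk enables development mode for every ref that is not `main`, which includes release tags (`refs/tags/...`) and pull-request merge refs, not only feature branches. If the workflow also runs on tag pushes (its `on:` block is outside this hunk) and `dev-mode` relaxes the check, releases would be scanned in the relaxed mode; `dev-mode: ${{ github.ref != 'refs/heads/main' && github.ref_type != 'tag' }}` would keep tags on the default mode. Whether that is wanted depends on what the action does in development mode, which this diff does not show; a one-line comment above the key stating the intended policy would settle it for the next reader.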