ci: ansys/actions/check-vulnerabilities to CI-CD

.github/workflows/ci.yml

@@ -137,6 +137,18 @@ jobs:
           python -c "from pyvista.plotting import system_supports_plotting; print('System support plotting ' + str(system_supports_plotting()))"
 
 
+  check-vulnerabilities:
+    name: "Check library vulnerabilities"
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Check library vulnerabilities with development mode"
+        uses: ansys/actions/check-vulnerabilities@v8
+        with:
+          python-version: ${{ env.MAIN_PYTHON_VERSION }}
+          token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
+          python-package-name: ${{ env.PACKAGE_NAME }}
+          dev-mode: ${{ github.ref != 'refs/heads/main' }}
+
   docs-build:
     name: "Build documentation"
     runs-on: ubuntu-latest

doc/changelog.d/3505.maintenance.md

@@ -0,0 +1 @@
+ci: ``ansys/actions/check-vulnerabilities`` to CI-CD

src/ansys/mapdl/core/launcher.py

@@ -28,7 +28,10 @@
 from queue import Empty, Queue
 import re
 import socket
-import subprocess
+
+# Subprocess is needed to start the backend. But
+# the input is controlled by the library. Excluding bandit check.
+import subprocess  # nosec B404
 import threading
 import time
 from typing import TYPE_CHECKING, Any, Callable, Dict, List, Optional, Union
@@ -161,14 +164,18 @@ def _is_ubuntu() -> bool:
     word "ubuntu" in it.
 
     """
+
     # must be running linux for this to be True
     if os.name != "posix":
         return False
 
+    # args value is controlled by the library.
+    # awk is not a partial path - Bandit false positive.
+    # Excluding bandit check.
     proc = subprocess.Popen(
         ["awk", "-F=", "/^NAME/{print $2}", "/etc/os-release"],
         stdout=subprocess.PIPE,
-    )
+    )  # nosec B603 B607
     if "ubuntu" in proc.stdout.read().decode().lower():
         return True
 
@@ -449,14 +456,17 @@ def launch_grpc(
             LOG.debug(f"Writing temporary input file: {tmp_inp} with 'FINISH' command.")
 
     LOG.debug("MAPDL starting in background.")
+
+    # cmd is controlled by the library with generate_mapdl_launch_command.
+    # Excluding bandit check.
     process = subprocess.Popen(
         cmd,
         cwd=run_location,
         stdin=subprocess.DEVNULL,
         stdout=subprocess.PIPE,
         stderr=subprocess.PIPE,
         env=env_vars,
-    )
+    )  # nosec B603
 
     return process
 
@@ -1711,10 +1721,12 @@ def _get_windows_host_ip():
 
 
 def _run_ip_route():
-    from subprocess import run
 
     try:
-        p = run(["ip", "route"], capture_output=True)
+        # args value is controlled by the library.
+        # ip is not a partial path - Bandit false positive
+        # Excluding bandit check.
+        p = subprocess.run(["ip", "route"], capture_output=True)  # nosec B603 B607
     except Exception:
         LOG.debug(
             "Detecting the IP address of the host Windows machine requires being able to execute the command 'ip route'."

src/ansys/mapdl/core/licensing.py

@@ -24,7 +24,10 @@
 
 import os
 import socket
-import subprocess
+
+# Subprocess is needed to start the backend. But
+# the input is controlled by the library. Excluding bandit check.
+import subprocess  # nosec B404
 import time
 
 from ansys.mapdl.core import _HAS_ATP, LOG
@@ -328,12 +331,14 @@ def _checkout_license(self, lic, host=None, port=2325):
             env["ANS_FLEXLM_DISABLE_DEFLICPATH"] = "TRUE"
 
         tstart = time.time()
+        # ansysli_util_path is controlled by the library.
+        # Excluding bandit check.
         process = subprocess.Popen(
             [f'"{ansysli_util_path}"', "-checkout", f"{lic}"],
             stdout=subprocess.PIPE,
             stderr=subprocess.STDOUT,
             env=env,
-        )
+        )  # nosec B603
         output = process.stdout.read().decode()
 
         t_elap = time.time() - tstart

src/ansys/mapdl/core/mapdl_core.py

@@ -30,7 +30,10 @@
 import pathlib
 import re
 from shutil import copyfile, rmtree
-from subprocess import DEVNULL, call
+
+# Subprocess is needed to start the backend. But
+# the input is controlled by the library. Excluding bandit check.
+from subprocess import DEVNULL, call  # nosec B404
 import tempfile
 import time
 from typing import TYPE_CHECKING, Any, Dict, List, Literal, Optional, Tuple, Union
@@ -1696,6 +1699,13 @@ def open_gui(self, include_result=None, inplace=None):  # pragma: no cover
                 f"The changes you make will overwrite the files in {run_dir}."
             )
         add_sw = add_sw.split()
+
+        # Ensure exec_file is a file
+        try:
+            pathlib.Path(exec_file).is_file()
+        except FileNotFoundError:
+            raise FileNotFoundError("The executable file for ANSYS was not found. ")
+
         exec_array = [
             f"{exec_file}",
             "-g",
@@ -1706,11 +1716,12 @@ def open_gui(self, include_result=None, inplace=None):  # pragma: no cover
             *add_sw,
         ]
 
+        # exec_array is controlled by the library. Excluding bandit check.
         call(
             exec_array,
             stdout=DEVNULL,
             cwd=run_dir,
-        )
+        )  # nosec B603
 
         # Going back
         os.chdir(cwd)

src/ansys/mapdl/core/mapdl_grpc.py

@@ -31,7 +31,10 @@
 import pathlib
 import re
 import shutil
-from subprocess import Popen
+
+# Subprocess is needed to start the backend. But
+# the input is controlled by the library. Excluding bandit check.
+from subprocess import Popen  # nosec B404
 import tempfile
 import threading
 import time