
CI: Add Security Check Using Bandit in CI

Open ChengyuZhu6 opened this issue 5 months ago • 4 comments

Description

Currently, the project does not have a security linter integrated into its CI pipeline. This poses potential risks, as security vulnerabilities in Python code can go undetected. I found many high security issues using Bandit.

error log: https://github.com/user-attachments/files/16975951/security-issues.log

Resolve two high security issues:

  • [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified
  • [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected

Fixes #3311

Type of change

  • [x] Bug fix (non-breaking change which fixes an issue)

Feature/Issue validation/testing

> pip install bandit
> bandit -r . --severity-level high -s B501 # Skip the B501 rule related to SSL certificate validation checks
Working... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:03
Run started:2024-09-12 08:45:39.950729

Test results:
	No issues identified.

Code scanned:
	Total lines of code: 34920
	Total lines skipped (#nosec): 0
	Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 1075
		Medium: 222
		High: 0
	Total issues (by confidence):
		Undefined: 0
		Low: 200
		Medium: 20
		High: 1077
Files skipped (0):

ChengyuZhu6, Sep 12 '24 08:09
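As an added example, not code from the project or from this PR, the following shows the pattern behind the two findings the PR resolves (B602, `subprocess` with `shell=True`; B605, which is the same finding for `os.system` and friends) beside the hardened form that Bandit's `--severity-level high` run stays silent on. The file name, the `echo` command and the `$((6*7))` marker are constructed for the demonstration; it assumes a POSIX `/bin/sh` and an `echo` binary on `PATH`.

```python
"""Added example (not the project's code): B602/B605 shell injection and its fix.
Assumes a POSIX /bin/sh and a coreutils `echo` on PATH."""
import shlex
import subprocess

# Constructed attacker-controlled input. A shell reads ';' as a command
# separator and $((6*7)) as arithmetic, so a "42" line in the output proves
# that the smuggled command was executed, not merely echoed back.
MALICIOUS_NAME = "report.txt; echo $((6*7))"


def describe_unsafe(name: str) -> str:
    """B602 pattern: untrusted data interpolated into a shell command string.
    os.system(cmd) with the same string would be the B605 finding."""
    cmd = f"echo listing {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def describe_safe(name: str) -> str:
    """Hardened form: argv list, no shell. The untrusted value is delivered to
    the program as exactly one argument; no metacharacter is ever parsed."""
    proc = subprocess.run(["echo", "listing", name], capture_output=True, text=True)
    return proc.stdout


def describe_quoted(name: str) -> str:
    """When a shell is genuinely required (pipes, globbing), quote each
    untrusted piece with shlex.quote so it stays a single word. Bandit still
    reports B602 here, so the call needs a reviewed, justified nosec."""
    cmd = f"echo listing {shlex.quote(name)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout  # nosec B602


def payload_executed(output: str) -> bool:
    """True if the shell evaluated the smuggled `echo $((6*7))`."""
    return "42" in output.splitlines()


if __name__ == "__main__":
    for fn in (describe_unsafe, describe_safe, describe_quoted):
        out = fn(MALICIOUS_NAME)
        print(f"{fn.__name__}: executed={payload_executed(out)} output={out!r}")
```

Running the file prints `executed=True` only for `describe_unsafe`; the other two return the attacker's string verbatim as a single argument. The `bandit -r . --severity-level high` command used for validation above would flag the first function (and the quoted one, which is why it carries an explicit `# nosec B602`) and report nothing for the argv-list version.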