From 64aa3374d9666e1d007421e5a39ddd4b6c2f55a3 Mon Sep 17 00:00:00 2001 From: Samarasimha Reddy Panga Date: Sat, 25 Sep 2021 18:38:09 +0530 Subject: [PATCH 1/4] added badge to readme and created new testcase --- .github/workflows/cicd.yml | 8 ++++++-- README.md | 2 +- test_app.py | 16 ++++++++++++++++ 3 files changed, 23 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index ff94caa..ccf629d 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -6,7 +6,10 @@ on: push jobs: # first job to test the application using pytest unittest: - runs-on: ubuntu-latest # choose the OS for running the action + runs-on: ${{ matrix.os }} # choose the OS for running the action + strategy: + matrix: + os: [ubuntu-latest, windows-latest] # define the individual sequential steps to be run steps: - name: Checkout the repository @@ -23,10 +26,11 @@ jobs: pytest codecoverage: - runs-on: ubuntu-latest # choose the OS for running the action + runs-on: ${{ matrix.os }} # choose the OS for running the action strategy: matrix: python: ['3.7', '3.8', '3.9'] + os: [ubuntu-latest, windows-latest] env: PYTHON: ${{ matrix.python }} # define the individual sequential steps to be run diff --git a/README.md b/README.md index 48be970..e32279b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Dev-Sec-Ops Demo/Assignment -[![codecov](https://codecov.io/gh/PGCSEDS-IIITH/devsecops-iris/branch/master/graph/badge.svg?token=EILEH8L7R5)](https://codecov.io/gh/PGCSEDS-IIITH/devsecops-iris) +[![codecov](https://codecov.io/gh/PGCSEDS-IIITH/devsecops-iris/branch/master/graph/badge.svg?token=EILEH8L7R5)](https://codecov.io/gh/samara295/devsecops-iris) This repository contains code which demonstrates Dev-Sec-Ops using a `FastAPI` application which predicts the flower class using the IRIS dataset (https://scikit-learn.org/stable/auto_examples/datasets/plot_iris_dataset.html) 
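Review bot: The new `strategy.matrix` on the `unittest` job keeps GitHub Actions' default `fail-fast: true`, so the first failure on one OS cancels the still-running job on the other and only one OS result is left to read; add `fail-fast: false` under `strategy:` directly above the new `matrix:` (the `codecoverage` matrix in the second hunk has the same gap). The `os` list `[ubuntu-latest, windows-latest]` is also repeated verbatim in both jobs, so a later change to one list is easy to miss in the other. The `unittest` job's step list continues past the end of the hunk.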
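Review bot: The `codecoverage` job now fans out over `os` as well as `python`, but its `env` block still exports only `PYTHON: ${{ matrix.python }}`; if the coverage upload step (outside this hunk) tags reports by that variable, the ubuntu and windows runs for the same interpreter become indistinguishable and one may overwrite the other. Add `OS: ${{ matrix.os }}` under `env:` beside `PYTHON` and include it wherever the upload step lists the env vars it reports. The rest of the job definition lies outside the hunk, so this is inferred from the `env` block alone.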
diff --git a/test_app.py b/test_app.py
index b65fc90..546a7c0 100644
--- a/test_app.py
+++ b/test_app.py
@@ -24,3 +24,19 @@ def test_pred_virginica():
 # asserting the correct response is received
 assert response.status_code == 200
 assert response.json() == {"flower_class": "Iris Virginica"}
+
+# test to check feedback_loop
+def test_feedback_loop():
+ # defining a sample payload for the testcase
+ payload = [{
+ "sepal_length": 3,
+ "sepal_width": 5,
+ "petal_length": 3.2,
+ "petal_width": 4.4,
+ "flower_class":"Iris Virginica"
+ }]
+ with TestClient(app) as client:
+ response = client.post("/feedback_loop", json=payload)
+ # asserting the correct response is received
+ assert response.status_code == 200
+ assert response.json() == {"detail": "Feedback loop successful"}
From 84d68d883a05568bce5a5d92cbf588f2e23668fa Mon Sep 17 00:00:00 2001
From: Samarasimha Reddy Panga
Date: Sat, 25 Sep 2021 18:59:08 +0530
Subject: [PATCH 2/4] Changes are updated in branch1
---
 README.md | 2 +-
 results.sarif | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 results.sarif
diff --git a/README.md b/README.md
index e32279b..a834198 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 [![codecov](https://codecov.io/gh/PGCSEDS-IIITH/devsecops-iris/branch/master/graph/badge.svg?token=EILEH8L7R5)](https://codecov.io/gh/samara295/devsecops-iris)
-This repository contains code which demonstrates Dev-Sec-Ops using a `FastAPI` application which predicts the flower class using the IRIS dataset (https://scikit-learn.org/stable/auto_examples/datasets/plot_iris_dataset.html)
+This repository contains code which demonstrates Dev-Sec-Ops using a `FastAPI` application which predicts the flower class using the IRIS dataset. (https://scikit-learn.org/stable/auto_examples/datasets/plot_iris_dataset.html)
 ## Running Instructions
 - Create a fork of the repo using the `fork` button.
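Review bot: `test_feedback_loop` pins only the accepted-payload path of `/feedback_loop`, so nothing in the suite checks that the endpoint rejects a malformed feedback record before it is stored or acted on; a companion test posting a record with a wrong-typed field and expecting the 422 that FastAPI returns for request-validation failures would cover that, assuming the endpoint declares a Pydantic model for the body (not visible in this hunk). Minor style point: `"flower_class":"Iris Virginica"` lacks the space after the colon that the other payload fields use. A sketch of the companion test, to sit after the new function:

```python
# … unchanged: test_feedback_loop …

# a malformed record must be rejected before it reaches the feedback store
def test_feedback_loop_rejects_invalid_payload():
    payload = [{"sepal_length": "not-a-number"}]
    with TestClient(app) as client:
        response = client.post("/feedback_loop", json=payload)
    assert response.status_code == 422
```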
diff --git a/results.sarif b/results.sarif new file mode 100644 index 0000000..3fa5331 --- /dev/null +++ b/results.sarif @@ -0,0 +1,89 @@ +{ + "runs": [ + { + "tool": { + "driver": { + "name": "Bandit", + "rules": [ + { + "id": "B104", + "name": "hardcoded_bind_all_interfaces", + "helpUri": "https://bandit.readthedocs.io/en/latest/plugins/b104_hardcoded_bind_all_interfaces.html" + } + ] + } + }, + "invocations": [ + { + "executionSuccessful": true, + "endTimeUtc": "2021-09-25T13:05:38Z" + } + ], + "properties": { + "metrics": { + "_totals": { + "loc": 33, + "nosec": 0, + "SEVERITY.UNDEFINED": 0.0, + "CONFIDENCE.UNDEFINED": 0.0, + "SEVERITY.LOW": 0.0, + "CONFIDENCE.LOW": 0.0, + "SEVERITY.MEDIUM": 1.0, + "CONFIDENCE.MEDIUM": 1.0, + "SEVERITY.HIGH": 0.0, + "CONFIDENCE.HIGH": 0.0 + }, + "./main.py": { + "loc": 33, + "nosec": 0, + "SEVERITY.UNDEFINED": 0.0, + "SEVERITY.LOW": 0.0, + "SEVERITY.MEDIUM": 1.0, + "SEVERITY.HIGH": 0.0, + "CONFIDENCE.UNDEFINED": 0.0, + "CONFIDENCE.LOW": 0.0, + "CONFIDENCE.MEDIUM": 1.0, + "CONFIDENCE.HIGH": 0.0 + } + } + }, + "results": [ + { + "message": { + "text": "Possible binding to all interfaces." + }, + "locations": [ + { + "physicalLocation": { + "region": { + "snippet": { + "text": " uvicorn.run(\"main:app\", host=\"0.0.0.0\", port=8888, reload=True)\n" + }, + "startLine": 64 + }, + "artifactLocation": { + "uri": "main.py" + }, + "contextRegion": { + "snippet": { + "text": " # Uvicorn is used to run the server and listen for incoming API requests on 0.0.0.0:8888\n uvicorn.run(\"main:app\", host=\"0.0.0.0\", port=8888, reload=True)\n" + }, + "endLine": 64, + "startLine": 63 + } + } + } + ], + "properties": { + "issue_confidence": "MEDIUM", + "issue_severity": "MEDIUM" + }, + "ruleId": "B104", + "ruleIndex": 0 + } + ] + } + ], + "version": "2.1.0", + "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json" +} \ No newline at end of file From 63e2b75feb7136a3c8afba848b913ca46dd725a7 Mon Sep 17 00:00:00 2001 
From: Samarasimha Reddy Panga Date: Sat, 25 Sep 2021 19:08:49 +0530 Subject: [PATCH 3/4] Badge is updated in Readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a834198..e9c821b 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,8 @@ # Dev-Sec-Ops Demo/Assignment -[![codecov](https://codecov.io/gh/PGCSEDS-IIITH/devsecops-iris/branch/master/graph/badge.svg?token=EILEH8L7R5)](https://codecov.io/gh/samara295/devsecops-iris) +[![codecov](https://codecov.io/gh/samara295/devsecops-iris/branch/master/graph/badge.svg?token=EILEH8L7R5)](https://codecov.io/gh/samara295/devsecops-iris) -This repository contains code which demonstrates Dev-Sec-Ops using a `FastAPI` application which predicts the flower class using the IRIS dataset. (https://scikit-learn.org/stable/auto_examples/datasets/plot_iris_dataset.html) +This repository contains code which demonstrates Dev-Sec-Ops using a `FastAPI` application which predicts the flower class using the IRIS dataset (https://scikit-learn.org/stable/auto_examples/datasets/plot_iris_dataset.html) ## Running Instructions - Create a fork of the repo using the `fork` button. From df38744e69715682527ebdb77ef788899a9714ad Mon Sep 17 00:00:00 2001 From: samara295 <85747122+samara295@users.noreply.github.com> Date: Sun, 26 Sep 2021 18:37:42 +0530 Subject: [PATCH 4/4] Create codeql-analysis.yml --- .github/workflows/codeql-analysis.yml | 71 +++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..6f26daf --- /dev/null +++ b/.github/workflows/codeql-analysis.yml 
@@ -0,0 +1,71 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ master ]
+ schedule:
+ - cron: '40 20 * * 6'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'python' ]
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+ # Learn more:
+ # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+ # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v1
+
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
+
+ # âœī¸ If the Autobuild fails above, remove it and uncomment the following three lines
+ # and modify them (or add more) to build your code if your project
+ # uses a compiled language
+
+ #- run: |
+ # make bootstrap
+ # make release
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
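Review bot: Every action in the new workflow is referenced by a mutable tag (`actions/checkout@v2` in the checkout step, then `github/codeql-action/init@v1`, `autobuild@v1` and `analyze@v1`), so a moved or compromised tag would run different code under the `security-events: write` permission this job grants; pin each `uses:` to a full-length commit SHA and keep the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v2`, and let a dependency bot keep the pins current. The two comment lines `# â„šī¸ Command-line programs …` and `# âœī¸ If the Autobuild fails above …` carry mis-encoded characters where the template's emoji presumably were, so the file should be re-saved as UTF-8 or the emoji dropped from those comments.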