@@ -14,77 +14,79 @@ Here are some examples of common vulnerabilities:
1414Vulnerability sources
1515---------------------
1616
17- - **Vulnerabilities from PyAnsys library code **: Maintainers are responsible for deciding whether to
18- address vulnerabilities. The priority of vulnerabilities can be escalated internally if they represent
19- a roadblock for usage. The Ansys business unit in charge of the project should handle
17+ - **Vulnerabilities from PyAnsys library code **: Maintainers are responsible for deciding whether
18+ to address vulnerabilities. The priority of vulnerabilities can be escalated internally if they
19+ represent a roadblock for usage. The Ansys business unit in charge of the project should handle
2020 vulnerabilities on a case-by-case basis.
2121
22- - **Vulnerabilities from external package dependencies **: When vulnerabilities exist in external packages
23- used by PyAnsys libraries, such as NumPy or Matplotlib, Ansys should not address these vulnerabilities
24- directly. Instead, raise an issue on the open source repository, pointing out the
25- vulnerability and linking the applicable `CVE `_. At most, be mindful of deprecated packages and functions
26- because they may not receive security patches and might introduce vulnerabilities into your codebase.
22+ - **Vulnerabilities from external package dependencies **: When vulnerabilities exist in external
23+ packages used by PyAnsys libraries, such as NumPy or Matplotlib, Ansys should not address these
24+ vulnerabilities directly. Instead, raise an issue on the open source repository, pointing out
25+ the vulnerability and linking the applicable `CVE `_. At most, be mindful of deprecated packages
26+ and functions because they may not receive security patches and might introduce vulnerabilities
27+ into your codebase.
2728
2829Vulnerability discovery and tracking
2930-------------------------------------
3031
31- Leverage available security tools like dependency scanners or static
32- analyzers (such as PyUp, Safety, or Bandit) to automatically detect and
33- remediate security vulnerabilities in Python packages and dependencies.
32+ Leverage available security tools like dependency scanners or static analyzers (such as PyUp,
33+ Safety, or Bandit) to automatically detect and remediate security vulnerabilities in Python
34+ packages and dependencies.
3435
35- The PyAnsys ecosystem has implemented automated mechanisms to track and
36- report vulnerabilities in the codebase. These tools are intended to be integrated
37- into the CI/CD workflow of the repositories.
36+ The PyAnsys ecosystem has implemented automated mechanisms to track and report vulnerabilities
37+ in the codebase. These tools are intended to be integrated into the CI/CD workflow of the
38+ repositories.
3839
39- The PyAnsys Core team has come up with a GitHub Action that can be used to
40- automatically check for vulnerabilities in the codebase. This action is based on
41- the following tools:
40+ The PyAnsys Core team has come up with a GitHub Action that can be used to automatically check
41+ for vulnerabilities in the codebase. This action is based on the following tools:
4242
4343- `Safety `_ : Checks installed dependencies for known security vulnerabilities.
4444- `Bandit `_: Attempts to find common security issues in Python code.
4545
46- Safety addresses external dependencies, while Bandit focuses on the codebase itself.
47- Both tools have been integrated into the ``ansys/actions/check-vulnerabilities `` action.
46+ Safety addresses external dependencies, while Bandit focuses on the codebase itself. Both tools
47+ have been integrated into the ``ansys/actions/check-vulnerabilities `` action.
4848
4949.. note ::
5050
5151 The tools selected for the action are not definitive. The action can be modified to include
5252 other tools or to use different versions of the tools in the future.
5353
54- For third-party packages, the PyAnsys Core team has listed a set of excluded advisories so
55- that the action does not fail. This is done to avoid false positives and to ensure that the action
56- does not block the CI/CD pipeline unnecessarily. You can find the list of excluded advisories
57- in `the action's documentation `_.
54+ For third-party packages, the PyAnsys Core team has listed a set of excluded advisories so that
55+ the action does not fail. This is done to avoid false positives and to ensure that the action does
56+ not block the CI/CD pipeline unnecessarily. You can find the list of excluded advisories in
57+ `the action's documentation `_.
5858
59- For potential vulnerabilities in the codebase, repositories can configure Bandit to ignore specific
60- advisories. This can be due to the code not being ready yet to be fixed or that the advisory is not relevant
61- to the codebase. However, it is important to note that ignoring advisories should be done with caution,
62- and developers should be aware of the potential risks involved. Furthermore, repository maintainers should
63- document the reasons for ignoring advisories and ensure that they are regularly reviewed to determine if they
64- can be addressed.
59+ For potential vulnerabilities in the codebase, repositories can configure Bandit to ignore
60+ specific advisories. This can be due to the code not being ready yet to be fixed or that the
61+ advisory is not relevant to the codebase. However, it is important to note that ignoring
62+ advisories should be done with caution, and developers should be aware of the potential risks
63+ involved. Furthermore, repository maintainers should document the reasons for ignoring advisories
64+ and ensure that they are regularly reviewed to determine if they can be addressed.
6565
6666.. note ::
6767
68- An example on how to document the ignored advisories can be found in the `PyACP security considerations `_
69- documentation page. This should be taken as a reference for documenting ignored advisories in other repositories.
68+ An example on how to document the ignored advisories can be found in the `PyACP security
69+ considerations `_ documentation page. This should be taken as a reference for documenting ignored
70+ advisories in other repositories.
7071
7172.. warning ::
7273
73- Testing the action locally before enabling it in the CI/CD workflow is recommended. Information on how
74- to do this can be found in `the action's documentation `_.
74+ Testing the action locally before enabling it in the CI/CD workflow is recommended. Information
75+ on how to do this can be found in `the action's documentation `_.
7576
7677Vulnerability remediation and reporting
7778----------------------------------------
7879
79- When a vulnerability is detected, the action fails and reports the vulnerabilities found in the codebase.
80- Following that, these vulnerabilities are reported as draft security advisories in the repository's
81- **Security ** tab. Maintainers are then responsible for reviewing the advisories and deciding whether to address
82- them or not. These advisories are monitored by the PyAnsys Core team and are escalated internally if they
83- represent a roadblock for usage.
80+ When a vulnerability is detected, the action fails and reports the vulnerabilities found in the
81+ codebase. Following that, these vulnerabilities are reported as draft security advisories in the
82+ repository's **Security ** tab. Maintainers are then responsible for reviewing the advisories and
83+ deciding whether to address them or not. These advisories are monitored by the PyAnsys Core team
84+ and are escalated internally if they represent a roadblock for usage.
8485
85- Repositories should also have a process in place to handle vulnerabilities that are reported by users or
86- other developers. For that purpose, a ``SECURITY.md `` file should be created in the root of the repository.
87- This file should contain information on how to report vulnerabilities and the process for handling them.
86+ Repositories should also have a process in place to handle vulnerabilities that are reported by
87+ users or other developers. For that purpose, a ``SECURITY.md `` file should be created in the root
88+ of the repository. This file should contain information on how to report vulnerabilities and the
89+ process for handling them.
8890
8991Here is an example of a ``SECURITY.md `` file:
9092
@@ -108,34 +110,178 @@ Here is an example of a ``SECURITY.md`` file:
108110
109111------------------------
110112
111- When a vulnerability is detected and a decision is made to address it, the repository maintainers should
112- create a private fork of the repository and create a pull request with the fix. Information on
113- how to create such a temporary fork to resolve a vulnerability can be found in `Github's documentation `_.
114- When opened, the pull request should be reviewed in depth and include tests to ensure that the
115- vulnerability is fixed. Once the pull request is merged, the repository maintainers should create a new
116- release with the fix and update the changelog accordingly.
113+ When a vulnerability is detected and a decision is made to address it, the repository maintainers
114+ should create a private fork of the repository and create a pull request with the fix. Information
115+ on how to create such a temporary fork to resolve a vulnerability can be found in `Github's
116+ documentation `_. When opened, the pull request should be reviewed in depth and include tests to
117+ ensure that the vulnerability is fixed. Once the pull request is merged, the repository
118+ maintainers should create a new release with the fix and update the changelog accordingly.
117119
118120The release should be tagged with a new version number where the patch value has been incremented,
119- and the changelog should include a note about the vulnerability and the fix. The note should include
120- this information:
121+ and the changelog should include a note about the vulnerability and the fix. The note should
122+ include this information:
121123
122124- The CVE number of the vulnerability (if applicable)
123125- A description of the vulnerability and its potential consequences
124126- A description of the fix and how it addresses the vulnerability
125127- A link to the pull request that fixed the vulnerability
126128
127- Additionally, the security advisory should be published on the repository's **Security ** tab.
128- This advisory should include the same information as the changelog note, in other words the
129- CVE number, the date of the advisory, and the status of the advisory (such as published or withdrawn).
129+ Additionally, the security advisory should be published on the repository's **Security ** tab. This
130+ advisory should include the same information as the changelog note, in other words the CVE number,
131+ the date of the advisory, and the status of the advisory (such as published or withdrawn).
130132
131- A reference of a published security advisory can be found here: `PyAnsys Geometry subprocess advisory `_.
132- This advisory was published in the PyAnsys Geometry repository and includes information about a vulnerability
133- in which users could execute arbitrary code on the system by using one of this library's functions.
133+ A reference of a published security advisory can be found here: `PyAnsys Geometry subprocess
134+ advisory `_. This advisory was published in the PyAnsys Geometry repository and includes
135+ information about a vulnerability in which users could execute arbitrary code on the system by
136+ using one of this library's functions.
134137
135138Ensuring compliance across the PyAnsys ecosystem
136139------------------------------------------------
137140
138- The PyAnsys Core team is responsible for ensuring that the ``ansys/actions/check-vulnerabilities `` action is up to date and that it is
139- being used in all PyAnsys repositories considered as libraries (that is, Python packages shipped to PyPI).
140- Repository maintainers are responsible for ensuring that the action is implemented correctly and that the
141- results are reviewed regularly.
141+ The PyAnsys Core team is responsible for ensuring that the ``ansys/actions/check-vulnerabilities ``
142+ action is up to date and that it is being used in all PyAnsys repositories considered as libraries
143+ (that is, Python packages shipped to PyPI). Repository maintainers are responsible for ensuring
144+ that the action is implemented correctly and that the results are reviewed regularly.
145+
146+
147+ Addressing common vulnerabilities
148+ ---------------------------------
149+
150+ When developing Python applications, it is essential to be aware of common vulnerabilities that can
151+ occur in the codebase. These vulnerabilities can lead to security risks, data breaches, and other
152+ serious issues.
153+
154+ The `Bandit ` tool provides a blacklist of known vulnerable functions and methods that should
155+ not be used in Python code. Using these functions can lead to security vulnerabilities and
156+ should be avoided. Refer to the `blacklists Bandit documentation `_ for detailed information on
157+ `Bandit ` tool outputs.
158+
159+
160+ **Bandit blacklist **
161+
162+ The `Bandit ` tool provides a blacklist of known vulnerable functions and methods that should
163+ not be used in Python code. Using these functions can lead to security vulnerabilities and
164+ should be avoided.
165+
166+ Address each requested changes proposed by `Bandit ` to ensure that your code is secure.
167+ You can find information on how to improve your code in the `blacklists Bandit documentation `_.
168+
169+
170+ **subprocess command injection **
171+
172+ The `subprocess ` module can be vulnerable to command injection if user input is not properly
173+ sanitized. This can lead to arbitrary command execution, which is a significant security risk.
174+
175+ To mitigate this risk, you should:
176+
177+ - avoid using the `subprocess ` module to execute shell commands with user input, as it can lead
178+ to command injection vulnerabilities.
179+ - if the previous point is not possible, you need to disable the `shell=True ` argument in
180+ `subprocess.run() ` or similar functions, as it allows for shell injection attacks.
181+
182+ By removing the `shell=True ` argument, a list is needed to pass the command and its
183+ arguments directly, which is safer. This way, user input is not executed as a shell command,
184+ and the risk of command injection is significantly reduced.
185+
186+ .. tab-set ::
187+
188+ .. tab-item :: Risk of `subprocess` command injection
189+
190+ .. code :: python
191+
192+ import subprocess
193+
194+ user_input = " malicious_command; rm -rf /" # User input that could be malicious
195+ subprocess.run(f " echo { user_input} " , shell = True ) # Vulnerable to command injection
196+
197+ tab-item :: Reduced risk of `subprocess` command injection
198+
199+ .. code :: python
200+
201+ import subprocess
202+
203+ user_input = " malicious_command; rm -rf /" # User input that could be malicious
204+ # Removing shell=True and using a list
205+ subprocess.run([" echo" # User input is not executed as a shell command
206+
207+
208+ try except continue statements **
209+
210+ Using `try except continue ` statements can lead to silent failures, making it difficult to debug
211+ issues and potentially allowing vulnerabilities to go unnoticed. Instead, you should handle
212+ exceptions explicitly and log or raise them as needed.
213+
214+ .. tab-set ::
215+
216+ .. tab-item :: `try except continue` without handling exceptions
217+
218+ .. code :: python
219+
220+ try :
221+ risky_operation() # Some code that might raise an exception
222+ except :
223+ continue # This will silently ignore all the exceptions and continue execution
224+
225+ tab-item :: `try except continue` with explicit exception handling
226+
227+ .. code :: python
228+
229+ try :
230+ risky_operation()
231+ except SpecificException as e:
232+ continue # Handle specific exceptions and continue
233+ except AnotherSpecificException as e:
234+ log_error(e) # Log the error for debugging
235+ raise # Raise the exception to notify the caller
236+
237+
238+ requests.get() without timeout **
239+
240+ Using `requests.get() ` without a timeout can lead to hanging requests, which can be exploited
241+ by attackers to cause denial of service (DoS) conditions. Always specify a timeout value to
242+ prevent this issue.
243+
244+ .. tab-set ::
245+
246+ .. tab-item :: `requests.get()` without timeout
247+
248+ .. code :: python
249+
250+ import requests
251+
252+ response = requests.get(" https://example.com" # No timeout specified
253+
254+ tab-item :: `requests.get()` with timeout
255+
256+ .. code :: python
257+
258+ import requests
259+
260+ response = requests.get(" https://example.com" timeout = 5 ) # Timeout set to 5 seconds
261+
262+
263+ random insecure functions **
264+
265+ Using insecure functions from the `random ` module can lead to predictable random number
266+ generation, which can be exploited by attackers. Instead, use the `secrets ` module, which
267+ provides a secure way to generate random numbers.
268+
269+ .. tab-set ::
270+
271+ .. tab-item :: Insecure random functions
272+
273+ .. code :: python
274+
275+ import random
276+
277+ random_number = random.randint(1 , 100 ) # Predictable random number generation
278+ random_letter = random.choice([" a" " b" " c" # Predictable choice from a list
279+
280+ tab-item :: Secure random functions
281+
282+ .. code :: python
283+
284+ import secrets
285+
286+ secure_random_number = secrets.randbelow(100 ) # Secure random number generation
287+ secure_random_letter = secrets.choice([" a" " b" " c" # Secure choice from a list
![pre-commit-ci[bot]](https://avatars.githubusercontent.com/in/68672?v=4&size=40){kind=avatar}
0 commit comments