From a6d5795d10e8feb558939629154159bd358c251a Mon Sep 17 00:00:00 2001 From: Alexander Barabanov <97449232+AlexanderBarabanov@users.noreply.github.com> Date: Thu, 16 Jan 2025 12:43:09 +0000 Subject: [PATCH] Security scan pipeline update (#4177) * codeql settings update * codeql fix * update trivy * update bandit * trivy fix * trivy fix * trivy fix * json output * trivy fix * trivy spdx * codeql added * bandit update * remove bandit B320 * remove bandit B410 * remove workflow_dispatch * revert trivy yaml * fix format --- .ci/ipas_default.config | 6 +- .github/workflows/code_scan.yaml | 134 +++++++++++++++++++++++++++---- .github/workflows/codeql.yaml | 37 +++++---- tox.ini | 2 +- 4 files changed, 143 insertions(+), 36 deletions(-) diff --git a/.ci/ipas_default.config b/.ci/ipas_default.config index 4bc8b481e39..95dd511397c 100644 --- a/.ci/ipas_default.config +++ b/.ci/ipas_default.config @@ -40,7 +40,7 @@ # B317 : xml_bad_sax # B318 : xml_bad_minidom # B319 : xml_bad_pulldom -# B320 : xml_bad_etree +# B320 : xml_bad_etree - removed https://github.com/PyCQA/bandit/commit/e4da0b351f89a82b5de8dd791cbdd963476b5a11 # B321 : ftplib # B323 : unverified_context # B324 : hashlib_new_insecure_functions @@ -53,7 +53,7 @@ # B407 : import_xml_expat # B408 : import_xml_minidom # B409 : import_xml_pulldom -# B410 : import_lxml +# B410 : import_lxml - removed https://github.com/PyCQA/bandit/commit/e4da0b351f89a82b5de8dd791cbdd963476b5a11 # B411 : import_xmlrpclib # B412 : import_httpoxy # B413 : import_pycrypto 
@@ -83,7 +83,7 @@ # IPAS Required Checkers. Do not disable these # Additional checkers may be added if desired tests: - [ 'B301', 'B302', 'B303', 'B304', 'B305', 'B306', 'B308', 'B310', 'B311', 'B312', 'B313', 'B314', 'B315', 'B316', 'B317', 'B318', 'B319', 'B320', 'B321', 'B323', 'B324', 'B401', 'B402', 'B403', 'B404', 'B405', 'B406', 'B407', 'B408', 'B409', 'B410', 'B411', 'B412', 'B413'] + [ 'B301', 'B302', 'B303', 'B304', 'B305', 'B306', 'B308', 'B310', 'B311', 'B312', 'B313', 'B314', 'B315', 'B316', 'B317', 'B318', 'B319', 'B321', 'B323', 'B324', 'B401', 'B402', 'B403', 'B404', 'B405', 'B406', 'B407', 'B408', 'B409', 'B411', 'B412', 'B413'] # (optional) list skipped test IDs here, eg '[B101, B406]': # The following checkers are not required but be added to tests list if desired diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml index ad66b1d55a2..85d0d8abb1d 100644 --- a/.github/workflows/code_scan.yaml +++ b/.github/workflows/code_scan.yaml @@ -10,12 +10,11 @@ on: # every UTC 6PM from Mon to Fri - cron: "0 18 * * 1-5" -# Declare default permissions as read only. -permissions: read-all +permissions: {} jobs: - Trivy-scan: - runs-on: ubuntu-latest + Trivy: + runs-on: ubuntu-22.04 steps: - name: Checkout code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
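Review bot: The replacement `permissions: {}` drops the explanatory comment that the old `permissions: read-all` line carried, and the Trivy and Bandit jobs that follow declare no permissions of their own, so they run with a token that has no scopes at all. That is the right direction for least privilege, but it leaves the intent unstated and makes checkout depend on the repository being public; I would add `# No default token permissions; each job declares what it needs.` above the line and give the Trivy and Bandit jobs an explicit `permissions:` / `  contents: read` block. The `on:` trigger block and the rest of the Trivy job continue outside this hunk.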
@@ -27,27 +26,52 @@ jobs: run: python -m pip install --require-hashes --no-deps -r .ci/requirements.txt - name: Freeze dependencies run: pip-compile --extra=docs,base,mmlab,anomaly -o requirements.txt pyproject.toml - - name: Trivy Scanning (spdx.json) - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 + + - name: Run Trivy Scan (vuln) + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 with: - trivy-config: ".ci/trivy-json.yaml" - scan-type: "fs" + scan-type: fs + scan-ref: requirements.txt + scanners: vuln + output: trivy-results-vuln.txt + + - name: Run Trivy Scan (dockerfile and secrets) + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 + with: + scan-type: fs scan-ref: . - - name: Trivy Scanning + scanners: misconfig,secret + output: trivy-results-misconfig.txt + skip-setup-trivy: true + + - name: Trivy Scanning (spdx) uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 with: - trivy-config: ".ci/trivy.yaml" - scan-type: "fs" + scan-type: fs scan-ref: . + format: spdx-json + output: trivy-results-spdx.json + skip-setup-trivy: true + - name: Upload Trivy results artifact uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: name: trivy-results - path: "${{ github.workspace }}/trivy-results.*" + path: "${{ github.workspace }}/trivy-results-*" + retention-days: 7 # Use always() to always run this step to publish scan results when there are test failures if: ${{ always() }} + + - name: Upload deps list + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + if: always() + with: + name: python-deps-list + path: "${{ github.workspace }}/requirements.txt" + retention-days: 7 + Bandit: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 steps: - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
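Review bot: Neither new Trivy step sets `severity`, `exit-code` or `ignore-unfixed`, so the action's defaults apply (exit code 0) and a vulnerability in requirements.txt or a secret found under `.` only lands in a text artifact while the job stays green. The removed `trivy-config: ".ci/trivy.yaml"` / `".ci/trivy-json.yaml"` inputs were the only place such thresholds could have lived, so if they set any, this hunk drops them silently; if gating is intended, add `severity: CRITICAL,HIGH` and `exit-code: "1"` to the vuln step (and the same to the secret scan). The version comment on the spdx step still reads `# 0.29.0` while the two steps above it say `# v0.29.0`; make them consistent. The Bandit job's steps continue outside the hunk.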
@@ -66,7 +90,87 @@ jobs: - name: Upload Bandit artifact uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: - name: bandit-report - path: .tox/bandit-report.txt + name: bandit-results + path: .tox/bandit-results.txt + retention-days: 7 # Use always() to always run this step to publish scan results when there are test failures if: ${{ always() }} + + CodeQL: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-22.04 + permissions: + # required for all workflows + security-events: write + + strategy: + fail-fast: false + matrix: + include: + - language: python + build-mode: none + - language: actions # to scan workflows + build-mode: none + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0 + with: + category: "/language:${{matrix.language}}" + + - name: Generate CodeQL Report + uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + template: report + outputDir: codeql-${{ matrix.language }} + + - name: Rename Report + shell: bash + continue-on-error: true + run: | + cd codeql-${{ matrix.language }} + mv "report.pdf" "codeql-${{ matrix.language }}.pdf" + + - name: Upload Report + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + with: + name: codeql-${{ matrix.language }}-results + path: codeql-${{ matrix.language }}/*.pdf + retention-days: 7 + + Summarize: + needs: [Trivy, Bandit, CodeQL] + if: always() + runs-on: ubuntu-22.04 + steps: + # Create directory first + - name: Create results 
directory + run: mkdir -p all-results + + # Download artifacts with error handling + - name: Download all results + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + continue-on-error: true # Don't fail if some tools didn't generate results + with: + pattern: "*-results" + merge-multiple: true + path: all-results + + # Only upload if there are files + - name: Upload combined results + if: hashFiles('all-results/**/*') != '' + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 + with: + name: security-scan-results + path: all-results + retention-days: 7 diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 27a904f9445..49e78c1ac6d 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -12,20 +12,11 @@ name: "CodeQL" on: - push: - branches: - - develop - - releases/** pull_request: types: - opened - reopened - synchronize - schedule: - - cron: "0 0 * * 0" - -permissions: - contents: read jobs: analyze: @@ -35,20 +26,20 @@ jobs: # - https://gh.io/supported-runners-and-hardware-resources # - https://gh.io/using-larger-runners # Consider using larger runners for possible analysis time improvements. - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 timeout-minutes: 60 permissions: # required for all workflows security-events: write - # only required for workflows in private repositories - actions: read - contents: read - strategy: fail-fast: false matrix: - language: ["python"] + include: + - language: python + build-mode: none + - language: actions # to scan workflows + build-mode: none # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both 
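Review bot: The new `CodeQL` job has no `timeout-minutes`, whereas the equivalent `analyze` job in codeql.yaml sets `timeout-minutes: 60`; CodeQL analysis is the longest step in this workflow and an unbounded job can hold a runner for the 6-hour default, so add `timeout-minutes: 60` under `runs-on`. The `Rename Report` step interpolates `${{ matrix.language }}` straight into `run:`; the matrix values here are literals so this is not an injection path, but passing the value through `env:` and reading `$LANGUAGE` in the script is the safer habit and keeps the two copies of this step (here and in codeql.yaml) consistent. The Generate/Rename/Upload trio is otherwise duplicated verbatim from codeql.yaml; a reusable workflow or composite action would keep the two from drifting.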
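Review bot: Removing the workflow-level `permissions:` / `  contents: read` block means any job added to this file later without its own `permissions:` inherits the repository's default token permissions, which may be write-all; the `analyze` job is covered by its own block today, but keep a top-level `permissions: {}` as defense in depth, matching what code_scan.yaml does in this same commit. With `push` and `schedule` gone, this workflow only analyzes pull requests, so default-branch alerts now depend on the scheduled CodeQL job in code_scan.yaml; if that is the intended split, a one-line comment above `on:` such as `# PR-only; scheduled/default-branch CodeQL runs from code_scan.yaml` would save the next reader from restoring the triggers.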
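Review bot: The comment directly below the new matrix, `# CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]`, is now stale because the matrix adds `actions`, which that list does not mention; update the list or replace the comment with a pointer to the CodeQL language support page. The `# to scan workflows` inline comment on the `actions` entry is good and should stay.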
@@ -63,6 +54,7 @@ jobs: uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. @@ -74,13 +66,24 @@ jobs: uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: category: "/language:${{matrix.language}}" + - name: Generate Security Report uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 with: template: report token: ${{ secrets.GITHUB_TOKEN }} + outputDir: codeql-${{ matrix.language }} + + - name: Rename Report + shell: bash + continue-on-error: true + run: | + cd codeql-${{ matrix.language }} + mv "report.pdf" "codeql-${{ matrix.language }}.pdf" + - name: GitHub Upload Release Artifacts uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0 with: - name: codeql-report - path: "./report.pdf" + name: codeql-${{ matrix.language }}-results + path: codeql-${{ matrix.language }}/*.pdf + retention-days: 7 diff --git a/tox.ini b/tox.ini index 7aa0fa1ad5b..a4d8d7ac0db 100644 --- a/tox.ini +++ b/tox.ini @@ -99,7 +99,7 @@ deps = allowlist_externals = bandit commands = - - bandit -r -c .ci/ipas_default.config {toxinidir}/ -f txt -o {toxworkdir}/bandit-report.txt + - bandit -r -c .ci/ipas_default.config -f txt -o {toxworkdir}/bandit-results.txt . [testenv:fuzzing]
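Review bot: This file keeps `github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9` (and the matching `analyze` pin in the next hunk), while the CodeQL job added to code_scan.yaml in the same commit pins `48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0`; two versions of the same scanner in one change makes results harder to compare and the pins will drift further. Align both workflows on one SHA, whichever of the two you intend to keep.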
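Review bot: `Rename Report` is marked `continue-on-error: true` and the following upload step uses `actions/upload-artifact`'s default `if-no-files-found: warn`, so if the report action produces no `report.pdf` (plausibly for the new `actions` language, which I cannot confirm from here) the job stays green with no artifact and only a warning. Either drop `continue-on-error` or add `if-no-files-found: error` to the upload step so a missing report is visible. The same pattern is added to code_scan.yaml and should get the same fix.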
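Review bot: The new command line keeps the leading `- ` prefix, so tox still ignores bandit's non-zero exit status and findings only ever reach `bandit-results.txt`, never the job status; if that is deliberate, say so with a comment such as `# leading '-' : report-only, exit code ignored`, otherwise drop the prefix. Replacing `{toxinidir}/` with `.` is equivalent only because tox runs commands in `{toxinidir}` unless the testenv sets `changedir`, which is outside this hunk; the explicit substitution was the more robust form.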