add security linter bandit to nox

.github/workflows/checks.yml

@@ -89,6 +89,27 @@ jobs:
       - name: Run type-check
         run: poetry run nox -s type-check
 
+  security-check-job:
+    name: Security Checking (Python-${{ matrix.python-version }})
+    needs: [ version-check-job ]
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: [ "3.8", "3.9", "3.10", "3.11" ]
+
+    steps:
+      - name: SCM Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python & Poetry Environment
+        uses: ./.github/actions/python-environment
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Run security-check
+        run: poetry run nox -s security-check
+
   tests-job:
     name: Tests (Python-${{ matrix.python-version }}, Exasol-${{ matrix.exasol-version}})
     needs: [ build-documentation-job, lint-job, type-check-job ]

.gitignore

@@ -1,5 +1,6 @@
 .lint.json
 .lint.txt
+.security.json
 
 odbcconfig/odbcinst.ini
 

exasol/toolbox/metrics.py

@@ -19,6 +19,7 @@
     Any,
     Callable,
     Dict,
+    List,
     Optional,
     Union,
 )
@@ -67,6 +68,26 @@ def from_score(score: float) -> "Rating":
                 "Uncategorized score, score should be in the following interval [0,10]."
             )
 
+    @staticmethod
+    def bandit_rating(score: float) -> "Rating":
+        score = round(score, 3)
+        if score <= 0.2:
+            return Rating.F
+        elif 0.2 < score <= 1.6:
+            return Rating.E
+        elif 1.6 < score <= 3:
+            return Rating.D
+        elif 3 < score <= 4.4:
+            return Rating.C
+        elif 4.4 < score <= 5.8:
+            return Rating.B
+        elif 5.8 < score <= 6:
+            return Rating.A
+        else:
+            raise ValueError(
+                "Uncategorized score, score should be in the following interval [0,6]."
+            )
+
 
 @dataclass(frozen=True)
 class Report:
@@ -124,8 +145,27 @@ def reliability() -> Rating:
     return Rating.NotAvailable
 
 
-def security() -> Rating:
-    return Rating.NotAvailable
+def security(file: Union[str, Path]) -> Rating:
+    with open(file) as json_file:
+        security_lint = json.load(json_file)
+    return Rating.bandit_rating(_bandit_scoring(security_lint["results"]))
+
+
+def _bandit_scoring(ratings: List[Dict[str, Any]]) -> float:
+    def char(value: str, default: str = "H") -> str:
+        if value in ["HIGH", "MEDIUM", "LOW"]:
+            return value[0]
+        return default
+
+    weight = {"LL": 1/18, "LM": 1/15, "LH": 1/12, "ML": 1/9, "MM": 1/6, "MH": 1/3}
+    exp = 0.0
+    for infos in ratings:
+        severity = infos["issue_severity"]
+        if severity == "HIGH":
+            return 0.0
+        index = char(severity) + char(infos["issue_confidence"])
+        exp += weight[index]
+    return 6 * (2**-exp)
 
 
 def technical_debt() -> Rating:
@@ -137,14 +177,15 @@ def create_report(
     date: Optional[datetime.datetime] = None,
     coverage_report: Union[str, Path] = ".coverage",
     pylint_report: Union[str, Path] = ".lint.txt",
+    bandit_report: Union[str, Path] = ".security.json",
 ) -> Report:
     return Report(
         commit=commit,
         date=date if date is not None else datetime.datetime.now(),
         coverage=total_coverage(coverage_report),
         maintainability=maintainability(pylint_report),
         reliability=reliability(),
-        security=security(),
+        security=security(bandit_report),
         technical_debt=technical_debt(),
     )
 

exasol/toolbox/nox/_lint.py

@@ -37,6 +37,33 @@ def _type_check(session: Session, files: Iterable[str]) -> None:
     )
 
 
+def _security_lint(session: Session, files: Iterable[str]) -> None:
+    session.run(
+        "poetry",
+        "run",
+        "bandit",
+        "--severity-level",
+        "low",
+        "--quiet",
+        "--format",
+        "json",
+        "--output",
+        ".security.json",
+        "--exit-zero",
+        *files,
+    )
+    session.run(
+        "poetry",
+        "run",
+        "bandit",
+        "--severity-level",
+        "low",
+        "--quiet",
+        "--exit-zero",
+        *files,
+    )
+
+
 @nox.session(python=False)
 def lint(session: Session) -> None:
     """Runs the linter on the project"""
@@ -49,3 +76,10 @@ def type_check(session: Session) -> None:
     """Runs the type checker on the project"""
     py_files = [f"{file}" for file in python_files(PROJECT_CONFIG.root)]
     _type_check(session, py_files)
+
+
+@nox.session(name="security-check", python=False)
+def security_lint(session: Session) -> None:
+    """runs the security linter bandit on the project without the test files"""
+    py_files = [f"{file}" for file in python_files(PROJECT_CONFIG.root)]
+    _security_lint(session, list(filter(lambda file: "test" not in file, py_files)))

exasol/toolbox/nox/_metrics.py

@@ -47,10 +47,11 @@ def report(session: Session) -> None:
     required_files = (
         PROJECT_CONFIG.root / ".coverage",
         PROJECT_CONFIG.root / ".lint.txt",
+        PROJECT_CONFIG.root / ".security.json",
     )
     if not all(file.exists() for file in required_files):
         session.error(
-            "Please make sure you run the `coverage` and the `lint` target first"
+            "Please make sure you run the `coverage`, `security` and the `lint` target first"
         )
     sha1 = str(
         session.run("git", "rev-parse", "HEAD", external=True, silent=True)