[GHA] bandit (#3144)

### Changes

- Add sdl.yml with bandit check (version and config like in jenkins job)
- Use defusedxml instead of xml 
- Return #noseq inxamples (was deleted by mistake in
#3091)

Author: AlexanderDokuchaev

.github/scripts/pytest_md_summary.py

@@ -10,7 +10,8 @@
 # limitations under the License.
 
 import sys
-import xml.etree.ElementTree as ET
+
+from defusedxml import ElementTree as ET
 
 
 def parse_xml_report(xml_file) -> None:

.github/workflows/examples.yml

@@ -124,4 +124,5 @@ jobs:
       - name: Test Summary
         if: ${{ !cancelled() }}
         run: |
+            pip install defusedxml==0.7.1
             python .github/scripts/pytest_md_summary.py pytest-results.xml >> $GITHUB_STEP_SUMMARY

.github/workflows/sdl.yml

@@ -0,0 +1,27 @@
+name: sdl
+permissions: read-all
+
+on:
+  pull_request:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+jobs:
+  bandit:
+    runs-on: ubuntu-20.04
+    timeout-minutes: 10
+    defaults:
+      run:
+        shell: bash
+    steps:
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
+        with:
+          python-version: 3.10.14
+      - name: Install bandit
+        run: pip install bandit[toml]==1.7.4
+      - name: Run bandit
+        run: bandit -c pyproject.toml -r .
+

examples/post_training_quantization/onnx/mobilenet_v2/main.py

@@ -71,7 +71,7 @@ def run_benchmark(path_to_model: Path, shape: List[int]) -> float:
         "-t", "15",
         "-shape", str(shape),
     ]  # fmt: skip
-    cmd_output = subprocess.check_output(command, text=True)
+    cmd_output = subprocess.check_output(command, text=True)  # nosec
     print(*cmd_output.splitlines()[-8:], sep="\n")
     match = re.search(r"Throughput\: (.+?) FPS", str(cmd_output))
     return float(match.group(1))

examples/post_training_quantization/onnx/yolov8_quantize_with_accuracy_control/deploy.py

@@ -74,7 +74,7 @@ def run_benchmark(model_path: Path, config) -> float:
         "-t", "30",
         "-shape", str([1, 3, config.imgsz, config.imgsz]),
     ]  # fmt: skip
-    cmd_output = subprocess.check_output(command, text=True)
+    cmd_output = subprocess.check_output(command, text=True)  # nosec
     match = re.search(r"Throughput\: (.+?) FPS", cmd_output)
     return float(match.group(1))
 

examples/post_training_quantization/openvino/anomaly_stfpm_quantize_with_accuracy_control/main.py

@@ -91,7 +91,7 @@ def run_benchmark(model_path: Path, shape: List[int]) -> float:
         "-t", "15",
         "-shape", str(shape),
     ]  # fmt: skip
-    cmd_output = subprocess.check_output(command, text=True)
+    cmd_output = subprocess.check_output(command, text=True)  # nosec
     print(*cmd_output.splitlines()[-8:], sep="\n")
     match = re.search(r"Throughput\: (.+?) FPS", cmd_output)
     return float(match.group(1))

examples/post_training_quantization/openvino/mobilenet_v2/main.py

@@ -57,7 +57,7 @@ def validate(model: ov.Model, val_loader: torch.utils.data.DataLoader) -> float:
 
 def run_benchmark(model_path: Path, shape: List[int]) -> float:
     cmd = ["benchmark_app", "-m", model_path.as_posix(), "-d", "CPU", "-api", "async", "-t", "15", "-shape", str(shape)]
-    cmd_output = subprocess.check_output(cmd, text=True)
+    cmd_output = subprocess.check_output(cmd, text=True)  # nosec
     print(*cmd_output.splitlines()[-8:], sep="\n")
     match = re.search(r"Throughput\: (.+?) FPS", cmd_output)
     return float(match.group(1))

examples/post_training_quantization/openvino/yolov8/main.py

@@ -91,7 +91,7 @@ def benchmark_performance(model_path: Path, config) -> float:
         "-t", "30",
         "-shape", str([1, 3, config.imgsz, config.imgsz]),
     ]  # fmt: skip
-    cmd_output = subprocess.check_output(command, text=True)
+    cmd_output = subprocess.check_output(command, text=True)  # nosec
     match = re.search(r"Throughput\: (.+?) FPS", cmd_output)
     return float(match.group(1))
 

examples/post_training_quantization/openvino/yolov8_quantize_with_accuracy_control/main.py

@@ -117,7 +117,7 @@ def benchmark_performance(model_path, config) -> float:
         "-t", "30",
         "-shape", str([1, 3, config.imgsz, config.imgsz]),
     ]  # fmt: skip
-    cmd_output = subprocess.check_output(command, text=True)
+    cmd_output = subprocess.check_output(command, text=True)  # nosec
     match = re.search(r"Throughput\: (.+?) FPS", cmd_output)
     return float(match.group(1))
 

examples/post_training_quantization/tensorflow/mobilenet_v2/main.py

@@ -47,7 +47,7 @@ def run_benchmark(model_path: Path, shape: List[int]) -> float:
         "-t", "15",
         "-shape", str(shape),
     ]  # fmt: skip
-    cmd_output = subprocess.check_output(command, text=True)
+    cmd_output = subprocess.check_output(command, text=True)  # nosec
     print(*cmd_output.splitlines()[-8:], sep="\n")
     match = re.search(r"Throughput\: (.+?) FPS", cmd_output)
     return float(match.group(1))

examples/post_training_quantization/torch/mobilenet_v2/main.py

@@ -71,7 +71,7 @@ def run_benchmark(model_path: Path, shape: List[int]) -> float:
         "-t", "15",
         "-shape", str(shape),
     ]  # fmt: skip
-    cmd_output = subprocess.check_output(command, text=True)
+    cmd_output = subprocess.check_output(command, text=True)  # nosec
     print(*cmd_output.splitlines()[-8:], sep="\n")
     match = re.search(r"Throughput\: (.+?) FPS", cmd_output)
     return float(match.group(1))

examples/post_training_quantization/torch/ssd300_vgg16/main.py

@@ -57,7 +57,7 @@ def get_model_size(ir_path: Path, m_type: str = "Mb") -> float:
 
 def run_benchmark(model_path: Path) -> float:
     command = ["benchmark_app", "-m", model_path.as_posix(), "-d", "CPU", "-api", "async", "-t", "15"]
-    cmd_output = subprocess.check_output(command, text=True)
+    cmd_output = subprocess.check_output(command, text=True)  # nosec
     print(*cmd_output.splitlines()[-8:], sep="\n")
     match = re.search(r"Throughput\: (.+?) FPS", cmd_output)
     return float(match.group(1))

examples/quantization_aware_training/torch/anomalib/main.py

@@ -69,7 +69,7 @@ def run_benchmark(model_path: Path, shape: List[int]) -> float:
         "-t", "15",
         "-shape", str(shape),
     ]  # fmt: skip
-    cmd_output = subprocess.check_output(command, text=True)
+    cmd_output = subprocess.check_output(command, text=True)  # nosec
     print(*cmd_output.splitlines()[-8:], sep="\n")
     match = re.search(r"Throughput\: (.+?) FPS", cmd_output)
     return float(match.group(1))

examples/quantization_aware_training/torch/resnet18/main.py

@@ -217,7 +217,7 @@ def run_benchmark(model_path: Path, shape: Tuple[int, ...]) -> float:
         "-t", "15",
         "-shape", str(list(shape)),
     ]  # fmt: skip
-    cmd_output = subprocess.check_output(command, text=True)
+    cmd_output = subprocess.check_output(command, text=True)  # nosec
     match = re.search(r"Throughput\: (.+?) FPS", cmd_output)
     return float(match.group(1))
 

pyproject.toml

@@ -154,3 +154,10 @@ notice-rgx = """\
 
 [tool.pytest.ini_options]
 pythonpath = "."
+
+[tool.bandit]
+exclude_dirs = ["tools", "tests", "**/venv*", "build"]
+skips = [
+    "B101",   # assert_used
+    "B404" ,  # import_subprocess
+]