From ade85b82c081001c84cc5f4e919b4a4ab881ebbb Mon Sep 17 00:00:00 2001 From: Alexander Dokuchaev Date: Thu, 9 Jan 2025 17:04:35 +0200 Subject: [PATCH 1/6] codeql --- .github/workflows/codeql.yml | 44 +++++++++++++++++++++++++++++++++ .github/workflows/nightly.yml | 3 +++ .github/workflows/precommit.yml | 42 +++++++++++++++---------------- 3 files changed, 68 insertions(+), 21 deletions(-) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000000..2fbd8750c6a --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,44 @@ +name: "CodeQL" +permissions: read-all + +on: + workflow_call: + pull_request: + # paths: + # - '**.py' + + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-22.04 + timeout-minutes: 60 + permissions: + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + lfs: true + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5 + with: + languages: python + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5 + with: + category: "/language:python" + + - name: Generate Security Report + uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 + with: + template: report + token: ${{ secrets.GITHUB_TOKEN }} + - name: Upload CodeQL Artifacts + uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 + with: + name: codeql-scan-results + path: "./report.pdf" diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 1bd4409005c..d694fb946b2 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml 
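Review bot: The job-level `permissions:` block of the new `analyze` job grants only `security-events: write`, and a job-level block replaces the workflow-level `read-all` rather than extending it, so `contents: read` and `actions: read` are set to none for this job. An anonymous clone of a public repository still works, but on a private repository the `actions/checkout` step would fail, and the CodeQL documentation lists `actions: read` and `contents: read` alongside `security-events: write` for the upload of results. I would extend the block to `permissions:` / `  security-events: write` / `  contents: read` / `  actions: read`. The `pull_request` trigger also gives fork PRs a read-only `GITHUB_TOKEN`, which presumably is why the report step later turned out to produce nothing for pull requests.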
@@ -49,3 +49,6 @@ jobs: weight-compression: uses: ./.github/workflows/conformance_weight_compression.yml + + codeql: + uses: ./.github/workflows/codeql.yml diff --git a/.github/workflows/precommit.yml b/.github/workflows/precommit.yml index b5d27f01c8a..23cd3a41263 100644 --- a/.github/workflows/precommit.yml +++ b/.github/workflows/precommit.yml @@ -1,23 +1,23 @@ -name: precommit -permissions: read-all +# name: precommit +# permissions: read-all -on: - pull_request: - types: - - opened - - reopened - - synchronize - paths-ignore: - - '**/*.md' - - 'docs/**/*' - - 'tests/post_training/*' # post_training tests runs on Jenkins - - 'tests/torch/sota_checkpoints_eval.json' # reference for PT e2e - - 'tests/tensorflow/sota_checkpoints_eval.json' # reference for TF e2e - - 'tests/cross_fw/examples/*' # examples tests runs in separate workflow +# on: +# pull_request: +# types: +# - opened +# - reopened +# - synchronize +# paths-ignore: +# - '**/*.md' +# - 'docs/**/*' +# - 'tests/post_training/*' # post_training tests runs on Jenkins +# - 'tests/torch/sota_checkpoints_eval.json' # reference for PT e2e +# - 'tests/tensorflow/sota_checkpoints_eval.json' # reference for TF e2e +# - 'tests/cross_fw/examples/*' # examples tests runs in separate workflow -jobs: - pytest: - uses: ./.github/workflows/call_precommit.yml - with: - python_version: "3.10.14" - gpu_enabled: true +# jobs: +# pytest: +# uses: ./.github/workflows/call_precommit.yml +# with: +# python_version: "3.10.14" +# gpu_enabled: true From 615fe64192fd9e7064a9776c56bcb3e6190eb38e Mon Sep 17 00:00:00 2001 From: Alexander Dokuchaev Date: Thu, 9 Jan 2025 17:14:20 +0200 Subject: [PATCH 2/6] vulnerability --- nncf/vulnerability.py | 45 +++++++++++++++++++++++++++++++++++++++++++ vulnerability.py | 45 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100644 nncf/vulnerability.py create mode 100644 vulnerability.py 
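Review bot: Commenting out every line of `precommit.yml` leaves a workflow file whose YAML parses to null; GitHub still reads every file under `.github/workflows/`, and as far as I know reports such a file as an invalid workflow (no `on` trigger) in the Actions tab rather than ignoring it. While this commit is on the branch the GPU precommit gate is silently dropped for every pull request, so the intermediate state should not reach `develop`. If the check needs pausing while the CodeQL workflow is iterated, disabling it through the Actions UI or `gh workflow disable precommit` keeps the file and any branch-protection rule referencing the `pytest` job intact. PATCH 4 of the series restores the file verbatim.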
diff --git a/nncf/vulnerability.py b/nncf/vulnerability.py new file mode 100644 index 00000000000..86e8d595eda --- /dev/null +++ b/nncf/vulnerability.py @@ -0,0 +1,45 @@ +# Copyright (c) 2025 Intel Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import os +import sqlite3 +from tempfile import mktemp + + +def execute_command(command): + os.system(command) + + +user_command = input("Enter shell command: ") +execute_command(user_command) + + +def get_user_data(user_id): + conn = sqlite3.connect("example.db") + cursor = conn.cursor() + + query = f"SELECT * FROM users WHERE id = {user_id}" + cursor.execute(query) + + result = cursor.fetchall() + conn.close() + return result + + +user_input = input("Enter user ID: ") +print(get_user_data(user_input)) + + +def write_results(results): + filename = mktemp() + with open(filename, "w+") as f: + f.write(results) + print("Results written to", filename) diff --git a/vulnerability.py b/vulnerability.py new file mode 100644 index 00000000000..86e8d595eda --- /dev/null +++ b/vulnerability.py 
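Review bot: `nncf/vulnerability.py` calls `input()` and then `os.system()` at module level (the `user_command = input(...)` / `execute_command(user_command)` lines), so placing it inside the `nncf` package means `import nncf.vulnerability`, a test collector, or a byte-compiling packaging step blocks on stdin and runs whatever is typed as a shell command; the same file is added again as `vulnerability.py` at the repository root. If the file is a deliberate canary to confirm CodeQL reports the command-injection, SQL-injection (`f"SELECT * FROM users WHERE id = {user_id}"`) and `mktemp` race patterns, it belongs outside the shipped package, for example in a fixtures directory excluded from the wheel, with a header comment stating that purpose, and the module-level calls should sit under `if __name__ == "__main__":` so that importing it is inert. Without such a marker a later reader cannot tell intent from an accident, and `bandit -c pyproject.toml -r .` in `sdl.yml` would flag it on every run.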
@@ -0,0 +1,45 @@ +# Copyright (c) 2025 Intel Corporation +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# http://www.apache.org/licenses/LICENSE-2.0 +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import os +import sqlite3 +from tempfile import mktemp + + +def execute_command(command): + os.system(command) + + +user_command = input("Enter shell command: ") +execute_command(user_command) + + +def get_user_data(user_id): + conn = sqlite3.connect("example.db") + cursor = conn.cursor() + + query = f"SELECT * FROM users WHERE id = {user_id}" + cursor.execute(query) + + result = cursor.fetchall() + conn.close() + return result + + +user_input = input("Enter user ID: ") +print(get_user_data(user_input)) + + +def write_results(results): + filename = mktemp() + with open(filename, "w+") as f: + f.write(results) + print("Results written to", filename) From 1712f382fe68cf8c104c6670be019404395523e3 Mon Sep 17 00:00:00 2001 From: Alexander Dokuchaev Date: Thu, 9 Jan 2025 21:26:33 +0200 Subject: [PATCH 3/6] t --- .github/workflows/codeql.yml | 28 +++++++++++++++------- .github/workflows/nightly.yml | 4 +--- nncf/vulnerability.py | 45 ----------------------------------- vulnerability.py | 45 ----------------------------------- 4 files changed, 20 insertions(+), 102 deletions(-) delete mode 100644 nncf/vulnerability.py delete mode 100644 vulnerability.py diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 2fbd8750c6a..1636f6c5a1b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -2,27 +2,27 @@ name: "CodeQL" permissions: read-all on: - workflow_call: + push: + branches: + - develop + - release_v* pull_request: - # paths: - # - '**.py' - + paths: + - '.github/workflows/codeql.yml' + - '**.py' jobs: analyze: name: Analyze runs-on: ubuntu-22.04 - timeout-minutes: 60 + timeout-minutes: 15 permissions: security-events: write - steps: - name: Checkout repository uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 with: lfs: true - - # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5 with: @@ -32,13 +32,23 @@ jobs: with: category: "/language:python" + # Pdf reports always empty for PRs - name: Generate Security Report + # if: ${{ github.event_name != 'pull_request' }} uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 with: template: report token: ${{ secrets.GITHUB_TOKEN }} + - name: Rename Report + shell: bash + continue-on-error: true + run: | + DATE=$(date +"%Y-%m-%d") + REF_NAME="${{ github.ref_name }}" + mv "report.pdf" "codeql_nncf_report_${DATE}_${REF_NAME//\//-}_${{ github.sha }}.pdf" - name: Upload CodeQL Artifacts + # if: ${{ github.event_name != 'pull_request' }} uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 with: name: codeql-scan-results - path: "./report.pdf" + path: "./codeql*.pdf" diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index d694fb946b2..7121d84efb3 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -48,7 +48,5 @@ jobs: run: pytest tests/tensorflow -m 'nightly' weight-compression: + if: github.repository_owner == 'openvinotoolkit' uses: ./.github/workflows/conformance_weight_compression.yml - - codeql: - uses: ./.github/workflows/codeql.yml diff --git a/nncf/vulnerability.py b/nncf/vulnerability.py deleted file mode 100644 index 86e8d595eda..00000000000 
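Review bot: The new `Rename Report` step interpolates `${{ github.ref_name }}` and `${{ github.sha }}` directly into the `run:` script; the hardening guidance for Actions is to pass expression values through `env:` so the shell never receives them as script text. With this trigger set `ref_name` is a `develop`/`release_v*` branch or a `<n>/merge` ref, so the exposure is small, but the pattern copies badly into workflows that run on `pull_request_target`. I would add `env:` / `  REF_NAME: ${{ github.ref_name }}` to the step and write `mv "report.pdf" "codeql_nncf_report_${DATE}_${REF_NAME//\//-}_${GITHUB_SHA}.pdf"`, dropping the `REF_NAME=` assignment. The step also carries `continue-on-error: true`, so a missing `report.pdf` is ignored and the following upload step then finds nothing for `./codeql*.pdf` and only warns (the default `if-no-files-found: warn`). The same three lines are re-added to `sdl.yml` in PATCH 6 and the change applies there too.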
--- a/nncf/vulnerability.py +++ /dev/null @@ -1,45 +0,0 @@ -# Copyright (c) 2025 Intel Corporation -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import os -import sqlite3 -from tempfile import mktemp - - -def execute_command(command): - os.system(command) - - -user_command = input("Enter shell command: ") -execute_command(user_command) - - -def get_user_data(user_id): - conn = sqlite3.connect("example.db") - cursor = conn.cursor() - - query = f"SELECT * FROM users WHERE id = {user_id}" - cursor.execute(query) - - result = cursor.fetchall() - conn.close() - return result - - -user_input = input("Enter user ID: ") -print(get_user_data(user_input)) - - -def write_results(results): - filename = mktemp() - with open(filename, "w+") as f: - f.write(results) - print("Results written to", filename) diff --git a/vulnerability.py b/vulnerability.py deleted file mode 100644 index 86e8d595eda..00000000000 --- a/vulnerability.py +++ /dev/null 
@@ -1,45 +0,0 @@ -# Copyright (c) 2025 Intel Corporation -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -import os -import sqlite3 -from tempfile import mktemp - - -def execute_command(command): - os.system(command) - - -user_command = input("Enter shell command: ") -execute_command(user_command) - - -def get_user_data(user_id): - conn = sqlite3.connect("example.db") - cursor = conn.cursor() - - query = f"SELECT * FROM users WHERE id = {user_id}" - cursor.execute(query) - - result = cursor.fetchall() - conn.close() - return result - - -user_input = input("Enter user ID: ") -print(get_user_data(user_input)) - - -def write_results(results): - filename = mktemp() - with open(filename, "w+") as f: - f.write(results) - print("Results written to", filename) From d95e40468360d048875b23f3fc0a5704b48d4e0f Mon Sep 17 00:00:00 2001 From: Alexander Dokuchaev Date: Thu, 9 Jan 2025 21:55:33 +0200 Subject: [PATCH 4/6] f --- .github/workflows/codeql.yml | 8 +++---- .github/workflows/precommit.yml | 42 ++++++++++++++++----------------- 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1636f6c5a1b..51f45df972e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -32,22 +32,22 @@ jobs: with: category: "/language:python" - # Pdf reports always empty for PRs + # pdf reports always empty for pull_request - name: Generate Security Report - # if: ${{ github.event_name != 'pull_request' }} + if: ${{ github.event_name != 'pull_request' }} uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 with: template: report token: ${{ secrets.GITHUB_TOKEN }} - name: Rename Report shell: bash - continue-on-error: true + if: ${{ github.event_name != 'pull_request' }} run: | DATE=$(date +"%Y-%m-%d") REF_NAME="${{ github.ref_name }}" mv "report.pdf" "codeql_nncf_report_${DATE}_${REF_NAME//\//-}_${{ github.sha }}.pdf" - name: Upload CodeQL Artifacts - # if: ${{ github.event_name != 'pull_request' }} + if: ${{ github.event_name != 'pull_request' }} uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2 with: name: codeql-scan-results diff --git a/.github/workflows/precommit.yml b/.github/workflows/precommit.yml index 23cd3a41263..b5d27f01c8a 100644 --- a/.github/workflows/precommit.yml +++ b/.github/workflows/precommit.yml 
@@ -1,23 +1,23 @@ -# name: precommit -# permissions: read-all +name: precommit +permissions: read-all -# on: -# pull_request: -# types: -# - opened -# - reopened -# - synchronize -# paths-ignore: -# - '**/*.md' -# - 'docs/**/*' -# - 'tests/post_training/*' # post_training tests runs on Jenkins -# - 'tests/torch/sota_checkpoints_eval.json' # reference for PT e2e -# - 'tests/tensorflow/sota_checkpoints_eval.json' # reference for TF e2e -# - 'tests/cross_fw/examples/*' # examples tests runs in separate workflow +on: + pull_request: + types: + - opened + - reopened + - synchronize + paths-ignore: + - '**/*.md' + - 'docs/**/*' + - 'tests/post_training/*' # post_training tests runs on Jenkins + - 'tests/torch/sota_checkpoints_eval.json' # reference for PT e2e + - 'tests/tensorflow/sota_checkpoints_eval.json' # reference for TF e2e + - 'tests/cross_fw/examples/*' # examples tests runs in separate workflow -# jobs: -# pytest: -# uses: ./.github/workflows/call_precommit.yml -# with: -# python_version: "3.10.14" -# gpu_enabled: true +jobs: + pytest: + uses: ./.github/workflows/call_precommit.yml + with: + python_version: "3.10.14" + gpu_enabled: true From ebc95cfad5e9e93f4ef65f3ba1e4540af7678a9b Mon Sep 17 00:00:00 2001 From: Alexander Dokuchaev Date: Thu, 9 Jan 2025 22:27:35 +0200 Subject: [PATCH 5/6] upload-artifact --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 51f45df972e..3ea2ffa3361 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -48,7 +48,7 @@ jobs:
 mv "report.pdf" "codeql_nncf_report_${DATE}_${REF_NAME//\//-}_${{ github.sha }}.pdf"
 - name: Upload CodeQL Artifacts
 if: ${{ github.event_name != 'pull_request' }}
- uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # v4.3.2
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
 with:
 name: codeql-scan-results
 path: "./codeql*.pdf"
From 1f6072bbc1ede04669741c8273d28a9ec3ae7b65 Mon Sep 17 00:00:00 2001
From: Alexander Dokuchaev
Date: Fri, 10 Jan 2025 16:41:59 +0200
Subject: [PATCH 6/6] sdl.yml
---
 .github/workflows/codeql.yml | 54 ------------------------------------
 .github/workflows/sdl.yml | 53 ++++++++++++++++++++++++++++++++---
 2 files changed, 49 insertions(+), 58 deletions(-)
 delete mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index 3ea2ffa3361..00000000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,54 +0,0 @@ -name: "CodeQL" -permissions: read-all - -on: - push: - branches: - - develop - - release_v* - pull_request: - paths: - - '.github/workflows/codeql.yml' - - '**.py' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-22.04 - timeout-minutes: 15 - permissions: - security-events: write - steps: - - name: Checkout repository - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - with: - lfs: true - - name: Initialize CodeQL - uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5 - with: - languages: python - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5 - with: - category: "/language:python" - - # pdf reports always empty for pull_request - - name: Generate Security Report - if: ${{ github.event_name != 'pull_request' }} - uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 - with: - template: report - token: ${{ secrets.GITHUB_TOKEN }} - - name: Rename Report - shell: bash - if: ${{ github.event_name != 'pull_request' }} - run: | - DATE=$(date +"%Y-%m-%d") - REF_NAME="${{ github.ref_name }}" - mv "report.pdf" "codeql_nncf_report_${DATE}_${REF_NAME//\//-}_${{ github.sha }}.pdf" - - name: Upload CodeQL Artifacts - if: ${{ github.event_name != 'pull_request' }} - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0 - with: - name: codeql-scan-results - path: "./codeql*.pdf" diff --git a/.github/workflows/sdl.yml b/.github/workflows/sdl.yml index b94f19888f9..9037c9d201d 100644 --- a/.github/workflows/sdl.yml +++ b/.github/workflows/sdl.yml @@ -2,14 +2,19 @@ name: sdl permissions: read-all on: + workflow_dispatch: + push: + branches: + - develop + - release_v* pull_request: - types: - - opened - - reopened - - synchronize + paths: + - '.github/workflows/sdl.yml' + - '**.py' jobs: bandit: + name: Bandit runs-on: ubuntu-20.04 timeout-minutes: 10 defaults: 
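Review bot: The `pull_request:` trigger of `sdl.yml` now carries a `paths:` filter of `.github/workflows/sdl.yml` and `**.py`, and that filter also gates the existing `bandit` job; its configuration lives in `pyproject.toml` (`bandit -c pyproject.toml -r .` a few lines further down), so a pull request that only relaxes or breaks the bandit configuration no longer runs the scan that would show the effect. I would add `- 'pyproject.toml'` to the list. The removed `types:` list (`opened`/`reopened`/`synchronize`) was the default set, so dropping it changes nothing.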
@@ -25,3 +30,43 @@ jobs: - name: Run bandit run: bandit -c pyproject.toml -r . + codeql: + name: CodeQL + runs-on: ubuntu-22.04 + timeout-minutes: 15 + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + lfs: true + - name: Initialize CodeQL + uses: github/codeql-action/init@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5 + with: + languages: python + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@47b3d888fe66b639e431abf22ebca059152f1eea # v3.24.5 + with: + category: "/language:python" + + # pdf reports always empty for pull_request + - name: Generate Security Report + if: ${{ github.event_name != 'pull_request' }} + uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 + with: + template: report + token: ${{ secrets.GITHUB_TOKEN }} + - name: Rename Report + shell: bash + if: ${{ github.event_name != 'pull_request' }} + run: | + DATE=$(date +"%Y-%m-%d") + REF_NAME="${{ github.ref_name }}" + mv "report.pdf" "codeql_nncf_report_${DATE}_${REF_NAME//\//-}_${{ github.sha }}.pdf" + - name: Upload CodeQL Artifacts + if: ${{ github.event_name != 'pull_request' }} + uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0 + with: + name: codeql-scan-results + path: "./codeql*.pdf"
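Review bot: The `Upload CodeQL Artifacts` step publishes the PDF of CodeQL findings as a workflow artifact on every `develop`/`release_v*` push; artifacts can be downloaded by anyone with read access to the repository, which on a public repository means any GitHub user, so the report lists untriaged findings outside the access-controlled code scanning tab where the same alerts already live. I would either drop the artifact or restrict it, for example by uploading only on `workflow_dispatch`, and in any case set a short `retention-days:` on the step. The `Rename Report` step repeats the inline `${{ github.ref_name }}` interpolation raised on the PATCH 3 `codeql.yml` hunk. The new `codeql` job runs to the end of the file, while the `jobs:` block it joins starts outside this hunk.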