diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 5abb95986c..14e8de1f91 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -137,6 +137,17 @@ jobs: python -c "from pyvista.plotting import system_supports_plotting; print('System support plotting ' + str(system_supports_plotting()))" + check-vulnerabilities: + name: "Check library vulnerabilities" + runs-on: ubuntu-latest + steps: + - uses: ansys/actions/check-vulnerabilities@v8 + with: + python-version: ${{ env.MAIN_PYTHON_VERSION }} + token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }} + python-package-name: ${{ env.PACKAGE_NAME }} + dev-mode: ${{ github.ref != 'refs/heads/main' }} + docs-build: name: "Build documentation" runs-on: ubuntu-latest diff --git a/doc/changelog.d/3505.maintenance.md b/doc/changelog.d/3505.maintenance.md new file mode 100644 index 0000000000..b995717304 --- /dev/null +++ b/doc/changelog.d/3505.maintenance.md @@ -0,0 +1 @@ +ci: ``ansys/actions/check-vulnerabilities`` to CI-CD \ No newline at end of file diff --git a/src/ansys/mapdl/core/launcher.py b/src/ansys/mapdl/core/launcher.py index 5a827e9bae..b8a49ddaa7 100644 --- a/src/ansys/mapdl/core/launcher.py +++ b/src/ansys/mapdl/core/launcher.py @@ -28,7 +28,10 @@ from queue import Empty, Queue import re import socket -import subprocess + +# Subprocess is needed to start the backend. But +# the input is controlled by the library. Excluding bandit check. +import subprocess # nosec B404 import threading import time from typing import TYPE_CHECKING, Any, Callable, Dict, List, Optional, Union 
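Review bot: The new `check-vulnerabilities` job references `ansys/actions/check-vulnerabilities@v8` by a mutable major-version tag while handing it `secrets.PYANSYS_CI_BOT_TOKEN`; pinning third-party actions to a full commit SHA (tag kept in a trailing comment) is the usual control so that a retagged action cannot read that token. The job also declares no `permissions:` block, so it inherits the workflow default; an explicit least-privilege block matching what the action actually needs would bound `GITHUB_TOKEN` as well. Whether the bot secret is populated on pull-request runs depends on the workflow triggers, which sit outside the hunk; if the workflow uses `pull_request_target`, running this job on non-`main` refs (the `dev-mode` condition) with a bot token deserves a second look.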
@@ -161,14 +164,18 @@ def _is_ubuntu() -> bool: word "ubuntu" in it. """ + # must be running linux for this to be True if os.name != "posix": return False + # args value is controlled by the library. + # awk is not a partial path - Bandit false positive. + # Excluding bandit check. proc = subprocess.Popen( ["awk", "-F=", "/^NAME/{print $2}", "/etc/os-release"], stdout=subprocess.PIPE, - ) + ) # nosec B603 B607 if "ubuntu" in proc.stdout.read().decode().lower(): return True @@ -449,6 +456,9 @@ def launch_grpc( LOG.debug(f"Writing temporary input file: {tmp_inp} with 'FINISH' command.") LOG.debug("MAPDL starting in background.") + + # cmd is controlled by the library with generate_mapdl_launch_command. + # Excluding bandit check. process = subprocess.Popen( cmd, cwd=run_location, @@ -456,7 +466,7 @@ def launch_grpc( stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env_vars, - ) + ) # nosec B603 return process @@ -1711,10 +1721,12 @@ def _get_windows_host_ip(): def _run_ip_route(): - from subprocess import run try: - p = run(["ip", "route"], capture_output=True) + # args value is controlled by the library. + # ip is not a partial path - Bandit false positive + # Excluding bandit check. + p = subprocess.run(["ip", "route"], capture_output=True) # nosec B603 B607 except Exception: LOG.debug( "Detecting the IP address of the host Windows machine requires being able to execute the command 'ip route'." diff --git a/src/ansys/mapdl/core/licensing.py b/src/ansys/mapdl/core/licensing.py index 2c82e34f38..3ae21047b4 100644 --- a/src/ansys/mapdl/core/licensing.py +++ b/src/ansys/mapdl/core/licensing.py @@ -24,7 +24,10 @@ import os import socket -import subprocess + +# Subprocess is needed to start the backend. But +# the input is controlled by the library. Excluding bandit check. +import subprocess # nosec B404 import time from ansys.mapdl.core import _HAS_ATP, LOG 
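Review bot: The new comment `# awk is not a partial path - Bandit false positive` mischaracterizes B607: Bandit flags `awk` precisely because it is a bare name resolved through `PATH`, so this is a PATH-lookup finding whose residual risk is being accepted for a best-effort OS probe, not a false positive. I would reword it to `# awk is resolved via PATH; accepted for this best-effort OS detection`, or drop the subprocess entirely by reading `/etc/os-release` in Python, e.g. `with open("/etc/os-release", encoding="utf-8") as fh:` and checking for a `NAME` line containing "ubuntu", which removes both B603 and B607. The same wording is added for `ip route` in `_run_ip_route` further down this diff. The body of `_is_ubuntu` continues past the hunk, and the `Popen` result is read without a `wait()` or `communicate()`.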
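Review bot: The comment `# cmd is controlled by the library with generate_mapdl_launch_command.` is the whole justification for the `# nosec B603` in `launch_grpc`, but the command presumably embeds the user-configured executable path and additional switches (assembled outside the hunk), so "controlled by the library" overstates it; what makes B603 acceptable is that `cmd` is an argv list run without a shell, assuming `shell=True` is not set on the one argument line the diff leaves between the two hunks. Suggest `# nosec B603: cmd is an argv list (no shell); exec path and switches come from the caller's launch settings`. The same wording issue applies to `call(exec_array, ...)` in `open_gui` in mapdl_core.py, where `exec_array` visibly includes `exec_file` and `*add_sw`. `launch_grpc` continues outside both of its hunks.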
@@ -328,12 +331,14 @@ def _checkout_license(self, lic, host=None, port=2325): env["ANS_FLEXLM_DISABLE_DEFLICPATH"] = "TRUE" tstart = time.time() + # ansysli_util_path is controlled by the library. + # Excluding bandit check. process = subprocess.Popen( [f'"{ansysli_util_path}"', "-checkout", f"{lic}"], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, env=env, - ) + ) # nosec B603 output = process.stdout.read().decode() t_elap = time.time() - tstart diff --git a/src/ansys/mapdl/core/mapdl_core.py b/src/ansys/mapdl/core/mapdl_core.py index f1aa990d15..c380cda782 100644 --- a/src/ansys/mapdl/core/mapdl_core.py +++ b/src/ansys/mapdl/core/mapdl_core.py @@ -30,7 +30,10 @@ import pathlib import re from shutil import copyfile, rmtree -from subprocess import DEVNULL, call + +# Subprocess is needed to start the backend. But +# the input is controlled by the library. Excluding bandit check. +from subprocess import DEVNULL, call # nosec B404 import tempfile import time from typing import TYPE_CHECKING, Any, Dict, List, Literal, Optional, Tuple, Union @@ -1696,6 +1699,13 @@ def open_gui(self, include_result=None, inplace=None): # pragma: no cover f"The changes you make will overwrite the files in {run_dir}." ) add_sw = add_sw.split() + + # Ensure exec_file is a file + try: + pathlib.Path(exec_file).is_file() + except FileNotFoundError: + raise FileNotFoundError("The executable file for ANSYS was not found. ") + exec_array = [ f"{exec_file}", "-g", @@ -1706,11 +1716,12 @@ def open_gui(self, include_result=None, inplace=None): # pragma: no cover *add_sw, ] + # exec_array is controlled by the library. Excluding bandit check. call( exec_array, stdout=DEVNULL, cwd=run_dir, - ) + ) # nosec B603 # Going back os.chdir(cwd) diff --git a/src/ansys/mapdl/core/mapdl_grpc.py b/src/ansys/mapdl/core/mapdl_grpc.py index 35ef630f0a..ea0aac63d8 100644 --- a/src/ansys/mapdl/core/mapdl_grpc.py +++ b/src/ansys/mapdl/core/mapdl_grpc.py 
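Review bot: The `# nosec B603` in `_checkout_license` is attached to an argument list whose first element is `f'"{ansysli_util_path}"'`; with no shell involved those literal double quotes become part of argv[0] rather than shell quoting, so on POSIX the executable lookup should fail with the quotes included, and on Windows `list2cmdline` appears to re-escape them. Unless this path has been verified to work, the element should be the bare path, `[ansysli_util_path, "-checkout", str(lic)]`. The justification comment would also be stronger if it said how `ansysli_util_path` is derived (it is set outside the hunk), since "controlled by the library" is what the suppression rests on. The rest of `_checkout_license` lies outside the hunk.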
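Review bot: The new guard in `open_gui` never fires: `pathlib.Path(exec_file).is_file()` returns `False` for a missing path instead of raising, and its result is discarded, so the `except FileNotFoundError` branch is dead and a bad `exec_file` still reaches `call(exec_array, ...)` in the next hunk. Replace the try/except with `if not pathlib.Path(exec_file).is_file():` / `raise FileNotFoundError(f"The executable file for ANSYS was not found: {exec_file}")`, which also surfaces the offending path. If `exec_file` can be `None` (it is assigned outside the hunk), `Path(None)` raises `TypeError`, so that case needs its own check. `open_gui` starts before the hunk and carries `# pragma: no cover`, so this branch is not exercised by the test suite.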
@@ -31,7 +31,10 @@
 import pathlib
 import re
 import shutil
-from subprocess import Popen
+
+# Subprocess is needed to start the backend. But
+# the input is controlled by the library. Excluding bandit check.
+from subprocess import Popen # nosec B404
 import tempfile
 import threading
 import time