Extend the code quality tools with security checks (#89)

* Add the bandit library as one of the dev dependencies * Add a dedicated command to allow running the security checks * Resolve all the problems pointed out by the newly added bandit library * Add the pip-audit library as one of the dev dependencies * Extend the security check with running the pip-audit library * Upgrade the version of Lambdalizator to enable security checks
pdyba · Jan 5, 2024 · e8bcf3f · e8bcf3f
1 parent 71e1bc8
commit e8bcf3f
Show file tree

Hide file tree

Showing 7 changed files with 107 additions and 5 deletions.
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -26,6 +26,8 @@ jobs:
       - run: make flake8
       - run: make mypy
       - run: make pylint
+      - run: make bandit
+      - run: make pip-audit
 
   unit_tests:
     name: Run unit tests

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -333,6 +333,11 @@ Released 2024-01-05
 - Adjusts the code to the latest standards set by Python 3.12
 - Disables support for Python 3.8 due to deprecated typing aliases
 
+### Version 0.6.1
+Released 2024-01-05
+
+- Extends the code quality tools with security checks
+
 ### Version 0.7.0
 Release ETA 2024-02-31 ;)
 

diff --git a/Makefile b/Makefile
@@ -90,8 +90,21 @@ pylint:
 .PHONY: lint
 lint: flake8 mypy pylint
 
-.PHONY: format-and-lint
-format-and-lint: format lint
+.PHONY: bandit
+bandit:
+	bandit --version
+	bandit --recursive lbz setup.py
+
+.PHONY: pip-audit
+pip-audit:
+	pip-audit --version
+	pip-audit -r requirements.txt
+
+.PHONY: secure
+secure: bandit pip-audit
+
+.PHONY: format-lint-secure
+format-lint-secure: format lint secure
 
 
 ###############################################################################

diff --git a/lbz/events/enums.py b/lbz/events/enums.py
@@ -2,7 +2,7 @@ class CognitoEventType:
     # https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-email-sender.html
     EMAIL_ACCOUNT_TAKE_OVER_NOTIFICATION = "CustomEmailSender_AccountTakeOverNotification"
     EMAIL_ADMIN_CREATE_USER = "CustomEmailSender_AdminCreateUser"
-    EMAIL_FORGOT_PASSWORD = "CustomEmailSender_ForgotPassword"
+    EMAIL_FORGOT_PASSWORD = "CustomEmailSender_ForgotPassword"  # nosec B105
     EMAIL_RESEND_CODE = "CustomEmailSender_ResendCode"
     EMAIL_SIGNUP = "CustomEmailSender_SignUp"
     EMAIL_UPDATE_USER_ATTRIBUTE = "CustomEmailSender_UpdateUserAttribute"
@@ -11,7 +11,7 @@ class CognitoEventType:
     # https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-sms-sender.html
     SMS_ADMIN_CREATE_USER = "CustomSMSSender_AdminCreateUser"
     SMS_AUTHENTICATION = "CustomSMSSender_Authentication"
-    SMS_FORGOT_PASSWORD = "CustomSMSSender_ForgotPassword"
+    SMS_FORGOT_PASSWORD = "CustomSMSSender_ForgotPassword"  # nosec B105
     SMS_RESEND_CODE = "CustomSMSSender_ResendCode"
     SMS_SIGNUP = "CustomSMSSender_SignUp"
     SMS_UPDATE_USER_ATTRIBUTE = "CustomSMSSender_UpdateUserAttribute"

diff --git a/requirements-dev.in b/requirements-dev.in
@@ -1,11 +1,13 @@
 -c requirements.txt
 
+bandit
 black
 boto3-stubs[cognito-idp,dynamodb,events,lambda,s3,sns,ssm,sqs]
 coverage
 flake8
 isort
 mypy
+pip-audit
 pip-tools
 pylint
 pytest

diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -6,14 +6,26 @@
 #
 astroid==3.0.2
     # via pylint
+bandit==1.7.6
+    # via -r requirements-dev.in
 black==23.12.1
     # via -r requirements-dev.in
+boolean-py==4.0
+    # via license-expression
 boto3-stubs[cognito-idp,dynamodb,events,lambda,s3,sns,sqs,ssm]==1.34.11
     # via -r requirements-dev.in
 botocore-stubs==1.34.11
     # via boto3-stubs
 build==1.0.3
     # via pip-tools
+cachecontrol[filecache]==0.13.1
+    # via
+    #   cachecontrol
+    #   pip-audit
+certifi==2023.11.17
+    # via requests
+charset-normalizer==3.3.2
+    # via requests
 click==8.1.7
     # via
     #   black
@@ -22,12 +34,26 @@ coverage[toml]==7.4.0
     # via
     #   -r requirements-dev.in
     #   pytest-cov
+cyclonedx-python-lib==5.2.0
+    # via pip-audit
+defusedxml==0.7.1
+    # via py-serializable
 dill==0.3.7
     # via pylint
 exceptiongroup==1.2.0
     # via pytest
+filelock==3.13.1
+    # via cachecontrol
 flake8==6.1.0
     # via -r requirements-dev.in
+gitdb==4.0.11
+    # via gitpython
+gitpython==3.1.40
+    # via bandit
+html5lib==1.1
+    # via pip-audit
+idna==3.6
+    # via requests
 importlib-metadata==7.0.1
     # via build
 iniconfig==2.0.0
@@ -36,10 +62,18 @@ isort==5.13.2
     # via
     #   -r requirements-dev.in
     #   pylint
+license-expression==30.2.0
+    # via cyclonedx-python-lib
+markdown-it-py==3.0.0
+    # via rich
 mccabe==0.7.0
     # via
     #   flake8
     #   pylint
+mdurl==0.1.2
+    # via markdown-it-py
+msgpack==1.0.7
+    # via cachecontrol
 mypy==1.8.0
     # via -r requirements-dev.in
 mypy-boto3-cognito-idp==1.34.3
@@ -62,13 +96,25 @@ mypy-extensions==1.0.0
     # via
     #   black
     #   mypy
+packageurl-python==0.13.1
+    # via cyclonedx-python-lib
 packaging==23.2
     # via
     #   black
     #   build
+    #   pip-audit
+    #   pip-requirements-parser
     #   pytest
 pathspec==0.12.1
     # via black
+pbr==6.0.0
+    # via stevedore
+pip-api==0.0.30
+    # via pip-audit
+pip-audit==2.6.2
+    # via -r requirements-dev.in
+pip-requirements-parser==32.0.1
+    # via pip-audit
 pip-tools==7.3.0
     # via -r requirements-dev.in
 platformdirs==4.1.0
@@ -77,12 +123,18 @@ platformdirs==4.1.0
     #   pylint
 pluggy==1.3.0
     # via pytest
+py-serializable==0.15.0
+    # via cyclonedx-python-lib
 pycodestyle==2.11.1
     # via flake8
 pyflakes==3.1.0
     # via flake8
+pygments==2.17.2
+    # via rich
 pylint==3.0.3
     # via -r requirements-dev.in
+pyparsing==3.1.1
+    # via pip-requirements-parser
 pyproject-hooks==1.0.0
     # via build
 pytest==7.4.4
@@ -94,6 +146,28 @@ pytest-cov==4.1.0
     # via -r requirements-dev.in
 pytest-mock==3.12.0
     # via -r requirements-dev.in
+pyyaml==6.0.1
+    # via bandit
+requests==2.31.0
+    # via
+    #   cachecontrol
+    #   pip-audit
+rich==13.7.0
+    # via
+    #   bandit
+    #   pip-audit
+six==1.16.0
+    # via
+    #   -c requirements.txt
+    #   html5lib
+smmap==5.0.1
+    # via gitdb
+sortedcontainers==2.4.0
+    # via cyclonedx-python-lib
+stevedore==5.1.0
+    # via bandit
+toml==0.10.2
+    # via pip-audit
 tomli==2.0.1
     # via
     #   black
@@ -125,6 +199,12 @@ typing-extensions==4.9.0
     #   mypy-boto3-sqs
     #   mypy-boto3-ssm
     #   pylint
+urllib3==1.26.18
+    # via
+    #   -c requirements.txt
+    #   requests
+webencodings==0.5.1
+    # via html5lib
 wheel==0.42.0
     # via pip-tools
 zipp==3.17.0

diff --git a/version b/version
@@ -1 +1 @@
-0.6.0
+0.6.1