Enable bandit (#12722)

* Add new step to run Bandit security scan tool

Author: praveenkuttappan

eng/pipelines/templates/steps/analyze.yml

@@ -103,3 +103,10 @@ steps:
       BuildTargetingString: ${{ parameters.BuildTargetingString }}
       TestMarkArgument: ${{ parameters.TestMarkArgument }}
       AdditionalTestArgs: ${{parameters.AdditionalTestArgs}}
+
+  - template: ../steps/run_bandit.yml
+    parameters:
+      ServiceDirectory: ${{ parameters.ServiceDirectory }}
+      BuildTargetingString: ${{ parameters.BuildTargetingString }}
+      TestMarkArgument: ${{ parameters.TestMarkArgument }}
+      AdditionalTestArgs: ${{parameters.AdditionalTestArgs}}

eng/pipelines/templates/steps/run_apistub.yml

@@ -5,17 +5,6 @@ parameters:
   AdditionalTestArgs: ''
 
 steps:
-  - task: UsePythonVersion@0
-    displayName: 'Use Python 3.7'
-    condition: and(succeededOrFailed(), ne(variables['Skip.ApiStubGen'],'true'))
-    inputs:
-     versionSpec: '3.7'
-
-  - script: |
-      pip install -r eng/ci_tools.txt
-    displayName: 'Prep Environment'
-    condition: and(succeededOrFailed(), ne(variables['Skip.ApiStubGen'],'true'))
-
   - task: PythonScript@0
     displayName: 'Run Api Stub Generation'
     condition: and(succeededOrFailed(), ne(variables['Skip.ApiStubGen'],'true'))
@@ -28,4 +17,4 @@ steps:
         --service="${{ parameters.ServiceDirectory }}" 
         --toxenv="apistub"
         --disablecov
-        --omit-management
+        --filter-type="Omit_management"

eng/pipelines/templates/steps/run_bandit.yml

@@ -0,0 +1,20 @@
+parameters:
+  BuildTargetingString: 'azure-*'
+  ServiceDirectory: ''
+  TestMarkArgument: ''
+  EnvVars: {}
+
+steps:
+  - task: PythonScript@0
+    displayName: 'Run Bandit'
+    inputs:
+      scriptPath: 'scripts/devops_tasks/setup_execute_tests.py'
+      arguments: >-
+        "${{ parameters.BuildTargetingString }}" 
+        --mark_arg="${{ parameters.TestMarkArgument }}" 
+        --service="${{ parameters.ServiceDirectory }}" 
+        --toxenv="bandit"
+        --disablecov
+        --filter-type="Bandit"
+    env: ${{ parameters.EnvVars }}
+    condition: and(succeededOrFailed(), ne(variables['Skip.Bandit'],'true'))

eng/pipelines/templates/steps/run_pylint.yml

@@ -9,8 +9,7 @@ steps:
     displayName: 'Use Python 3.7'
     inputs:
      versionSpec: '3.7'
-    condition: and(succeededOrFailed(), ne(variables['Skip.Pylint'],'true'))
-    
+    condition: and(succeededOrFailed(), ne(variables['Skip.Pylint'],'true'))    
 
   - script: |
       pip install -r eng/ci_tools.txt
@@ -27,6 +26,6 @@ steps:
         --service="${{ parameters.ServiceDirectory }}" 
         --toxenv="lint"
         --disablecov
-        --omit-management
+        --filter-type="Omit_management"
     env: ${{ parameters.EnvVars }}
     condition: and(succeededOrFailed(), ne(variables['Skip.Pylint'],'true'))

eng/test_tools.txt

@@ -7,6 +7,7 @@ pytest-custom-exit-code==0.3.0
 pytest-xdist==1.32.0
 # we pin coverage to 4.5.4 because there is an bug with `pytest-cov`. the generated coverage files cannot be `coverage combine`ed
 coverage==4.5.4
+bandit==1.6.2
 
 # locking packages defined as deps from azure-sdk-tools or azure-devtools
 pytoml==0.1.21

eng/tox/run_bandit.py

@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+# --------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See License.txt in the project root for license information.
+# --------------------------------------------------------------------------------------------
+
+# This script is used to execute bandit within a tox environment. Depending on which package is being executed against,
+# a failure may be suppressed.
+
+from subprocess import check_call, CalledProcessError
+import argparse
+import os
+import logging
+import sys
+
+
+logging.getLogger().setLevel(logging.INFO)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Run bandit against target folder.")
+
+    parser.add_argument(
+        "-t",
+        "--target",
+        dest="target_package",
+        help="The target package directory on disk. The target module passed to bandit will be <target_package>/azure.",
+        required=True,
+    )
+
+    args = parser.parse_args()
+
+    package_name = os.path.basename(os.path.abspath(args.target_package))
+    try:
+        check_call(
+            [
+                sys.executable,
+                "-m",
+                "bandit",
+                "-r",
+                os.path.join(args.target_package, "azure"),
+                "-ll",
+            ]
+        )
+    except CalledProcessError as e:
+        logging.error("{} exited with error {}".format(package_name, e.returncode))
+        exit(1)

eng/tox/tox.ini

@@ -235,4 +235,16 @@ commands =
     # install API stub generator
     {envbindir}/python -m pip install "git+https://github.com/azure/azure-sdk-tools.git#subdirectory=packages/python-packages/api-stub-generator&egg=api-stub-generator"
     {envbindir}/python -m pip freeze
-    {envbindir}/python {toxinidir}/../../../eng/tox/run_apistubgen.py -t {toxinidir} -w {envtmpdir}
+    {envbindir}/python {toxinidir}/../../../eng/tox/run_apistubgen.py -t {toxinidir} -w {envtmpdir}
+
+
+[testenv:bandit]
+skipsdist = false
+skip_install = false
+usedevelop = false
+changedir = {envtmpdir}
+deps =
+  {[base]deps}
+commands =
+    {envbindir}/python -m pip freeze
+    {envbindir}/python {toxinidir}/../../../eng/tox/run_bandit.py -t {toxinidir}

scripts/devops_tasks/common_tasks.py

@@ -59,6 +59,10 @@
     "azure-mgmt-core",
 ]
 
+BANDIT_EXCLUDED_PACKAGES = [
+    "azure-servicebus",
+]
+
 omit_regression = (
     lambda x: "nspkg" not in x
     and "mgmt" not in x
@@ -70,13 +74,15 @@
 omit_build = lambda x: x # Dummy lambda to match omit type
 lambda_filter_azure_pkg = lambda x: x.startswith("azure") and "-nspkg" not in x
 omit_mgmt = lambda x: "mgmt" not in x or os.path.basename(x) in MANAGEMENT_PACKAGES_FILTER_EXCLUSIONS
+omit_bandit = lambda x: not(os.path.basename(x) in BANDIT_EXCLUDED_PACKAGES or "mgmt" in x)
 
 # dict of filter type and filter function
 omit_funct_dict = {
     "Build": omit_build,
     "Docs": omit_docs,
     "Regression": omit_regression,
     "Omit_management": omit_mgmt,
+    "Bandit": omit_bandit,
 }
 
 def log_file(file_location, is_error=False):

scripts/devops_tasks/setup_execute_tests.py

@@ -276,13 +276,14 @@ def execute_global_install_and_test(
     )
 
     parser.add_argument(
-        "--omit-management",
-        dest="omit_management",
-        default=False,
-        action="store_true",
-        help="Flag that indicates to omit any management packages except any management packages that should not be filtered. for e.g azure-mgmt-core",
+        "--filter-type",
+        dest="filter_type",
+        default='Build',
+        help="Filter type to identify eligible packages. for e.g. packages filtered in Build can pass filter type as Build,",
+        choices=['Build', "Docs", "Regression", "Omit_management", "Bandit"]
     )
 
+
     args = parser.parse_args()
 
     # We need to support both CI builds of everything and individual service
@@ -293,10 +294,7 @@ def execute_global_install_and_test(
     else:
         target_dir = root_dir
 
-    if args.omit_management:
-        targeted_packages = process_glob_string(args.glob_string, target_dir, "", "Omit_management")
-    else:
-        targeted_packages = process_glob_string(args.glob_string, target_dir)
+    targeted_packages = process_glob_string(args.glob_string, target_dir, "", args.filter_type)
     extended_pytest_args = []
 
     if len(targeted_packages) == 0: