CI: Add Security Check Using Bandit in CI #3312

wants to merge 3 commits into
base: master
19 changes: 19 additions & 0 deletions .github/workflows/lint.yml
Expand Up @@ -109,3 +109,22 @@ jobs:
run: |
echo "Please fix the misspellings. If you are sure about some of them, "
echo "so append those to ts_scripts/spellcheck_conf/wordlist.txt"

security-check:
runs-on: ubuntu-20.04
steps:
- name: Setup Python 3.9
uses: actions/setup-python@v5
with:
python-version: 3.9
architecture: x64
- name: Checkout TorchServe
uses: actions/checkout@v3
- name: Install Bandit
run: |
python -m pip install --upgrade pip
pip install bandit
- name: Run bandit
run: |
# Skip the B501 rule related to SSL certificate validation checks
bandit -r . --severity-level high -s B501
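Review bot: The `-s B501` on the `bandit -r .` line disables the certificate-verification check repository-wide, which is exactly the class of finding a CI gate exists to catch; keep the rule enabled and mark the known intentional call sites with `# nosec B501` so any new occurrence still fails the job. `pip install bandit` is unpinned, so the gate's verdict can change with a bandit release and no change to the code — pin it (`pip install bandit==<pinned-version>`) or keep the settings in a `.bandit` / `[tool.bandit]` config that is versioned with the repository. `--severity-level high` also drops every medium-severity finding and `-r .` scans tests and any vendored code; `--severity-level medium --confidence-level high` together with `-x` for the test directories is the more usual gate. The checkout action is `@v3` while setup-python is `@v5`; pinning both to the same generation (or to a commit SHA) keeps the job reproducible.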
7 changes: 6 additions & 1 deletion benchmarks/auto_benchmark.py
@@ -1,6 +1,7 @@
import argparse
import datetime
import os
import shlex
import shutil
from subprocess import Popen

Expand Down Expand Up @@ -259,9 +260,13 @@ def clean_up_benchmark_env(bm_config):

def execute(command, wait=False, stdout=None, stderr=None, shell=True):
print("execute: {}".format(command))

# Split the command into a list of arguments
if isinstance(command, str):
command = shlex.split(command)

cmd = Popen(
command,
shell=shell,
close_fds=True,
stdout=stdout,
stderr=stderr,
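Review bot: The signature on the `def execute(...)` line still defaults `shell=True` while the body now shlex-splits string commands; a list handed to Popen with shell=True runs only its first element as the shell command (the remaining elements become the shell's positional parameters), so any caller relying on the default gets a silently broken command. The rendering does not show whether the `shell=shell,` keyword survived on the new side; either way the default should become `shell=False`, and common.py's `execute` in this same PR already dropped the parameter, so the two helpers should agree. Suggested change: `def execute(command, wait=False, stdout=None, stderr=None, shell=False):` and split only when a shell is not requested, `if not shell and isinstance(command, str):`. Strings that previously relied on shell features such as pipes or `&&` become literal argv tokens after the split, which is worth a grep of the callers. execute's body continues past the hunk.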
8 changes: 6 additions & 2 deletions benchmarks/utils/common.py
@@ -1,12 +1,16 @@
import os
import shlex
from subprocess import Popen


def execute(command, wait=False, stdout=None, stderr=None, shell=True):
def execute(command, wait=False, stdout=None, stderr=None):
print(command)
# Split the command into a list of arguments
if isinstance(command, str):
command = shlex.split(command)

cmd = Popen(
command,
shell=shell,
close_fds=True,
stdout=stdout,
stderr=stderr,
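Review bot: `shlex.split` turns shell syntax into literal argv tokens, so any caller of `execute` that passed a string using pipes, redirections, `&&` or `$VAR` expansion now hands those to the first program as plain arguments instead of to a shell — nothing in the new code rejects such strings, so the callers need a grep before merging. The `print(command)` runs before the split, so the log shows the string while Popen receives the list; moving the print after the split shows what actually runs. Since str-or-list is now part of the contract, a one-line docstring such as `"""Run *command* (str or argv list) without a shell; strings are tokenised with shlex."""` would help the next reader. execute's body continues past the hunk.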
6 changes: 4 additions & 2 deletions benchmarks/windows_install_dependencies.py
Expand Up @@ -5,12 +5,14 @@
import subprocess
import locale
import shutil
import shlex
import argparse

def run(command):
"""Returns (return-code, stdout, stderr)"""
p = subprocess.Popen(command, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, shell=True)
if isinstance(command, str):
command = shlex.split(command)
p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
raw_output, raw_err = p.communicate()
rc = p.returncode
enc = locale.getpreferredencoding()
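Review bot: `shlex.split` runs in POSIX mode by default, so a Windows path passed to `run` as a string has its backslashes consumed as escape characters (`shlex.split(r"dir C:\tools\x")` yields `['dir', 'C:toolsx']`), which is a real hazard in a Windows-only installer. The callers of `run` are elsewhere in this file and not visible here; the safest fix is to pass argv lists from every call site and drop the string branch, with `shlex.split(command, posix=False)` as the fallback, noting that it then leaves quote characters inside the tokens. The docstring could also state the accepted input, e.g. `"""Run *command* (argv list, or a string split with shlex); returns (return-code, stdout, stderr)."""`. run's body continues past the hunk.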
12 changes: 8 additions & 4 deletions binaries/build.py
@@ -1,6 +1,8 @@
import argparse
import glob
import os
import shlex
import subprocess
import sys

# To help discover local modules
Expand Down Expand Up @@ -49,10 +51,12 @@ def build_dist_whl(args):
print(f"## In directory: {os.getcwd()} | Executing command: {cur_wheel_cmd}")

if not args.dry_run:
build_exit_code = os.system(cur_wheel_cmd)
# If any one of the steps fail, exit with error
if build_exit_code != 0:
sys.exit(f"## {binary} build Failed !")
try:
cur_wheel_cmd_list = shlex.split(cur_wheel_cmd)
subprocess.run(cur_wheel_cmd_list, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
except subprocess.CalledProcessError as e:
print(f"## {binary} build Failed! Error: {e.stderr.decode()}")
sys.exit(1)


def build(args):
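Review bot: `stdout=subprocess.PIPE` in the new `subprocess.run` call captures the whole build log and never prints it, so a successful run shows nothing and a failed one shows only stderr; drop the `stdout=` argument so the log reaches the console, and pass `text=True` so `e.stderr` is already a str and the `.decode()` — which raises on any non-UTF-8 byte — goes away. The same capture-and-discard pattern appears in install.py, upload.py, the resnet archiving script and create_dlrm_mar.py in this PR, where the captured stderr is not printed at all; at minimum include `e.stderr` in the failure message there. `cur_wheel_cmd` is assembled above the hunk, so it is worth checking that it contains no shell syntax (a `cd … &&` or redirection) that `shlex.split` would now pass through as literal arguments.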
40 changes: 18 additions & 22 deletions binaries/conda/build_packages.py
@@ -1,19 +1,16 @@
import argparse
import os
import subprocess
from datetime import date

from ts_scripts.utils import try_and_handle
from ts_scripts.utils import try_and_handle, find_conda_binary

conda_build_dir = os.path.dirname(os.path.abspath(__file__))
REPO_ROOT = os.path.join(conda_build_dir, "..", "..")
MINICONDA_DOWNLOAD_URL = (
"https://repo.anaconda.com/miniconda/Miniconda3-py39_4.9.2-Linux-x86_64.sh"
)
CONDA_BINARY = (
os.popen("which conda").read().strip()
if os.system(f"conda --version") == 0
else f"$HOME/miniconda/condabin/conda"
)
CONDA_BINARY = find_conda_binary()

CONDA_PACKAGES_PATH = os.path.join(REPO_ROOT, "binaries", "conda", "output")
CONDA_LINUX_PACKAGES_PATH = os.path.join(
Expand All @@ -32,8 +29,7 @@

if os.name == "nt":
# Assumes miniconda is installed in windows
CONDA_BINARY = "conda"

CONDA_BINARY = "conda"

def add_nightly_suffix_conda(binary_name: str) -> str:
"""
Expand All @@ -52,29 +48,29 @@ def install_conda_build(dry_run):
"""

# Check if conda binary already exists
exit_code = os.system(f"conda --version")
if exit_code == 0:
print(
f"'conda' already present on the system. Proceeding without a fresh conda installation."
)
try:
subprocess.run(["conda", "--version"], check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
print("'conda' already present on the system. Proceeding without a fresh conda installation.")
return
try_and_handle(
f"{CONDA_BINARY} install python=3.8 conda-build anaconda-client -y", dry_run
)
except subprocess.CalledProcessError:
# Conda is not available, proceed with installation
try_and_handle(
f"{CONDA_BINARY} install python=3.8 conda-build anaconda-client -y", dry_run
)


def install_miniconda(dry_run):
"""
Installs miniconda, a slimmer anaconda installation to build conda packages
"""

# Check if conda binary already exists
exit_code = os.system(f"conda --version")
if exit_code == 0:
print(
f"'conda' already present on the system. Proceeding without a fresh minconda installation."
)
try:
subprocess.run(["conda", "--version"], check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
print("'conda' already present on the system. Proceeding without a fresh conda installation.")
return
except subprocess.CalledProcessError as e:
raise (e)

if os.name == "nt":
print(
"Identified as Windows system. Please install miniconda using this URL: https://repo.anaconda.com/miniconda/Miniconda3-latest-Windows-x86_64.exe"
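Review bot: In `install_miniconda` the `except subprocess.CalledProcessError as e: raise (e)` branch makes the rest of the function unreachable: when `conda --version` succeeds the function returns, when it exits non-zero the error is re-raised, and when conda is not on PATH at all `subprocess.run` raises FileNotFoundError, which neither probe catches — so the "proceed with installation" path in `install_conda_build` also never runs for a missing binary. Both probes should catch `(subprocess.CalledProcessError, FileNotFoundError)` and fall through to the install code, e.g. in install_miniconda `except (subprocess.CalledProcessError, FileNotFoundError):` followed by `pass  # conda missing or unusable; install it below`. `find_conda_binary` comes from ts_scripts.utils and is not visible here; if it shells out it should take the same argv-list approach as the rest of this PR.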
23 changes: 15 additions & 8 deletions binaries/install.py
@@ -1,4 +1,5 @@
import os
import subprocess
import sys
import glob

Expand All @@ -13,19 +14,25 @@ def install():
if is_conda_env():
print("## Using conda to install torchserve and torch-model-archiver")
channel_dir = os.path.abspath(os.path.join(REPO_ROOT, "binaries", "conda", "output"))
conda_cmd = f"conda install --channel {channel_dir} -y torchserve torch-model-archiver"
print(f"## In directory: {os.getcwd()} | Executing command: {conda_cmd}")
install_exit_code = os.system(conda_cmd)
conda_cmd = ["conda", "install", "--channel", channel_dir, "-y", "torchserve", "torch-model-archiver"]
print(f"## In directory: {os.getcwd()} | Executing command: {' '.join(conda_cmd)}")

try:
subprocess.run(conda_cmd, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
except subprocess.CalledProcessError as e:
sys.exit("## Torchserve/Model archiver Installation Failed!")

else:
print("## Using pip to install torchserve and torch-model-archiver")
ts_wheel = glob.glob(os.path.join(REPO_ROOT, "dist", "*.whl"))[0]
ma_wheel = glob.glob(os.path.join(REPO_ROOT, "model-archiver", "dist", "*.whl"))[0]
pip_cmd = f"pip install {ts_wheel} {ma_wheel}"
print(f"## In directory: {os.getcwd()} | Executing command: {pip_cmd}")
install_exit_code = os.system(pip_cmd)
pip_cmd = ["pip", "install", ts_wheel, ma_wheel]
print(f"## In directory: {os.getcwd()} | Executing command: {' '.join(pip_cmd)}")

if install_exit_code != 0:
sys.exit("## Torchserve \ Model archiver Installation Failed !")
try:
subprocess.run(pip_cmd, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
except subprocess.CalledProcessError as e:
sys.exit("## Torchserve/Model archiver Installation Failed!")


if __name__ == "__main__":
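Review bot: Both branches of `install` now end in an identical try/except, and in both the `e` bound by `except subprocess.CalledProcessError as e` is unused while the stderr captured by `stderr=subprocess.PIPE` is discarded, so the failure message no longer says why the install failed. Build the command list in each branch and run it once after the if/else, including the captured output: `sys.exit(f"## Torchserve/Model archiver Installation Failed!\n{e.stderr.decode(errors='replace')}")`. The `glob(...)[0]` lookups above are unchanged context, but they fail with IndexError rather than a readable message when no wheel has been built.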
7 changes: 4 additions & 3 deletions binaries/s3_binary_upload.py
Expand Up @@ -2,6 +2,7 @@
import glob
import logging
import os
import shlex
import subprocess
import sys

Expand Down Expand Up @@ -39,10 +40,10 @@ def s3_upload_local_folder(self, local_folder_path: str):
"""
LOGGER.info(f"Uploading *.whl files from folder: {local_folder_path}")
s3_command = f"{self.s3_command} --exclude '*' --include '*.whl' {local_folder_path} {self.s3_bucket.rstrip('/')}/whl/{self.channel}"

s3_command = shlex.split(s3_command)
try:
ret_code = subprocess.run(
s3_command, check=True, stdout=subprocess.PIPE, universal_newlines=True, shell=True
subprocess.run(
s3_command, check=True, stdout=subprocess.PIPE, universal_newlines=True
)
except subprocess.CalledProcessError as e:
LOGGER.info(f"S3 upload command failed: {s3_command}. Exception: {e}")
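Review bot: `s3_upload_local_folder` still interpolates `local_folder_path` into a string and then re-tokenises the whole thing with `shlex.split`, so a folder path containing a space (or a quote) is split into several arguments; the old shell-string form had the same weakness, but now that a list is being built anyway the path should become one argv element directly. If `self.s3_command` is a fixed multi-word base command (it is set outside the hunk), `*shlex.split(self.s3_command)` keeps that part splittable while the user-supplied path and the bucket URL are appended as single elements. The log line in the except clause would then print a list rather than the old string; `' '.join(s3_command)` restores the readable form.
```python
s3_command = [
    *shlex.split(self.s3_command),
    "--exclude", "*", "--include", "*.whl",
    local_folder_path,
    f"{self.s3_bucket.rstrip('/')}/whl/{self.channel}",
]
# … unchanged: subprocess.run call and error logging …
```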
17 changes: 12 additions & 5 deletions binaries/upload.py
Expand Up @@ -3,6 +3,7 @@
import glob
import os
import sys
import subprocess

# To help discover local modules
REPO_ROOT = os.path.join(os.path.dirname(os.path.abspath(__file__)), "..")
Expand Down Expand Up @@ -44,11 +45,17 @@ def upload_conda_packages(args, PACKAGES, CONDA_PACKAGES_PATH):
"tar.bz2"
):
print(f"Uploading to anaconda package: {name}")
anaconda_upload_command = f"anaconda upload {file_path} --force"
exit_code = os.system(anaconda_upload_command)
if exit_code != 0:
print(f"Anaconda package upload failed for package {name}")
return exit_code
anaconda_upload_command = ["anaconda", "upload", file_path, "--force"]

try:
subprocess.run(
anaconda_upload_command,
check=True,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE
)
except subprocess.CalledProcessError as e:
return e.returncode
print(f"All packages uploaded to anaconda successfully")


4 changes: 2 additions & 2 deletions examples/LLM/llama/chat_app/docker/torchserve_server_app.py
Expand Up @@ -15,9 +15,9 @@


def start_server():
commands = ["torchserve", "--start", "--ts-config", "/home/model-server/config.properties"]
subprocess.run(
["torchserve --start --ts-config /home/model-server/config.properties"],
shell=True,
commands,
check=True,
)
while True:
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
import argparse
import os
import shutil
import subprocess

MODEL_PTH_FILE = "resnet18-f37072fd.pth"
MODEL_STORE = "model_store"
Expand All @@ -15,7 +16,7 @@ def download_pth_file(output_file: str) -> None:
if not os.path.exists(output_file):
cmd = ["wget", " https://download.pytorch.org/models/resnet18-f37072fd.pth"]
print("Downloading resnet-18 pth file")
os.system(" ".join(cmd))
subprocess.run(cmd, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)


def create_mar():
Expand All @@ -42,9 +43,8 @@ def create_mar():
"--handler image_classifier",
"--force",
]

print(f"Archiving resnet-18 model into {MAR_FILE}")
os.system(" ".join(cmd))
subprocess.run(cmd, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)


def move_mar_file():
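Review bot: The `wget` argv in `download_pth_file` carries a leading space inside its second element (`" https://…"`); `os.system(" ".join(cmd))` let the shell collapse that, but `subprocess.run(cmd)` now passes it verbatim, so wget receives an invalid URL and `check=True` raises. `create_mar` has the same problem in the other direction: elements such as `"--handler image_classifier"` were split by the shell before, but as a single argv token the archiver's argument parser will not recognise them, and the `cmd` list there starts above the hunk, so every element with an embedded space needs splitting (`"--handler", "image_classifier"`). Drop the leading space in the URL element as well. Both functions otherwise continue outside the hunk.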
6 changes: 5 additions & 1 deletion examples/intel_extension_for_pytorch/intel_gpu.py
@@ -1,5 +1,6 @@
import csv
import logging
import shlex
import subprocess
from io import StringIO

Expand All @@ -11,8 +12,11 @@

def check_cmd(cmd):
out = None
# Split the command into a list of arguments
if isinstance(command, str):
command = shlex.split(command)
try:
out = subprocess.check_output(cmd, shell=True, timeout=5, text=True)
out = subprocess.check_output(cmd, timeout=5, text=True)
except subprocess.TimeoutExpired:
logging.error("Timeout running %s", cmd)
except FileNotFoundError:
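Review bot: The added lines in `check_cmd` reference `command`, but the parameter is named `cmd`, so every call now raises NameError before the subprocess is started (`check_output` still receives `cmd`). Change the two lines to `if isinstance(cmd, str):` and `cmd = shlex.split(cmd)`. check_cmd's body continues past the hunk.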
4 changes: 2 additions & 2 deletions examples/text_classification/run_script.py
Expand Up @@ -3,5 +3,5 @@

os.makedirs(".data",exist_ok=True)

cmd="python train.py AG_NEWS --device cpu --save-model-path model.pt --dictionary source_vocab.pt"
subprocess.run(cmd, shell=True,check=True)
cmd = ["python", "train.py", "AG_NEWS", "--device", "cpu", "--save-model-path", "model.pt", "--dictionary", "source_vocab.pt"]
subprocess.run(cmd, check=True)
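Review bot: The argv starts with the bare name `"python"`, so whichever `python` is first on PATH runs train.py, which may not be the interpreter executing this script (the old `shell=True` form had the same ambiguity). Using `sys.executable` as the first element pins it to the same interpreter, `cmd = [sys.executable, "train.py", "AG_NEWS", "--device", "cpu", "--save-model-path", "model.pt", "--dictionary", "source_vocab.pt"]`, which needs `import sys` in the header above the hunk if it is not already there.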
5 changes: 2 additions & 3 deletions examples/torchrec_dlrm/create_dlrm_mar.py
Expand Up @@ -2,8 +2,7 @@
This script creates a DLRM model and packs it into a TorchServe mar file
"""

import os

import subprocess
import torch
from dlrm_factory import DLRMFactory

Expand Down Expand Up @@ -32,7 +31,7 @@ def main():
]

print("Archiving model into dlrm.mar")
os.system(" ".join(cmd))
subprocess.run(cmd, check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
print("Done")


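Review bot: The first hunk drops `import os`; if `os` is still referenced anywhere else in this file (the rest is outside the hunks), the module now fails at that reference, so a grep is needed before merging. In the second hunk, `stdout=subprocess.PIPE, stderr=subprocess.PIPE` capture the archiver's output and throw it away, and CalledProcessError's message names only the command and exit status, so dropping the two PIPE arguments keeps the useful output visible. The `cmd` list is built above the hunk; any element that combines an option and its value in one string (the pattern used in the sibling resnet script in this PR) would now be passed as a single token the archiver will not recognise.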