Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change Snyk Actions #1713

Merged
merged 11 commits into from
Nov 26, 2024
Merged

Change Snyk Actions #1713

merged 11 commits into from
Nov 26, 2024

Conversation

noah-paige
Copy link
Contributor

Feature or Bugfix

Detail

  • Change GitHub Action step from using snyk/actions/python-3.9@master to snyk/actions/setup@master

    • snyk/actions/setup@master will just install Snyk CLI and we add step to explicitly call snyk test ... with our arguments
    • Changed because snyk/actions/python-3.9@master was setting up some virtual env and not finding the installed dependencies from make install (leading to Snyk skipping over the checks on requirements.txt)

  • Alternatives Explored

    • Specifying package-manager to pip rather than poetry (Poetry shell was being created that did not carry over installed deps from before using snyk/actions/python-3.9@master)
      • But not supported with all-projects flag
    • Adding configuration to pyproject.toml to prevent venv creation (could not find a working solution)
    • Using venvs and exporting PATH env variable to be used later by Snyk action step (could not find a working solution)

Relates

Security

Please answer the questions below briefly where applicable, or write N/A. Based on
OWASP 10.

  • Does this PR introduce or modify any input fields or queries - this includes
    fetching data from storage outside the application (e.g. a database, an S3 bucket)?
    • Is the input sanitized?
    • What precautions are you taking before deserializing the data you consume?
    • Is injection prevented by parametrizing queries?
    • Have you ensured no eval or similar functions are used?
  • Does this PR introduce any functionality or component that requires authorization?
    • How have you ensured it respects the existing AuthN/AuthZ mechanisms?
    • Are you logging failed auth attempts?
  • Are you using or adding any cryptographic features?
    • Do you use a standard proven implementations?
    • Are the used keys controlled by the customer? Where are they stored?
  • Are you introducing any new policies/roles/users?
    • Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@noah-paige
Copy link
Contributor Author

Tested in a forked repo the same GitHub Action - Snyk workflow successful with output: Tested 8 projects, no vulnerable paths were found. (link to GH forked repo run)

@noah-paige
Copy link
Contributor Author

@petrkalos @dlpzx @SofiaSazonova - take a look when you have some time

Github Action's of Snyk running into some issues not reproducible locally but this PR changes to resolve and ultimately close the loop on Snyk setup

@dlpzx dlpzx merged commit b5f1131 into main Nov 26, 2024
9 checks passed
@dlpzx dlpzx mentioned this pull request Dec 4, 2024
Closed
dlpzx pushed a commit that referenced this pull request Dec 5, 2024
@noah-paige @dlpzx
Change Snyk Actions (#1713)
fce3455 
### Feature or Bugfix
<!-- please choose -->

### Detail
- Change GitHub Action step from using `snyk/actions/python-3.9@master`
to `snyk/actions/setup@master`
- `snyk/actions/setup@master` will just install Snyk CLI and we add step
to explicitly call `snyk test ...` with our arguments
- Changed because `snyk/actions/python-3.9@master` was setting up some
virtual env and not finding the installed dependencies from `make
install` (leading to Snyk skipping over the checks on
`requirements.txt`)


- Alternatives Explored
- Specifying `package-manager` to pip rather than poetry (Poetry shell
was being created that did not carry over installed deps from before
using `snyk/actions/python-3.9@master`)
        - But not supported with `all-projects` flag
- Adding configuration to `pyproject.toml` to prevent venv creation
(could not find a working solution)
- Using venvs and exporting PATH env variable to be used later by Snyk
action step (could not find a working solution)


### Relates
- #1708

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use a standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
@dlpzx dlpzx mentioned this pull request Dec 9, 2024
Merged
dlpzx added a commit that referenced this pull request Jan 15, 2025
@dlpzx @mourya-33
@noah-paige @petrkalos @SofiaSazonova
2.6.2 Security features (#1737)
749ffc3 
### Feature or Bugfix
- Security

### Detail

### 🔐 Security
* Update sanitization technique for terms filtering by @noah-paige in
#1692 and in
#1693
* Move access logging to a separate environment logging bucket by
@noah-paige in #1695
* Add explicit token duration config for both JWTs by @noah-paige in
#1698
* Disable GraphQL introspection if prod sizing by @noah-paige in
#1704
* Add snyk workflow on schedule by @noah-paige in
#1705,
#1708,
#1713,
#1745 and in in
#1746
* Unify Logger Config for Tasks by @noah-paige in
#1709
* Updating overly permissive policies tagged by checkov for environment
role using least privilege principles by @mourya-33 in
#1632

Data.all permission model has been reviewed to ensure all Mutations and
Queries have proper permissions:
* Add MANAGE_SHARES permissions by @dlpzx in
#1702
* Add permission check - is tenant to update SSM parameters API by
@dlpzx in #1714
* Add GET_SHARE_OBJECT permissions to get data filters API by @dlpzx in
#1717
* Add permissions on list datasets for env group + cosmetic S3 Datasets
by @dlpzx in #1718
* Add GET_WORKSHEET permission in RUN_SQL_QUERY by @dlpzx in
#1716
* Add permissions to Quicksight monitoring service layer by @dlpzx in
#1715
* Add LIST_ENVIRONMENT_DATASETS permission for listing shared datasets
and cleanup unused code by @dlpzx in
#1719
* Add is_owner permissions to Glossary mutations + add new integration
tests by @dlpzx in #1721
* Refactor env permissions + modify getTrustAccount by @dlpzx in
#1712
* Add Feed consistent permissions by @dlpzx in
#1722
* Add Votes consistent permissions by @dlpzx in
#1724
* Consistent get_<DATA_ASSET> permissions - Dashboards by @dlpzx in
#1729


### 🧪 Test improvements
Integration tests are in sync with `main` without 2.7 planned features.
In this PR all core modules, optional modules and submodules are tested.
That includes: tenant-permissions, omics, mlstudio, votes, notifications
and backwards compatiblity of s3 shares. by @SofiaSazonova, @noah-paige
, @petrkalos and @dlpzx


In addition, the following PR adds functional tests that ensure the
permission model of data.all is not corrupted.
* ⭐ Add resource permission checks by @petrkalos in
#1711


### Dependencies
* Update FastAPI by @petrkalos in #1577 
* update fastapi dependency by @noah-paige in
#1699
* Upgrade "cross-spawn" to "7.0.5" by @dlpzx in
#1701
* Bump python runtime to bump cdk klayers cryptography version by
@noah-paige in #1707


### Relates
- List above

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use a standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.

---------

Co-authored-by: mourya-33 <[email protected]>
Co-authored-by: Mourya Darivemula <[email protected]>
Co-authored-by: Noah Paige <[email protected]>
Co-authored-by: Petros Kalos <[email protected]>
Co-authored-by: Sofia Sazonova <[email protected]>
Co-authored-by: Sofia Sazonova <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dlpzx dlpzx dlpzx approved these changes

@petrkalos petrkalos petrkalos approved these changes

@SofiaSazonova SofiaSazonova Awaiting requested review from SofiaSazonova

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@noah-paige @petrkalos @dlpzx