WIP: safety

.circleci/config.yml

@@ -92,13 +92,6 @@ common-steps:
         set -e
         make -C client verify-mo
 
-  - &client_check_python_dependencies_for_vulnerabilities
-    run:
-      name: Check Python dependencies for known vulnerabilities
-      command: |
-        set -e
-        make -C client safety
-
   - &export_install_poetry
     run:
       name: Install Poetry
@@ -145,12 +138,6 @@ common-steps:
       command: |
         make -C export semgrep
 
-  - &export_check_python_dependencies_for_vulnerabilities
-    run:
-      name: Check Python dependencies for known vulnerabilities
-      command: |
-        make -C export safety
-
   - &log_install_poetry
     run:
       name: Install Poetry
@@ -223,15 +210,6 @@ common-steps:
       command: |
         make -C proxy lint
 
-  - &proxy_check_python_dependencies_for_vulnerabilities
-    run:
-      name: Check Python dependencies for known vulnerabilities
-      command: |
-        set -e
-        cd proxy
-        poetry update safety
-        make safety
-
 version: 2.1
 
 jobs:
@@ -286,16 +264,6 @@ jobs:
       - *client_install_testing_dependencies
       - *client_check_security
 
-  client_check-python-security:
-    parameters: *parameters
-    docker: *docker
-    steps:
-      - *client_install_poetry
-      - checkout
-      - *client_install_testing_dependencies
-      - *client_check_python_dependencies_for_vulnerabilities
-
-
   client_check-internationalization:
     parameters: *parameters
     docker: *docker
@@ -335,15 +303,6 @@ jobs:
       - *export_install_testing_dependencies
       - *export_check_security
 
-  export_check-python-security:
-    parameters: *parameters
-    docker: *docker
-    steps:
-      - *export_install_poetry
-      - checkout
-      - *export_install_testing_dependencies
-      - *export_check_python_dependencies_for_vulnerabilities
-
   log_test-bullseye:
     docker:
       - image: debian:bullseye
@@ -373,15 +332,6 @@ jobs:
       - *proxy_install_testing_dependencies
       - *proxy_run_lint
 
-  proxy_check-python-security:
-    parameters: *parameters
-    docker: *docker
-    steps:
-      - checkout
-      - *proxy_install_poetry
-      - *proxy_install_testing_dependencies
-      - *proxy_check_python_dependencies_for_vulnerabilities
-
 
 workflows:
   securedrop_client_ci:
@@ -400,8 +350,6 @@ workflows:
           matrix: *matrix
       - client_check-security:
           matrix: *matrix
-      - client_check-python-security:
-          matrix: *matrix
       - client_check-internationalization:
           matrix: *matrix
 
@@ -413,8 +361,6 @@ workflows:
           matrix: *matrix
       - export_check-security:
           matrix: *matrix
-      - export_check-python-security:
-          matrix: *matrix
 
   securedrop_log_ci:
     jobs:
@@ -426,10 +372,6 @@ workflows:
           matrix: *matrix
       - proxy_lint:
           matrix: *matrix
-      - proxy_check-security:
-          matrix: *matrix
-      - proxy_check-python-security:
-          matrix: *matrix
 
   client_nightly:
     triggers:

.github/workflows/ci.yml

@@ -51,3 +51,16 @@ jobs:
           poetry install
       - name: Run lint
         run: make lint
+
+  safety:
+    runs-on: ubuntu-latest
+    container: debian:bookworm
+    steps:
+      - run: |
+          apt-get update && apt-get install --yes git make python3-poetry
+      - uses: actions/checkout@v4
+      - name: Run safety
+        run: |
+          poetry install
+          poetry update safety
+          make safety

Makefile

@@ -12,6 +12,14 @@ lint: bandit ## Run linters and formatters
 bandit: ## Run bandit security checks
 	@poetry run bandit -c pyproject.toml -r . --severity-level medium
 
+safety:  ## Run safety dependency checks on build dependencies
+	find . -name build-requirements.txt | xargs -n1 poetry run safety check --full-report \
+		--ignore 51668 \
+		--ignore 61601 \
+		--ignore 61893 \
+		--ignore 62044 \
+ 		-r
+
 # Explanation of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" and any make targets that might appear between : and ##
 # 2. Use sed-like syntax to remove the make targets

client/Makefile

@@ -113,16 +113,6 @@ test-sdk: ## Run just the sdk tests
 lint: ## Run the linters
 	@poetry run flake8 securedrop_client tests
 
-.PHONY: safety
-safety: ## Runs `safety check` to check python dependencies for vulnerabilities
-	@echo "Checking build-requirements.txt with safety"
-	@poetry run safety check --full-report \
-		--ignore 51668 \
-		--ignore 61601 \
-		--ignore 61893 \
-		--ignore 62044 \
-		-r build-requirements.txt
-
 .PHONY: check
 check: clean check-black check-isort semgrep lint mypy test-random test-integration test-functional ## Run the full CI test suite
 

client/pyproject.toml

@@ -44,7 +44,6 @@ pytest-qt = "^4.2.0"
 pytest-random-order = "*"
 pytest-vcr = "*"
 pytest-xdist = "^3.0.2"
-safety = "*"
 semgrep = "*"
 translate-toolkit = "*"
 types-polib = "*"

export/Makefile

@@ -1,11 +1,6 @@
 .PHONY: all
 all: help
 
-.PHONY: safety
-safety: ## Runs `safety check` to check python dependencies for vulnerabilities
-	@echo "Running safety against build requirements…"
-	@poetry run safety check --full-report -r build-requirements.txt
-
 .PHONY: check
 check: lint mypy semgrep test check-black ## Run linter and tests