Merge pull request #1 from intel/main

Changes

Author: joydeep049

.github/workflows/codeql-analysis.yml

@@ -51,7 +51,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
+      uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,4 +76,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
+      uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4

.github/workflows/cve_scan.yml

@@ -22,7 +22,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: '3.x'
+          python-version: '3.11'
           cache: 'pip'
           cache-dependency-path: '**/requirements.txt'
       - name: Get date

.github/workflows/formatting.yml

@@ -26,7 +26,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: '3.x'
+          python-version: '3.11'
           cache: 'pip'
       - name: Install cve-bin-tool
         run: |

.github/workflows/fuzzing.yml

@@ -0,0 +1,61 @@
+name: Fuzzing
+
+on:
+  schedule:
+    - cron: '0 7 * * 1'  # Runs at 07:00 on monday every week
+
+  workflow_dispatch: 
+
+permissions:
+  contents: read
+
+jobs:
+  fuzzing:
+    name: Fuzzing
+    runs-on: ubuntu-22.04
+    if: github.event.repository.fork == false   
+    steps:
+      - name: Check out code  
+        uses: actions/checkout@v2
+
+      - name: Set up Python 
+        uses: actions/setup-python@v2
+        with:
+          python-version: 3.9  
+
+      - name: Install Bazel  
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y wget
+          wget -c https://github.com/bazelbuild/bazelisk/releases/download/v1.18.0/bazelisk-linux-amd64
+          chmod +x bazelisk-linux-amd64
+          sudo mv bazelisk-linux-amd64 /usr/local/bin/bazel
+          bazel --version
+
+      - name: Install Fuzzing Dependencies  
+        run: |
+          pip install --upgrade atheris
+          pip install --upgrade atheris-libprotobuf-mutator
+          pip install --upgrade protobuf
+      - name: Install Cve-bin-tool
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install --upgrade setuptools
+          python -m pip install --upgrade -r dev-requirements.txt
+          python -m pip install --upgrade .
+
+      - name: Run Fuzzing 
+        id: fuzzing
+        env:
+          PYTHONPATH: ${{ github.workspace }}
+        run: |
+          cd fuzz
+          export PYTHONPATH="$PYTHONPATH:/generated"
+          fuzzing_scripts=($(ls *.py))
+          echo "Found Fuzzing scripts: ${fuzzing_scripts[@]}"
+          current_week=($(date -u +%U))
+          echo "Current week number: $current_week"
+          at_index=$((($(date -u +%U) % ${#fuzzing_scripts[@]})))
+          selected_script="${fuzzing_scripts[$at_index]}"
+          echo "Selected script: $selected_script"
+          timeout --preserve-status --signal=SIGINT 60m python $selected_script

.github/workflows/linting.yml

@@ -27,7 +27,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: '3.x'
+          python-version: '3.11'
           cache: 'pip'
       - name: Install pre-commit
         run: |

.github/workflows/scorecard.yml

@@ -32,7 +32,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif

.github/workflows/testing.yml

@@ -42,7 +42,7 @@ jobs:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: '3.x'
+          python-version: '3.11'
           cache: 'pip'
           cache-dependency-path: 'doc/requirements.txt'
       - name: Install doc dependencies
@@ -58,19 +58,11 @@ jobs:
 
   tests:
     name: Linux tests
-    if: |
-      ! github.event.pull_request.user.login == 'github-actions[bot]' ||
-      ! (
-        startsWith(github.head_ref, 'chore-sbom-py') ||
-        contains(
-          fromJSON('["chore-update-table","chore-precommit-config","chore-spdx-header"]'),
-          github.head_ref
-        )
-      )
     runs-on: ubuntu-22.04
     strategy:
       matrix:
         python: ['3.8', '3.9', '3.11']
+        # python 3.12 throws aiohttp package install errors
     timeout-minutes: 60
     steps:
       - name: Harden Runner
@@ -83,6 +75,19 @@ jobs:
         with:
           python-version: ${{ matrix.python }}
           cache: 'pip'
+
+      - name: "Skip tests if this is an automated sbom job"
+        env:
+          COMMIT_VAR: ${{ startsWith(github.head_ref, 'chore-sbom-py') && github.event.pull_request.user.login == 'github-actions[bot]' }}
+        run: |
+          if ${COMMIT_VAR} == true; then
+            echo "sbom=true" >> $GITHUB_ENV
+            echo "sbom set to true"
+          else
+            echo "sbom=false" >> $GITHUB_ENV
+            echo "sbom set to false"
+          fi
+
       - name: Get date
         id: get-date
         run: |
@@ -105,10 +110,13 @@ jobs:
           path: cache
           key: Linux-cve-bin-tool-${{ steps.get-date.outputs.yesterday }}
       - name: Install cabextract
+        if: env.sbom == false
         run: sudo apt-get update && sudo apt-get install cabextract
       - name: Install OS dependencies for testing PDF
+        if: env.sbom == false
         run: sudo apt-get install build-essential libpoppler-cpp-dev pkg-config python3-dev
       - name: Install pdftotext, reportlab and cve-bin-tool
+        if: env.sbom == false
         run: |
           python -m pip install --upgrade pip
           python -m pip install --upgrade setuptools
@@ -118,11 +126,13 @@ jobs:
           python -m pip install --upgrade -r dev-requirements.txt
           python -m pip install --upgrade .
       - name: Try single CLI run of tool
+        if: env.sbom == false
         run: |
           [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool
           NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
           cp -r ~/.cache/cve-bin-tool cache
       - name: Run async tests
+        if: env.sbom == false
         run: >
           pytest -n 4 -v
           --ignore=test/test_cli.py
@@ -131,6 +141,7 @@ jobs:
           --ignore=test/test_html.py
           --ignore=test/test_json.py
       - name: Run synchronous tests
+        if: env.sbom == false
         run: >
           pytest -v
           test/test_cli.py
@@ -162,6 +173,19 @@ jobs:
         with:
           python-version: '3.10'
           cache: 'pip'
+
+      - name: "Skip tests if this is an automated sbom job"
+        env:
+          COMMIT_VAR: ${{ startsWith(github.head_ref, 'chore-sbom-py') && github.event.pull_request.user.login == 'github-actions[bot]' }}
+        run: |
+          if ${COMMIT_VAR} == true; then
+            echo "sbom=true" >> $GITHUB_ENV
+            echo "sbom set to true"
+          else
+            echo "sbom=false" >> $GITHUB_ENV
+            echo "sbom set to false"
+          fi
+
       - name: Get date
         id: get-date
         run: |
@@ -200,10 +224,13 @@ jobs:
           if_true: '1'
           if_false: '0'
       - name: Install cabextract
+        if: env.sbom == false
         run: sudo apt-get update && sudo apt-get install cabextract
       - name: Install OS dependencies for testing PDF
+        if: env.sbom == false
         run: sudo apt-get install build-essential libpoppler-cpp-dev pkg-config python3-dev
       - name: Install pdftotext, reportlab and cve-bin-tool
+        if: env.sbom == false
         run: |
           python -m pip install --upgrade pip
           python -m pip install --upgrade setuptools
@@ -213,11 +240,13 @@ jobs:
           python -m pip install --upgrade -r dev-requirements.txt
           python -m pip install --editable .
       - name: Try single CLI run of tool
+        if: env.sbom == false
         run: |
           [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool
           NO_EXIT_CVE_NUM=1 python -m cve_bin_tool.cli test/assets/test-kerberos-5-1.15.1.out
           cp -r ~/.cache/cve-bin-tool cache
       - name: Run async tests
+        if: env.sbom == false
         env:
           LONG_TESTS: ${{ steps.git-diff.outputs.value }}
         run: >
@@ -228,13 +257,15 @@ jobs:
           --ignore=test/test_html.py
           --ignore=test/test_json.py
       - name: Run synchronous tests
+        if: env.sbom == false
         env:
           LONG_TESTS: ${{ steps.git-diff.outputs.value }}
         run: >
           pytest -v --cov --cov-append --cov-report=xml
           test/test_cli.py
           test/test_cvedb.py
       - name: Upload code coverage to codecov
+        if: env.sbom == false
         uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
         with:
           files: ./coverage.xml

.github/workflows/update-js-dependencies.yml

@@ -30,7 +30,7 @@ jobs:
 
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: '3.x'
+          python-version: '3.11'
 
       - name: Update JS dependencies
         run: python .github/workflows/update_js_dependencies.py

.github/workflows/update-pre-commit.yml

@@ -30,7 +30,7 @@ jobs:
 
       - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
-          python-version: '3.x'
+          python-version: '3.11'
 
       - name: Install pre-commit
         run: |

.pre-commit-config.yaml

@@ -3,16 +3,19 @@ repos:
     rev: 5.12.0
     hooks:
     - id: isort
+      exclude: ^fuzz/generated/
 
 -   repo: https://github.com/psf/black-pre-commit-mirror
     rev: 23.9.1
     hooks:
     - id: black
+      exclude: ^fuzz/generated/
 
 -   repo: https://github.com/asottile/pyupgrade
     rev: v3.10.1
     hooks:
     - id: pyupgrade
+      exclude: ^fuzz/generated/
       args: ["--py38-plus"]
 
 -   repo: https://github.com/pycqa/flake8
@@ -25,6 +28,7 @@ repos:
     rev: 1.7.5
     hooks:
     - id: bandit
+      exclude: ^fuzz/generated/
       args: ["-c", "bandit.conf"]
 
 -   repo: https://github.com/jorisroovers/gitlint
@@ -66,3 +70,11 @@ repos:
             test/test_version.py|
             test/utils.py|
         )$
+
+-   repo: https://github.com/econchick/interrogate
+    rev: 1.5.0
+    hooks:
+      - id: interrogate
+        verbose: True
+        exclude: ^(locales|presentation)
+        args: ["-vv", "-i", "-I", "-M", "-C", "-n", "-p", "-f", "60.0"]