Merge pull request #59 from mlinfra-io/update-pyproject-toml

Added bandit to pre-commit to check for vulerable code

.pre-commit-config.yaml

@@ -2,13 +2,10 @@ default_language_version:
   python: python3.10
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    # Ruff version.
-    rev: v0.1.9
+    rev: v0.1.14
     hooks:
-      # Run the linter.
       - id: ruff
-        args: [--fix]
-      # Run the formatter.
+        args: [--fix, --exit-non-zero-on-fix]
       - id: ruff-format
   - repo: https://github.com/PyCQA/isort
     rev: 5.12.0
@@ -17,12 +14,12 @@ repos:
         args: ["--profile", "black"]
         types: [python]
         files: "deploy/devops"
-  # - repo: https://github.com/PyCQA/bandit
-  #   rev: 1.7.7
-  #   hooks:
-  #     - id: bandit
-  #       args: [-c, pyproject.toml]
-  #       additional_dependencies: ["bandit[toml]"]
+  - repo: https://github.com/PyCQA/bandit
+    rev: 1.7.7
+    hooks:
+      - id: bandit
+        args: [-c, pyproject.toml]
+        additional_dependencies: ["bandit[toml]"]
   - repo: https://github.com/gruntwork-io/pre-commit
     rev: v0.1.17
     hooks:
@@ -67,6 +64,7 @@ repos:
       - id: pip-compile
         name: pip-compile requirements-dev.txt
         args:
+          - --extra=dev
           - --output-file=requirements-dev.txt
           - pyproject.toml
         files: ^(pyproject\.toml|requirements-dev\.txt)$

pyproject.toml

@@ -35,8 +35,7 @@ dependencies = [
     "pytest",
     "mypy",
     "getmac",
-    "requests",
-    "pre-commit>=3.3.3"
+    "requests"
 ]
 
 [tool.setuptools]
@@ -51,6 +50,9 @@ Repository = "https://github.com/mlinfra-io/mlinfra.git"
 Documentation = "https://mlinfra.io/"
 
 [project.optional-dependencies]
+dev = [
+    "pre-commit>=3.3.3"
+]
 docs = [
     "mkdocs-material",
     "mkdocs-git-revision-date-localized-plugin",

requirements-dev.txt

@@ -2,7 +2,7 @@
 # This file is autogenerated by pip-compile with Python 3.10
 # by the following command:
 #
-#    pip-compile --output-file=requirements-dev.txt pyproject.toml
+#    pip-compile --extra=dev --output-file=requirements-dev.txt pyproject.toml
 #
 boto3==1.34.11
     # via mlinfra (pyproject.toml)

requirements-docs.txt

@@ -16,20 +16,14 @@ botocore==1.34.31
     #   s3transfer
 certifi==2023.11.17
     # via requests
-cfgv==3.4.0
-    # via pre-commit
 charset-normalizer==3.3.2
     # via requests
 click==8.1.7
     # via mkdocs
 colorama==0.4.6
     # via mkdocs-material
-distlib==0.3.8
-    # via virtualenv
 exceptiongroup==1.2.0
     # via pytest
-filelock==3.13.1
-    # via virtualenv
 getmac==0.9.4
     # via mlinfra (pyproject.toml)
 ghp-import==2.1.0
@@ -40,8 +34,6 @@ gitpython==3.1.41
     # via
     #   mkdocs-git-revision-date-localized-plugin
     #   mlinfra (pyproject.toml)
-identify==2.5.33
-    # via pre-commit
 idna==3.6
     # via requests
 importlib-metadata==7.0.1
@@ -92,8 +84,6 @@ mypy==1.8.0
     # via mlinfra (pyproject.toml)
 mypy-extensions==1.0.0
     # via mypy
-nodeenv==1.8.0
-    # via pre-commit
 packaging==23.2
     # via
     #   mkdocs
@@ -103,13 +93,9 @@ paginate==0.5.6
 pathspec==0.12.1
     # via mkdocs
 platformdirs==4.1.0
-    # via
-    #   mkdocs
-    #   virtualenv
+    # via mkdocs
 pluggy==1.3.0
     # via pytest
-pre-commit==3.6.0
-    # via mlinfra (pyproject.toml)
 pygments==2.17.2
     # via mkdocs-material
 pymdown-extensions==10.7
@@ -129,7 +115,6 @@ pyyaml==6.0.1
     #   mike
     #   mkdocs
     #   mlinfra (pyproject.toml)
-    #   pre-commit
     #   pymdown-extensions
     #   pyyaml-env-tag
 pyyaml-env-tag==0.1
@@ -158,12 +143,7 @@ urllib3==2.0.7
     #   requests
 verspec==0.1.0
     # via mike
-virtualenv==20.25.0
-    # via pre-commit
 watchdog==3.0.0
     # via mkdocs
 zipp==3.17.0
     # via importlib-metadata
-
-# The following packages are considered to be unsafe in a requirements file:
-# setuptools

src/mlinfra/amplitude.py

@@ -97,6 +97,7 @@ def send_event(
                     params={},
                     headers=headers,
                     json=body,
+                    timeout=10,
                 )
                 if r.status_code != codes.ok:
                     raise Exception(

src/mlinfra/terraform/terraform.py

@@ -12,7 +12,10 @@
 
 import json
 import os
-import subprocess
+
+# TODO: Update this section to run it more secure and
+# remove the comment
+import subprocess  # nosec
 
 # import hashlib
 import boto3
@@ -56,7 +59,11 @@ def __init__(self, stack_config_path: str):
     def check_terraform_installed(self):
         """This function is responsible for checking if terraform is installed"""
         try:
-            version = subprocess.check_output(["terraform", "--version"], universal_newlines=True)
+            # TODO: Update this section to run it more secure and
+            # remove the comment
+            version = subprocess.check_output(  # nosec
+                ["terraform", "--version"], universal_newlines=True, timeout=30
+            )
             installed_version = version.split("\n")[0]
             if installed_version in terraform_tested_version:
                 return 0

src/mlinfra/utils/constants.py

@@ -24,3 +24,5 @@
 SESSION_ID: Final = int(time() * 1000)
 
 VERSION: Final = version("mlinfra")
+
+EXECUTABLE_PATH = "/usr/local/bin"

src/mlinfra/utils/utils.py

@@ -14,7 +14,10 @@
 import os
 import re
 import shutil
-import subprocess
+
+# TODO: Update this section to run it more secure and
+# remove the comment
+import subprocess  # nosec
 import sys
 
 from .constants import TF_PATH
@@ -32,9 +35,14 @@ def generate_tf_json(module_name: str, json_module: json):
 
 def check_terraform_version():
     try:
-        # Run 'terraform version' command in the shell
-        result = subprocess.run(
-            ["terraform", "version"], capture_output=True, text=True, check=True
+        # TODO: Update this section to run it more secure and
+        # remove the comment
+        result = subprocess.run(  # nosec
+            ["terraform", "version"],
+            capture_output=True,
+            text=True,
+            check=True,
+            timeout=30,
         )
 
         # Extract the version information from the output