diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000000..86357362a1 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,21 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + + - package-ecosystem: docker + directory: / + schedule: + interval: weekly + + - package-ecosystem: pip + directory: /docs + schedule: + interval: weekly + + - package-ecosystem: pip + directory: / + schedule: + interval: weekly \ No newline at end of file diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000000..3cfec7b486 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,28 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: Dependency review + +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: 'Dependency Review' + uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 \ No newline at end of file diff --git a/.github/workflows/pip-install.yml b/.github/workflows/pip-install.yml deleted file mode 100644 index 216a99d77a..0000000000 --- a/.github/workflows/pip-install.yml +++ /dev/null @@ -1,69 +0,0 @@ -name: Install with pip - -on: - pull_request: - paths: - - .github/workflows/pip-install.yml - - requirements.txt - - setup.py - push: - paths: - - .github/workflows/pip-install.yml - - requirements.txt - - setup.py - workflow_dispatch: - -env: - TESTING: 1 - -permissions: # added using https://github.com/step-security/secure-repo - contents: read - -jobs: - pip-install: - strategy: - matrix: - os: - - ubuntu-latest - - windows-latest - python-version: - - "3.12" - - "3.11" - - "3.10" - - "3.9" - - "3.8" - limited-dependencies: - - "" - - "TRUE" - include: - - os: macos-latest - python-version: "3.12" - - os: macos-latest - python-version: "3.12" - limited-dependencies: "TRUE" - - os: macos-latest - python-version: "3.8" - - os: macos-latest - python-version: "3.8" - limited-dependencies: "TRUE" - - runs-on: ${{ matrix.os }} - - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: ${{ matrix.python-version }} - cache: pip - - name: Install dependencies - env: - PARSONS_LIMITED_DEPENDENCIES: ${{ matrix.limited-dependencies }} - run: | - pip install -r requirements-dev.txt - pip install -e .[all] diff --git a/.github/workflows/python-checks.yml b/.github/workflows/python-checks.yml new file mode 100644 index 0000000000..dfbb5c3a14 --- /dev/null +++ b/.github/workflows/python-checks.yml @@ -0,0 +1,168 @@ +name: Python checks + +on: + push: + branches: [ "main", "major-release" ] + pull_request: + branches: [ "main", "major-release" ] + workflow_dispatch: + +permissions: + contents: read + +jobs: + test: + strategy: + fail-fast: false + matrix: + python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"] + os: ["ubuntu-latest", "windows-latest", "macos-latest"] + limited-dependencies: ["", "TRUE"] + + runs-on: ${{ matrix.os }} + + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + with: + python-version: ${{ matrix.python-version }} + + - name: Install uv + uses: install-pinned/uv@de03c60d508703a83d3f8f49afcf1249590ecda1 # 0.4.12 + + - name: Install dependencies + env: + PARSONS_LIMITED_DEPENDENCIES: ${{ matrix.limited-dependencies }} + run: | + uv pip install --system -e .[all] + uv pip install --system -r requirements-dev.txt + + - name: Test with pytest + run: | + pytest + + ruff-format: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Set up Python 3.12 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + with: + python-version: "3.12" + + - name: Install uv + uses: install-pinned/uv@de03c60d508703a83d3f8f49afcf1249590ecda1 # 0.4.12 + + - name: Install dependencies + run: | + uv pip install --system -r requirements-dev.txt + + - name: Run ruff format + run: | + ruff format --diff --target-version=py38 . + + ruff: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Set up Python 3.12 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + with: + python-version: "3.12" + + - name: Install uv + uses: install-pinned/uv@de03c60d508703a83d3f8f49afcf1249590ecda1 # 0.4.12 + + - name: Install dependencies + run: | + uv pip install --system -r requirements-dev.txt + + - name: Run ruff + run: | + ruff check --output-format=github . + + bandit: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Set up Python 3.12 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + with: + python-version: "3.12" + + - name: Install uv + uses: install-pinned/uv@de03c60d508703a83d3f8f49afcf1249590ecda1 # 0.4.12 + + - name: Install bandit + run: | + uv pip install --system -r requirements-dev.txt + + - name: Run bandit scan + run: | + bandit -c pyproject.toml -r . -ll -ii + + coverage: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Set up Python 3.12 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + with: + python-version: "3.12" + + - name: Install uv + uses: install-pinned/uv@de03c60d508703a83d3f8f49afcf1249590ecda1 # 0.4.12 + + - name: Install dependencies + run: | + uv pip install --system -e .[all] + uv pip install --system -r requirements-dev.txt + + - name: Test with pytest + run: | + coverage run -m pytest + + - name: Check coverage + run: | + coverage report -m --skip-covered --fail-under=75 + + pip-install: + strategy: + fail-fast: false + matrix: + python-version: ["3.8", "3.9", "3.10", "3.11", "3.12"] + os: ["ubuntu-latest", "windows-latest", "macos-latest"] + limited-dependencies: ["", "TRUE"] + + runs-on: ${{ matrix.os }} + + steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + egress-policy: audit + + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 + with: + python-version: ${{ matrix.python-version }} + cache: pip + + - name: Install dependencies + env: + PARSONS_LIMITED_DEPENDENCIES: ${{ matrix.limited-dependencies }} + run: | + pip install -r requirements-dev.txt + pip install -e .[all] diff --git a/.github/workflows/security_scorecard.yml b/.github/workflows/security_scorecard.yml index f6c9580595..3519c61bd0 100644 --- a/.github/workflows/security_scorecard.yml +++ b/.github/workflows/security_scorecard.yml @@ -3,6 +3,7 @@ # policy, and support documentation. name: Scorecard supply-chain security + on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection @@ -10,7 +11,7 @@ on: # To guarantee Maintained check is occasionally updated. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained pull_request: - branches: [ "main" ] + branches: [ "main", "major-release" ] schedule: - cron: '45 16 * * 2' @@ -31,6 +32,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -59,7 +65,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: SARIF file path: results.sarif @@ -68,6 +74,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: - sarif_file: results.sarif + sarif_file: results.sarif \ No newline at end of file diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml deleted file mode 100644 index 176fa5245d..0000000000 --- a/.github/workflows/test.yml +++ /dev/null @@ -1,81 +0,0 @@ -name: Pytest and ruff - -on: - pull_request: - paths: - - .github/workflows/test.yml - - requirements*.txt - - "**.py" - push: - paths: - - .github/workflows/test.yml - - requirements*.txt - - "**.py" - workflow_dispatch: - -env: - TESTING: 1 - -permissions: # added using https://github.com/step-security/secure-repo - contents: read - -jobs: - test_and_lint: - strategy: - matrix: - os: - - ubuntu-latest - - windows-latest - python-version: - - "3.12" - - "3.11" - - "3.10" - - "3.9" - - "3.8" - limited-dependencies: - - "" - - "TRUE" - include: - - os: macos-latest - python-version: "3.12" - - os: macos-latest - python-version: "3.12" - limited-dependencies: "TRUE" - - os: macos-latest - python-version: "3.8" - - os: macos-latest - python-version: "3.8" - limited-dependencies: "TRUE" - - runs-on: ${{ matrix.os }} - - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - egress-policy: audit - - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 - with: - python-version: ${{ matrix.python-version }} - cache: pip - - name: Install uv - run: | - pip install -U pip uv - - name: Install dependencies - env: - PARSONS_LIMITED_DEPENDENCIES: ${{ matrix.limited-dependencies }} - run: | - uv pip install --system -e .[all] - uv pip install --system -r requirements-dev.txt - - name: Lint - run: | - ruff check --output-format=github parsons/ test/ useful_resources/ - - name: Tests - run: pytest -rf test/ - - name: Format - run: | - ruff format --check --diff parsons/ test/ useful_resources/ - diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8b09c6e831..895355120f 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,7 +1,6 @@ repos: - repo: https://github.com/astral-sh/ruff-pre-commit - # Ruff version. - rev: v0.5.3 + rev: v0.6.9 hooks: # Run the linter. - id: ruff diff --git a/parsons/etl/etl.py b/parsons/etl/etl.py index 25c696f192..84563a4a88 100644 --- a/parsons/etl/etl.py +++ b/parsons/etl/etl.py @@ -1,4 +1,5 @@ import logging +import sys import petl @@ -658,10 +659,20 @@ def unpack_nested_columns_as_rows(self, column, key="id", expand_original=False) orig.concat(melted_list) # Add unique id column by hashing all the other fields if "uid" not in self.columns: - orig.add_column( - "uid", - lambda row: hashlib.md5(str.encode("".join([str(x) for x in row]))).hexdigest(), - ) + if sys.version_info.minor >= 9: + orig.add_column( + "uid", + lambda row: hashlib.md5( + str.encode("".join([str(x) for x in row])), usedforsecurity=False + ).hexdigest(), + ) + elif sys.version_info.minor < 9: + orig.add_column( + "uid", + lambda row: hashlib.md5( # nosec B324 + str.encode("".join([str(x) for x in row])) + ).hexdigest(), + ) orig.move_column("uid", 0) # Rename value column in case this is done again to this Table @@ -673,10 +684,18 @@ def unpack_nested_columns_as_rows(self, column, key="id", expand_original=False) else: orig = self.remove_column(column) # Add unique id column by hashing all the other fields - melted_list.add_column( - "uid", - lambda row: hashlib.md5(str.encode("".join([str(x) for x in row]))).hexdigest(), - ) + if sys.version_info.minor >= 9: + melted_list.add_column( + "uid", + lambda row: hashlib.md5( + str.encode("".join([str(x) for x in row])), usedforsecurity=False + ).hexdigest(), + ) + elif sys.version_info.minor < 9: + melted_list.add_column( + "uid", + lambda row: hashlib.md5(str.encode("".join([str(x) for x in row]))).hexdigest(), # nosec B324 + ) melted_list.move_column("uid", 0) output = melted_list diff --git a/parsons/scytl/scytl.py b/parsons/scytl/scytl.py index 0df28ba079..cbd8f1dd4c 100644 --- a/parsons/scytl/scytl.py +++ b/parsons/scytl/scytl.py @@ -1,7 +1,7 @@ import zipfile import csv import requests -import xml.etree.ElementTree as ET +import defusedxml.ElementTree as ET import typing as t from datetime import datetime from dateutil.parser import parse as parsedate diff --git a/parsons/targetsmart/targetsmart_automation.py b/parsons/targetsmart/targetsmart_automation.py index b23273cd97..2673c29c96 100644 --- a/parsons/targetsmart/targetsmart_automation.py +++ b/parsons/targetsmart/targetsmart_automation.py @@ -25,12 +25,12 @@ from parsons.etl.table import Table from parsons.utilities.files import create_temp_file from parsons.utilities import check_env -import xml.etree.ElementTree as ET import uuid import time import logging -import xmltodict +import defusedxml.ElementTree as ET +import xmltodict TS_STFP_HOST = "transfer.targetsmart.com" TS_SFTP_PORT = 22 diff --git a/pyproject.toml b/pyproject.toml index feca19eff1..e51bdeb3ed 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,5 +1,10 @@ [tool.ruff] # Exclude a variety of commonly ignored directories. +include = [ + "parsons/**/*.py", + "test/**/*.py", + "useful_resources/**/*.py" +] exclude = [ ".bzr", ".direnv", @@ -83,4 +88,17 @@ testpaths = [ filterwarnings = [ # Warnings triggered by libraries we use (not our own code) "ignore:invalid escape sequence:DeprecationWarning" +] + +[tool.bandit] +exclude_dirs = [ + ".venv/" +] + +[tool.isort] +profile = "hug" +src_paths = [ + "parsons/", + "test/", + "useful_resources/" ] \ No newline at end of file diff --git a/requirements-dev.txt b/requirements-dev.txt index 5702ed94dc..20a822bfc6 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,8 +1,10 @@ # Testing Requirements -pycodestyle==2.11.1 +bandit[toml]==1.7.10 +coverage==7.6.1 +pycodestyle==2.12.1 pytest-datadir==1.5.0 -pytest-mock==3.12.0 -pytest==8.1.1 -requests-mock==1.11.0 -ruff==0.5.5 -testfixtures==8.1.0 \ No newline at end of file +pytest-mock==3.14.0 +pytest==8.3.3 +requests-mock==1.12.1 +ruff==0.6.9 +testfixtures==8.3.0 \ No newline at end of file diff --git a/requirements.txt b/requirements.txt index bafa063f1d..5b749fb8f6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -9,6 +9,7 @@ civis==1.16.1 curlify==2.2.1 dbt_redshift==1.4.0 docutils<0.18,>=0.14 +defusedxml>=0.7.1, <=0.8.0 facebook-business==13.0.0 google-api-core==2.19.2 google-api-python-client==1.7.7 @@ -35,7 +36,7 @@ setuptools==70.0.0 simple-salesforce==1.11.6 simplejson==3.16.0 slackclient==1.3.0 -sqlalchemy >= 1.4.22, != 1.4.33, < 2.0.0 # Prefect does not work with 1.4.33 and >3.0.0 has breaking changes +sqlalchemy >= 1.4.22, != 1.4.33, < 2.0.0 # Prefect does not work with 1.4.33 and >=2.0.0 has breaking changes suds-py3==1.4.4.1 surveygizmo==1.2.3 twilio==8.2.1 diff --git a/setup.py b/setup.py index be049f9518..706b360a7f 100644 --- a/setup.py +++ b/setup.py @@ -58,10 +58,11 @@ def main(): ], "s3": ["boto3"], "salesforce": ["simple-salesforce"], + "scytl": ["defusedxml", "pytz"], "sftp": ["paramiko"], "slack": ["slackclient<2"], "smtp": ["validate-email"], - "targetsmart": ["xmltodict"], + "targetsmart": ["xmltodict", "defusedxml"], "twilio": ["twilio"], "ssh": [ "sshtunnel",