Handle deprecated libs, PD docs, bandit (#119)

- Replace imp with importlib
- Replace ibm_security_advisor_findings_api_sdk with ibm_cloud_security_advisor
- Add PagerDuty notifier clarifying doc content
- Add bandit to the pre-commit workflow

Author: alfinkel

.github/workflows/python-test.yml

@@ -1,4 +1,4 @@
-name: format | lint | test
+name: format | lint | security | test
 on: [push, pull_request]
 jobs:
   lint_unit_tests_coverage:
@@ -21,6 +21,9 @@ jobs:
     - name: Run linter
       run: |
         make code-lint
+    - name: Run security check
+      run: |
+        make code-security
     - name: Run unit tests with coverage
       run: |
         git config --global user.email "you@example.com"

.pre-commit-config.yaml

@@ -34,3 +34,10 @@ repos:
         ]
         files: "^(compliance|test)"
         stages: [commit]
+-   repo: https://github.com/PyCQA/bandit
+    rev: 1.7.0
+    hooks:
+    -   id: bandit
+        args: [--recursive]
+        files: "^(compliance|test)"
+        stages: [commit]

CHANGES.md

@@ -1,3 +1,11 @@
+# [1.19.0](https://github.com/ComplianceAsCode/auditree-framework/releases/tag/v1.19.0)
+
+- [ADDED] Pre-commit hook for running `bandit` as part of CI/CD was added.
+- [CHANGED] Replaced the deprecated `imp` library with `importlib`.
+- [CHANGED] Replaced the deprecated `ibm_security_advisor_findings_api_sdk` library with `ibm_cloud_security_advisor`.
+- [FIXED] Added clarifying PagerDuty notifier documentation content.
+- [FIXED] Addressed `bandit` (minor) security issue findings.
+
 # [1.18.0](https://github.com/ComplianceAsCode/auditree-framework/releases/tag/v1.18.0)
 
 - [CHANGED] Now using `pathlib` exclusively for operating system filepath and file functionality.

Makefile

@@ -34,6 +34,9 @@ code-format:
 code-lint:
 	pre-commit run flake8 --all-files
 
+code-security:
+	pre-commit run bandit --all-files
+
 test::
 	pytest --cov compliance test -v
 

README.md

@@ -1,7 +1,7 @@
 [![OS Compatibility][platform-badge]](#prerequisites)
 [![Python Compatibility][python-badge]][python]
 [![pre-commit][pre-commit-badge]][pre-commit]
-[![Code validation](https://github.com/ComplianceAsCode/auditree-framework/workflows/format%20%7C%20lint%20%7C%20test/badge.svg)][lint-test]
+[![Code validation](https://github.com/ComplianceAsCode/auditree-framework/workflows/format%20%7C%20lint%20%7C%20security%20%7C%20test/badge.svg)][lint-test]
 [![Upload Python Package](https://github.com/ComplianceAsCode/auditree-framework/workflows/PyPI%20upload/badge.svg)][pypi-upload]
 
 # auditree-framework

compliance/__init__.py

@@ -14,4 +14,4 @@
 # limitations under the License.
 """Compliance automation package."""
 
-__version__ = '1.18.0'
+__version__ = '1.19.0'

compliance/notify.py

@@ -28,9 +28,10 @@
 from compliance.utils.services.github import Github
 from compliance.utils.test import parse_test_id
 
+from ibm_cloud_sdk_core.api_exception import ApiException
 from ibm_cloud_sdk_core.authenticators import IAMAuthenticator
 
-from ibm_security_advisor_findings_api_sdk import ApiException, FindingsApiV1
+from ibm_cloud_security_advisor import FindingsApiV1
 
 import requests
 

compliance/utils/path.py

@@ -14,11 +14,12 @@
 # limitations under the License.
 """Compliance automation path formatting utilities module."""
 
-import imp
+import importlib
 import sys
 from pathlib import Path
 
 from compliance.config import get_config
+from compliance.utils.data_parse import get_sha256_hash
 
 FETCH_PREFIX = 'fetch_'
 CHECK_PREFIX = 'test_'
@@ -49,20 +50,22 @@ def load_evidences_modules(path):
     """
     Load all evidences modules found within the ``path`` directory structure.
 
-    This function prevents double loading.
-
     :param path: absolute path to a top level directory.
     """
-    subdirs = [p.parent for p in Path(path).rglob('evidences') if p.is_dir()]
-    for subdir in subdirs:
+    for ev_mod in [p for p in Path(path).rglob('evidences') if p.is_dir()]:
+        module_name = f'evidences.{get_sha256_hash(ev_mod.parts, size=10)}'
+        spec = None
         try:
-            mod_data = imp.find_module('evidences', [str(subdir)])
+            spec = importlib.util.spec_from_file_location(
+                module_name, str(Path(ev_mod, '__init__.py'))
+            )
         except ImportError:
             continue
-        module_name = f'{subdir.name}.evidences'
-        if module_name in sys.modules:
+        if spec is None or module_name in sys.modules:
             continue
-        imp.load_module(module_name, *mod_data)
+        module = importlib.util.module_from_spec(spec)
+        sys.modules[module_name] = module
+        spec.loader.exec_module(module)
 
 
 def substitute_config(path_tmpl):

compliance/utils/services/github.py

@@ -15,7 +15,7 @@
 """Compliance Github service helper."""
 
 import json
-import random
+import secrets
 from collections import OrderedDict
 from urllib.parse import parse_qs, urlparse
 
@@ -332,9 +332,9 @@ def creates_for_project(self, url, data, org=False):
     def rand_color(self):
         """Generate a random color for labels."""
         return (
-            f'{random.randint(0, 255):02X}'
-            f'{random.randint(0, 255):02X}'
-            f'{random.randint(0, 255):02X}'
+            f'{secrets.randbelow(255):02X}'
+            f'{secrets.randbelow(255):02X}'
+            f'{secrets.randbelow(255):02X}'
         )
 
     def create_label(self, repo, name, org=False):

doc-source/notifiers.rst

@@ -124,7 +124,7 @@ channel monitoring rotation management::
 
 
 This notifier also needs to know the credentials for sending message
-to your Slack organisation. Include the following in your credentials
+to your Slack organization. Include the following in your credentials
 file::
 
   [slack]
@@ -161,7 +161,7 @@ option when executing your compliance checks.
 
 Note that you have two options to configure the PagerDuty notifier:
 
-* Provide a list of checks by class path within an accreditation. This allows you 
+* Provide a list of checks by class path within an accreditation. This allows you
 to define which checks within the accreditation will trigger PageDuty notifications::
 
   {
@@ -181,13 +181,22 @@ accreditations::
 
   {
     "pagerduty": {
-      "my.accred1": "SERVICE_ID" 
+      "my.accred1": "SERVICE_ID"
     }
   }
 
 Note that the ``service_id`` field is the service id from PagerDuty, e.g. ``PABC123``.
 The PagerDuty notifier loads the active incidents to determine if
 it needs to create a new incident or update an existing one by using the ``service_id``.
+To get your service ID, go to your service in the PagerDuty dashboard and the
+service ID will be the last path element (7 characters) of the URL.  For example
+for ``https://my-service/PABC123``, the service ID is ``PABC123``.
+
+This notifier also needs to know the credentials for sending message to PagerDuty.
+Include the following in your credentials file::
+
+  [pagerduty]
+  events_integration_key=XXX
 
 GitHub Issue
 ------------