static_code_analysis.txt
Run started:2026-03-23 16:26:39.586082+00:00
Test results:
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
Severity: Medium Confidence: Low
CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
More Info: https://bandit.readthedocs.io/en/1.9.2/plugins/b608_hardcoded_sql_expressions.html
Location: ./sdgym/_benchmark/benchmark.py:161:12
160 return textwrap.dedent(
161 f"""\
162 #!/bin/bash
163 set -e
164
165 LOG_FILE=/var/log/user-data.log
166 exec >> "$LOG_FILE" 2>&1
167
168 log() {{
169 echo "$@"
170 }}
171
172 {upload_logs_fn}
173 {terminate_fn}
174
175 # Always cleanup on exit
176 trap cleanup EXIT
177
178 log "======== Instance: {instance_name} =========="
179
180 log "======== Configure kernel OOM behavior =========="
181 sudo sysctl -w vm.panic_on_oom=1
182 sudo sysctl -w kernel.panic=0
183
184 log "======== Update and Install Dependencies =========="
185 sudo apt update -y
186 sudo apt install -y python3-pip python3-venv awscli git jq
187
188 log "======== Setting up swap ({swap_gb}G) =========="
189 sudo fallocate -l {swap_gb}G /swapfile || \
190 sudo dd if=/dev/zero of=/swapfile bs=1M count=$(({swap_gb}*1024))
191 sudo chmod 600 /swapfile
192 sudo mkswap /swapfile
193 sudo swapon /swapfile
194
195 log "======== Configure AWS CLI =========="
196 aws configure set aws_access_key_id '{aws_key}'
197 aws configure set aws_secret_access_key '{aws_secret}'
198 aws configure set default.region '{S3_REGION}'
199
200 log "======== Create Virtual Environment =========="
201 python3 -m venv ~/env
202 source ~/env/bin/activate
203
204 log "======== Install Dependencies =========="
205 pip install --upgrade pip
206 {sdv_install}
207 pip install "sdgym[all]"
208
209 {gpu_block}
210
211 log "======== Write Script =========="
212 cat << 'EOF' > ~/sdgym_script.py
213 {script_content}
214 EOF
215
216 log "======== Run Script =========="
217 python -u ~/sdgym_script.py | tee -a /var/log/sdgym.log
218
219 log "======== Complete =========="
220 """
221 ).strip()
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
More Info: https://bandit.readthedocs.io/en/1.9.2/plugins/b101_assert_used.html
Location: ./sdgym/benchmark.py:417:8
416 if isinstance(synthesizer, type):
417 assert issubclass(synthesizer, BaselineSynthesizer), (
418 '`synthesizer` must be a synthesizer class'
419 )
420 synthesizer = synthesizer()
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
More Info: https://bandit.readthedocs.io/en/1.9.2/plugins/b101_assert_used.html
Location: ./sdgym/benchmark.py:422:8
421 else:
422 assert issubclass(type(synthesizer), BaselineSynthesizer), (
423 '`synthesizer` must be an instance of a synthesizer class.'
424 )
425
--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
Severity: Medium Confidence: Low
CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
More Info: https://bandit.readthedocs.io/en/1.9.2/plugins/b608_hardcoded_sql_expressions.html
Location: ./sdgym/benchmark.py:1345:31
1344 def _get_user_data_script(access_key, secret_key, region_name, script_content):
1345 return textwrap.dedent(f"""\
1346 #!/bin/bash
1347 set -e
1348
1349 # Always terminate the instance when the script exits (success or failure)
1350 trap '
1351 INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id);
1352 echo "======== Terminating EC2 instance: $INSTANCE_ID ==========";
1353 aws ec2 terminate-instances --instance-ids $INSTANCE_ID;
1354 ' EXIT
1355
1356 exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1
1357 echo "======== Update and Install Dependencies ============"
1358 sudo apt update -y
1359 sudo apt install -y python3-pip python3-venv awscli
1360 echo "======== Configure AWS CLI ============"
1361 aws configure set aws_access_key_id '{access_key}'
1362 aws configure set aws_secret_access_key '{secret_key}'
1363 aws configure set default.region '{region_name}'
1364
1365 echo "======== Create Virtual Environment ============"
1366 python3 -m venv ~/env
1367 source ~/env/bin/activate
1368
1369 echo "======== Install Dependencies in venv ============"
1370 pip install --upgrade pip
1371 pip install sdgym[all]
1372 pip install s3fs
1373
1374 echo "======== Write Script ==========="
1375 cat << 'EOF' > ~/sdgym_script.py
1376 {script_content}
1377 EOF
1378
1379 echo "======== Run Script ==========="
1380 python ~/sdgym_script.py
1381 echo "======== Complete ==========="
1382 INSTANCE_ID=$(curl -s http://169.254.169.254/latest/meta-data/instance-id)
1383 aws ec2 terminate-instances --instance-ids $INSTANCE_ID
1384 """).strip()
1385
--------------------------------------------------
>> Issue: [B615:huggingface_unsafe_download] Unsafe Hugging Face Hub download without revision pinning in load_dataset()
Severity: Medium Confidence: High
CWE: CWE-494 (https://cwe.mitre.org/data/definitions/494.html)
More Info: https://bandit.readthedocs.io/en/1.9.2/plugins/b615_huggingface_unsafe_download.html
Location: ./sdgym/cli/utils.py:112:18
111 for dataset_path in datasets_path.iterdir():
112 dataset = load_dataset(dataset_path)
113 datasets.append({
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
More Info: https://bandit.readthedocs.io/en/1.9.2/plugins/b110_try_except_pass.html
Location: ./sdgym/result_writer.py:130:12
129
130 except Exception:
131 pass # If the file does not exist, we will create it
132
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'https://oauth2.googleapis.com/token'
Severity: Low Confidence: Medium
CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
More Info: https://bandit.readthedocs.io/en/1.9.2/plugins/b106_hardcoded_password_funcarg.html
Location: ./sdgym/run_benchmark/upload_benchmark_results.py:131:12
130 creds_dict = json.loads(os.environ['PYDRIVE_TOKEN'])
131 creds = OAuth2Credentials(
132 access_token=creds_dict['access_token'],
133 client_id=creds_dict.get('client_id'),
134 client_secret=creds_dict.get('client_secret'),
135 refresh_token=creds_dict.get('refresh_token'),
136 token_expiry=None,
137 token_uri='https://oauth2.googleapis.com/token',
138 user_agent=None,
139 )
140 gauth = GoogleAuth()
--------------------------------------------------
>> Issue: [B403:blacklist] Consider possible security implications associated with pickle module.
Severity: Low Confidence: High
CWE: CWE-502 (https://cwe.mitre.org/data/definitions/502.html)
More Info: https://bandit.readthedocs.io/en/1.9.2/blacklists/blacklist_imports.html#b403-import-pickle
Location: ./sdgym/s3.py:5:0
4 import logging
5 import pickle
6 from urllib.parse import urlparse
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
Severity: Low Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.9.2/blacklists/blacklist_imports.html#b404-import-subprocess
Location: ./sdgym/utils.py:5:0
4 import os
5 import subprocess
6 import sys
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Severity: Low Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.9.2/plugins/b603_subprocess_without_shell_equals_true.html
Location: ./sdgym/utils.py:145:17
144 command = ['nvidia-smi', '--query-gpu=utilization.gpu', '--format=csv,noheader,nounits']
145 output = subprocess.run(command, stdout=subprocess.PIPE)
146 return len(output.stdout.decode().split())
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Severity: Low Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.9.2/plugins/b603_subprocess_without_shell_equals_true.html
Location: ./sdgym/utils.py:161:17
160 command = ['nvidia-smi', '--query-gpu=utilization.gpu', '--format=csv,noheader,nounits']
161 output = subprocess.run(command, stdout=subprocess.PIPE)
162 loads = np.array(output.stdout.decode().split()).astype(float)
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'sdgym['
Severity: Low Confidence: Medium
CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
More Info: https://bandit.readthedocs.io/en/1.9.2/plugins/b105_hardcoded_password_string.html
Location: ./tasks.py:102:18
101 extra_dependencies = []
102 start_token = 'sdgym['
103 for dep in test_dependencies:
--------------------------------------------------
Code scanned:
Total lines of code: 6739
Total lines skipped (#nosec): 0
Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 9
Medium: 3
High: 0
Total issues (by confidence):
Undefined: 0
Low: 2
Medium: 2
High: 8
Files skipped (0):