Get Latest in main to v2m1m0

.github/workflows/ash.yml

@@ -0,0 +1,30 @@
+name: ASH
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  ash:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: [3.8]
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install
+        run: git clone https://github.com/aws-samples/automated-security-helper.git /tmp/ash
+      - name: ASH
+        run: /tmp/ash/ash --source-dir .
+      - name: Upload Artifact
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: ash-report
+          path: aggregated_results.txt

.github/workflows/bandit.yml

@@ -0,0 +1,32 @@
+name: Bandit
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+
+permissions:
+  contents: read
+
+jobs:
+  bandit:
+    strategy:
+      matrix:
+        python-version: [3.8]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install bandit
+      - name: Bandit
+        run: bandit -r -lll -ii .

.github/workflows/cdk-nag.yml

@@ -0,0 +1,48 @@
+name: CDK Nag
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+    - "deploy/**"
+    branches:
+    - main
+  pull_request:
+    paths:
+    - "deploy/**"
+    branches:
+    - main
+
+permissions:
+  contents: read
+
+jobs:
+  cdk-nag:
+    strategy:
+      matrix:
+        python-version: [3.8]
+    env:
+      CDK_DEFAULT_REGION: eu-west-1
+      CDK_DEFAULT_ACCOUNT: 111111111111
+      GITHUB_ACTIONS: true
+    runs-on: ubuntu-latest
+    steps:
+      - name: Git clone
+        uses: actions/checkout@v3
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+      - name: Install CDK 
+        run: |
+          npm install -g aws-cdk cdk-nag
+          cdk --version
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Upgrade Pip
+        run: python -m pip install --upgrade pip
+      - name: Install Requirements
+        run: python -m pip install -r deploy/requirements.txt
+      - name: CDK Synth
+        run: |
+          npx cdk synth

.github/workflows/eslint.yml

@@ -0,0 +1,37 @@
+name: Run eslint
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+    - release/*
+    - main-v2
+
+permissions:
+  contents: read
+
+jobs:
+  es-lint:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [16.x]
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache-dependency-path: |
+            ./frontend/package-lock.json
+            ./frontend/package.json
+      - run: npm install
+        working-directory: frontend
+      - run: npm run lint
+        working-directory: frontend

.github/workflows/minimal-security-check.yml → .github/workflows/lint.yml

@@ -1,19 +1,20 @@
-name: "Minimal Security checks"
+name: Run Lint
 
 on:
   workflow_dispatch:
   pull_request:
     branches:
-    - main
-    - release/*
-    - main-v2
+      - main
+      - release/*
+      - main-v2
 
 jobs:
-  build:
+  lint:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [ 3.8 ]
+        python-version: [3.8]
+
     steps:
       - uses: actions/checkout@v2
       - name: Set up Python ${{ matrix.python-version }}
@@ -24,5 +25,7 @@ jobs:
       - name: Install Requirements
         run: |
           python -m pip install --upgrade pip
-      - name: Security check
-        run: make check-security
+          python -m pip install isort
+          python -m pip install flake8
+      - name: Lint
+        run: python -m flake8 --exclude cdk.out,blueprints --ignore E402,E501,F841,W503,F405,F403,F401,E712,E203 backend/

.github/workflows/npm-audit.yml

@@ -0,0 +1,37 @@
+name: Run npm-audit
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+    - release/*
+    - main-v2
+
+permissions:
+  contents: read
+
+jobs:
+  npm-audit:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [16.x]
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache-dependency-path: |
+            ./frontend/package-lock.json
+            ./frontend/package.json
+      - run: npm ci
+        working-directory: frontend
+      - run: npm run audit
+        working-directory: frontend

.github/workflows/semgrep-schedule.yml

@@ -0,0 +1,35 @@
+name: Run Semgrep-full
+
+on:
+  workflow_dispatch:
+    branches:
+      - main
+  schedule:
+    - cron:  '0 1 * * 2'
+
+permissions:
+  contents: read
+
+jobs:
+  semgrep-full:
+    runs-on: ubuntu-latest
+
+    container:
+      # A Docker image with Semgrep installed. Do not change this.
+      image: returntocorp/semgrep
+
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - uses: actions/checkout@v3
+      - run: semgrep ci --verbose --metrics=off --sarif --output=semgrep.sarif
+        env:
+           # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
+           SEMGREP_RULES: p/default # more at semgrep.dev/explore
+
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: semgrep.sarif
+        if: always()

.github/workflows/semgrep.yml

@@ -0,0 +1,35 @@
+name: Run Semgrep
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+    - release/*
+    - main-v2
+
+permissions:
+  contents: read
+
+jobs:
+  semgrep:
+    runs-on: ubuntu-latest
+
+    container:
+      # A Docker image with Semgrep installed. Do not change this.
+      image: returntocorp/semgrep
+
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      # Fetch project source with GitHub Actions Checkout.
+      - uses: actions/checkout@v3
+      # Run the "semgrep ci" command on the command line of the docker image.
+      - run: semgrep scan --error --verbose --metrics=off
+        env:
+           # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
+           SEMGREP_RULES: p/default # more at semgrep.dev/explore

.semgrepignore

@@ -0,0 +1,32 @@
+# Items added to this file will be ignored by Semgrep.
+#
+# This file uses .gitignore syntax:
+#
+# To ignore a file anywhere it occurs in your project, enter a
+# glob pattern here. E.g. "*.min.js".
+#
+# To ignore a directory anywhere it occurs in your project, add
+# a trailing slash to the file name. E.g. "dist/".
+#
+# To ignore a file or directory only relative to the project root,
+# include a slash anywhere except the last character. E.g.
+# "/dist/", or "src/generated".
+#
+# Some parts of .gitignore syntax are not supported, and patterns
+# using this syntax will be dropped from the ignore list:
+# - Explicit "include syntax", e.g. "!kept/".
+# - Multi-character expansion syntax, e.g. "*.py[cod]"
+# To include ignore patterns from another file, start a line
+# with ':include', followed by the path of the file. E.g.
+# ":include path/to/other/ignore/file".
+# UPDATE: this will not be be needed in osemgrep which supports
+# all of the .gitignore syntax (!kept/, *.py[cod])
+#
+# To ignore a file with a literal ':' character, escape it with
+# a backslash, e.g. "\:foo".
+
+/backend/local_cdkapi_server.py
+/backend/local_graphql_server.py
+/backend/docker/dev/*
+/frontend/docker/dev/*
+.github/*

backend/dataall/base/aws/sts.py

@@ -128,7 +128,9 @@ def get_console_access_url(cls, boto3_session, region='eu-west-1', bucket=None):
         request_parameters += '&Session=' + urllib.parse.quote_plus(json_string_with_temp_credentials)
         request_url = 'https://signin.aws.amazon.com/federation' + request_parameters
 
-        r = urllib.request.urlopen(request_url).read()
+        r = urllib.request.urlopen(request_url).read()  # nosemgrep
+        # The request parameters and url does not include any upstream input from data.all users.
+        # there is no danger of malicious actors introducing values
 
         signin_token = json.loads(r)
         request_parameters = '?Action=login'
@@ -339,7 +341,9 @@ def generate_console_url(credentials, session_duration=None, region='eu-west-1',
         request_parameters += '&Session=' + quote_plus(json_string_with_temp_credentials)
         request_url = 'https://signin.aws.amazon.com/federation' + request_parameters
 
-        r = urlopen(request_url).read()
+        r = urlopen(request_url).read()  # nosemgrep
+        # The request parameters and url does not include any upstream input from data.all users.
+        # there is no danger of malicious actors introducing values
 
         signin_token = json.loads(r)
         request_parameters = '?Action=login'