diff --git a/.github/workflows/ci_cd.yml b/.github/workflows/ci_cd.yml
index a459a6c6f..a8f44dbc8 100644
--- a/.github/workflows/ci_cd.yml
+++ b/.github/workflows/ci_cd.yml
@@ -140,9 +140,20 @@ jobs:
 operating-system: ${{ matrix.os }}
 python-version: ${{ matrix.python-version }}
+ check-vulnerabilities:
+ name: "Check library vulnerabilities"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: ansys/actions/check-vulnerabilities@v10
+ with:
+ python-version: ${{ env.MAIN_PYTHON_VERSION }}
+ token: ${{ secrets.PYANSYS_CI_BOT_TOKEN }}
+ python-package-name: 'ansys-hps-client'
+ dev-mode: ${{ github.ref != 'refs/heads/main' }}
+
 package:
 name: Package library
- needs: [tests, docs, smoke-tests]
+ needs: [tests, docs, smoke-tests, check-vulnerabilities]
 runs-on: ubuntu-latest
 steps:
 - name: Build library source and wheel artifacts
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..2752e13de
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,16 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+> [!CAUTION]
+> Do not use GitHub issues to report any security vulnerabilities.
+
+If you detect a vulnerability, contact the [PyAnsys Core team](mailto:pyansys.core@ansys.com),
+mentioning the repository and the details of your finding. The team will address it as soon as possible.
+
+Provide the PyAnsys Core team with this information:
+
+- Any specific configuration settings needed to reproduce the problem
+- Step-by-step guidance to reproduce the problem
+- The exact location of the problematic source code, including tag, branch, commit, or a direct URL
+- The potential consequences of the vulnerability, along with a description of how an attacker could take advantage of the issue
\ No newline at end of file
diff --git a/src/ansys/hps/client/common/base_resource.py b/src/ansys/hps/client/common/base_resource.py
index 32f3db209..4765ded0a 100644
--- a/src/ansys/hps/client/common/base_resource.py
+++ b/src/ansys/hps/client/common/base_resource.py
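Review bot: The new check-vulnerabilities job references `ansys/actions/check-vulnerabilities@v10`, a mutable major-version tag, so the action code that receives `secrets.PYANSYS_CI_BOT_TOKEN` can change without any review in this repository; pinning to a full commit SHA with the tag kept as a trailing comment (`- uses: ansys/actions/check-vulnerabilities@<commit-sha>  # v10`) preserves behaviour and makes action updates visible in diffs. The `dev-mode: ${{ github.ref != 'refs/heads/main' }}` input presumably relaxes the check off main, but nothing in the hunk says what that means for the `package` job that now `needs` it; a one-line comment above the job stating what dev-mode changes (warn vs. fail) would help the next maintainer. The job also declares no `permissions:` block, so if the workflow has no top-level `permissions` (outside this hunk) it runs with the default GITHUB_TOKEN scope in addition to the bot token — worth confirming.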
@@ -99,7 +99,9 @@ def __str__(self):
 try:
 value = field_obj.serialize(attr_name, self, accessor=schema.get_attribute)
 except Exception:
- pass
+ # if the field cannot be serialized, we skip it and leave it marked as missing
+ pass # nosec B110
+
 if value is missing:
 continue
 key = field_obj.data_key if field_obj.data_key is not None else attr_name
diff --git a/src/ansys/hps/client/common/restricted_value.py b/src/ansys/hps/client/common/restricted_value.py
index fe7755e03..e66746327 100644
--- a/src/ansys/hps/client/common/restricted_value.py
+++ b/src/ansys/hps/client/common/restricted_value.py
@@ -41,11 +41,13 @@ def __init__(self):
 def _deserialize(self, value, attr, obj, **kwargs):
 """Convert string to restricted value object."""
+ # try each restricted field type until one succeeds
+ # if none succeed, raise a validation error
 for field in self.restricted_fields:
 try:
 return field._deserialize(value, attr, obj, **kwargs)
 except Exception:
- pass
+ pass # nosec B110
 self.raise_validation_error()
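Review bot: The new comment claims the unserializable field is "left marked as missing", but the except branch still only executes `pass`, so `value` keeps whatever it held before the `try` — unless `value` is reset to `missing` right before the `try` (that line is outside the hunk), a field whose `serialize` raises would be printed under the previous attribute's stale value instead of being skipped. Replacing `pass` with `value = missing` makes the comment true regardless of the surrounding code and removes the B110 finding without needing the `# nosec` marker. The enclosing `__str__` begins before the hunk. The same `except Exception: pass  # nosec B110` is added in restricted_value.py's `_deserialize`; there the swallow is the intended try-each-field loop, but it also hides programming errors inside a field's `_deserialize`, so narrowing it to the error type those fields raise on a failed conversion (or at least logging at debug level before `pass`, if the module has a logger) would keep the loop's intent without masking bugs.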