@ericrallen ericrallen commented Sep 2, 2023

This PR introduces some tools to help verify that code might be safe to execute.

It adds a --scan flag that can be used to enable code scanning via semgrep and a --guarddog flag that can be used to enable scanning PyPI and npm packages with guarddog before installing them.

--scan has 3 possible values: auto (always scan code with semgrep before asking to execute), ask (ask the user if they want to scan a code snippet before asking to execute), and off (don't ask to scan code).

Both the --scan and --guarddog options are disabled by default and are entirely opt-in.

This is a super interesting project, and while I know this won't make it 100% safe to execute Open Interpreter code, I hope it can start to provide some extra assurance and help mitigate some common threats.

Once datadog/guarddog #249 is resolved we can make some slight adjustments and include guarddog in the pyproject.toml dependencies, but for now the version of semgrep that it is pinned at has issues with scanning individual files like this with the automatic configuration based on returntocorp/semgrep-rules #2894

Just as a note, I was actually impressed that while testing some vulnerable files that should trigger semgrep's rules Open Interpreter tried to save me from myself:

> I'm sorry, but executing this code is not safe. The code contains potentially harmful operations, such as reading the /etc/passwd file, which contains sensitive system information. It's important to only execute code when you're sure it's safe and understand what it does.
>
> If you need to test this code, I recommend doing so in a controlled environment, such as a virtual machine or a container, where it can't cause harm to your actual system.

I had to let it know that I was working on a code scanning implementation for Open Interpreter and needed it to try to execute this kind of code for testing purposes.
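
Added example, not code from this PR or from Open Interpreter: one way the three `--scan` modes described above could gate a snippet before the run prompt, using semgrep's automatic configuration and JSON output. The names `scan_gate`, `run_semgrep`, `parse_findings` and `SAMPLE_REPORT` are hypothetical, and the sample report is constructed.

```python
import json
import os
import subprocess
import tempfile

# Constructed sample of semgrep's --json output (not taken from the PR).
SAMPLE_REPORT = json.dumps({"results": [{
    "check_id": "constructed.example.rule", "path": "snippet.py",
    "start": {"line": 2},
    "extra": {"severity": "WARNING", "message": "constructed finding"}}]})

def run_semgrep(path):
    """Scan one file with semgrep's automatic rule selection; return raw JSON text."""
    try:
        proc = subprocess.run(
            ["semgrep", "scan", "--config", "auto", "--json", path],
            capture_output=True, text=True, check=False)
    except OSError:  # semgrep is not installed or not executable
        return ""
    return proc.stdout

def parse_findings(report_text):
    """Return (check_id, line, severity, message) tuples; ValueError if unreadable."""
    report = json.loads(report_text)  # JSONDecodeError is a ValueError subclass
    if not isinstance(report, dict) or "results" not in report:
        raise ValueError("no results array in scanner output")
    return [(r["check_id"], r["start"]["line"],
             r["extra"].get("severity", ""), r["extra"].get("message", ""))
            for r in report["results"]]

def scan_gate(code, suffix, mode, confirm, scanner=run_semgrep):
    """Apply the scan mode; return (status, findings).

    status is one of: skipped, clean, findings, error.
    """
    if mode not in ("auto", "ask", "off"):
        raise ValueError("mode must be auto, ask or off")
    if mode == "off" or (mode == "ask" and not confirm("Scan this code first? (y/n) ")):
        return "skipped", []
    fd, path = tempfile.mkstemp(suffix=suffix)  # semgrep picks rules by file type
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(code)
        findings = parse_findings(scanner(path))
    except (ValueError, KeyError):
        return "error", []  # a failed scan is reported, never treated as clean
    finally:
        os.unlink(path)
    return ("findings" if findings else "clean"), findings
```

The `error` status is kept separate from `clean` so that a missing scanner or unreadable report is shown to the user instead of passing silently.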

@ericrallen ericrallen force-pushed the feature/code-scanning branch from f4285d1 to b116c3b Compare September 2, 2023 03:28
@ericrallen

Here are some screenshots of these flags in action:

--scan: [screenshot]

--guarddog: [screenshot]

@ericrallen ericrallen force-pushed the feature/code-scanning branch 3 times, most recently from 794ae28 to 90be3bc Compare September 2, 2023 13:30
@ericrallen

Sorry I haven’t rebased and resolved the conflict yet. Once I’m back from vacation and have access to my laptop again, I’ll get it fixed up.

@ericrallen ericrallen force-pushed the feature/code-scanning branch 2 times, most recently from e321e7f to abc7688 Compare September 19, 2023 16:06
@ericrallen

@KillianLucas I've resolved the conflicts and rebased to make sure the latest updates are all picked up.

@ericrallen ericrallen force-pushed the feature/code-scanning branch from abc7688 to da659fa Compare September 19, 2023 16:11
@ericrallen ericrallen changed the title feat: add semgrep code scanning and guarddog for package isntallations feat: add semgrep code scanning and guarddog for package installations Sep 19, 2023
ericrallen added a commit to InterwebAlchemy/open-interpreter that referenced this pull request Sep 23, 2023
This reintroduces the --scan functionality from openinterpreter#24.

--scan has 3 possible values auto, ask, and off

Code scanning is opt-in.
@ericrallen

Closing this in favor of #484 which adds semgrep via --scan and another PR to follow that will add guarddog functionality.

@ericrallen ericrallen closed this Sep 23, 2023
ericrallen added a commit to InterwebAlchemy/open-interpreter that referenced this pull request Sep 24, 2023
This reintroduces the --scan functionality from openinterpreter#24.

--scan has 3 possible values auto, ask, and off

Code scanning is opt-in.
ericrallen added a commit to InterwebAlchemy/open-interpreter that referenced this pull request Sep 27, 2023
This reintroduces the --scan functionality from openinterpreter#24.

--scan has 3 possible values auto, ask, and off

Code scanning is opt-in.
ericrallen added a commit to InterwebAlchemy/open-interpreter that referenced this pull request Sep 28, 2023
This reintroduces the --safe functionality from openinterpreter#24.

--safe has 3 possible values auto, ask, and off

Code scanning is opt-in.
unaidedelf8777 added a commit to unaidedelf8777/open-interpreter that referenced this pull request Sep 29, 2023
…he base interpreter class or anything in the core folder was needed.

Update README from base/main

merge rebased branch to main. (#2)

* fix: stop overwriting boolean config values

Without the default set to None, any boolean CLI flag that isn't passed reverts to its default state even if it is configured in the config.yaml file.

* The Generator Update (English docs)

* Improved --conversations, --config

---------

quality of life and error messages

errors and stuff again

re-add readline method because doc formatting removed it somehow

fix readline method of wrapper

added file upload and download functionality

finalized upload and download commands. tested stuff

visual

Improved --conversations, --config

The Generator Update (English docs)

fix: stop overwriting boolean config values

Without the default set to None, any boolean CLI flag that isn't passed reverts to its default state even if it is configured in the config.yaml file.

Update WINDOWS.md

Warns the user to re-launch cmd windows after installing llama locally

Fix ARM64 llama-cpp-python Install on Apple Silicon

This commit updates the `MACOS.md` documentation to include detailed steps for correctly installing `llama-cpp-python` with ARM64 architecture support on Apple Silicon-based macOS systems. The update provides:

- A prerequisite check for Xcode Command Line Tools.
- Step-by-step installation instructions for `llama-cpp-python` with ARM64 and Metal support.
- A verification step to confirm the correct installation of `llama-cpp-python` for ARM64 architecture.
- An additional step for installing server components for `llama-cpp-python`.

This commit resolves the issue described in `ARM64 Installation Issue with llama-cpp-python on Apple Silicon Macs for interpreter --local openinterpreter#503`.

Broken empty message response

fix crash on unknown command on call to display help message

removed unnecessary spaces

Update get_relevant_procedures.py

Fixed a typo in the instructions to the model

The Generator Update

The Generator Update

The Generator Update - Azure fix

The Generator Update - Azure function calling

The Generator Update - Azure fix

Better debugging

Better debugging

Proper TokenTrimming for new models

Generator Update Fixes (Updated Version)

Generator Update Quick Fixes

Added example JARVIS Colab Notebook

Added example JARVIS Colab Notebook

Skip wrap_in_trap on Windows

fix: allow args to have choices and defaults

This allows non-boolean args to define possible options and default values, which were ignored previously.

feat: add semgrep code scanning via --safe flag

This reintroduces the --safe functionality from openinterpreter#24.

--safe has 3 possible values auto, ask, and off

Code scanning is opt-in.

fix: default to 'off' for scan_code attribute

fix: toggle code_scan based on auto_run setting; update --scan docs

revert: undo default and choices change to cli.py

This is being removed from this PR in favor of a standalone fix in openinterpreter#511

feat: cleanup code scanning and convert to safe mode

docs: fix naming of safe_mode flag in README

fix: pass debug_mode flag into file cleanup for code scan

fix: remove extra tempfile import from scan_code util

Fixed first message interruption error

Holding `--safe` docs for pip release

fix: stop overwriting safe_mode config.yaml setting with default in args

Fixed `%load` magic command

But I think we should deprecate it in favor of `--conversations`.

Generalized API key error message

Better model validation, better config debugging

Better config debugging

Better config debugging

Better config debugging

Better --config

Cleaned up initial message

Generator Update Quick Fixes II

Force then squashing (#3)
joshuavial pushed a commit to joshuavial/open-interpreter that referenced this pull request Nov 16, 2023
This reintroduces the --safe functionality from openinterpreter#24.

--safe has 3 possible values auto, ask, and off

Code scanning is opt-in.

