diff --git a/.bandit.yaml b/.bandit.yaml
new file mode 100644
index 0000000..676d75b
--- /dev/null
+++ b/.bandit.yaml
@@ -0,0 +1,15 @@
+---
+# Bandit config file.
+# BEWARE: Bandit does not use any configuration file by default
+# so you need to specify it using -c.
+# If you have lines in your code triggering vulnerability errors
+# and you are certain that this is acceptable, they can be individually
+# silenced by appending # nosec to the line:
+exclude_dirs:
+ - .tox
+ - .git
+ - .mypy_cache
+ - .pytest_cache
+ - .github
+ - venv
+ - tests
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..d92fc5a
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,32 @@
+# Run the SuperLinter action with some custom setup.
+
+name: Lint
+
+on:
+ push:
+ branches: ["2.x"]
+ pull_request:
+ branches: ["2.x"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+jobs:
+ build:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - uses: actions/checkout@v2
+
+ - name: Super-Linter
+ uses: github/super-linter@v3.15.5
+ env:
+ VALIDATE_MARKDOWN: false
+ # Disabled for conflicts with the isort version used in pre-commit
+ # you can re-enable it if you align your local isort with
+ # the one in the super-linter image.
+ VALIDATE_PYTHON_ISORT: false
+ VALIDATE_XML: false
+ VALIDATE_NATURAL_LANGUAGE: false
diff --git a/.github/workflows/security-bandit.yml b/.github/workflows/security-bandit.yml
new file mode 100644
index 0000000..a4d39d9
--- /dev/null
+++ b/.github/workflows/security-bandit.yml
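Review bot: The `# nosec` guidance in the header comment recommends a bare marker, which suppresses every Bandit test on that line and can later hide a second, unrelated finding on the same statement; the sentence also ends in a colon with no example after it. Bandit 1.7.x (the version pinned in .pre-commit-config.yaml) accepts test IDs on the marker, so I would finish the paragraph with an example such as `#   subprocess.run(cmd, shell=True)  # nosec B602` and recommend the ID form — confirm against the pinned release. Separately, `exclude_dirs` lists `venv` but not `.venv`; a contributor using the dotted name gets the whole virtualenv scanned, which is only noise but will bury real findings in the report.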
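Review bot: lint.yml declares no `permissions:` block, so the `GITHUB_TOKEN` available to Super-Linter gets the repository's default scope, which on repositories created before the read-only default may be read/write for contents, packages and pull requests; a lint job only needs to read the checkout. Add, at workflow level after `name: Lint`, `permissions:` / `  contents: read`. Both `actions/checkout@v2` and `github/super-linter@v3.15.5` are referenced by movable tags; pinning each to its full commit SHA (keeping the tag in a trailing comment) removes the tag-retargeting risk, and the `checkout@v2` line in particular runs on a runtime GitHub has since deprecated, so it is worth bumping when the SHA pin is added.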
@@ -0,0 +1,30 @@
+# This is a basic workflow to help you get started with Actions
+
+name: "security-bandit"
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the master branch
+on:
+ push:
+ branches: [ "2.x" ]
+ pull_request:
+ branches: [ "2.x" ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "build"
+ build:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - uses: actions/checkout@v2
+
+ # Runs a single command using the runners shell
+ - name: Python security check using Bandit
+ uses: ioggstream/bandit-report-artifacts@v0.0.2
+ with:
+ project_path: .
+ config_file: .bandit.yaml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..f0d47d9
--- /dev/null
+++ b/.github/workflows/test.yml
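Review bot: `ioggstream/bandit-report-artifacts@v0.0.2` is a third-party action from a personal namespace referenced by a mutable tag, and because no `permissions:` block is declared it runs with the job's default `GITHUB_TOKEN`; a scanner that only reads the tree and uploads a report needs neither, so pin it to its full commit SHA and add `permissions:` / `  contents: read` at the top of the workflow. The header comment says the workflow runs "only for the master branch" while both triggers list `"2.x"`; change it to `# events but only for the 2.x branch`. Whether a Bandit finding fails the job or is merely stored in the artifact is not visible from here — if this is meant to be a merge gate, check how the action maps Bandit's exit status to the step result.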
@@ -0,0 +1,48 @@
+# This workflow template runs:
+# - a tox container with tests
+# - a service container (eg. a database) to be used by tox tests.
+
+name: Test
+
+on:
+ push:
+ branches: [ 2.x ]
+ pull_request:
+ branches: [ 2.x ]
+
+ workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+
+ test-tox-job:
+ runs-on: ubuntu-latest
+ container: python:3.9-slim
+
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ # IMPORTANT!! By default `actions/checkout` just checkouts HEAD, so if you want
+ # to checkout tags and branches too (eg. to auto-version your deployments)
+ # you need to pass the `fetch-depth: 0` option. eg
+ #
+ # uses: actions/checkout@v2
+ # with:
+ # fetch-depth: 0
+ - uses: actions/checkout@v2
+
+ - name: Run tests.
+ run: |
+ pip3 install tox
+ tox
+ test-pre-commit:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+ container: python:3.9
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Run commit hooks.
+ run: |
+ pip3 --no-cache-dir install pre-commit
+ git --version
+ pre-commit run -a
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..4edd792
--- /dev/null
+++ b/.pre-commit-config.yaml
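Review bot: `pip3 install tox` and `pip3 --no-cache-dir install pre-commit` install whatever is newest at run time, so a new major of either tool can break or silently change the CI run independently of the commit under test; pin them (e.g. `pip3 install "tox<4"` and an exact `pre-commit==…`) or list them in `requirements.dev.txt`, which the tox env already installs. Because tox.ini sets `envlist = py3, safety`, the bare `tox` in the first job also runs the `safety` env, so an advisory published overnight fails the *test* job for an unrelated PR — run `tox -e py3` here if the vulnerability gate is meant to live in the security workflow. No `permissions:` block is declared; `permissions:` / `  contents: read` is sufficient for both jobs, and `actions/checkout@v2` is the same movable tag as in the other workflows. The header comment promises "a service container (eg. a database)" that the job does not define; drop that line or it will mislead the next editor.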
@@ -0,0 +1,64 @@
+#
+# Run pre-commit hooks. You can run them without installing
+# the hook with
+#
+# $ pre-commit run --all-files
+#
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v3.2.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-xml
+ - id: detect-private-key
+ - id: check-yaml
+ args: [--allow-multiple-documents]
+ - id: check-added-large-files
+- repo: https://github.com/myint/autoflake
+ rev: b330072a26bb13aea8843f8083cee5332d71f78f
+ hooks:
+ - id: autoflake
+ args:
+ - --in-place
+ - --remove-unused-variables
+ - --remove-all-unused-imports
+- repo: https://github.com/psf/black
+ rev: 22.3.0
+ hooks:
+ - id: black
+- repo: https://github.com/pycqa/isort
+ rev: 5.8.0
+ hooks:
+ - id: isort
+ name: isort (python)
+ # Use black profile for isort to avoid conflicts
+ # see https://github.com/PyCQA/isort/issues/1518
+ args: ["--profile", "black"]
+ - id: isort
+ name: isort (cython)
+ types: [cython]
+ - id: isort
+ name: isort (pyi)
+ types: [pyi]
+- repo: https://gitlab.com/pycqa/flake8
+ rev: 3.9.0
+ hooks:
+ - id: flake8
+- repo: https://github.com/PyCQA/bandit
+ rev: 1.7.0
+ hooks:
+ - id: bandit
+ name: bandit
+ args: ["-c", ".bandit.yaml"]
+ description: 'Bandit is a tool for finding common security issues in Python code'
+ entry: bandit
+ language: python
+ language_version: python3
+ types: [python]
+- repo: https://github.com/Lucas-C/pre-commit-hooks-safety
+ rev: v1.2.1
+ hooks:
+ - id: python-safety-dependencies-check
diff --git a/pylode/cli.py b/pylode/cli.py
index d0c5eff..b8865fe 100644
--- a/pylode/cli.py
+++ b/pylode/cli.py
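Review bot: The `bandit` hook re-declares `entry`, `language`, `language_version`, `types` and `description`, all of which the upstream hook manifest at `rev: 1.7.0` already supplies; local keys override the manifest, so if a later `rev` changes its entry point or file filter the stale override silently wins. Keep only `- id: bandit` / `  args: ["-c", ".bandit.yaml"]` and let the pinned revision be authoritative. pre-commit hands Bandit the staged file names explicitly, so `exclude_dirs` from `.bandit.yaml` only takes effect if Bandit also filters explicit paths — worth verifying with a file under `tests/`, otherwise the hook and the CI scan will disagree on what is in scope. `python-safety-dependencies-check` needs network access to the advisory database, so commits made offline fail that hook; `SKIP=python-safety-dependencies-check` is the documented escape hatch and deserves a line in the header comment.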
@@ -160,7 +160,7 @@ def main(args=None):
 # args are present so getting RDF from input file or uri into an rdflib Graph
 if args.inputfile:
- logger.log(logging.DEBUG, f"args.inputfile: {args.inputfile.name}")
+ logger.log(logging.DEBUG, f"args.inputfile: {args.inputfile}")
 h = MakeDocco(
 input_data_file=args.inputfile,
 outputformat=args.outputformat,
@@ -171,7 +171,7 @@ def main(args=None):
 get_curies_online=get_curies_online,
 )
 elif args.url:
- logger.log(logging.DEBUG, f"args.url: {args.url.name}")
+ logger.log(logging.DEBUG, f"args.url: {args.url}")
 h = MakeDocco(
 input_uri=args.url,
 outputformat=args.outputformat,
diff --git a/requirements.txt b/requirements.txt
index 7468b83..4a67af2 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
-jinja2
-markdown
-rdflib>=6.1.1,<7.0.0
-requests
+Jinja2>=3.1.2
+Markdown>=3.4.1
+rdflib>=6.2.0,<7.0.0
+requests>=2.28.1
diff --git a/tox.ini b/tox.ini
new file mode 100644
index 0000000..a03cb40
--- /dev/null
+++ b/tox.ini
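Review bot: Dropping `.name` fixes the AttributeError only if `args.inputfile` is a plain path string; if the parser (outside this hunk) declares it with `argparse.FileType`, it is an open file object and the new f-string logs its repr rather than the path that `.name` produced, so check what the parser actually yields before settling on this form. Either way the f-string is built even when DEBUG logging is off; the logging idiom is `logger.debug("args.inputfile: %s", args.inputfile)`, which also replaces the indirect `logger.log(logging.DEBUG, …)` call. `main` starts and ends outside the hunk.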
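Review bot: `args.url.name` could never have worked for a string URL, so this is a genuine fix, but it keeps the eager f-string pattern; `logger.debug("args.url: %s", args.url)` defers formatting until the record is actually emitted. The URL is then passed straight through as `input_uri=args.url`; any scheme or host restriction is `MakeDocco`'s responsibility and not visible here, which is fine for a CLI whose operator supplies the URL, but deserves a one-line comment if this path is ever reached from a service. `main` continues outside the hunk.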
@@ -0,0 +1,70 @@
+[tox]
+envlist = py3, safety
+skipsdist=True
+
+[testenv]
+deps =
+ -rrequirements.txt
+ -rrequirements.dev.txt
+
+# Uncomment here to set an extra PIP_INDEX_URL
+# setenv =
+# PIP_EXTRA_INDEX_URL = https://mypypiserver.org
+
+setenv =
+ PYTHONPATH=:.:
+
+# To show pytest logs in console, use
+# tox -- --log-cli-level=DEBUG
+commands =
+ pytest {posargs}
+
+[testenv:safety]
+deps =
+ -rrequirements.txt
+ -rrequirements.dev.txt
+ safety
+
+setenv =
+ PYTHONPATH=:.:
+
+commands =
+ safety check --short-report -r requirements.txt
+
+[flake8]
+# Ignore long lines in flake8 because
+# they are managed by black and we
+# want to support links.
+max-line-length = 150
+
+[testenv:release]
+# Release with tox via:
+#
+# tox -e release -- $PARAMETERS
+#
+# passing the repo references you would set via
+# twine, eg:
+# --repository-url https://test.pypi.org/legacy/
+#
+# To pass
+deps =
+ wheel
+ twine
+
+# Limit TWINE_* to this section.
+passenv =
+ TWINE_USERNAME
+ TWINE_PASSWORD
+ TWINE_REPOSITORY_URL
+
+commands =
+# rm dist -rf
+ python setup.py bdist_wheel # sdist, or whatever
+ twine upload {posargs} dist/*
+
+
+# Uncomment the following section if you want to
+# test the installation on the test pypi
+# [testenv:test-release]
+#commands =
+# pip install --index-url=https://test.pypi.org/simple
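Review bot: `safety check --short-report -r requirements.txt` gates nothing as written: requirements.txt now holds only lower bounds (`Jinja2>=3.1.2`, `requests>=2.28.1`, …) and, as far as I recall, safety only evaluates exact `==` pins from a requirements file and warns-and-skips the rest. Since `[testenv:safety]` already installs `-rrequirements.txt`, run `safety check --short-report` with no `-r` so it scans the versions actually resolved into the venv, or generate a fully pinned lock file and point `-r` at that. In `[testenv:release]` the commented-out `# rm dist -rf` means stale wheels in `dist/` are re-uploaded by `twine upload {posargs} dist/*`; tox runs commands without a shell, so clean up with a first command such as `python -c "import shutil; shutil.rmtree('dist', ignore_errors=True)"`. `python setup.py bdist_wheel` is the deprecated build path; `python -m build --wheel` (with `build` in `deps`) is the supported equivalent.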