Merge pull request #186 from razorpay/semgrep_integration

semgrep integration
razorpay · Mar 7, 2022 · 0352f2d · 0352f2d
2 parents 104718b + 12b73b7
commit 0352f2d
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 7 deletions.
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -13,8 +13,7 @@ on:
 
 jobs:
   deploy:
-
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest # nosemgrep : semgrep.dev/s/swati31196:github_provided_runner
     strategy:
       max-parallel: 4
       matrix:
@@ -30,4 +29,4 @@ jobs:
         pip install responses
         python3 setup.py install
     - name: Run Tests
-      run: python3 -m unittest
+      run: python3 -m unittest
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,51 @@
+name: SecurityChecks
+on:
+  pull_request: {}
+  push:
+    branches: ["master"]
+  schedule:
+    - cron: '30 20 * * *'
+jobs:
+  semgrep:
+    name: Scan
+    runs-on: [ubuntu-latest]                               # nosemgrep : semgrep.dev/s/swati31196:github_provided_runner
+    steps:
+      - uses: actions/checkout@v2
+      - uses: returntocorp/semgrep-action@v1
+        with:
+          publishToken: ${{ secrets.SEMGREP_APP_TOKEN }}
+          publishDeployment: 339
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  workflow_status:
+    runs-on: [ ubuntu-latest ]                               # nosemgrep : semgrep.dev/s/swati31196:github_provided_runner
+    name: Update Status Check
+    needs: [ semgrep ]
+    if: always()
+    env:
+      githubCommit: ${{ github.event.pull_request.head.sha }}
+    steps:
+      - name: Set github commit id
+        run: |
+          if [ "${{ github.event_name }}" = "push" ] || [ "${{ github.event_name }}" = "schedule" ]; then
+            echo "githubCommit=${{ github.sha }}" >> $GITHUB_ENV
+          fi
+          exit 0
+      - name: Failed
+        id: failed
+        if: (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) && github.ref != 'refs/heads/master'
+        run: |
+          echo 'Failing the workflow for github security status check.'
+          curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \
+          -d '{ "state" : "failure" , "context" : "github/security-status-check" , "description" : "github/security-status-check", "target_url" : "https://github.com/${{ github.repository }}" }' \
+          https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.githubCommit }}
+          exit 1
+      - name: Success
+        if: steps.failed.conclusion == 'skipped' || github.ref != 'refs/heads/master'
+        run: |
+          echo 'Status check has passed!'
+          curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \
+          -d '{ "state" : "success" , "context" : "github/security-status-check" , "description" : "github/security-status-check", "target_url" : "https://github.com/${{ github.repository }}" }' \
+          https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.githubCommit }}
+          exit 0
diff --git a/razorpay/client.py b/razorpay/client.py
@@ -83,7 +83,7 @@ def _update_user_agent_header(self, options):
 
     def _get_version(self):
         version = ""
-        try:
+        try: # nosemgrep : gitlab.bandit.B110
             version = pkg_resources.require("razorpay")[0].version
         except DistributionNotFound:  # pragma: no cover
             pass
@@ -137,7 +137,7 @@ def request(self, method, path, **options):
                 raise BadRequestError(msg)
             elif str.upper(code) == ERROR_CODE.GATEWAY_ERROR:
                 raise GatewayError(msg)
-            elif str.upper(code) == ERROR_CODE.SERVER_ERROR:
+            elif str.upper(code) == ERROR_CODE.SERVER_ERROR: # nosemgrep : python.lang.maintainability.useless-ifelse.useless-if-body
                 raise ServerError(msg)
             else:
                 raise ServerError(msg)

diff --git a/razorpay/resources/payment.py b/razorpay/resources/payment.py
@@ -34,7 +34,7 @@ def fetch(self, payment_id, data={}, **kwargs):
         """
         return super(Payment, self).fetch(payment_id, data, **kwargs)
 
-    def capture(self, payment_id, amount, data={}, **kwargs):
+    def capture(self, payment_id, amount, data={}, **kwargs): # nosemgrep : python.lang.correctness.common-mistakes.default-mutable-dict.default-mutable-dict
         """"
         Capture Payment for given Id
 
@@ -49,7 +49,7 @@ def capture(self, payment_id, amount, data={}, **kwargs):
         data['amount'] = amount
         return self.post_url(url, data, **kwargs)
 
-    def refund(self, payment_id, amount, data={}, **kwargs):  # pragma: no cover
+    def refund(self, payment_id, amount, data={}, **kwargs):  # pragma: no cover # nosemgrep : python.lang.correctness.common-mistakes.default-mutable-dict.default-mutable-dict
         """"
         Refund Payment for given Id