Address review comments

freedomofpress · Sep 29, 2023 · 0206e6c · 0206e6c
1 parent 4ae8d1f
commit 0206e6c
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 63 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -1,32 +1,36 @@
 ---
 common-steps:
-  - &install_poetry_bullseye
+  - &install_poetry
     run:
-      name: Install Poetry on Debian Bullseye (PyPI package)
+      name: Install Poetry
       command: |
         set -e
-        apt update && apt install -y --no-install-recommends python3-pip
-        pip install poetry==1.6.1
-
-  - &install_poetry_bookworm
-    run:
-      name: Install Poetry on Debian Bookworm (system package)
-      command: |
-        apt update && apt install -y --no-install-recommends python3-poetry
+        source /etc/os-release
+        if [[ "$VERSION_CODENAME" == "bullseye" ]]; then
+            # Install Poetry via PyPI
+            apt-get update && apt-get install --yes --no-install-recommends python3-pip
+            pip install poetry==1.6.1
+        elif [[ "$VERSION_CODENAME" == "bookworm" ]]; then
+            # Install Poetry via system package
+            apt-get update && apt-get install --yes --no-install-recommends python3-poetry
+        else
+            echo "Unsupported Debian version: $VERSION_CODENAME"
+            exit 1
+        fi
 
   - &install_testing_dependencies
     run:
       name: Install testing dependencies
       command: |
-        apt install -y --no-install-recommends git gnupg make
+        apt-get install --yes --no-install-recommends git gnupg make
         poetry install --no-ansi
 
   - &install_build_dependencies
     run:
       name: Install build dependencies
       command: |
         set -e
-        apt update && apt install -y git make sudo
+        apt-get update && apt-get install --yes git make sudo
 
   - &run_unit_tests
     run:
@@ -45,12 +49,16 @@ common-steps:
     run:
       name: Run static analysis on source code to find security issues
       command: |
+        set -e
+        poetry update bandit
         make bandit
 
   - &check_python_dependencies_for_vulnerabilities
     run:
       name: Check Python dependencies for known vulnerabilities
       command: |
+        set -e
+        poetry update safety
         make safety
 
   - &install_packaging_dependencies
@@ -110,16 +118,7 @@ jobs:
     docker: *docker
     steps:
       - checkout
-      - when:
-          condition:
-            equal: [ bullseye, << parameters.image >> ]
-          steps:
-            - *install_poetry_bullseye
-      - when:
-          condition:
-            equal: [ bookworm, << parameters.image >> ]
-          steps:
-            - *install_poetry_bookworm
+      - *install_poetry
       - *install_testing_dependencies
       - *run_unit_tests
       - store_test_results:
@@ -130,16 +129,7 @@ jobs:
     docker: *docker
     steps:
       - checkout
-      - when:
-          condition:
-            equal: [ bullseye, << parameters.image >> ]
-          steps:
-            - *install_poetry_bullseye
-      - when:
-          condition:
-            equal: [ bookworm, << parameters.image >> ]
-          steps:
-            - *install_poetry_bookworm
+      - *install_poetry
       - *install_testing_dependencies
       - *run_lint
 
@@ -148,16 +138,7 @@ jobs:
     docker: *docker
     steps:
       - checkout
-      - when:
-          condition:
-            equal: [ bullseye, << parameters.image >> ]
-          steps:
-            - *install_poetry_bullseye
-      - when:
-          condition:
-            equal: [ bookworm, << parameters.image >> ]
-          steps:
-            - *install_poetry_bookworm
+      - *install_poetry
       - *install_testing_dependencies
       - *check_security
 
@@ -166,16 +147,7 @@ jobs:
     docker: *docker
     steps:
       - checkout
-      - when:
-          condition:
-            equal: [ bullseye, << parameters.image >> ]
-          steps:
-            - *install_poetry_bullseye
-      - when:
-          condition:
-            equal: [ bookworm, << parameters.image >> ]
-          steps:
-            - *install_poetry_bookworm
+      - *install_poetry
       - *install_testing_dependencies
       - *check_python_dependencies_for_vulnerabilities
 

diff --git a/Makefile b/Makefile
@@ -5,22 +5,13 @@ all: help
 
 .PHONY: bandit
 bandit: ## Run bandit with medium level excluding test-related folders
-	@echo "Installing latest version of Bandit in virtual environment…"
-	@poetry update bandit
 	@echo "Running bandit security checks…"
 	@poetry run bandit -ll --recursive securedrop_proxy
 
 .PHONY: safety
 safety: ## Runs `safety check` to check python dependencies for vulnerabilities
-	@echo "Installing latest version of safety in virtual environment…"
-	@poetry update safety
-	@echo "Running safety against requirements files in this repository…"
-	for req_file in `find . -type f -name '*requirements.txt'`; do \
-		echo "Checking file $$req_file" \
-		&& poetry run safety check --full-report -r $$req_file \
-		&& echo -e '\n' \
-		|| exit 1; \
-	done
+	@echo "Running safety against build requirements…"
+	@poetry run safety check --full-report -r build-requirements.txt
 
 .PHONY: lint
 lint: check-isort check-black mypy ## Run isort, black and flake8 and mypy