
Commit 2c18d74

committed
Derive quarantine scanner pins from package metadata
1 parent e6f2ef9 commit 2c18d74

3 files changed

Lines changed: 24 additions & 15 deletions


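--- a/services/quarantine/Containerfile
+++ b/services/quarantine/Containerfile
@@ -1,9 +1,9 @@
 ARG ALLOW_MISSING_QUARANTINE_SCANNERS=false
 ARG ENABLE_GARAK_SCANNER=false
-ARG MODELSCAN_PACKAGE=modelscan==0.8.8
-ARG FICKLING_PACKAGE=fickling==0.1.10
-ARG MODELAUDIT_PACKAGE=modelaudit==0.2.40
-ARG GARAK_PACKAGE=garak==0.14.1
+ARG MODELSCAN_PACKAGE=
+ARG FICKLING_PACKAGE=
+ARG MODELAUDIT_PACKAGE=
+ARG GARAK_PACKAGE=
 
 FROM ghcr.io/ggml-org/llama.cpp:server@sha256:8d528edc02fd8332bed793a80c7bea0a5a38874409e80c1bb314d84b2abfd10b AS llama_server
 
@@ -44,6 +44,9 @@ RUN set -eu; \
 garak) scanner_package="$GARAK_PACKAGE" ;; \
 *) echo "ERROR: unknown quarantine scanner: $scanner"; exit 1 ;; \
 esac; \
+if [ -z "$scanner_package" ]; then \
+scanner_package="$(python -c 'import sys, tomllib; name = sys.argv[1]; data = tomllib.load(open("pyproject.toml", "rb")); group = "garak" if name == "garak" else "scan"; deps = data["project"]["optional-dependencies"][group]; matches = [dep for dep in deps if "==" in dep and dep.split("==", 1)[0] == name]; sys.exit(f"missing pinned scanner dependency: {name}") if len(matches) != 1 else print(matches[0])' "$scanner")"; \
+fi; \
 python -m venv "$venv" || { missing=$((missing + 1)); continue; }; \
 "$venv/bin/python" -m pip install --no-cache-dir --upgrade pip==26.0.1 setuptools==82.0.1 wheel==0.46.2 && \
 "$venv/bin/python" -m pip install --no-cache-dir "$scanner_package" && \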
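Review bot: The `==` pin check in the added `python -c` fallback only runs when the build arg is empty; a non-empty `MODELSCAN_PACKAGE`, `FICKLING_PACKAGE`, `MODELAUDIT_PACKAGE` or `GARAK_PACKAGE` supplied with `--build-arg` still reaches `pip install --no-cache-dir "$scanner_package"` unchecked, so an override can install an unpinned scanner without any error. If overrides are meant to stay pinned, validate after the `fi; \` line so both paths are covered, e.g. `case "$scanner_package" in "$scanner"==*) ;; *) echo "ERROR: scanner package is not pinned: $scanner_package"; exit 1 ;; esac; \`. The same RUN block is patched in services/quarantine/Containerfile.sandbox. That file also gains `COPY services/quarantine/pyproject.toml .` in this commit while no such line is visible in this file's hunks; presumably it is already copied earlier in the file, which is worth confirming because `open("pyproject.toml", "rb")` resolves against the working directory. The RUN block starts and ends outside the hunk.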
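--- a/services/quarantine/Containerfile.sandbox
+++ b/services/quarantine/Containerfile.sandbox
@@ -1,9 +1,9 @@
 ARG ALLOW_MISSING_QUARANTINE_SCANNERS=false
 ARG ENABLE_GARAK_SCANNER=false
-ARG MODELSCAN_PACKAGE=modelscan==0.8.8
-ARG FICKLING_PACKAGE=fickling==0.1.10
-ARG MODELAUDIT_PACKAGE=modelaudit==0.2.40
-ARG GARAK_PACKAGE=garak==0.14.1
+ARG MODELSCAN_PACKAGE=
+ARG FICKLING_PACKAGE=
+ARG MODELAUDIT_PACKAGE=
+ARG GARAK_PACKAGE=
 
 FROM ghcr.io/ggml-org/llama.cpp:server@sha256:8d528edc02fd8332bed793a80c7bea0a5a38874409e80c1bb314d84b2abfd10b AS llama_server
 
@@ -17,6 +17,7 @@ ARG MODELAUDIT_PACKAGE
 ARG GARAK_PACKAGE
 
 WORKDIR /app
+COPY services/quarantine/pyproject.toml .
 COPY services/quarantine/requirements.lock .
 COPY services/common/ /app/services/common/
 COPY services/quarantine/quarantine/ /app/quarantine/
@@ -43,6 +44,9 @@ RUN set -eu; \
 garak) scanner_package="$GARAK_PACKAGE" ;; \
 *) echo "ERROR: unknown quarantine scanner: $scanner"; exit 1 ;; \
 esac; \
+if [ -z "$scanner_package" ]; then \
+scanner_package="$(python -c 'import sys, tomllib; name = sys.argv[1]; data = tomllib.load(open("pyproject.toml", "rb")); group = "garak" if name == "garak" else "scan"; deps = data["project"]["optional-dependencies"][group]; matches = [dep for dep in deps if "==" in dep and dep.split("==", 1)[0] == name]; sys.exit(f"missing pinned scanner dependency: {name}") if len(matches) != 1 else print(matches[0])' "$scanner")"; \
+fi; \
 python -m venv "$venv" || { missing=$((missing + 1)); continue; }; \
 "$venv/bin/python" -m pip install --no-cache-dir --upgrade pip==26.0.1 setuptools==82.0.1 wheel==0.46.2 && \
 "$venv/bin/python" -m pip install --no-cache-dir "$scanner_package" && \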
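Review bot: The added `python -c` line compares raw strings with `dep.split("==", 1)[0] == name`, so a pyproject.toml entry written as `ModelScan==0.8.8` or `modelscan ==0.8.8` (constructed examples) counts as zero matches and the step stops with "missing pinned scanner dependency" although a pin exists. Under the `set -eu` shown in the hunk header this presumably fails the build, which is the safe direction, but the message points at the wrong cause. Normalising the name before comparing, `dep.split("==", 1)[0].strip().lower() == name`, covers case and whitespace; an entry with extras would still need separate handling. The identical line is added to services/quarantine/Containerfile, and the RUN block starts and ends outside the hunk.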
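--- a/tests/test_release_artifacts.py
+++ b/tests/test_release_artifacts.py
@@ -150,9 +150,9 @@ def test_quarantine_scan_extra_keeps_garak_opt_in(self):
 dependencies = data["project"]["dependencies"]
 assert "garak" in optional
 assert all(not dep.startswith("garak") for dep in scan_deps)
-assert "modelscan==0.8.8" in scan_deps
-assert "fickling==0.1.10" in scan_deps
-assert "modelaudit==0.2.40" in scan_deps
+for package in ("modelscan", "fickling", "modelaudit"):
+matches = [dep for dep in scan_deps if "==" in dep and dep.split("==", 1)[0] == package]
+assert len(matches) == 1
 assert "yara-python==4.5.4" in dependencies
 
 def test_quarantine_container_scanners_are_pinned(self):
@@ -162,10 +162,12 @@ def test_quarantine_container_scanners_are_pinned(self):
 ):
 content = (REPO_ROOT / rel_path).read_text(encoding="utf-8")
 assert "ARG ENABLE_GARAK_SCANNER=false" in content
-assert "ARG MODELSCAN_PACKAGE=modelscan==0.8.8" in content
-assert "ARG FICKLING_PACKAGE=fickling==0.1.10" in content
-assert "ARG MODELAUDIT_PACKAGE=modelaudit==0.2.40" in content
-assert "ARG GARAK_PACKAGE=garak==0.14.1" in content
+assert "ARG MODELSCAN_PACKAGE=" in content
+assert "ARG FICKLING_PACKAGE=" in content
+assert "ARG MODELAUDIT_PACKAGE=" in content
+assert "ARG GARAK_PACKAGE=" in content
+assert "tomllib.load" in content
+assert "missing pinned scanner dependency" in content
 assert 'scanners="modelscan fickling modelaudit"' in content
 
 def test_appsec_scanners_are_wired_into_ci(self):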
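Review bot: Nothing in the new assertions checks the garak pin any more: the loop in `test_quarantine_scan_extra_keeps_garak_opt_in` covers only `modelscan`, `fickling` and `modelaudit`, and `assert "ARG GARAK_PACKAGE=" in content` replaces the check for `garak==0.14.1`, while the Containerfiles now resolve garak from the `garak` optional-dependency group. An unpinned or duplicated garak entry would therefore surface only in a build that enables the garak scanner. Assuming `optional` is the optional-dependencies table, adding `garak_pins = [dep for dep in optional["garak"] if dep.startswith("garak==")]` and `assert len(garak_pins) == 1` next to the loop would restore that coverage. The substring checks such as `"ARG MODELSCAN_PACKAGE=" in content` also pass for any non-empty default, so they no longer show that the default is empty. Both test methods begin or continue outside their hunks.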
