diff --git a/RELEASE.md b/RELEASE.md
index afbd571d9e..27652de328 100644
--- a/RELEASE.md
+++ b/RELEASE.md
@@ -1,6 +1,7 @@
 # Upcoming Release 0.19.4
 
 ## Major features and improvements
+* Cookiecutter errors are shown in short format without the `--verbose` flag.
 * Kedro commands now work from any subdirectory within a Kedro project.
 * Kedro CLI now provides a better error message when project commands are run outside of a project i.e. `kedro run`
 * Adds the `--telemetry` flag to `kedro new`, allowing the user to register consent to have user analytics collected as the project is created.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..f283d26b64
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,32 @@
+# Security policy
+
+Kedro and its community take security bugs seriously. We appreciate efforts to improve the security of all Kedro products
+and follow the [GitHub coordinated disclosure of security vulnerabilities](https://docs.github.com/en/code-security/security-advisories/about-coordinated-disclosure-of-security-vulnerabilities#about-reporting-and-disclosing-vulnerabilities-in-projects-on-github)
+for responsible disclosure and prompt mitigation. We are committed to working with security researchers to
+resolve the vulnerabilities they discover.
+
+## Supported versions
+
+The latest versions of [Kedro](https://github.com/kedro-org/kedro), [Kedro-Viz](https://github.com/kedro-org/kedro-viz/), [Kedro Starters](https://github.com/kedro-org/kedro-starters) and the [Kedro plugins](https://github.com/kedro-org/kedro-plugins) have continued support. Any critical vulnerability will be fixed and a release will be done for the affected project as soon as possible.
+
+## Reporting a vulnerability
+
+When finding a security vulnerability in [Kedro](https://github.com/kedro-org/kedro), [Kedro-Viz](https://github.com/kedro-org/kedro-viz/), [Kedro Starters](https://github.com/kedro-org/kedro-starters) or any of the official [Kedro plugins](https://github.com/kedro-org/kedro-plugins), perform the following actions:
+
+- [Open an issue](https://github.com/kedro-org/kedro/issues/new?assignees=&labels=Issue%3A%20Bug%20Report%20%F0%9F%90%9E&template=bug-report.md&title=%28security%29%20Security%20Vulnerability) on the Kedro repository. Ensure that you use `(security) Security Vulnerability` as the title and _do not_ mention any vulnerability details in the issue post.
+- Send a notification [email](mailto:kedro-framework@mckinsey.com) to the Kedro Framework maintainers that contains, at a minimum:
+ - The link to the filed issue stub.
+ - Your GitHub handle.
+ - Detailed information about the security vulnerability, evidence that supports the relevance of the finding and any reproducibility instructions for independent confirmation.
+
+This first stage of reporting is to ensure that a rapid validation can occur without wasting the time and effort of a reporter. Future communication and vulnerability resolution will be conducted after validating
+the veracity of the reported issue.
+
+A Kedro maintainer will, after validating the report:
+
+- Acknowledge the bug
+- Mark the issue with a `Blockerđź“›` priority
+- Open a draft [GitHub Security Advisory](https://docs.github.com/en/code-security/security-advisories/creating-a-security-advisory)
+ to discuss the vulnerability details in private.
+
+The private Security Advisory will be used to confirm the issue, prepare a fix, and publicly disclose it after the fix has been released.
diff --git a/docs/source/contribution/index.md b/docs/source/contribution/index.md
index a3e1aee36d..1b621bc84f 100644
--- a/docs/source/contribution/index.md
+++ b/docs/source/contribution/index.md
@@ -7,6 +7,7 @@ We welcome any and all contributions to Kedro, at whatever level you can manage.
 - Start a conversation about the Kedro project on [GitHub discussions](https://github.com/kedro-org/kedro/discussions)
 - Make a pull request on the [`awesome-kedro` GitHub repo](https://github.com/kedro-org/awesome-kedro) to update the curated list of Kedro community content
 - Report a bug or propose a new feature on [GitHub issues](https://github.com/kedro-org/kedro/issues)
+- View the Kedro [security policy](https://github.com/kedro-org/kedro/blob/main/SECURITY.md) to report a security vulnerability.
 - [Review other contributors' PRs](https://github.com/kedro-org/kedro/pulls)
 - [Contribute code](https://github.com/kedro-org/kedro/wiki/Guidelines-for-contributing-developers), for example to fix a bug or add a feature
 - [Contribute to the documentation](https://github.com/kedro-org/kedro/wiki/Contribute-to-the-Kedro-documentation)
diff --git a/kedro/framework/cli/utils.py b/kedro/framework/cli/utils.py
index 46fc5bdc62..194b244b5f 100644
--- a/kedro/framework/cli/utils.py
+++ b/kedro/framework/cli/utils.py
@@ -265,15 +265,21 @@ class KedroCliError(click.exceptions.ClickException):
     VERBOSE_ERROR = False
     VERBOSE_EXISTS = True
+    COOKIECUTTER_EXCEPTIONS_PREFIX = "cookiecutter.exceptions"
 
     def show(self, file: IO | None = None) -> None:
         if self.VERBOSE_ERROR:
             click.secho(traceback.format_exc(), nl=False, fg="yellow")
         elif self.VERBOSE_EXISTS:
-            etype, value, _ = sys.exc_info()
+            etype, value, tb = sys.exc_info()
             formatted_exception = "".join(traceback.format_exception_only(etype, value))
+            cookiecutter_exception = ""
+            for ex_line in traceback.format_exception(etype, value, tb):
+                if self.COOKIECUTTER_EXCEPTIONS_PREFIX in ex_line:
+                    cookiecutter_exception = ex_line
+                    break
             click.secho(
-                f"{formatted_exception}Run with --verbose to see the full exception",
+                f"{cookiecutter_exception}{formatted_exception}Run with --verbose to see the full exception",
                 fg="yellow",
             )
         else:
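Review bot: The new loop in `show()` identifies the cookiecutter error by grepping the rendered traceback text for the substring `cookiecutter.exceptions` and keeps the first line that contains it, so any earlier entry from `traceback.format_exception` that merely mentions that string (a frame's source line, presumably, if a `raise cookiecutter.exceptions...` statement is ever rendered) would be shown in place of the actual exception line. Inspecting the exception chain directly (`value.__cause__` / `value.__context__`) and testing `type(exc).__module__` against `COOKIECUTTER_EXCEPTIONS_PREFIX` pins the match to the exception type rather than to how the traceback happens to be formatted, and it also removes the dependence on `tb`. The new class attribute would also benefit from a one-line comment such as `# Module prefix of cookiecutter's exception types, surfaced in non-verbose output`. Note that the `else:` branch of `show()` continues outside the hunk, and the hunk as shown appears to be one context line short of its header's count.
```python
            etype, value, tb = sys.exc_info()
            formatted_exception = "".join(traceback.format_exception_only(etype, value))
            # Walk the cause/context chain rather than grepping rendered traceback
            # text, so only a genuine cookiecutter exception type is surfaced.
            cookiecutter_exception = ""
            chained = value
            while chained is not None:
                if type(chained).__module__.startswith(self.COOKIECUTTER_EXCEPTIONS_PREFIX):
                    cookiecutter_exception = "".join(
                        traceback.format_exception_only(type(chained), chained)
                    )
                    break
                chained = chained.__cause__ or chained.__context__
            # … unchanged: click.secho(...) call …
```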
diff --git a/tests/framework/cli/test_cli.py b/tests/framework/cli/test_cli.py
index c1e5ce51ec..d147a6a0d1 100644
--- a/tests/framework/cli/test_cli.py
+++ b/tests/framework/cli/test_cli.py
@@ -691,6 +691,7 @@ def test_run_with_invalid_config(
            "Key `node-names` in provided configuration is not valid. \n\nDid you mean one of "
            "these?\n node_names\n to_nodes\n namespace" in result.stdout
        )
+       KedroCliError.VERBOSE_EXISTS = True
 
    @mark.parametrize(
        "fake_run_config_with_params,expected",
diff --git a/tests/framework/cli/test_starters.py b/tests/framework/cli/test_starters.py
index a98a1c26eb..b4fb54d552 100644
--- a/tests/framework/cli/test_starters.py
+++ b/tests/framework/cli/test_starters.py
@@ -490,6 +490,15 @@ def test_fail_if_dir_exists(self, fake_kedro_cli):
        assert result.exit_code != 0
        assert "directory already exists" in result.output
 
+   def test_cookiecutter_exception_if_no_verbose(self, fake_kedro_cli):
+       """Check if the original cookiecutter exception is present in the output
+       if no verbose flag is provided."""
+       Path("new-kedro-project").mkdir()
+       result = CliRunner().invoke(
+           fake_kedro_cli, ["new"], input=_make_cli_prompt_input()
+       )
+       assert "cookiecutter.exceptions" in result.output
+
    def test_prompt_no_title(self, fake_kedro_cli):
        shutil.copytree(TEMPLATE_PATH, "template")
        _write_yaml(Path("template") / "prompts.yml", {"repo_name": {}})
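Review bot: `KedroCliError.VERBOSE_EXISTS = True` is placed after the assertions at the end of `test_run_with_invalid_config`, so when any assertion above it fails the class attribute is never restored and the modified value leaks into every later test in the session. The earlier assignment that this line undoes is outside the hunk (the function starts before it), but the restore should not depend on the test passing: wrap the body in `try: ... finally: KedroCliError.VERBOSE_EXISTS = True`, or replace both assignments with `monkeypatch.setattr(KedroCliError, "VERBOSE_EXISTS", False)`, which pytest undoes automatically.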
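Review bot: `test_cookiecutter_exception_if_no_verbose` asserts only that the text `cookiecutter.exceptions` appears in the output and never checks the exit status, unlike the sibling `test_fail_if_dir_exists` just above it, so a run that printed that string yet exited 0 would still pass. Add `assert result.exit_code != 0` before the substring check, and consider asserting that the `Run with --verbose` hint is present as well, since that is the exact message the new `show()` branch produces. The test also relies on the working directory being a fresh temporary one for `Path("new-kedro-project").mkdir()`; that fixture is not visible in the hunk, so confirm the class provides it.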