fix: restore cross-platform nightly CI safety#1704
Merged
Conversation
Nightly CI runs integration and performance tests (-m "not performance" / -m performance) that the PR lane (-m "not slow and not integration") skips. A series of intentional detection-hardening changes merged between the last green nightly (2b46042) and the first red one (77b2295) made several nightly-only tests fail: they over-asserted result.success on inputs the scanner now correctly flags, or checked for now-redacted literals. These are test-only corrections. No scanner/product code changed and no detection is weakened; each rewritten test still asserts the real security signal (finding fires at the right severity, scan still discovers malicious content, scan completes without operational errors). - test_security_asset_integration: exclude malicious-by-design keras fixtures (loss/metric injection, custom-layer attack) from the safe-sample set; assert scan-ran / findings-present instead of success on exploit-laden inputs (agpl __main__ pickle, whole assets tree). - test_integration, file-type validation, inventory, lazy-loading: replace the success-as-"scan completed" proxy with has_errors / files_scanned plus explicit detection assertions (e.g. the fail-closed CRITICAL TF SavedModel finding, the import-only allowlisted-global WARNING). - test_network_comm_integration: assert the CRITICAL network finding still fires instead of the now-redacted "evil.com" literal; tolerate the correct absence of an INFO finding for inert benign metadata URLs while keeping the no-warning/no-critical invariant. - performance: assert operational health (no errors, files scanned) on the adversarial corpus; replace a brittle absolute validation-time threshold with a relative one measured against the underlying scan baseline. - picklescan future-pending-callback test: load concurrent.futures before the call-graph trust snapshot so the test deterministically exercises the lazy callback property. Late-loaded stdlib references correctly fail closed by design (covered by test_scan_bytes_fails_closed_for_late_loaded_stdlib_*), which is what intermittently flipped this test to SUSPICIOUS in CI. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Performance BenchmarksCompared
|
…integration-tests
Require operational-error-free outcomes in the corrected nightly tests, narrow malicious Keras fixture exclusions to explicit files, and add the required pytest annotations.
Mock every trust decision path exercised by call graph enrichment so the benign raw-array fixture does not depend on ambient module origin state or test ordering.
Require the safe Joblib parser to close every MARK scope before STOP so embedded pickle streams cannot terminate trusted wrapper analysis early. Make Joblib trust fixtures deterministic and cover the fail-closed result.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
STOPopcodes inside Joblib NumPy wrappers so embedded pickles cannot terminate trusted-tail analysis earlyRoot causes
Nightly CI runs slow and integration tests skipped by the normal PR lane. Several expectations predated hardened detections and still required malicious fixtures to scan as clean. The first repaired nightly run then exposed three additional issues hidden by those early assertions:
The Windows audit found two implementation defects rather than test-only noise: MLflow's outside-hardlink check could miss NTFS aliases when relying on
stat().st_nlink, and protocol-relative report sources were probed as UNC paths before redaction.The second repaired nightly run passed all Python 3.10/3.12/3.13 jobs, Rust, performance, and Windows shard 1. Its remaining failures were two platform-dependent fail-closed picklescan outcomes plus three live Hugging Face requests that returned explicit HTTP 429 responses. The assertions now validate the actual fail-closed report semantics, and live tests skip only confirmed 429 rate limits; 404s and all other remote errors still fail.
The third nightly run passed all 11 other jobs and isolated its sole failure to a Windows report that correctly stayed suspicious and fail-closed as
INCONCLUSIVE, but did not emit the narrower source-unavailable notice the test used to predict that status. The final assertion accepts onlyCOMPLETEorINCONCLUSIVE, requiresanalysis_incompletemetadata for the latter, and still requires the exactNON_ALLOWLISTED_GLOBALfinding.The fourth nightly run passed all 13 jobs. Standard Windows then failed twice on different outcomes in the same synthetic Joblib wrapper family: one malformed tail was accepted, while one valid multi-array payload was rejected. Both failures occurred on
gw0; isolated execution and both nightly Windows shards passed. The scanner now normalizes any failed static wrapper validation to an explicit inconclusive result, and the synthetic fixtures patch wrapper-origin trust directly instead of depending on platform/source-cache state.Existing PR audit
Validation
os.*xattrstub errors in unchanged CLI filesmain4c8e384e: standard Python CI run 28233836558 passed all 16 applicable jobs (6 path-filtered jobs skipped), and nightly run 28233851478 passed all 13 jobs, including both Windows shards and performanceNo detection was weakened. Descriptor-only race tests skip only on platforms without descriptor-walk APIs; Windows fallback-path coverage remains active.