Add rules for pytorch config best practices

generic/pytorch-allowed-urls.yaml

@@ -0,0 +1,18 @@
+rules:
+  - id: pytorch-allowed-urls
+    message: Allowing URLs via environment variables is enabled
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      references:
+        - https://pytorch.org/serve/configuration.html
+    paths:
+      include:
+        - 'config.properties'
+    pattern: "use_env_allowed_urls=true"

generic/pytorch-auto-install-deps.yaml

@@ -0,0 +1,19 @@
+rules:
+  - id: pytorch-auto-install-deps
+    message: Automatic installation of model dependencies is enabled
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      references:
+        - https://pytorch.org/serve/configuration.html
+    paths:
+      include:
+        - 'config.properties'
+    pattern: "install_py_dep_per_model=true"
+"

generic/pytorch-bound-to-all-interfaces.yaml

@@ -0,0 +1,19 @@
+rules:
+  - id: pytorch-bound-to-all-interfaces
+    message: Pytorch binds to all interfaces
+    languages: [generic]
+    severity: ERROR
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://pytorch.org/serve/configuration.html
+    paths:
+      include:
+        - 'config.properties'
+    pattern-either:
+      - pattern-regex: (grpc_)?(inference|management|metrics)_address=https?://0\.0\.0\.0:\d+

generic/pytorch-cors.yaml

@@ -0,0 +1,19 @@
+rules:
+  - id: pytorch-cors
+    message: CORS settings are specified but all origins are allowed
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      references:
+        - https://pytorch.org/serve/configuration.html
+    paths:
+      include:
+        - 'config.properties'
+    pattern-not:
+      - pattern: "cors_allowed_origin=*"

generic/pytorch-defaults-job-queue-size.yaml

@@ -0,0 +1,21 @@
+rules:
+  - id: pytorch-defaults-job-queue-size
+    message: No specified job queue size in Pytorch config (default 100)
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      references:
+        - https://pytorch.org/serve/configuration.html
+    paths:
+      include:
+        - 'config.properties'
+    patterns:
+      - pattern-regex: |
+          (?s)(.*)
+      - pattern-not-regex: .*job_queue_size=

generic/pytorch-defaults-max-request-size.yaml

@@ -0,0 +1,21 @@
+rules:
+  - id: pytorch-defaults-max-request-size
+    message: No specified maximum request size in Pytorch config
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      references:
+        - https://pytorch.org/serve/configuration.html
+    paths:
+      include:
+        - 'config.properties'
+    patterns:
+      - pattern-regex: |
+          (?s)(.*)
+      - pattern-not-regex: .*max_request_size=

generic/pytorch-defaults-max-response-size.yaml

@@ -0,0 +1,21 @@
+rules:
+  - id: pytorch-defaults-max-response-size
+    message: No specified maximum response size in Pytorch config
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      references:
+        - https://pytorch.org/serve/configuration.html
+    paths:
+      include:
+        - 'config.properties'
+    patterns:
+      - pattern-regex: |
+          (?s)(.*)
+      - pattern-not-regex: .*max_response_size=

generic/pytorch-defaults-number-of-gpu.yaml

@@ -0,0 +1,21 @@
+rules:
+  - id: pytorch-defaults-number-of-gpu
+    message: No GPU usage limits in Pytorch config (defaults to all available)
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      references:
+        - https://pytorch.org/serve/configuration.html
+    paths:
+      include:
+        - 'config.properties'
+    patterns:
+      - pattern-regex: |
+          (?s)(.*)
+      - pattern-not-regex: .*number_of_gpu=

generic/pytorch-limit-max-image-pixels.yaml

@@ -0,0 +1,18 @@
+rules:
+  - id: pytorch-limit-max-image-pixels
+    message: Image size limit disabled in Pytorch config
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: MEDIUM
+      references:
+        - https://pytorch.org/serve/configuration.html
+    paths:
+      include:
+        - 'config.properties'
+    pattern: "limit-max-image-pixels=false"

generic/pytorch-unsecured-http.yaml

@@ -0,0 +1,19 @@
+rules:
+  - id: pytorch-unsecured-http
+    message: Pytorch interface is exposed without TLS
+    languages: [generic]
+    severity: WARNING
+    metadata:
+      category: security
+      subcategory: [audit]
+      technology: [shell]
+      confidence: HIGH
+      likelihood: MEDIUM
+      impact: HIGH
+      references:
+        - https://pytorch.org/serve/configuration.html
+    paths:
+      include:
+        - 'config.properties'
+    pattern-either:
+      - pattern-regex: (grpc_)?(inference|management|metrics)_address=http://