From bcd58d404da8593e60f09dcbc928cda88ad50028 Mon Sep 17 00:00:00 2001 From: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> Date: Wed, 1 May 2024 06:37:55 +0000 Subject: [PATCH 01/12] Fix typos in BUILD.md --- BUILD.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/BUILD.md b/BUILD.md index dd2d70ee..46c91eb6 100644 --- a/BUILD.md +++ b/BUILD.md @@ -2,22 +2,22 @@ There are several ways to build and run TAD. -1. poetry -2. container +1. Poetry +2. Container ## Building TAD with Poetry -Poetry is a python package and dependency manager. Before you can install poetry you first need to install python. Please follow [these](https://github.com/pyenv/pyenv?tab=readme-ov-file#installation) instructions. +Poetry is a Python package and dependency manager. Before you can install Poetry you first need to install Python. Please follow [these](https://github.com/pyenv/pyenv?tab=readme-ov-file#installation) instructions. Once you have python available you can install poetry. See [here](https://python-poetry.org/docs/#installation). -Once you have poetry and python install you can start installing the dependencies with the following shell command. +Once you have Poetry and Python installed you can start installing the dependencies with the following shell command. ```shell poetry install ``` -when poetry is done installing all dependencies you can start using the tool. +When poetry is done installing all dependencies you can start using the tool. ```shell poetry run python -m tad 
@@ -25,15 +25,15 @@ poetry run python -m tad ## Building TAD with Containers -Containers allow use to package software and make it portable and isolated. Before you can run container you first need a container runtime. There are several available but allot of users use [docker desktop](https://www.docker.com/products/docker-desktop/). +Containers allows to package software, make it portable, and isolated. Before you can run a container you first need a container runtime. There are several available, but al lot of users use [docker desktop](https://www.docker.com/products/docker-desktop/). -Once you install a docker runtime like docker desktop you can start building the applications with this command: +After installing a Docker runtime like Docker Desktop you can start building the applications with this command: ```shell docker compose build ``` -to run the application you use this command: +To run the application you use this command: ```shell docker compose up @@ -50,4 +50,4 @@ For testing, linting and other feature we use several tools. You can look up the ## Devcontainers -[VSCode](https://code.visualstudio.com/) has great support for devcontainers. If your editor had support for devcontainers you can also use them to start the devcontainer. Devcontaines offer great standardized environments for development. +[VSCode](https://code.visualstudio.com/) has great support for devcontainers. If your editor has support for devcontainers you can also use them to start the devcontainer. Devcontaines offer a great standardized environments for development. From f33e9ab6f58b9450645666de0dbda1c941b918f7 Mon Sep 17 00:00:00 2001 From: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> Date: Wed, 1 May 2024 06:43:50 +0000 Subject: [PATCH 02/12] Add sonarcloud analysis --- .github/workflows/ci.yml | 6 ++++++ sonar-project.properties | 13 +++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 sonar-project.properties 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a652a142..35029955 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,6 +43,12 @@ jobs: - name: run pyright run: poetry run pyright + - name: SonarCloud Scan + uses: SonarSource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + security: runs-on: ubuntu-latest steps: diff --git a/sonar-project.properties b/sonar-project.properties new file mode 100644 index 00000000..2499b0ff --- /dev/null +++ b/sonar-project.properties @@ -0,0 +1,13 @@ +sonar.projectKey=ai-validation-team_tad +sonar.organization=ai-validation-team + +# This is the name and version displayed in the SonarCloud UI. +sonar.projectName=tad +sonar.projectVersion=0.1.0 + + +# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows. +sonar.sources=. + +# Encoding of the source code. Default is default system encoding +sonar.sourceEncoding=UTF-8 From a85b6d50c612d39edcdc700bea79384097cff212 Mon Sep 17 00:00:00 2001 From: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> Date: Wed, 1 May 2024 06:51:00 +0000 Subject: [PATCH 03/12] Comply to standardization for AS statement in Dockerfile --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 62beaf80..08ace8ff 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ ARG PYTHON_VERSION=3.11.7-slim -FROM --platform=$BUILDPLATFORM python:${PYTHON_VERSION} as project-base +FROM --platform=$BUILDPLATFORM python:${PYTHON_VERSION} AS project-base LABEL maintainer=ai-validatie@minbzk.nl \ organization=MinBZK \ @@ -27,7 +27,7 @@ COPY ./poetry.lock ./pyproject.toml ./ RUN poetry install --without dev,test ENV PATH="/app/.venv/bin:$PATH" -FROM project-base as development +FROM project-base AS development COPY . . RUN poetry install 
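Review bot: `uses: SonarSource/sonarcloud-github-action@master` resolves a third-party action from a mutable branch while handing it both `SONAR_TOKEN` and `GITHUB_TOKEN`, so whatever is pushed to that branch next runs in this workflow with those secrets; pin it to a release tag or, better, a full commit SHA (`uses: SonarSource/sonarcloud-github-action@<sha>  # vX.Y.Z`) and let Dependabot/Renovate bump it. If the workflow is also triggered by `pull_request` events from forks, `secrets.SONAR_TOKEN` is empty there and the step will fail rather than skip, so consider a guard such as `if: github.event.pull_request.head.repo.fork != true` — the trigger block is outside this hunk, so confirm against it. The surrounding job (checkout, Poetry setup) starts outside the hunk.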
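Review bot: `sonar.sources=.` makes SonarCloud treat everything in the checkout as production source, including the `tests/` tree this repository has and any local virtualenv or build output present at scan time, which inflates duplication and issue counts and applies production rules to test code. Declare the test tree separately and exclude tooling directories, for example `sonar.sources=tad`, `sonar.tests=tests` and `sonar.exclusions=**/.venv/**,**/__pycache__/**` — the exact source package name should be confirmed against the repository layout, which is only partly visible here.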
@@ -42,7 +42,7 @@ FROM development AS test RUN coverage run -m pytest ./tests RUN coverage report -FROM project-base as production +FROM project-base AS production COPY ./tad /app/tad From bcc40f2174873db3f65093cf82e17d4700d9b022 Mon Sep 17 00:00:00 2001 From: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> Date: Wed, 1 May 2024 07:10:58 +0000 Subject: [PATCH 04/12] Make test coverage available in sonarcloud --- .github/workflows/ci.yml | 17 +++++++++++------ sonar-project.properties | 4 ++++ 2 files changed, 15 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 35029955..70c4d21b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -43,12 +43,6 @@ jobs: - name: run pyright run: poetry run pyright - - name: SonarCloud Scan - uses: SonarSource/sonarcloud-github-action@master - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - security: runs-on: ubuntu-latest steps: @@ -130,6 +124,17 @@ jobs: overwrite: true + - name: run coverage xml + run: poetry run coverage xml + + - name: SonarCloud Scan + if: matrix.python-version == '3.11' + uses: SonarSource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + + build: needs: test runs-on: ubuntu-latest diff --git a/sonar-project.properties b/sonar-project.properties index 2499b0ff..bdd24016 100644 --- a/sonar-project.properties +++ b/sonar-project.properties @@ -11,3 +11,7 @@ sonar.sources=. # Encoding of the source code. Default is default system encoding sonar.sourceEncoding=UTF-8 + +sonar.python.version=3.11 + +sonar.python.coverage.reportPaths=coverage.xml From dcb1321a0d2c77cbe055e65f657a900e57c5e8bb Mon Sep 17 00:00:00 2001 
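Review bot: The `SonarCloud Scan` step now lives inside the test matrix and is gated only on `matrix.python-version == '3.11'`, not on whether `SONAR_TOKEN` is actually available; on `pull_request` runs from forks GitHub withholds secrets, so the step would execute with an empty token and fail the 3.11 leg — if forks are expected, extend the condition to `if: matrix.python-version == '3.11' && github.event.pull_request.head.repo.fork != true`. The action reference is still `@master`; pinning it to a tag or SHA applies here as well since the move kept the mutable ref. The `run coverage xml` step assumes the job's working directory is the repository root so that `coverage.xml` matches `sonar.python.coverage.reportPaths`; the matrix definition and checkout step are outside the hunk.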
From: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> Date: Wed, 1 May 2024 07:29:43 +0000 Subject: [PATCH 05/12] Fix security issues in Dockerfile --- Dockerfile | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 08ace8ff..1db7f339 100644 --- a/Dockerfile +++ b/Dockerfile @@ -29,7 +29,10 @@ ENV PATH="/app/.venv/bin:$PATH" FROM project-base AS development -COPY . . +COPY ./tad/ ./tad/ +COPY ./tests/ ./tests/ +COPY ./script/ ./script/ +COPY ./README.md ./README.md RUN poetry install FROM development AS lint @@ -44,7 +47,9 @@ RUN coverage report FROM project-base AS production -COPY ./tad /app/tad +USER tad + +COPY --chown=root:root --chmod=755 ./tad /app/tad # change this to a usefull command CMD ["python", "-m", "tad" ] From 65253e70624877c48ca8801fd8d782a72d0ed0f6 Mon Sep 17 00:00:00 2001 From: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> Date: Wed, 1 May 2024 07:53:42 +0000 Subject: [PATCH 06/12] Update longDescription in publiccode.yml --- publiccode.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/publiccode.yml b/publiccode.yml index 023452e2..14c547b8 100644 --- a/publiccode.yml +++ b/publiccode.yml 
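Review bot: `USER tad` switches the production stage to an account that no visible stage creates — the part of `project-base` shown above has no `useradd`/`adduser` — so unless it is added in a portion of the Dockerfile outside this hunk, `docker run` will fail with "unable to find user tad"; add something like `RUN useradd --system --no-create-home --uid 1000 tad` to `project-base` ahead of this line so the development and test stages can share it. `COPY --chown=root:root --chmod=755 ./tad /app/tad` is the right ownership for a read-only code tree under a non-root runtime user, but `--chmod=755` marks every copied `.py` file executable; since a files-vs-directories split is not expressible in `--chmod`, either drop it (COPY keeps the source mode bits) or leave a comment stating the choice is deliberate. `--chmod` on `COPY` also requires BuildKit, which is worth noting in BUILD.md. The stage's `CMD` and the ownership of `/app/.venv` are outside the hunk.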
@@ -14,9 +14,13 @@ description: - Algorithm genericName: tad longDescription: | - TAD is a modern tool to apply technical and non-technical tests for an AI model. + TAD is the acronym for Transparency of Algorithmic Decision making. TAD has the goal to make algorithmic systems more transparent; it achieves this by generating standardized reports on the algorithmic system which encompasses both technical aspects in addition to descriptive information about the system and regulatory assessments. For both the system and the model the lifecycle is important and this needs to be taken into account. The definition for an algorithm is derived from the Algoritmeregister. - TAD is a tool for Transparency Algorithm Decision making. + On the one hand the TAD project is focused on building a standardized format of reporting on a algorithmic system by developing a Reporting Standard. This Reporting Standard consists out of a System Card which contains Model Cards and Assessment Cards. + + On the other hand the project is focused on filling in the System, Model and Assessment Cards with both performance metrics and technical measurements on fairness and bias of the model, assessments on the system where the specific algorithm resides, and descriptive information about the system. The requirements and instruments are dictated by the Algoritmekader. + + link: https://minbzk.github.io/ai-validation/Projects/TAD/ shortDescription: TAD is a tool for Transparency Algorithm Decision making developmentStatus: concept From 884eb9125278aaec560791c5cc0142927a843c68 Mon Sep 17 00:00:00 2001 From: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> Date: Wed, 1 May 2024 08:11:02 +0000 Subject: [PATCH 07/12] Disable shallow clone for sonarcloud analysis --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 70c4d21b..32317d84 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -92,6 +92,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Install poetry run: pipx install poetry From 0aac31daa3447e9e7f076a07e38c57de030b765d Mon Sep 17 00:00:00 2001 From: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> Date: Wed, 1 May 2024 08:21:36 +0000 Subject: [PATCH 08/12] Add relative files for codecoverage --- pyproject.toml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pyproject.toml b/pyproject.toml index ae6ce98e..a4391799 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -73,6 +73,8 @@ reportMissingTypeStubs = true [tool.coverage.run] branch = true command_line = "-m pytest ./tests" +relative_files = true + [tool.coverage.report] fail_under = 95 From bb6ccd3dbc0b5d427db926189eaa4f117075696b Mon Sep 17 00:00:00 2001 From: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> Date: Wed, 1 May 2024 08:31:36 +0000 Subject: [PATCH 09/12] Change CI to not push images on PRs --- .github/workflows/ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 32317d84..85b539ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -171,12 +171,13 @@ jobs: uses: docker/build-push-action@v5 with: context: . - push: true + push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} platforms: linux/amd64,linux/arm64,darwin/amd64 - name: Run Trivy vulnerability scanner + if: github.event_name != 'pull_request' uses: aquasecurity/trivy-action@master with: image-ref: ${{ steps.meta.outputs.tags }} @@ -190,6 +191,7 @@ jobs: TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - name: Upload Trivy scan results to GitHub Security tab + if: github.event_name != 'pull_request' uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' 
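Review bot: Gating `Run Trivy vulnerability scanner` and the SARIF upload on `github.event_name != 'pull_request'` means a pull request that pulls in a vulnerable base image or dependency is only scanned after it has been merged and pushed, so the scan no longer acts as a pre-merge check; making `push` conditional was right, but the scan should still run on PRs. Because a multi-platform build cannot be `load`ed into the local daemon, build a single `linux/amd64` image with `load: true` on PRs and point Trivy at it, or run Trivy with `scan-type: fs` against the checkout on PRs and keep the image scan for pushes. The Trivy step itself is also referenced as `aquasecurity/trivy-action@master` (pre-existing context) and would benefit from the same SHA pin as the other actions. The `build` job's checkout and the `meta` step are outside the hunk.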
@@ -200,6 +202,7 @@ jobs: if: ${{ always() && contains(needs.*.result, 'failure') }} steps: - uses: mattermost/action-mattermost-notify@master + if: github.event_name != 'pull_request' || github.event.pull_request.draft == false with: MATTERMOST_WEBHOOK_URL: ${{ secrets.MM_WEBHOOK_URL }} MATTERMOST_CHANNEL: dev From b00651b9a7aca02748f79bac6074f7a2da0319ae Mon Sep 17 00:00:00 2001 From: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> Date: Wed, 1 May 2024 08:41:12 +0000 Subject: [PATCH 10/12] Add git graph to devcontainer --- .devcontainer/devcontainer.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 40684f43..c7e6669c 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -16,14 +16,17 @@ "streetsidesoftware.code-spell-checker", "redhat.vscode-yaml", "charliermarsh.ruff", - "github.vscode-github-actions" + "github.vscode-github-actions", + "mhutchie.git-graph" ], "settings": { "editor.formatOnPaste": false, "editor.formatOnSave": true, "editor.formatOnType": true, + "editor.renderWhitespace": "boundary", "files.trimTrailingWhitespace": true, "terminal.integrated.inheritEnv": true, + "debug.toolBarLocation": "commandCenter", "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" From 4a661162676a58bbbdb7efeb7f4970fcb46ec2b0 Mon Sep 17 00:00:00 2001 From: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> Date: Mon, 6 May 2024 10:22:44 +0200 Subject: [PATCH 11/12] Update publiccode.yml Co-authored-by: Robbert Uittenbroek <159022774+uittenbroekrobbert@users.noreply.github.com> Signed-off-by: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> --- publiccode.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/publiccode.yml b/publiccode.yml index 14c547b8..b4e031bb 100644 --- a/publiccode.yml +++ b/publiccode.yml 
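Review bot: `mattermost/action-mattermost-notify@master` is pinned to a mutable branch while receiving `MM_WEBHOOK_URL`, so a compromised or simply changed upstream branch would run in this workflow with the webhook secret; pin it to a tag or full commit SHA (`uses: mattermost/action-mattermost-notify@<sha>  # vX.Y`). The added condition `github.event_name != 'pull_request' || github.event.pull_request.draft == false` short-circuits safely on non-PR events, but on `pull_request` runs from forks the secret is empty and the notify call will fail inside a job that already only runs on failure, producing a second red mark; if forks are expected, add `&& github.event.pull_request.head.repo.fork != true`. The job-level `if: always() && contains(needs.*.result, 'failure')` is context and the job's `needs` list is outside the hunk.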
@@ -14,11 +14,7 @@ description: - Algorithm genericName: tad longDescription: | - TAD is the acronym for Transparency of Algorithmic Decision making. TAD has the goal to make algorithmic systems more transparent; it achieves this by generating standardized reports on the algorithmic system which encompasses both technical aspects in addition to descriptive information about the system and regulatory assessments. For both the system and the model the lifecycle is important and this needs to be taken into account. The definition for an algorithm is derived from the Algoritmeregister. - - On the one hand the TAD project is focused on building a standardized format of reporting on a algorithmic system by developing a Reporting Standard. This Reporting Standard consists out of a System Card which contains Model Cards and Assessment Cards. - - On the other hand the project is focused on filling in the System, Model and Assessment Cards with both performance metrics and technical measurements on fairness and bias of the model, assessments on the system where the specific algorithm resides, and descriptive information about the system. The requirements and instruments are dictated by the Algoritmekader. +TAD is the acronym for Transparency of Algorithmic Decision making. The goal is to make algorithmic systems more transparant. It achieves this by generating standardized reports. These reports consist of both technical aspects as well as descriptive information about the system and regulatory assessments. For both the system and the model the lifecycle is important, so this is incorporated in both the tool as well as the reports. The definition for an algorithm is derived from the Algoritmeregister. link: https://minbzk.github.io/ai-validation/Projects/TAD/ From 01145840517ac67ad707823ece19a8f842b0f515 Mon Sep 17 00:00:00 2001 
From: Berry den Hartog <38954346+berrydenhartog@users.noreply.github.com> Date: Tue, 7 May 2024 07:23:59 +0000 Subject: [PATCH 12/12] Fix typos --- .github/workflows/ci.yml | 9 ++++----- BUILD.md | 2 +- README.md | 2 +- publiccode.yml | 8 ++++---- 4 files changed, 10 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 85b539ac..b8267c31 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -37,10 +37,10 @@ jobs: - name: run ruff run: poetry run ruff check --output-format=github - - name: run format + - name: Run format run: poetry run ruff format --check - - name: run pyright + - name: Run pyright run: poetry run pyright security: @@ -63,7 +63,7 @@ jobs: - name: Generate SBOM run: poetry run cyclonedx-py poetry > sbom.json - - name: Generace licenses file + - name: Generate licenses file run: | poetry run pip-licenses --order=license --format=json --with-description > licenses.txt @@ -107,7 +107,7 @@ jobs: - name: Install dependencies run: poetry install - - name: run pytest + - name: Run pytest run: poetry run coverage run -m pytest - name: run coverage report @@ -125,7 +125,6 @@ jobs: if-no-files-found: error overwrite: true - - name: run coverage xml run: poetry run coverage xml diff --git a/BUILD.md b/BUILD.md index 46c91eb6..8b959ace 100644 --- a/BUILD.md +++ b/BUILD.md @@ -9,7 +9,7 @@ There are several ways to build and run TAD. Poetry is a Python package and dependency manager. Before you can install Poetry you first need to install Python. Please follow [these](https://github.com/pyenv/pyenv?tab=readme-ov-file#installation) instructions. -Once you have python available you can install poetry. See [here](https://python-poetry.org/docs/#installation). +Once you have Python available you can install Poetry. See [here](https://python-poetry.org/docs/#installation). Once you have Poetry and Python installed you can start installing the dependencies with the following shell command. 
diff --git a/README.md b/README.md index d2459b2b..e72892f8 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Transparency for Algorithm Decision making (TAD) +# Transparency of Algorithmic Decision making (TAD) ![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/minbzk/tad/ci.yml) ![Codecov (with branch)](https://img.shields.io/codecov/c/github/minbzk/tad/main) diff --git a/publiccode.yml b/publiccode.yml index b4e031bb..a61845f9 100644 --- a/publiccode.yml +++ b/publiccode.yml @@ -2,7 +2,7 @@ # metadata file that makes public software easily discoverable. # More info at https://github.com/italia/publiccode.yml -publiccodeYmlVersion: '0.2' +publiccodeYmlVersion: "0.2" categories: - it-development description: @@ -14,7 +14,7 @@ description: - Algorithm genericName: tad longDescription: | -TAD is the acronym for Transparency of Algorithmic Decision making. The goal is to make algorithmic systems more transparant. It achieves this by generating standardized reports. These reports consist of both technical aspects as well as descriptive information about the system and regulatory assessments. For both the system and the model the lifecycle is important, so this is incorporated in both the tool as well as the reports. The definition for an algorithm is derived from the Algoritmeregister. + TAD is the acronym for Transparency of Algorithmic Decision making. The goal is to make algorithmic systems more transparant. It achieves this by generating standardized reports. These reports consist of both technical aspects as well as descriptive information about the system and regulatory assessments. For both the system and the model the lifecycle is important, so this is incorporated in both the tool as well as the reports. The definition for an algorithm is derived from the Algoritmeregister. link: https://minbzk.github.io/ai-validation/Projects/TAD/ 
@@ -34,6 +34,6 @@ maintenance: name: tad platforms: - web -releaseDate: '2024-04-25' +releaseDate: "2024-04-25" softwareType: standalone/web -url: 'https://github.com/MinBZK/tad' +url: "https://github.com/MinBZK/tad"