Move bandit into pep8

Run security linter bandit as part of pep8. Pep8 is the usual linter
target and thus let's use it there instead of starting another node for
this short-running job.

Move bandit requirement to test-requirements.

Disable temporarily some tests in bandit.yaml since they advocate using
defusedxml which is not in global-requirements.txt and thus cannot be
used inside bandit (bug#1550161).

Change-Id: Ie3c9f4ee6e061ea090fa882f4f029f2761706951
Andreas Jaeger 2016-02-21 18:33:40 +01:00
parent 6c64bc1b6a
commit e09c00d44f
4 changed files with 16 additions and 17 deletions


@ -122,18 +122,19 @@ blacklist_calls:
# Most of this is based off of Christian Heimes' work on defusedxml: # Most of this is based off of Christian Heimes' work on defusedxml:
# https://pypi.python.org/pypi/defusedxml/#defusedxml-sax # https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
- xml_bad_cElementTree: # TODO(jaegerandi): Enable once defusedxml is in global requirements.
qualnames: [xml.etree.cElementTree.parse, #- xml_bad_cElementTree:
xml.etree.cElementTree.iterparse, # qualnames: [xml.etree.cElementTree.parse,
xml.etree.cElementTree.fromstring, # xml.etree.cElementTree.iterparse,
xml.etree.cElementTree.XMLParser] # xml.etree.cElementTree.fromstring,
message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function." # xml.etree.cElementTree.XMLParser]
- xml_bad_ElementTree: # message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
qualnames: [xml.etree.ElementTree.parse, #- xml_bad_ElementTree:
xml.etree.ElementTree.iterparse, # qualnames: [xml.etree.ElementTree.parse,
xml.etree.ElementTree.fromstring, # xml.etree.ElementTree.iterparse,
xml.etree.ElementTree.XMLParser] # xml.etree.ElementTree.fromstring,
message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function." # xml.etree.ElementTree.XMLParser]
# message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
- xml_bad_expatreader: - xml_bad_expatreader:
qualnames: [xml.sax.expatreader.create_parser] qualnames: [xml.sax.expatreader.create_parser]
message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function." message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
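Review bot: The TODO comment that now guards the commented-out `xml_bad_cElementTree` and `xml_bad_ElementTree` entries should carry the bug reference from the commit message (bug#1550161) so whoever re-enables the checks can find the defusedxml global-requirements dependency; as written, only "Enable once defusedxml is in global requirements" is recorded in the file. While these two entries are disabled, bandit will no longer flag `xml.etree.ElementTree.parse`, `iterparse`, `fromstring` or `XMLParser` calls on untrusted input, so any new ElementTree parsing merged during this window passes the gate unchecked; the `xml_bad_expatreader` entry is the only XML check left active. Also, the message string in the surviving entry (and in the commented ones) reads "it's defusedxml equivilent"; it should be "its defusedxml equivalent".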


@ -86,7 +86,3 @@ output_file = glance/locale/glance.pot
[pbr] [pbr]
warnerrors = True warnerrors = True
[extras]
bandit =
bandit>=0.17.3 # Apache-2.0
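Review bot: Removing the `[extras]` section drops the `bandit` extra entirely, so anything that installs the project as `.[bandit]` (including the `deps = .[bandit]` line this change also removes from tox.ini) will stop working; please check that no job definitions or docs still reference that extra. The version floor `bandit>=0.17.3` is carried over unchanged into test-requirements, which keeps the minimum linter version consistent.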


@ -9,6 +9,7 @@ hacking<0.11,>=0.10.0
Babel>=1.3 # BSD Babel>=1.3 # BSD
# Needed for testing # Needed for testing
bandit>=0.17.3 # Apache-2.0
coverage>=3.6 # Apache-2.0 coverage>=3.6 # Apache-2.0
fixtures>=1.3.1 # Apache-2.0/BSD fixtures>=1.3.1 # Apache-2.0/BSD
mox3>=0.7.0 # Apache-2.0 mox3>=0.7.0 # Apache-2.0
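Review bot: `bandit>=0.17.3` is placed under "# Needed for testing" in alphabetical order, which matches the file's convention. One consequence of a lower bound only: every new bandit release (with any new or stricter plugins) will be picked up by the pep8 gate automatically, so a previously green tree can start failing without a code change; that is acceptable for a security linter, but it is worth saying in the commit message that the gate now tracks the latest bandit.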


@ -30,6 +30,8 @@ commands =
[testenv:pep8] [testenv:pep8]
commands = commands =
flake8 {posargs} flake8 {posargs}
# Run security linter
bandit -c bandit.yaml -r glance -n5 -p gate
# Check that .po and .pot files are valid: # Check that .po and .pot files are valid:
bash -c "find glance -type f -regex '.*\.pot?' -print0|xargs -0 -n 1 msgfmt --check-format -o /dev/null" bash -c "find glance -type f -regex '.*\.pot?' -print0|xargs -0 -n 1 msgfmt --check-format -o /dev/null"
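Review bot: Since tox runs the `commands` list in order and stops at the first non-zero exit, placing `bandit -c bandit.yaml -r glance -n5 -p gate` after `flake8 {posargs}` means a flake8 failure will hide bandit findings until it is fixed (and a bandit finding will likewise block the `.po`/`.pot` check that follows). That is fine for a gate, but contributors who want only the security results should be pointed at the `[testenv:bandit]` environment, which this change keeps. Note also that `{posargs}` is passed to flake8 only, so `tox -e pep8 -- somefile.py` still scans all of `glance` with bandit.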
@ -57,7 +59,6 @@ commands =
commands = python setup.py build_sphinx commands = python setup.py build_sphinx
[testenv:bandit] [testenv:bandit]
deps = .[bandit]
commands = bandit -c bandit.yaml -r glance -n5 -p gate commands = bandit -c bandit.yaml -r glance -n5 -p gate
[flake8] [flake8]
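Review bot: With `deps = .[bandit]` removed, the `[testenv:bandit]` environment now relies on bandit being installed by the base `[testenv]` deps via test-requirements.txt; that inheritance is not visible in this hunk, so please confirm the top-level `[testenv]` installs test-requirements, otherwise `tox -e bandit` will fail with bandit missing. The command line is now duplicated verbatim between `[testenv:pep8]` and `[testenv:bandit]`; consider defining it once (for example via a tox substitution) so the `-p gate` profile and `-n5` context settings cannot drift apart.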