Merge "Remove bandit.yaml in favor of default config"
This commit is contained in:
		
							
								
								
									
										131
									
								
								bandit.yaml
									
									
									
									
									
								
							
							
						
						
									
										131
									
								
								bandit.yaml
									
									
									
									
									
								
							| @@ -1,131 +0,0 @@ | |||||||
| # optional: after how many files to update progress |  | ||||||
| #show_progress_every: 100 |  | ||||||
|  |  | ||||||
| # optional: plugins directory name |  | ||||||
| #plugins_dir: 'plugins' |  | ||||||
|  |  | ||||||
| # optional: plugins discovery name pattern |  | ||||||
| plugin_name_pattern: '*.py' |  | ||||||
|  |  | ||||||
| # optional: terminal escape sequences to display colors |  | ||||||
| #output_colors: |  | ||||||
| #    DEFAULT: '\033[0m' |  | ||||||
| #    HEADER: '\033[95m' |  | ||||||
| #    INFO: '\033[94m' |  | ||||||
| #    WARN: '\033[93m' |  | ||||||
| #    ERROR: '\033[91m' |  | ||||||
|  |  | ||||||
| # optional: log format string |  | ||||||
| #log_format: "[%(module)s]\t%(levelname)s\t%(message)s" |  | ||||||
|  |  | ||||||
| # globs of files which should be analyzed |  | ||||||
| include: |  | ||||||
|     - '*.py' |  | ||||||
|     - '*.pyw' |  | ||||||
|  |  | ||||||
| # a list of strings, which if found in the path will cause files to be excluded |  | ||||||
| # for example /tests/ - to remove all all files in tests directory |  | ||||||
| exclude_dirs: |  | ||||||
|     - '/tests/' |  | ||||||
|  |  | ||||||
| profiles: |  | ||||||
|     heat_conservative: |  | ||||||
|         include: |  | ||||||
|             - blacklist_calls |  | ||||||
|             - blacklist_imports |  | ||||||
|             - request_with_no_cert_validation |  | ||||||
|             - exec_used |  | ||||||
|             - set_bad_file_permissions |  | ||||||
|             - subprocess_popen_with_shell_equals_true |  | ||||||
|             - linux_commands_wildcard_injection |  | ||||||
|             - ssl_with_bad_version |  | ||||||
|  |  | ||||||
|  |  | ||||||
|     heat_verbose: |  | ||||||
|         include: |  | ||||||
|             - blacklist_calls |  | ||||||
|             - blacklist_imports |  | ||||||
|             - request_with_no_cert_validation |  | ||||||
|             - exec_used |  | ||||||
|             - set_bad_file_permissions |  | ||||||
|             - hardcoded_tmp_directory |  | ||||||
|             - subprocess_popen_with_shell_equals_true |  | ||||||
|             - any_other_function_with_shell_equals_true |  | ||||||
|             - linux_commands_wildcard_injection |  | ||||||
|             - ssl_with_bad_version |  | ||||||
|             - ssl_with_bad_defaults |  | ||||||
|  |  | ||||||
| blacklist_calls: |  | ||||||
|     bad_name_sets: |  | ||||||
|         - pickle: |  | ||||||
|             qualnames: [pickle.loads, pickle.load, pickle.Unpickler, |  | ||||||
|                         cPickle.loads, cPickle.load, cPickle.Unpickler] |  | ||||||
|             message: "Pickle library appears to be in use, possible security issue." |  | ||||||
|         - marshal: |  | ||||||
|             qualnames: [marshal.load, marshal.loads] |  | ||||||
|             message: "Deserialization with the marshal module is possibly dangerous." |  | ||||||
|         - md5: |  | ||||||
|             qualnames: [hashlib.md5] |  | ||||||
|             message: "Use of insecure MD5 hash function." |  | ||||||
|         - mktemp_q: |  | ||||||
|             qualnames: [tempfile.mktemp] |  | ||||||
|             message: "Use of insecure and deprecated function (mktemp)." |  | ||||||
|         - eval: |  | ||||||
|             qualnames: [eval] |  | ||||||
|             message: "Use of possibly insecure function - consider using safer ast.literal_eval." |  | ||||||
|         - mark_safe: |  | ||||||
|             names: [mark_safe] |  | ||||||
|             message: "Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed." |  | ||||||
|         - httpsconnection: |  | ||||||
|             qualnames: [httplib.HTTPSConnection] |  | ||||||
|             message: "Use of HTTPSConnection does not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033" |  | ||||||
|         - urllib_urlopen: |  | ||||||
|             qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request] |  | ||||||
|             message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected." |  | ||||||
|  |  | ||||||
| shell_injection: |  | ||||||
|     # Start a process using the subprocess module, or one of its wrappers. |  | ||||||
|     subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, |  | ||||||
|                  subprocess.check_output, utils.execute, utils.execute_with_timeout] |  | ||||||
|     # Start a process with a function vulnerable to shell injection. |  | ||||||
|     shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, |  | ||||||
|             popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3, |  | ||||||
|             popen2.Popen4, commands.getoutput, commands.getstatusoutput] |  | ||||||
|     # Start a process with a function that is not vulnerable to shell injection. |  | ||||||
|     no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve, |  | ||||||
|                os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp, |  | ||||||
|                os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe, |  | ||||||
|                os.startfile] |  | ||||||
|  |  | ||||||
| blacklist_imports: |  | ||||||
|     bad_import_sets: |  | ||||||
|         - telnet: |  | ||||||
|             imports: [telnetlib] |  | ||||||
|             level: ERROR |  | ||||||
|             message: "Telnet is considered insecure. Use SSH or some other encrypted protocol." |  | ||||||
|  |  | ||||||
| hardcoded_password: |  | ||||||
|     word_list: "wordlist/default-passwords" |  | ||||||
|  |  | ||||||
| ssl_with_bad_version: |  | ||||||
|     bad_protocol_versions: |  | ||||||
|         - 'PROTOCOL_SSLv2' |  | ||||||
|         - 'SSLv2_METHOD' |  | ||||||
|         - 'SSLv23_METHOD' |  | ||||||
|         - 'PROTOCOL_SSLv3'  # strict option |  | ||||||
|         - 'PROTOCOL_TLSv1'  # strict option |  | ||||||
|         - 'SSLv3_METHOD'    # strict option |  | ||||||
|         - 'TLSv1_METHOD'    # strict option |  | ||||||
|  |  | ||||||
| password_config_option_not_marked_secret: |  | ||||||
|     function_names: |  | ||||||
|         - oslo.config.cfg.StrOpt |  | ||||||
|         - oslo_config.cfg.StrOpt |  | ||||||
|  |  | ||||||
| execute_with_run_as_root_equals_true: |  | ||||||
|     function_names: |  | ||||||
|         - ceilometer.utils.execute |  | ||||||
|         - cinder.utils.execute |  | ||||||
|         - neutron.agent.linux.utils.execute |  | ||||||
|         - nova.utils.execute |  | ||||||
|         - nova.utils.trycmd |  | ||||||
							
								
								
									
										29
									
								
								tox.ini
									
									
									
									
									
								
							
							
						
						
									
										29
									
								
								tox.ini
									
									
									
									
									
								
							| @@ -29,6 +29,20 @@ commands = | |||||||
| commands = | commands = | ||||||
|     flake8 heat bin/heat-api bin/heat-api-cfn bin/heat-api-cloudwatch bin/heat-engine bin/heat-manage contrib heat_integrationtests doc/source |     flake8 heat bin/heat-api bin/heat-api-cfn bin/heat-api-cloudwatch bin/heat-engine bin/heat-manage contrib heat_integrationtests doc/source | ||||||
|     python tools/custom_guidelines.py --exclude heat/engine/resources/aws |     python tools/custom_guidelines.py --exclude heat/engine/resources/aws | ||||||
|  |     # The following bandit tests are being skipped: | ||||||
|  |     # B101: Test for use of assert | ||||||
|  |     # B104: Test for binding to all interfaces | ||||||
|  |     # B107: Test for use of hard-coded password argument defaults | ||||||
|  |     # B110: Try, Except, Pass detected. | ||||||
|  |     # B310: Audit url open for permitted schemes | ||||||
|  |     # B311: Standard pseudo-random generators are not suitable for security/cryptographic purposes | ||||||
|  |     # B404: Import of subprocess module | ||||||
|  |     # B410: Import of lxml module | ||||||
|  |     # B504: Test for SSL use with no version specified | ||||||
|  |     # B506: Test for use of yaml load | ||||||
|  |     # B603: Test for use of subprocess with shell equals true | ||||||
|  |     # B607: Test for starting a process with a partial path | ||||||
|  |     bandit -r heat -x tests --skip B101,B104,B107,B110,B310,B311,B404,B410,B504,B506,B603,B607 | ||||||
|  |  | ||||||
| [testenv:venv] | [testenv:venv] | ||||||
| commands = {posargs} | commands = {posargs} | ||||||
| @@ -59,7 +73,20 @@ commands = | |||||||
|  |  | ||||||
| [testenv:bandit] | [testenv:bandit] | ||||||
| deps = -r{toxinidir}/test-requirements.txt | deps = -r{toxinidir}/test-requirements.txt | ||||||
| commands = bandit -c bandit.yaml -r heat -n5 -p heat_conservative | # The following bandit tests are being skipped: | ||||||
|  | # B101: Test for use of assert | ||||||
|  | # B104: Test for binding to all interfaces | ||||||
|  | # B107: Test for use of hard-coded password argument defaults | ||||||
|  | # B110: Try, Except, Pass detected. | ||||||
|  | # B310: Audit url open for permitted schemes | ||||||
|  | # B311: Standard pseudo-random generators are not suitable for security/cryptographic purposes | ||||||
|  | # B404: Import of subprocess module | ||||||
|  | # B410: Import of lxml module | ||||||
|  | # B504: Test for SSL use with no version specified | ||||||
|  | # B506: Test for use of yaml load | ||||||
|  | # B603: Test for use of subprocess with shell equals true | ||||||
|  | # B607: Test for starting a process with a partial path | ||||||
|  | commands = bandit -r heat -x tests --skip B101,B104,B107,B110,B310,B311,B404,B410,B504,B506,B603,B607 | ||||||
|  |  | ||||||
| [flake8] | [flake8] | ||||||
| show-source = true | show-source = true | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Jenkins
					Jenkins