From 6f634c358b843bc30b0dc0b56e46a18f71fd226a Mon Sep 17 00:00:00 2001
From: Kaifeng Wang <kaifeng.w@gmail.com>
Date: Thu, 20 Jun 2019 11:39:42 +0800
Subject: [PATCH] Adds bandit template and exclude some of tests
Adds bandit configuration template and exclude some of
tests that we don't want to fix for the moment.
Keeping job unvoted so that we can keep an eye on possible
issues while not breaking gate.
Change-Id: I092d686ba38723d7951e8f06415f28cc809ad365
Story: 2005791
Task: 33563
---
ironic_python_agent/extensions/standby.py | 3 +-
.../tests/unit/extensions/test_standby.py | 6 +-
tools/bandit.yml | 401 ++++++++++++++++++
tox.ini | 3 +-
zuul.d/ironic-python-agent-jobs.yaml | 2 +-
5 files changed, 411 insertions(+), 4 deletions(-)
create mode 100644 tools/bandit.yml
diff --git a/ironic_python_agent/extensions/standby.py b/ironic_python_agent/extensions/standby.py
index d22f77be5..dd19c2005 100644
--- a/ironic_python_agent/extensions/standby.py
+++ b/ironic_python_agent/extensions/standby.py
@@ -14,6 +14,7 @@
import hashlib
import os
+import tempfile
import time
from ironic_lib import disk_utils
@@ -42,7 +43,7 @@ def _image_location(image_info):
:param image_info: Image information dictionary.
:returns: The full, absolute path to the image as a string.
"""
- return '/tmp/{}'.format(image_info['id'])
+ return os.path.join(tempfile.gettempdir(), image_info['id'])
def _path_to_script(script):
diff --git a/ironic_python_agent/tests/unit/extensions/test_standby.py b/ironic_python_agent/tests/unit/extensions/test_standby.py
index 06b354edf..9682aef5d 100644
--- a/ironic_python_agent/tests/unit/extensions/test_standby.py
+++ b/ironic_python_agent/tests/unit/extensions/test_standby.py
@@ -13,6 +13,7 @@
# limitations under the License.
import os
+import tempfile
import mock
from oslo_concurrency import processutils
@@ -144,7 +145,10 @@ class TestStandbyExtension(base.IronicAgentTest):
def test_image_location(self):
image_info = _build_fake_image_info()
location = standby._image_location(image_info)
- self.assertEqual('/tmp/fake_id', location)
+ # Can't hardcode /tmp here, each test is running in an isolated
+ # tempdir
+ expected_loc = os.path.join(tempfile.gettempdir(), 'fake_id')
+ self.assertEqual(expected_loc, location)
@mock.patch('six.moves.builtins.open', autospec=True)
@mock.patch('ironic_python_agent.utils.execute', autospec=True)
diff --git a/tools/bandit.yml b/tools/bandit.yml
new file mode 100644
index 000000000..f401e21ab
--- /dev/null
+++ b/tools/bandit.yml
@@ -0,0 +1,401 @@
+
+### Bandit config file generated from:
+# '/home/kaifeng/community/ironic-python-agent/.tox/bandit/bin/bandit-config-generator -o tools/config/bandit.yml'
+
+### This config may optionally select a subset of tests to run or skip by
+### filling out the 'tests' and 'skips' lists given below. If no tests are
+### specified for inclusion then it is assumed all tests are desired. The skips
+### set will remove specific tests from the include set. This can be controlled
+### using the -t/-s CLI options. Note that the same test ID should not appear
+### in both 'tests' and 'skips', this would be nonsensical and is detected by
+### Bandit at runtime.
+
+# Available tests:
+# B101 : assert_used
+# B102 : exec_used
+# B103 : set_bad_file_permissions
+# B104 : hardcoded_bind_all_interfaces
+# B105 : hardcoded_password_string
+# B106 : hardcoded_password_funcarg
+# B107 : hardcoded_password_default
+# B108 : hardcoded_tmp_directory
+# B110 : try_except_pass
+# B112 : try_except_continue
+# B201 : flask_debug_true
+# B301 : pickle
+# B302 : marshal
+# B303 : md5
+# B304 : ciphers
+# B305 : cipher_modes
+# B306 : mktemp_q
+# B307 : eval
+# B308 : mark_safe
+# B309 : httpsconnection
+# B310 : urllib_urlopen
+# B311 : random
+# B312 : telnetlib
+# B313 : xml_bad_cElementTree
+# B314 : xml_bad_ElementTree
+# B315 : xml_bad_expatreader
+# B316 : xml_bad_expatbuilder
+# B317 : xml_bad_sax
+# B318 : xml_bad_minidom
+# B319 : xml_bad_pulldom
+# B320 : xml_bad_etree
+# B321 : ftplib
+# B322 : input
+# B323 : unverified_context
+# B324 : hashlib_new_insecure_functions
+# B325 : tempnam
+# B401 : import_telnetlib
+# B402 : import_ftplib
+# B403 : import_pickle
+# B404 : import_subprocess
+# B405 : import_xml_etree
+# B406 : import_xml_sax
+# B407 : import_xml_expat
+# B408 : import_xml_minidom
+# B409 : import_xml_pulldom
+# B410 : import_lxml
+# B411 : import_xmlrpclib
+# B412 : import_httpoxy
+# B413 : import_pycrypto
+# B414 : import_pycryptodome
+# B501 : request_with_no_cert_validation
+# B502 : ssl_with_bad_version
+# B503 : ssl_with_bad_defaults
+# B504 : ssl_with_no_version
+# B505 : weak_cryptographic_key
+# B506 : yaml_load
+# B507 : ssh_no_host_key_verification
+# B601 : paramiko_calls
+# B602 : subprocess_popen_with_shell_equals_true
+# B603 : subprocess_without_shell_equals_true
+# B604 : any_other_function_with_shell_equals_true
+# B605 : start_process_with_a_shell
+# B606 : start_process_with_no_shell
+# B607 : start_process_with_partial_path
+# B608 : hardcoded_sql_expressions
+# B609 : linux_commands_wildcard_injection
+# B610 : django_extra_used
+# B611 : django_rawsql_used
+# B701 : jinja2_autoescape_false
+# B702 : use_of_mako_templates
+# B703 : django_mark_safe
+
+# (optional) list included test IDs here, eg '[B101, B406]':
+tests:
+
+# (optional) list skipped test IDs here, eg '[B101, B406]':
+skips:
+ - B104
+ - B303
+ - B604
+
+### (optional) plugin settings - some test plugins require configuration data
+### that may be given here, per-plugin. All bandit test plugins have a built in
+### set of sensible defaults and these will be used if no configuration is
+### provided. It is not necessary to provide settings for every (or any) plugin
+### if the defaults are acceptable.
+
+any_other_function_with_shell_equals_true:
+ no_shell:
+ - os.execl
+ - os.execle
+ - os.execlp
+ - os.execlpe
+ - os.execv
+ - os.execve
+ - os.execvp
+ - os.execvpe
+ - os.spawnl
+ - os.spawnle
+ - os.spawnlp
+ - os.spawnlpe
+ - os.spawnv
+ - os.spawnve
+ - os.spawnvp
+ - os.spawnvpe
+ - os.startfile
+ shell:
+ - os.system
+ - os.popen
+ - os.popen2
+ - os.popen3
+ - os.popen4
+ - popen2.popen2
+ - popen2.popen3
+ - popen2.popen4
+ - popen2.Popen3
+ - popen2.Popen4
+ - commands.getoutput
+ - commands.getstatusoutput
+ subprocess:
+ - subprocess.Popen
+ - subprocess.call
+ - subprocess.check_call
+ - subprocess.check_output
+ - subprocess.run
+hardcoded_tmp_directory:
+ tmp_dirs:
+ - /tmp
+ - /var/tmp
+ - /dev/shm
+linux_commands_wildcard_injection:
+ no_shell:
+ - os.execl
+ - os.execle
+ - os.execlp
+ - os.execlpe
+ - os.execv
+ - os.execve
+ - os.execvp
+ - os.execvpe
+ - os.spawnl
+ - os.spawnle
+ - os.spawnlp
+ - os.spawnlpe
+ - os.spawnv
+ - os.spawnve
+ - os.spawnvp
+ - os.spawnvpe
+ - os.startfile
+ shell:
+ - os.system
+ - os.popen
+ - os.popen2
+ - os.popen3
+ - os.popen4
+ - popen2.popen2
+ - popen2.popen3
+ - popen2.popen4
+ - popen2.Popen3
+ - popen2.Popen4
+ - commands.getoutput
+ - commands.getstatusoutput
+ subprocess:
+ - subprocess.Popen
+ - subprocess.call
+ - subprocess.check_call
+ - subprocess.check_output
+ - subprocess.run
+ssl_with_bad_defaults:
+ bad_protocol_versions:
+ - PROTOCOL_SSLv2
+ - SSLv2_METHOD
+ - SSLv23_METHOD
+ - PROTOCOL_SSLv3
+ - PROTOCOL_TLSv1
+ - SSLv3_METHOD
+ - TLSv1_METHOD
+ssl_with_bad_version:
+ bad_protocol_versions:
+ - PROTOCOL_SSLv2
+ - SSLv2_METHOD
+ - SSLv23_METHOD
+ - PROTOCOL_SSLv3
+ - PROTOCOL_TLSv1
+ - SSLv3_METHOD
+ - TLSv1_METHOD
+start_process_with_a_shell:
+ no_shell:
+ - os.execl
+ - os.execle
+ - os.execlp
+ - os.execlpe
+ - os.execv
+ - os.execve
+ - os.execvp
+ - os.execvpe
+ - os.spawnl
+ - os.spawnle
+ - os.spawnlp
+ - os.spawnlpe
+ - os.spawnv
+ - os.spawnve
+ - os.spawnvp
+ - os.spawnvpe
+ - os.startfile
+ shell:
+ - os.system
+ - os.popen
+ - os.popen2
+ - os.popen3
+ - os.popen4
+ - popen2.popen2
+ - popen2.popen3
+ - popen2.popen4
+ - popen2.Popen3
+ - popen2.Popen4
+ - commands.getoutput
+ - commands.getstatusoutput
+ subprocess:
+ - subprocess.Popen
+ - subprocess.call
+ - subprocess.check_call
+ - subprocess.check_output
+ - subprocess.run
+start_process_with_no_shell:
+ no_shell:
+ - os.execl
+ - os.execle
+ - os.execlp
+ - os.execlpe
+ - os.execv
+ - os.execve
+ - os.execvp
+ - os.execvpe
+ - os.spawnl
+ - os.spawnle
+ - os.spawnlp
+ - os.spawnlpe
+ - os.spawnv
+ - os.spawnve
+ - os.spawnvp
+ - os.spawnvpe
+ - os.startfile
+ shell:
+ - os.system
+ - os.popen
+ - os.popen2
+ - os.popen3
+ - os.popen4
+ - popen2.popen2
+ - popen2.popen3
+ - popen2.popen4
+ - popen2.Popen3
+ - popen2.Popen4
+ - commands.getoutput
+ - commands.getstatusoutput
+ subprocess:
+ - subprocess.Popen
+ - subprocess.call
+ - subprocess.check_call
+ - subprocess.check_output
+ - subprocess.run
+start_process_with_partial_path:
+ no_shell:
+ - os.execl
+ - os.execle
+ - os.execlp
+ - os.execlpe
+ - os.execv
+ - os.execve
+ - os.execvp
+ - os.execvpe
+ - os.spawnl
+ - os.spawnle
+ - os.spawnlp
+ - os.spawnlpe
+ - os.spawnv
+ - os.spawnve
+ - os.spawnvp
+ - os.spawnvpe
+ - os.startfile
+ shell:
+ - os.system
+ - os.popen
+ - os.popen2
+ - os.popen3
+ - os.popen4
+ - popen2.popen2
+ - popen2.popen3
+ - popen2.popen4
+ - popen2.Popen3
+ - popen2.Popen4
+ - commands.getoutput
+ - commands.getstatusoutput
+ subprocess:
+ - subprocess.Popen
+ - subprocess.call
+ - subprocess.check_call
+ - subprocess.check_output
+ - subprocess.run
+subprocess_popen_with_shell_equals_true:
+ no_shell:
+ - os.execl
+ - os.execle
+ - os.execlp
+ - os.execlpe
+ - os.execv
+ - os.execve
+ - os.execvp
+ - os.execvpe
+ - os.spawnl
+ - os.spawnle
+ - os.spawnlp
+ - os.spawnlpe
+ - os.spawnv
+ - os.spawnve
+ - os.spawnvp
+ - os.spawnvpe
+ - os.startfile
+ shell:
+ - os.system
+ - os.popen
+ - os.popen2
+ - os.popen3
+ - os.popen4
+ - popen2.popen2
+ - popen2.popen3
+ - popen2.popen4
+ - popen2.Popen3
+ - popen2.Popen4
+ - commands.getoutput
+ - commands.getstatusoutput
+ subprocess:
+ - subprocess.Popen
+ - subprocess.call
+ - subprocess.check_call
+ - subprocess.check_output
+ - subprocess.run
+subprocess_without_shell_equals_true:
+ no_shell:
+ - os.execl
+ - os.execle
+ - os.execlp
+ - os.execlpe
+ - os.execv
+ - os.execve
+ - os.execvp
+ - os.execvpe
+ - os.spawnl
+ - os.spawnle
+ - os.spawnlp
+ - os.spawnlpe
+ - os.spawnv
+ - os.spawnve
+ - os.spawnvp
+ - os.spawnvpe
+ - os.startfile
+ shell:
+ - os.system
+ - os.popen
+ - os.popen2
+ - os.popen3
+ - os.popen4
+ - popen2.popen2
+ - popen2.popen3
+ - popen2.popen4
+ - popen2.Popen3
+ - popen2.Popen4
+ - commands.getoutput
+ - commands.getstatusoutput
+ subprocess:
+ - subprocess.Popen
+ - subprocess.call
+ - subprocess.check_call
+ - subprocess.check_output
+ - subprocess.run
+try_except_continue:
+ check_typed_exception: false
+try_except_pass:
+ check_typed_exception: false
+weak_cryptographic_key:
+ weak_key_size_dsa_high: 1024
+ weak_key_size_dsa_medium: 2048
+ weak_key_size_ec_high: 160
+ weak_key_size_ec_medium: 224
+ weak_key_size_rsa_high: 1024
+ weak_key_size_rsa_medium: 2048
+
diff --git a/tox.ini b/tox.ini
index 954801e18..59ecc3f73 100644
--- a/tox.ini
+++ b/tox.ini
@@ -118,4 +118,5 @@ deps =
[testenv:bandit]
basepython = python3
deps = -r{toxinidir}/test-requirements.txt
-commands = bandit -r ironic_python_agent -x tests -n5 -ll
+commands = bandit -r ironic_python_agent -x tests -n5 -ll -c tools/bandit.yml
+
diff --git a/zuul.d/ironic-python-agent-jobs.yaml b/zuul.d/ironic-python-agent-jobs.yaml
index 1423a371d..c2913868a 100644
--- a/zuul.d/ironic-python-agent-jobs.yaml
+++ b/zuul.d/ironic-python-agent-jobs.yaml
@@ -157,7 +157,7 @@
- ^ironic_python_agent/tests/.*$
- ^releasenotes/.*$
- ^setup.cfg$
- - ^tools/.*$
+ - ^tools/(?!bandit.yml).*$
- ^tox.ini$
- job: