The three lines of code in pegleg.engine.errorcodes and pegleg.engine.util.pegleg_secret_management are giving false positive bandit errors. This patchset addresses these by adding a # nosec label to each line, instructing Bandit to ignore that line of code.

The three errors detected are all B105, details below from Bandit:

```
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'P009'
   Severity: Low   Confidence: Medium
   Location: pegleg/engine/errorcodes.py:22
20      FILE_CONTAINS_INVALID_YAML = 'P007'
21      DOCUMENT_LAYER_MISMATCH = 'P008'
22      SECRET_NOT_ENCRYPTED_POLICY = 'P009'
23
24      ALL_CODES = (
25          SCHEMA_STORAGE_POLICY_MISMATCH_FLAG,
```

# nosec reasoning: The variable 'SECRET_NOT_ENCRYPTED_POLICY' does not map to a hardcoded password.

```
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: '^.{24,}$'
   Severity: Low   Confidence: Medium
   Location: pegleg/engine/util/pegleg_secret_management.py:30
28
29      LOG = logging.getLogger(__name__)
30      PASSPHRASE_PATTERN = '^.{24,}$'
31      ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE'
32      ENV_SALT = 'PEGLEG_SALT'
```

# nosec reasoning: The variable 'PASSPHRASE_PATTERN' does not map to a hardcoded password.

```
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'PEGLEG_PASSPHRASE'
   Severity: Low   Confidence: Medium
   Location: pegleg/engine/util/pegleg_secret_management.py:31
29      LOG = logging.getLogger(__name__)
30      PASSPHRASE_PATTERN = '^.{24,}$'
31      ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE'
32      ENV_SALT = 'PEGLEG_SALT'
33
```

# nosec reasoning: The variable 'ENV_PASSPHRASE' does not map to a hardcoded password. This is setting the environment variable name that passwords are stored in as 'PEGLEG_PASSPHRASE'. The passphrases are not hardcoded on disk, but retrieved from environment variables later via os.environ.get(ENV_PASSPHRASE).

Change-Id: I4508b30b763f25e4466c2e2159fbaf3c7df68b5b
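The pattern the commit message describes, as an added example that is not pegleg's own code: the passphrase and salt are read from the environment at run time, the passphrase is checked against the same `^.{24,}$` policy, and the string literals that only name those secrets carry the `# nosec` marker the patch adds. The constant names and values are taken from the commit message; `PassphraseError`, `get_passphrase`, `get_salt`, `derive_key` and the PBKDF2 parameters are assumptions made for this example, not pegleg's API.

```python
"""Added example, not code from pegleg: secrets come from the environment,
nothing secret lives in the source, and the literals that only *name* the
secrets are annotated for Bandit. Constant names and values follow the
commit message; PassphraseError, get_passphrase, get_salt, derive_key and
the PBKDF2 parameters are assumptions for this example."""
import hashlib
import os
import re
from typing import Mapping, Optional

# The regex is a length policy and the two strings are environment-variable
# names; Bandit's B105 check flags them because of the variable names, so each
# line is annotated the way the patch does, with the reason kept alongside.
PASSPHRASE_PATTERN = '^.{24,}$'  # nosec
ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE'  # nosec
ENV_SALT = 'PEGLEG_SALT'


class PassphraseError(ValueError):
    """Hypothetical error type: passphrase or salt missing, or policy not met."""


def get_passphrase(environ: Optional[Mapping[str, str]] = None) -> bytes:
    """Return the passphrase from the environment, enforcing PASSPHRASE_PATTERN.

    Fails closed: a missing or too-short passphrase raises instead of falling
    back to a default, so no usable secret ever has to be written into code.
    """
    env = os.environ if environ is None else environ
    passphrase = env.get(ENV_PASSPHRASE)
    if passphrase is None:
        raise PassphraseError(f'{ENV_PASSPHRASE} is not set')
    if not re.match(PASSPHRASE_PATTERN, passphrase):
        raise PassphraseError(
            f'{ENV_PASSPHRASE} must be at least 24 characters long')
    return passphrase.encode('utf-8')


def get_salt(environ: Optional[Mapping[str, str]] = None) -> bytes:
    """Return the salt from the environment; unset or empty is an error."""
    env = os.environ if environ is None else environ
    salt = env.get(ENV_SALT)
    if not salt:
        raise PassphraseError(f'{ENV_SALT} is not set')
    return salt.encode('utf-8')


def derive_key(environ: Optional[Mapping[str, str]] = None,
               iterations: int = 100_000) -> bytes:
    """Derive a 32-byte key with PBKDF2-HMAC-SHA256 (KDF assumed for this example)."""
    return hashlib.pbkdf2_hmac('sha256', get_passphrase(environ),
                               get_salt(environ), iterations, dklen=32)


if __name__ == '__main__':
    # Constructed environment for a stand-alone run; no real secrets involved.
    demo_env = {ENV_PASSPHRASE: 'correct horse battery staple xyz',
                ENV_SALT: 'example-salt'}
    print(derive_key(demo_env).hex())
```

Passing the environment as a mapping keeps the functions testable without touching `os.environ`; in production the default (`None`) reads the real process environment, which is the point the commit message makes: the value behind `PEGLEG_PASSPHRASE` is never in the repository, only its name is.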