openstack
/
bandit
Code Issues Proposed changes
bandit/bandit.yaml

125 lines
4.3 KiB
YAML
Raw Blame History

# optional: after how many files to update progress
#show_progress_every: 100
# optional: plugins directory name
#plugins_dir: 'plugins'
# optional: plugins discovery name pattern
plugin_name_pattern: '*.py'
# optional: terminal escape sequences to display colors
#output_colors:
# DEFAULT: '\033[0m'
# HEADER: '\033[95m'
# INFO: '\033[94m'
# WARN: '\033[93m'
# ERROR: '\033[91m'
# optional: log format string
#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
# globs of files which should be analyzed
include:
- '*.py'
- '*.pyw'
# a list of strings, which if found in the path will cause files to be excluded
# for example /tests/ - to remove all all files in tests directory
exclude_dirs:
profiles:
XSS:
include:
- jinja2_autoescape_false
- use_of_mako_templates
ShellInjection:
include:
- subprocess_popen_with_shell_equals_true
- any_other_function_with_shell_equals_true
exclude:
SqlInjection:
include:
- hardcoded_sql_expressions
blacklist_functions:
bad_name_sets:
- pickle:
qualname: pickle.loads, pickle.dumps
message: "Pickle library appears to be in use, possible security issue."
- md5:
qualname: hashlib.md5
message: "Use of insecure MD5 hash function."
- subprocess_popen:
qualname: subprocess.Popen
message: "Use of possibly insecure system call function (subprocess.Popen)."
- subprocess_call:
qualname: subprocess.call
message: "Use of possibly insecure system call function (subprocess.call)."
- os_exec:
qualname: os.exec, os.spawn
params: l, le, lp, lpe, v, ve, vp, vpe
message: "Use of possibly insecure system call function (os.exec or os.spawn)."
- os_popen:
qualname: os.popen
message: "Use of insecure / deprecated system call function (os.popen)."
- os_startfile_q:
qualname: os.startfile
message: "Use of insecure system function (os.startfile)."
- mktemp_q:
qualname: tempfile.mktemp
message: "Use of insecure and deprecated function (mktemp)."
- eval:
name: eval
message: "Use of possibly insecure function - consider using safer ast.literal_eval."
- mark_safe:
name: mark_safe
message: "Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed."
- httpsconnection:
qualname: httplib.HTTPSConnection
message: "Use of HTTPSConnection does not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033"
- yaml_load:
qualname: yaml.load
message: "Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load()."
- urllib_urlopen:
qualname: urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request
message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected."
blacklist_imports:
bad_import_sets:
- telnet:
import: telnetlib
level: ERROR
message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
- info_libs:
import: pickle, subprocess, Crypto
level: INFO
message: "Consider possible security implications associated with {module} module."
hardcoded_password:
word_list: "wordlist/default-passwords"
ssl_with_bad_version:
bad_protocol_versions:
- 'PROTOCOL_SSLv2'
- 'SSLv2_METHOD'
- 'SSLv23_METHOD'
- 'PROTOCOL_SSLv3' # strict option
- 'PROTOCOL_TLSv1' # strict option
- 'SSLv3_METHOD' # strict option
- 'TLSv1_METHOD' # strict option
password_config_option_not_marked_secret:
function_names:
- oslo.config.cfg.StrOpt
- oslo_config.cfg.StrOpt
execute_with_run_as_root_equals_true:
function_names:
- ceilometer.utils.execute
- cinder.utils.execute
- neutron.agent.linux.utils.execute
- nova.utils.execute
- nova.utils.trycmd
View Git Blame Copy Permalink