Remove use of old bandit.yaml

The bandit.yaml in use by Barbican was very old. This patch removes it and just uses the default provided by Bandit itself. Some issues needed to be fixed or ignored as a result. Change-Id: If35c5d8173b9d86617647028a30b0548bb03d3c0
2016-03-08 11:21:44 -08:00 · 2016-03-08 11:21:44 -08:00 · 15256e42ad
commit 15256e42ad
parent 032da9612a
5 changed files with 8 additions and 142 deletions
--- a/bandit.yaml
+++ b/bandit.yaml
@ -1,135 +0,0 @@
-# optional: after how many files to update progress
-#show_progress_every: 100
-
-# optional: plugins directory name
-#plugins_dir: 'plugins'
-
-# optional: plugins discovery name pattern
-plugin_name_pattern: '*.py'
-
-# optional: terminal escape sequences to display colors
-#output_colors:
-#    DEFAULT: '\033[0m'
-#    HEADER: '\033[95m'
-#    INFO: '\033[94m'
-#    WARN: '\033[93m'
-#    ERROR: '\033[91m'
-
-# optional: log format string
-#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
-
-# globs of files which should be analyzed
-include:
-    - '*.py'
-    - '*.pyw'
-
-# a list of strings, which if found in the path will cause files to be excluded
-# for example /tests/ - to remove all all files in tests directory
-# exclude_dirs:
-#    - '/tests/'
-
-profiles:
-    barbican_conservative:
-        include:
-            - blacklist_functions
-            - blacklist_imports
-            - request_with_no_cert_validation
-            - exec_used
-            - set_bad_file_permissions
-            - subprocess_popen_with_shell_equals_true
-            - linux_commands_wildcard_injection
-            - ssl_with_bad_version
-
-
-    barbican_verbose:
-        include:
-            - blacklist_functions
-            - blacklist_imports
-            - request_with_no_cert_validation
-            - exec_used
-            - set_bad_file_permissions
-            - hardcoded_tmp_directory
-            - subprocess_popen_with_shell_equals_true
-            - any_other_function_with_shell_equals_true
-            - linux_commands_wildcard_injection
-            - ssl_with_bad_version
-            - ssl_with_bad_defaults
-
-blacklist_functions:
-    bad_name_sets:
-        - pickle:
-            qualnames: [pickle.loads, pickle.load, pickle.Unpickler,
-                        cPickle.loads, cPickle.load, cPickle.Unpickler]
-            message: "Pickle library appears to be in use, possible security issue."
-        - marshal:
-            qualnames: [marshal.load, marshal.loads]
-            message: "Deserialization with the marshal module is possibly dangerous."
-        - md5:
-            qualnames: [hashlib.md5]
-            message: "Use of insecure MD5 hash function."
-        - mktemp_q:
-            qualnames: [tempfile.mktemp]
-            message: "Use of insecure and deprecated function (mktemp)."
-        - eval:
-            qualnames: [eval]
-            message: "Use of possibly insecure function - consider using safer ast.literal_eval."
-        - mark_safe:
-            names: [mark_safe]
-            message: "Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed."
-        - httpsconnection:
-            qualnames: [httplib.HTTPSConnection]
-            message: "Use of HTTPSConnection does not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033"
-        - yaml_load:
-            qualnames: [yaml.load]
-            message: "Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load()."
-        - urllib_urlopen:
-            qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
-            message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected."
-
-shell_injection:
-    # Start a process using the subprocess module, or one of its wrappers.
-    subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
-                 subprocess.check_output, utils.execute, utils.execute_with_timeout]
-    # Start a process with a function vulnerable to shell injection.
-    shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4,
-            popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3,
-            popen2.Popen4, commands.getoutput, commands.getstatusoutput]
-    # Start a process with a function that is not vulnerable to shell injection.
-    no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve,
-               os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp,
-               os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe,
-               os.startfile]
-
-blacklist_imports:
-    bad_import_sets:
-        - telnet:
-            imports: [telnetlib]
-            level: ERROR
-            message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
-
-hardcoded_password:
-    word_list: "wordlist/default-passwords"
-
-ssl_with_bad_version:
-    bad_protocol_versions:
-        - 'PROTOCOL_SSLv2'
-        - 'SSLv2_METHOD'
-        - 'SSLv23_METHOD'
-        - 'PROTOCOL_SSLv3'  # strict option
-        - 'PROTOCOL_TLSv1'  # strict option
-        - 'SSLv3_METHOD'    # strict option
-        - 'TLSv1_METHOD'    # strict option
-
-password_config_option_not_marked_secret:
-    function_names:
-        - oslo.config.cfg.StrOpt
-        - oslo_config.cfg.StrOpt
-
-execute_with_run_as_root_equals_true:
-    function_names:
-        - ceilometer.utils.execute
-        - cinder.utils.execute
-        - neutron.agent.linux.utils.execute
-        - nova.utils.execute
-        - nova.utils.trycmd
-
--- a/barbican/api/controllers/containers.py
+++ b/barbican/api/controllers/containers.py
@ -100,7 +100,7 @@ class ContainerController(controllers.ACLMixin):
            try:
                self.consumer_repo.delete_entity_by_id(
                    consumer.id, external_project_id)
-            except exception.NotFound:
+            except exception.NotFound:  # nosec
                pass


--- a/barbican/plugin/snakeoil_ca.py
+++ b/barbican/plugin/snakeoil_ca.py
@ -18,6 +18,7 @@ import datetime
 import fnmatch
 import os
 import re
+import subprocess  # nosec
 from tempfile import mkstemp
 import uuid

@ -259,9 +260,8 @@ class SnakeoilCA(object):
        fout, temp_out = mkstemp()
        os.close(fout)

-        command = ("openssl crl2pkcs7 -nocrl -out " + temp_out +
-                   " -certfile " + temp_in)
-        os.system(command)
+        subprocess.call(['/usr/bin/openssl', 'crl2pkcs7', '-nocrl',  # nosec
+                         '-out', temp_out, '-certfile', temp_in], shell=False)
        with open(temp_out) as pkcs7_fh:
            pkcs7 = pkcs7_fh.read()

--- a/barbican/queue/retry_scheduler.py
+++ b/barbican/queue/retry_scheduler.py
@ -40,7 +40,8 @@ def _compute_next_periodic_interval():
    )

    # Return +- 20% of interval.
-    return random.uniform(0.8 * periodic_interval, 1.2 * periodic_interval)
+    return random.uniform(0.8 * periodic_interval,  # nosec
+                          1.2 * periodic_interval)


 class PeriodicServer(service.Service):
--- a/tox.ini
+++ b/tox.ini
@ -66,7 +66,7 @@ sitepackages = False
 commands =
  flake8 {posargs}
  # Run security linter
-  bandit -c bandit.yaml -r barbican -n5 -p barbican_conservative
+  bandit -r barbican -x tests -n5

 [testenv:venv]
 commands = {posargs}
@ -102,4 +102,4 @@ exclude = .git,.idea,.tox,bin,dist,debian,rpmbuild,tools,*.egg-info,*.eggs,*open

 [testenv:bandit]
 deps = -r{toxinidir}/test-requirements.txt
-commands = bandit -c bandit.yaml -r barbican -n5 -p barbican_conservative
+commands = bandit -r barbican -x tests -n5