openstack/deb-python-magnumclient
Code Issues Proposed changes

Remove bandit.yaml in favor of defaults

Browse Source 
This patch removes the bandit.yaml and just uses whatever Bandit
defaults with in the scan. This cuts down on the maintenance of
the burdensome bandit.yaml file.

This patch also changes the severity level of the scan to just
medium and high issues.

Here are the results without the -ll to exclude low severity:
http://paste.openstack.org/show/489898/

Change-Id: Ia063db516175f518cfa1c68902b8b74734f294c0
This commit is contained in:
Eric Brown
2016-03-09 11:45:29 -08:00
parent a72a2f1dd0
commit a5381cdd2f
2 changed files with 2 additions and 136 deletions
Download Patch File Download Diff File Expand all files Collapse all files

134
bandit.yaml
View File

@@ -1,134 +0,0 @@
# optional: after how many files to update progress
#show_progress_every: 100
# optional: plugins directory name
#plugins_dir: 'plugins'
# optional: plugins discovery name pattern
plugin_name_pattern: '*.py'
# optional: terminal escape sequences to display colors
#output_colors:
# DEFAULT: '\033[0m'
# HEADER: '\033[95m'
# INFO: '\033[94m'
# WARN: '\033[93m'
# ERROR: '\033[91m'
# optional: log format string
#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
# globs of files which should be analyzed
include:
- '*.py'
- '*.pyw'
# a list of strings, which if found in the path will cause files to be excluded
# for example /tests/ - to remove all all files in tests directory
exclude_dirs:
- '/tests/'
profiles:
python-magnumclient_conservative:
include:
- blacklist_functions
- blacklist_imports
- request_with_no_cert_validation
- exec_used
- set_bad_file_permissions
- subprocess_popen_with_shell_equals_true
- linux_commands_wildcard_injection
- ssl_with_bad_version
python-magnumclient_verbose:
include:
- blacklist_functions
- blacklist_imports
- request_with_no_cert_validation
- exec_used
- set_bad_file_permissions
- hardcoded_tmp_directory
- subprocess_popen_with_shell_equals_true
- any_other_function_with_shell_equals_true
- linux_commands_wildcard_injection
- ssl_with_bad_version
- ssl_with_bad_defaults
blacklist_functions:
bad_name_sets:
- pickle:
qualnames: [pickle.loads, pickle.load, pickle.Unpickler,
cPickle.loads, cPickle.load, cPickle.Unpickler]
message: "Pickle library appears to be in use, possible security issue."
- marshal:
qualnames: [marshal.load, marshal.loads]
message: "Deserialization with the marshal module is possibly dangerous."
- md5:
qualnames: [hashlib.md5]
message: "Use of insecure MD5 hash function."
- mktemp_q:
qualnames: [tempfile.mktemp]
message: "Use of insecure and deprecated function (mktemp)."
- eval:
qualnames: [eval]
message: "Use of possibly insecure function - consider using safer ast.literal_eval."
- mark_safe:
names: [mark_safe]
message: "Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed."
- httpsconnection:
qualnames: [httplib.HTTPSConnection]
message: "Use of HTTPSConnection does not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033"
- yaml_load:
qualnames: [yaml.load]
message: "Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load()."
- urllib_urlopen:
qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected."
shell_injection:
# Start a process using the subprocess module, or one of its wrappers.
subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
subprocess.check_output, utils.execute, utils.execute_with_timeout]
# Start a process with a function vulnerable to shell injection.
shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4,
popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3,
popen2.Popen4, commands.getoutput, commands.getstatusoutput]
# Start a process with a function that is not vulnerable to shell injection.
no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve,
os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp,
os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe,
os.startfile]
blacklist_imports:
bad_import_sets:
- telnet:
imports: [telnetlib]
level: ERROR
message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
hardcoded_password:
word_list: "wordlist/default-passwords"
ssl_with_bad_version:
bad_protocol_versions:
- 'PROTOCOL_SSLv2'
- 'SSLv2_METHOD'
- 'SSLv23_METHOD'
- 'PROTOCOL_SSLv3' # strict option
- 'PROTOCOL_TLSv1' # strict option
- 'SSLv3_METHOD' # strict option
- 'TLSv1_METHOD' # strict option
password_config_option_not_marked_secret:
function_names:
- oslo.config.cfg.StrOpt
- oslo_config.cfg.StrOpt
execute_with_run_as_root_equals_true:
function_names:
- ceilometer.utils.execute
- cinder.utils.execute
- neutron.agent.linux.utils.execute
- nova.utils.execute
- nova.utils.trycmd

4
tox.ini
View File

@@ -17,7 +17,7 @@ commands =
[testenv:bandit]
deps = -r{toxinidir}/test-requirements.txt
commands = bandit -c bandit.yaml -r magnumclient -n5 -p python-magnumclient_conservative
commands = bandit -r magnumclient -x tests -n5 -ll
[testenv:pypy]
deps = setuptools<3.2
@@ -39,7 +39,7 @@ commands = oslo_debug_helper -t magnumclient/tests {posargs}
commands =
flake8
# Run security linter
bandit -c bandit.yaml -r magnumclient -n5 -p python-magnumclient_conservative
bandit -r magnumclient -x tests -n5 -ll
[testenv:venv]
commands = {posargs}