
Remove broken bandit from testing

Change-Id: I415eed3096698c805d1f3ed3e23eeb87337471de
Erno Kuvaja 8 months ago
parent
commit
2142860353
4 changed files with 0 additions and 252 deletions
  1. 0
    245
      bandit.yaml
  2. 0
    1
      lower-constraints.txt
  3. 0
    1
      test-requirements.txt
  4. 0
    5
      tox.ini

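--- a/bandit.yaml
+++ b/bandit.yaml
@@ -1,245 +0,0 @@
-# optional: after how many files to update progress
-#show_progress_every: 100
-
-# optional: plugins directory name
-#plugins_dir: 'plugins'
-
-# optional: plugins discovery name pattern
-plugin_name_pattern: '*.py'
-
-# optional: terminal escape sequences to display colors
-#output_colors:
-#    DEFAULT: '\033[0m'
-#    HEADER: '\033[95m'
-#    LOW: '\033[94m'
-#    MEDIUM: '\033[93m'
-#    HIGH: '\033[91m'
-
-# optional: log format string
-#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
-
-# globs of files which should be analyzed
-include:
-    - '*.py'
-    - '*.pyw'
-
-# a list of strings, which if found in the path will cause files to be excluded
-# for example /tests/ - to remove all all files in tests directory
-exclude_dirs:
-    - '/tests/'
-
-profiles:
-    gate:
-        include:
-
-            - any_other_function_with_shell_equals_true
-            - assert_used
-            - blacklist_calls
-            - blacklist_import_func
-
-            # One of the blacklisted imports is the subprocess module. Keystone
-            # has to import the subprocess module in a single module for
-            # eventlet support so in most cases bandit won't be able to detect
-            # that subprocess is even being imported. Also, Bandit's
-            # recommendation is just to check that the use is safe without any
-            # documentation on what safe or unsafe usage is. So this test is
-            # skipped.
-            # - blacklist_imports
-
-            - exec_used
-
-            - execute_with_run_as_root_equals_true
-
-            # - hardcoded_bind_all_interfaces # TODO: enable this test
-
-            # Not working because wordlist/default-passwords file not bundled,
-            # see https://bugs.launchpad.net/bandit/+bug/1451575 :
-            # - hardcoded_password
-
-            # Not used because it's prone to false positives:
-            # - hardcoded_sql_expressions
-
-            # - hardcoded_tmp_directory # TODO: enable this test
-
-            - jinja2_autoescape_false
-
-            - linux_commands_wildcard_injection
-
-            - paramiko_calls
-
-            - password_config_option_not_marked_secret
-            - request_with_no_cert_validation
-            - set_bad_file_permissions
-            - subprocess_popen_with_shell_equals_true
-            # - subprocess_without_shell_equals_true # TODO: enable this test
-            - start_process_with_a_shell
-            # - start_process_with_no_shell # TODO: enable this test
-            - start_process_with_partial_path
-            - ssl_with_bad_defaults
-            - ssl_with_bad_version
-            - ssl_with_no_version
-            # - try_except_pass # TODO: enable this test
-
-            - use_of_mako_templates
-
-blacklist_calls:
-    bad_name_sets:
-        # - pickle:
-        #     qualnames: [pickle.loads, pickle.load, pickle.Unpickler,
-        #                 cPickle.loads, cPickle.load, cPickle.Unpickler]
-        #     message: "Pickle library appears to be in use, possible security issue."
-        # TODO: enable this test
-        - marshal:
-            qualnames: [marshal.load, marshal.loads]
-            message: "Deserialization with the marshal module is possibly dangerous."
-        # - md5:
-        #     qualnames: [hashlib.md5, Crypto.Hash.MD2.new, Crypto.Hash.MD4.new, Crypto.Hash.MD5.new, cryptography.hazmat.primitives.hashes.MD5]
-        #     message: "Use of insecure MD2, MD4, or MD5 hash function."
-        # TODO: enable this test
-        - mktemp_q:
-            qualnames: [tempfile.mktemp]
-            message: "Use of insecure and deprecated function (mktemp)."
-        - eval:
-            qualnames: [eval]
-            message: "Use of possibly insecure function - consider using safer ast.literal_eval."
-        - mark_safe:
-            names: [mark_safe]
-            message: "Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed."
-        - httpsconnection:
-            qualnames: [httplib.HTTPSConnection]
-            message: "Use of HTTPSConnection does not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033"
-        - yaml_load:
-            qualnames: [yaml.load]
-            message: "Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load()."
-        - urllib_urlopen:
-            qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
-            message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected."
-        - random:
-            qualnames: [random.random, random.randrange, random.randint, random.choice, random.uniform, random.triangular]
-            message: "Standard pseudo-random generators are not suitable for security/cryptographic purposes."
-            level: "LOW"
-
-        # Most of this is based off of Christian Heimes' work on defusedxml:
-        #   https://pypi.org/project/defusedxml/#defusedxml-sax
-
-        # TODO(jaegerandi): Enable once defusedxml is in global requirements.
-        #- xml_bad_cElementTree:
-        #    qualnames: [xml.etree.cElementTree.parse,
-        #                xml.etree.cElementTree.iterparse,
-        #                xml.etree.cElementTree.fromstring,
-        #                xml.etree.cElementTree.XMLParser]
-        #    message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
-        #- xml_bad_ElementTree:
-        #    qualnames: [xml.etree.ElementTree.parse,
-        #                xml.etree.ElementTree.iterparse,
-        #                xml.etree.ElementTree.fromstring,
-        #                xml.etree.ElementTree.XMLParser]
-        #    message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
-        - xml_bad_expatreader:
-            qualnames: [xml.sax.expatreader.create_parser]
-            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
-        - xml_bad_expatbuilder:
-            qualnames: [xml.dom.expatbuilder.parse,
-                        xml.dom.expatbuilder.parseString]
-            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
-        - xml_bad_sax:
-            qualnames: [xml.sax.parse,
-                        xml.sax.parseString,
-                        xml.sax.make_parser]
-            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
-        - xml_bad_minidom:
-            qualnames: [xml.dom.minidom.parse,
-                        xml.dom.minidom.parseString]
-            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
-        - xml_bad_pulldom:
-            qualnames: [xml.dom.pulldom.parse,
-                        xml.dom.pulldom.parseString]
-            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
-        - xml_bad_etree:
-            qualnames: [lxml.etree.parse,
-                        lxml.etree.fromstring,
-                        lxml.etree.RestrictedElement,
-                        lxml.etree.GlobalParserTLS,
-                        lxml.etree.getDefaultParser,
-                        lxml.etree.check_docinfo]
-            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
-
-
-shell_injection:
-    # Start a process using the subprocess module, or one of its wrappers.
-    subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
-                 subprocess.check_output, utils.execute, utils.execute_with_timeout]
-    # Start a process with a function vulnerable to shell injection.
-    shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4,
-            popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3,
-            popen2.Popen4, commands.getoutput, commands.getstatusoutput]
-    # Start a process with a function that is not vulnerable to shell injection.
-    no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve,
-               os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp,
-               os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe,
-               os.startfile]
-
-blacklist_imports:
-    bad_import_sets:
-        - telnet:
-            imports: [telnetlib]
-            level: HIGH
-            message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
-        - info_libs:
-            imports: [pickle, cPickle, subprocess, Crypto]
-            level: LOW
-            message: "Consider possible security implications associated with {module} module."
-
-        # Most of this is based off of Christian Heimes' work on defusedxml:
-        #   https://pypi.org/project/defusedxml/#defusedxml-sax
-
-        - xml_libs:
-            imports: [xml.etree.cElementTree,
-                      xml.etree.ElementTree,
-                      xml.sax.expatreader,
-                      xml.sax,
-                      xml.dom.expatbuilder,
-                      xml.dom.minidom,
-                      xml.dom.pulldom,
-                      lxml.etree,
-                      lxml]
-            message: "Using {module} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {module} with the equivilent defusedxml package."
-            level: LOW
-        - xml_libs_high:
-            imports: [xmlrpclib]
-            message: "Using {module} to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities."
-            level: HIGH
-
-hardcoded_tmp_directory:
-    tmp_dirs:  ['/tmp', '/var/tmp', '/dev/shm']
-
-hardcoded_password:
-    # Support for full path, relative path and special "%(site_data_dir)s"
-    # substitution (/usr/{local}/share)
-    word_list: "%(site_data_dir)s/wordlist/default-passwords"
-
-ssl_with_bad_version:
-    bad_protocol_versions:
-        - 'PROTOCOL_SSLv2'
-        - 'SSLv2_METHOD'
-        - 'SSLv23_METHOD'
-        - 'PROTOCOL_SSLv3'  # strict option
-        - 'PROTOCOL_TLSv1'  # strict option
-        - 'SSLv3_METHOD'    # strict option
-        - 'TLSv1_METHOD'    # strict option
-
-password_config_option_not_marked_secret:
-    function_names:
-        - oslo.config.cfg.StrOpt
-        - oslo_config.cfg.StrOpt
-
-execute_with_run_as_root_equals_true:
-    function_names:
-        - ceilometer.utils.execute
-        - cinder.utils.execute
-        - neutron.agent.linux.utils.execute
-        - nova.utils.execute
-        - nova.utils.trycmd
-
-try_except_pass:
-    check_typed_exception: True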

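--- a/lower-constraints.txt
+++ b/lower-constraints.txt
@@ -5,7 +5,6 @@ appdirs==1.4.3
 asn1crypto==0.24.0
 automaton==1.14.0
 Babel==2.3.4
-bandit==1.1.0
 cachetools==2.0.1
 castellan==0.17.0
 certifi==2018.1.18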

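--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -9,7 +9,6 @@ hacking!=0.13.0,<0.14,>=0.12.0 # Apache-2.0
 Babel!=2.4.0,>=2.3.4 # BSD
 
 # Needed for testing
-bandit>=1.1.0 # Apache-2.0
 coverage!=4.4,>=4.0 # Apache-2.0
 ddt>=1.0.1 # MIT
 fixtures>=3.0.0 # Apache-2.0/BSD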

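--- a/tox.ini
+++ b/tox.ini
@@ -67,7 +67,6 @@ basepython = python3
 commands =
  flake8 {posargs}
  # Run security linter
-  bandit -c bandit.yaml -r glance -n5 -p gate
  # Check that .po and .pot files are valid:
  bash -c "find glance -type f -regex '.*\.pot?' -print0|xargs -0 -n 1 msgfmt --check-format -o /dev/null"
  doc8 {posargs}
@@ -135,10 +134,6 @@ commands =
 basepython = python3
 commands = {posargs}
 
-[testenv:bandit]
-basepython = python3
-commands = bandit -c bandit.yaml -r glance -n5 -p gate
-
 [testenv:releasenotes]
 basepython = python3
 deps =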
