From e09c00d44ffa14e59469afe08c9477f5a212a3d7 Mon Sep 17 00:00:00 2001
From: Andreas Jaeger
Date: Sun, 21 Feb 2016 18:33:40 +0100
Subject: [PATCH] Move bandit into pep8

Run security linter bandit as part of pep8. Pep8 is the usual linter target and thus let's use it there instead of starting another node for this short-running job. Move bandit requirement to test-requirements. Disable temporarily some tests in bandit.yaml since they advocate using defusedxml which is not in global-requirements.txt and thus cannot be used inside bandit (bug#1550161).

Change-Id: Ie3c9f4ee6e061ea090fa882f4f029f2761706951
---
bandit.yaml | 25 +++++++++++++------------
setup.cfg | 4 ----
test-requirements.txt | 1 +
tox.ini | 3 ++-
4 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/bandit.yaml b/bandit.yaml
index c99c2a11e8..2e7b18718d 100644
--- a/bandit.yaml
+++ b/bandit.yaml
@@ -122,18 +122,19 @@ blacklist_calls: # Most of this is based off of Christian Heimes' work on defusedxml: # https://pypi.python.org/pypi/defusedxml/#defusedxml-sax - - xml_bad_cElementTree: - qualnames: [xml.etree.cElementTree.parse, - xml.etree.cElementTree.iterparse, - xml.etree.cElementTree.fromstring, - xml.etree.cElementTree.XMLParser] - message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function." - - xml_bad_ElementTree: - qualnames: [xml.etree.ElementTree.parse, - xml.etree.ElementTree.iterparse, - xml.etree.ElementTree.fromstring, - xml.etree.ElementTree.XMLParser] - message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function." + # TODO(jaegerandi): Enable once defusedxml is in global requirements. + #- xml_bad_cElementTree: + # qualnames: [xml.etree.cElementTree.parse, + # xml.etree.cElementTree.iterparse, + # xml.etree.cElementTree.fromstring, + # xml.etree.cElementTree.XMLParser] + # message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function." + #- xml_bad_ElementTree: + # qualnames: [xml.etree.ElementTree.parse, + # xml.etree.ElementTree.iterparse, + # xml.etree.ElementTree.fromstring, + # xml.etree.ElementTree.XMLParser] + # message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function." - xml_bad_expatreader: qualnames: [xml.sax.expatreader.create_parser] message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function." diff --git a/setup.cfg b/setup.cfg index e0c56ee244..ac2e0cd5c9 100644 --- a/setup.cfg +++ b/setup.cfg 
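Review bot: Commenting out xml_bad_cElementTree and xml_bad_ElementTree switches off bandit's only detection of xml.etree parsing of untrusted input for the whole tree, not just at the call sites that cannot move to defusedxml today; if those sites are few, keeping both entries and marking the offending lines with `# nosec` plus a comment naming the bug would keep the check live for any new parser added elsewhere in glance. If the blanket disable stays, the TODO should carry the tracking bug so it is not lost, e.g. `# TODO(jaegerandi): Enable once defusedxml is in global requirements (bug 1550161).` The surviving xml_bad_expatreader entry still recommends the same unavailable defusedxml replacement, so the hunk is inconsistent about which defusedxml-dependent checks are acceptable; presumably glance only calls ElementTree, but that is not visible here. The blacklist_calls list this hunk edits starts before the hunk.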
@@ -86,7 +86,3 @@ output_file = glance/locale/glance.pot [pbr] warnerrors = True - -[extras] -bandit = - bandit>=0.17.3 # Apache-2.0 diff --git a/test-requirements.txt b/test-requirements.txt index 7cb80109fd..c9f6c378a1 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -9,6 +9,7 @@ hacking<0.11,>=0.10.0 Babel>=1.3 # BSD # Needed for testing +bandit>=0.17.3 # Apache-2.0 coverage>=3.6 # Apache-2.0 fixtures>=1.3.1 # Apache-2.0/BSD mox3>=0.7.0 # Apache-2.0 diff --git a/tox.ini b/tox.ini index 583510a6f9..4569a49576 100644 --- a/tox.ini +++ b/tox.ini @@ -30,6 +30,8 @@ commands = [testenv:pep8] commands = flake8 {posargs} + # Run security linter + bandit -c bandit.yaml -r glance -n5 -p gate # Check that .po and .pot files are valid: bash -c "find glance -type f -regex '.*\.pot?' -print0|xargs -0 -n 1 msgfmt --check-format -o /dev/null" @@ -57,7 +59,6 @@ commands = commands = python setup.py build_sphinx [testenv:bandit] -deps = .[bandit] commands = bandit -c bandit.yaml -r glance -n5 -p gate [flake8]
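Review bot: The bandit command line added to [testenv:pep8] is a verbatim copy of the one kept in [testenv:bandit] in the last hunk, so the two environments will silently diverge the next time the config path, target directory or profile is changed in only one of them; tox's section substitution lets pep8 reference the other env instead, `{[testenv:bandit]commands}`, leaving a single definition. Dropping `deps = .[bandit]` from [testenv:bandit] presumably makes it inherit the base deps that install test-requirements.txt, but that base `deps` line is outside the hunk and not visible here. `{posargs}` is forwarded only to flake8, so `tox -e pep8 -- some/path` still runs a full bandit scan of `glance`; a short comment saying that is intended would help the next reader.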