From 5c910512007349708342685e469fd7effd6741c5 Mon Sep 17 00:00:00 2001 From: Ryan Brown Date: Tue, 7 Jul 2015 18:14:15 -0400 Subject: [PATCH] tox environment for `bandit` Add a tox environment for bandit so it can be run as a gate job eventually. As-is, there are no high severity issues detected in heat. Change-Id: Iab098a1d8bac5c95d67e6867ad5249987c3a786e --- bandit.yaml | 131 ++++++++++++++++++++++++++++++++++++++++++ test-requirements.txt | 1 + tox.ini | 3 + 3 files changed, 135 insertions(+) create mode 100644 bandit.yaml diff --git a/bandit.yaml b/bandit.yaml new file mode 100644 index 0000000000..c7b57bbc61 --- /dev/null +++ b/bandit.yaml @@ -0,0 +1,131 @@ +# optional: after how many files to update progress +#show_progress_every: 100 + +# optional: plugins directory name +#plugins_dir: 'plugins' + +# optional: plugins discovery name pattern +plugin_name_pattern: '*.py' + +# optional: terminal escape sequences to display colors +#output_colors: +# DEFAULT: '\033[0m' +# HEADER: '\033[95m' +# INFO: '\033[94m' +# WARN: '\033[93m' +# ERROR: '\033[91m' + +# optional: log format string +#log_format: "[%(module)s]\t%(levelname)s\t%(message)s" + +# globs of files which should be analyzed +include: + - '*.py' + - '*.pyw' + +# a list of strings, which if found in the path will cause files to be excluded +# for example /tests/ - to remove all all files in tests directory +exclude_dirs: + - '/tests/' + +profiles: + heat_conservative: + include: + - blacklist_calls + - blacklist_imports + - request_with_no_cert_validation + - exec_used + - set_bad_file_permissions + - subprocess_popen_with_shell_equals_true + - linux_commands_wildcard_injection + - ssl_with_bad_version + + + heat_verbose: + include: + - blacklist_calls + - blacklist_imports + - request_with_no_cert_validation + - exec_used + - set_bad_file_permissions + - hardcoded_tmp_directory + - subprocess_popen_with_shell_equals_true + - any_other_function_with_shell_equals_true + - linux_commands_wildcard_injection + - ssl_with_bad_version + - ssl_with_bad_defaults + +blacklist_calls: + bad_name_sets: + - pickle: + qualnames: [pickle.loads, pickle.load, pickle.Unpickler, + cPickle.loads, cPickle.load, cPickle.Unpickler] + message: "Pickle library appears to be in use, possible security issue." + - marshal: + qualnames: [marshal.load, marshal.loads] + message: "Deserialization with the marshal module is possibly dangerous." + - md5: + qualnames: [hashlib.md5] + message: "Use of insecure MD5 hash function." + - mktemp_q: + qualnames: [tempfile.mktemp] + message: "Use of insecure and deprecated function (mktemp)." + - eval: + qualnames: [eval] + message: "Use of possibly insecure function - consider using safer ast.literal_eval." + - mark_safe: + names: [mark_safe] + message: "Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed." + - httpsconnection: + qualnames: [httplib.HTTPSConnection] + message: "Use of HTTPSConnection does not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033" + - urllib_urlopen: + qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request] + message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected." + +shell_injection: + # Start a process using the subprocess module, or one of its wrappers. + subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, + subprocess.check_output, utils.execute, utils.execute_with_timeout] + # Start a process with a function vulnerable to shell injection. + shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, + popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3, + popen2.Popen4, commands.getoutput, commands.getstatusoutput] + # Start a process with a function that is not vulnerable to shell injection. + no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve, + os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp, + os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe, + os.startfile] + +blacklist_imports: + bad_import_sets: + - telnet: + imports: [telnetlib] + level: ERROR + message: "Telnet is considered insecure. Use SSH or some other encrypted protocol." + +hardcoded_password: + word_list: "wordlist/default-passwords" + +ssl_with_bad_version: + bad_protocol_versions: + - 'PROTOCOL_SSLv2' + - 'SSLv2_METHOD' + - 'SSLv23_METHOD' + - 'PROTOCOL_SSLv3' # strict option + - 'PROTOCOL_TLSv1' # strict option + - 'SSLv3_METHOD' # strict option + - 'TLSv1_METHOD' # strict option + +password_config_option_not_marked_secret: + function_names: + - oslo.config.cfg.StrOpt + - oslo_config.cfg.StrOpt + +execute_with_run_as_root_equals_true: + function_names: + - ceilometer.utils.execute + - cinder.utils.execute + - neutron.agent.linux.utils.execute + - nova.utils.execute + - nova.utils.trycmd diff --git a/test-requirements.txt b/test-requirements.txt index fde3cf22b4..4d04de72c9 100644 --- a/test-requirements.txt +++ b/test-requirements.txt @@ -4,6 +4,7 @@ # Hacking already pins down pep8, pyflakes and flake8 hacking<0.11,>=0.10.0 +bandit>=0.10.1 coverage>=3.6 discover mock>=1.0 diff --git a/tox.ini b/tox.ini index 764eb778c9..f2b4815c8c 100644 --- a/tox.ini +++ b/tox.ini @@ -68,6 +68,9 @@ commands = find {toxinidir} -not -path '{toxinidir}/.tox/*' -name '*.pyc' -delete python setup.py testr --slowest --testr-args='--load-list py3-testlist' +[testenv:bandit] +deps = -r{toxinidir}/test-requirements.txt +commands = bandit -c bandit.yaml -r heat -n5 -p heat_conservative [flake8] # H404 multi line docstring should start with a summary