Update bandit.yaml to the latest

The existing bandit.yaml was based on 0.10.1 version of bandit.
Commit I9504c44ac575b47b256496e833dd53a9dce113d2 adopts version
0.13.2 of bandit.  As a result, the bandit.yaml needs to be synced
with the standard version.

Also, with the newest bandit, some #nosec tags can be removed.

Change-Id: I503cd33d401b104aa502e7909f949c438a6248e6

bandit.yaml

@@ -11,9 +11,9 @@ plugin_name_pattern: '*.py'
 #output_colors:
 #    DEFAULT: '\033[0m'
 #    HEADER: '\033[95m'
-#    INFO: '\033[94m'
+#    LOW: '\033[94m'
-#    WARN: '\033[93m'
+#    MEDIUM: '\033[93m'
-#    ERROR: '\033[91m'
+#    HIGH: '\033[91m'
 
 # optional: log format string
 #log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
@@ -21,6 +21,7 @@ plugin_name_pattern: '*.py'
 # globs of files which should be analyzed
 include:
     - '*.py'
+    - '*.pyw'
 
 # a list of strings, which if found in the path will cause files to be excluded
 # for example /tests/ - to remove all all files in tests directory
@@ -28,6 +29,36 @@ exclude_dirs:
     - '/tests/'
 
 profiles:
+    All:
+        include:
+            - any_other_function_with_shell_equals_true
+            - assert_used
+            - blacklist_calls
+            - blacklist_import_func
+            - blacklist_imports
+            - exec_used
+            - execute_with_run_as_root_equals_true
+            - hardcoded_bind_all_interfaces
+            - hardcoded_password
+            - hardcoded_sql_expressions
+            - hardcoded_tmp_directory
+            - jinja2_autoescape_false
+            - linux_commands_wildcard_injection
+            - paramiko_calls
+            - password_config_option_not_marked_secret
+            - request_with_no_cert_validation
+            - set_bad_file_permissions
+            - subprocess_popen_with_shell_equals_true
+            - subprocess_without_shell_equals_true
+            - start_process_with_a_shell
+            - start_process_with_no_shell
+            - start_process_with_partial_path
+            - ssl_with_bad_defaults
+            - ssl_with_bad_version
+            - ssl_with_no_version
+            - try_except_pass
+            - use_of_mako_templates
+
     XSS:
         include:
             - jinja2_autoescape_false
@@ -40,6 +71,7 @@ profiles:
             - any_other_function_with_shell_equals_true
             - start_process_with_a_shell
             - start_process_with_no_shell
+            - start_process_with_partial_path
         exclude:
 
     SqlInjection:
@@ -56,8 +88,8 @@ blacklist_calls:
             qualnames: [marshal.load, marshal.loads]
             message: "Deserialization with the marshal module is possibly dangerous."
         - md5:
-            qualnames: [hashlib.md5]
+            qualnames: [hashlib.md5, Crypto.Hash.MD2.new, Crypto.Hash.MD4.new, Crypto.Hash.MD5.new, cryptography.hazmat.primitives.hashes.MD5]
-            message: "Use of insecure MD5 hash function."
+            message: "Use of insecure MD2, MD4, or MD5 hash function."
         - mktemp_q:
             qualnames: [tempfile.mktemp]
             message: "Use of insecure and deprecated function (mktemp)."
@@ -76,6 +108,55 @@ blacklist_calls:
         - urllib_urlopen:
             qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
             message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected."
+        - random:
+            qualnames: [random.random, random.randrange, random.randint, random.choice, random.uniform, random.triangular]
+            message: "Standard pseudo-random generators are not suitable for security/cryptographic purposes."
+            level: "LOW"
+
+        # Most of this is based off of Christian Heimes' work on defusedxml:
+        #   https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
+
+        - xml_bad_cElementTree:
+            qualnames: [xml.etree.cElementTree.parse,
+                        xml.etree.cElementTree.iterparse,
+                        xml.etree.cElementTree.fromstring,
+                        xml.etree.cElementTree.XMLParser]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_ElementTree:
+            qualnames: [xml.etree.ElementTree.parse,
+                        xml.etree.ElementTree.iterparse,
+                        xml.etree.ElementTree.fromstring,
+                        xml.etree.ElementTree.XMLParser]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_expatreader:
+            qualnames: [xml.sax.expatreader.create_parser]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_expatbuilder:
+            qualnames: [xml.dom.expatbuilder.parse,
+                        xml.dom.expatbuilder.parseString]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_sax:
+            qualnames: [xml.sax.parse,
+                        xml.sax.parseString,
+                        xml.sax.make_parser]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_minidom:
+            qualnames: [xml.dom.minidom.parse,
+                        xml.dom.minidom.parseString]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_pulldom:
+            qualnames: [xml.dom.pulldom.parse,
+                        xml.dom.pulldom.parseString]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_etree:
+            qualnames: [lxml.etree.parse,
+                        lxml.etree.fromstring,
+                        lxml.etree.RestrictedElement,
+                        lxml.etree.GlobalParserTLS,
+                        lxml.etree.getDefaultParser,
+                        lxml.etree.check_docinfo]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+
 
 shell_injection:
     # Start a process using the subprocess module, or one of its wrappers.
@@ -95,15 +176,40 @@ blacklist_imports:
     bad_import_sets:
         - telnet:
             imports: [telnetlib]
-            level: ERROR
+            level: HIGH
             message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
         - info_libs:
             imports: [pickle, cPickle, subprocess, Crypto]
-            level: INFO
+            level: LOW
             message: "Consider possible security implications associated with {module} module."
 
+        # Most of this is based off of Christian Heimes' work on defusedxml:
+        #   https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
+
+        - xml_libs:
+            imports: [xml.etree.cElementTree,
+                      xml.etree.ElementTree,
+                      xml.sax.expatreader,
+                      xml.sax,
+                      xml.dom.expatbuilder,
+                      xml.dom.minidom,
+                      xml.dom.pulldom,
+                      lxml.etree,
+                      lxml]
+            message: "Using {module} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {module} with the equivilent defusedxml package."
+            level: LOW
+        - xml_libs_high:
+            imports: [xmlrpclib]
+            message: "Using {module} to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities."
+            level: HIGH
+
+hardcoded_tmp_directory:
+    tmp_dirs:  ['/tmp', '/var/tmp', '/dev/shm']
+
 hardcoded_password:
-    word_list: "wordlist/default-passwords"
+    # Support for full path, relative path and special "%(site_data_dir)s"
+    # substitution (/usr/{local}/share)
+    word_list: "%(site_data_dir)s/wordlist/default-passwords"
 
 ssl_with_bad_version:
     bad_protocol_versions:
@@ -127,3 +233,6 @@ execute_with_run_as_root_equals_true:
         - neutron.agent.linux.utils.execute
         - nova.utils.execute
         - nova.utils.trycmd
+
+try_except_pass:
+  check_typed_exception: True

oslo_vmware/objects/datastore.py

@@ -14,7 +14,7 @@
 
 import logging
 import posixpath
-import random as _random  # nosec
+import random
 
 import six.moves.http_client as httplib
 import six.moves.urllib.parse as urlparse
@@ -25,7 +25,6 @@ from oslo_vmware import exceptions
 from oslo_vmware import vim_util
 
 LOG = logging.getLogger(__name__)
-random = _random.SystemRandom()  # nosec
 
 
 def get_datastore_by_ref(session, ds_ref):
@@ -157,7 +156,7 @@ class Datastore(object):
 
     @staticmethod
     def choose_host(hosts):
-        i = random.randrange(0, len(hosts))  # nosec
+        i = random.SystemRandom().randrange(0, len(hosts))
         return hosts[i]
 
 

oslo_vmware/service.py

@@ -380,8 +380,8 @@ class SudsLogFilter(logging.Filter):
 
         if login.childAtPath('userName') is not None:
             login.childAtPath('userName').setText('***')
-        if login.childAtPath('password') is not None:
+        if login.childAtPath('password') is not None:  # nosec
-            login.childAtPath('password').setText('***')
+            login.childAtPath('password').setText('***')  # nosec
 
         session_id = login.childAtPath('sessionID')
         if session_id is not None:

tox.ini

@@ -18,7 +18,7 @@ commands = pylint oslo
 
 [testenv:bandit]
 deps = -r{toxinidir}/test-requirements.txt
-commands = bandit -c bandit.yaml -r oslo_vmware -n 5 -ll
+commands = bandit -c bandit.yaml -r oslo_vmware -n 5
 
 [testenv:docs]
 commands = python setup.py build_sphinx