Bandit scan changes for ranger

Change-Id: Ieb0f8656b7d5a3124e1f487c9a550e9c0c19bb82

bandit.yaml

@@ -0,0 +1,92 @@
+### Bandit config file generated from:
+# '/usr/local/bin/bandit-config-generator -o bandit.yaml'
+
+### This config may optionally select a subset of tests to run or skip by
+### filling out the 'tests' and 'skips' lists given below. If no tests are
+### specified for inclusion then it is assumed all tests are desired. The skips
+### set will remove specific tests from the include set. This can be controlled
+### using the -t/-s CLI options. Note that the same test ID should not appear
+### in both 'tests' and 'skips', this would be nonsensical and is detected by
+### Bandit at runtime.
+
+# Available tests:
+# B101 : assert_used
+# B102 : exec_used
+# B103 : set_bad_file_permissions
+# B104 : hardcoded_bind_all_interfaces
+# B105 : hardcoded_password_string
+# B106 : hardcoded_password_funcarg
+# B107 : hardcoded_password_default
+# B108 : hardcoded_tmp_directory
+# B109 : password_config_option_not_marked_secret
+# B110 : try_except_pass
+# B111 : execute_with_run_as_root_equals_true
+# B112 : try_except_continue
+# B201 : flask_debug_true
+# B301 : pickle
+# B302 : marshal
+# B303 : md5
+# B304 : ciphers
+# B305 : cipher_modes
+# B306 : mktemp_q
+# B307 : eval
+# B308 : mark_safe
+# B309 : httpsconnection
+# B310 : urllib_urlopen
+# B311 : random
+# B312 : telnetlib
+# B313 : xml_bad_cElementTree
+# B314 : xml_bad_ElementTree
+# B315 : xml_bad_expatreader
+# B316 : xml_bad_expatbuilder
+# B317 : xml_bad_sax
+# B318 : xml_bad_minidom
+# B319 : xml_bad_pulldom
+# B320 : xml_bad_etree
+# B321 : ftplib
+# B322 : input
+# B401 : import_telnetlib
+# B402 : import_ftplib
+# B403 : import_pickle
+# B404 : import_subprocess
+# B405 : import_xml_etree
+# B406 : import_xml_sax
+# B407 : import_xml_expat
+# B408 : import_xml_minidom
+# B409 : import_xml_pulldom
+# B410 : import_lxml
+# B411 : import_xmlrpclib
+# B412 : import_httpoxy
+# B501 : request_with_no_cert_validation
+# B502 : ssl_with_bad_version
+# B503 : ssl_with_bad_defaults
+# B504 : ssl_with_no_version
+# B505 : weak_cryptographic_key
+# B506 : yaml_load
+# B601 : paramiko_calls
+# B602 : subprocess_popen_with_shell_equals_true
+# B603 : subprocess_without_shell_equals_true
+# B604 : any_other_function_with_shell_equals_true
+# B605 : start_process_with_a_shell
+# B606 : start_process_with_no_shell
+# B607 : start_process_with_partial_path
+# B608 : hardcoded_sql_expressions
+# B609 : linux_commands_wildcard_injection
+# B701 : jinja2_autoescape_false
+# B702 : use_of_mako_templates
+
+# (optional) list included test IDs here, eg '[B101, B406]':
+tests:
+
+# (optional) list skipped test IDs here, eg '[B101, B406]':
+skips: [B101, B404, B603, B606]
+
+# globs of files which should be analyzed
+include:
+    - '*.py'
+    - '*.pyw'
+
+# a list of strings, which if found in the path will cause files to be excluded
+# for example /tests/ - will exclude all files in test folder.
+exclude_dirs:
+    - '/tests/'

orm/common/client/audit/audit_client/api/audit.py

@@ -169,13 +169,13 @@ def _post_data(data):
     # Validate that the configuration was initialized
     _validate()
     # Send the data
-    req = urllib2.Request(config['AUDIT_SERVER_URL'])
+    req = urllib2.Request(config['AUDIT_SERVER_URL'])    # nosec
     req.add_header('Content-Type', 'application/json')
     # Retry to send the data to the audit server
     success = False
     for retry_number in range(config['NUM_OF_SEND_RETRIES']):
         try:
-            urllib2.urlopen(req, json.dumps(data))
+            urllib2.urlopen(req, json.dumps(data))    # nosec
             success = True
             break
         except Exception as error:
@@ -197,13 +197,13 @@ def _get_data(query):
     # Send the data
     audit_server_url_with_query = "{}?{}".format(config['AUDIT_SERVER_URL'],
                                                  query)
-    req = urllib2.Request(audit_server_url_with_query)
+    req = urllib2.Request(audit_server_url_with_query)    # nosec
     # Retry to get the data from the audit server
     success = False
     response = None
     for retry_number in range(config['NUM_OF_SEND_RETRIES']):
         try:
-            response = urllib2.urlopen(req)
+            response = urllib2.urlopen(req)    # nosec
             success = True
             break
         except Exception as error:

orm/common/config.py

@@ -22,7 +22,7 @@ CONF = cfg.CONF
 api_opts = [
     cfg.HostAddressOpt(
         'host',
-        default='0.0.0.0',
+        default='0.0.0.0',    # nosec
         help='Ranger API server host'
     ),
     cfg.BoolOpt('ssl_verify', default=False, help='Enable HTTPS')

orm/orm_client/db_clear/db_comander.py

@@ -60,7 +60,7 @@ def _build_delet_resource_status_query(resource_id, table_name):
     query = '''
         DELETE from %s
         WHERE resource_id = '%s'
-        ''' % (table_name, resource_id)
+        ''' % (table_name, resource_id)  # nosec
     return query
 
 
@@ -70,7 +70,7 @@ def _build_delete_image_metadata(resource_id, image_metadata_table,
         DELETE from %s
         WHERE  image_meta_data_id in
             (SELECT id from %s where resource_id = '%s')
-        ''' % (image_metadata_table, resource_table, resource_id)
+        ''' % (image_metadata_table, resource_table, resource_id)  # nosec
     return query
 
 
@@ -78,7 +78,7 @@ def _build_delete_resource_query(resource_id, table_col, table_name):
     query = '''
         DELETE from %s
         WHERE %s.%s = '%s'
-        ''' % (table_name, table_name, table_col, resource_id)
+        ''' % (table_name, table_name, table_col, resource_id)  # nosec
     return query
 
 
@@ -86,7 +86,7 @@ def _build_get_cms_regions_query(resource_id, table_name):
     query = '''
         select region_id from %s
         WHERE customer_id = '%s' and region_id != '-1'
-        ''' % (table_name, resource_id)
+        ''' % (table_name, resource_id)    # nosec
     return query
 
 
@@ -94,7 +94,7 @@ def _build_get_fms_regions_query(resource_id, table_name):
     query = '''
         select region_name from %s
         WHERE flavor_internal_id = '%s'
-        ''' % (table_name, resource_id)
+        ''' % (table_name, resource_id)    # nosec
     return query
 
 
@@ -102,7 +102,7 @@ def _build_get_ims_regions_query(resource_id, table_name):
     query = '''
         select region_name from %s
         WHERE image_id = '%s'
-        ''' % (table_name, resource_id)
+        ''' % (table_name, resource_id)    # nosec
     return query
 
 
@@ -110,7 +110,7 @@ def _build_get_resource_id_query(resource_id, table_col, table_name):
     query = '''
         select * from %s
         WHERE %s.%s = '%s'
-        ''' % (table_name, table_name, table_col, resource_id)
+        ''' % (table_name, table_name, table_col, resource_id)    # nosec
     return query
 
 

orm/services/customer_manager/cms_rest/data/sql_alchemy/cms_user_record.py

@@ -38,7 +38,7 @@ class CmsUserRecord:
             raise
 
     def get_cms_user_id_from_name(self, cms_user_name):
-        result = self.session.connection().scalar("SELECT id from cms_user WHERE name = \"%s\"" % (cms_user_name))
+        result = self.session.connection().scalar("SELECT id from cms_user WHERE name = \"%s\"", (cms_user_name,))
         if result is not None:
             return int(result)
         return result

orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_record.py

@@ -42,7 +42,7 @@ class CustomerRecord:
             raise
 
     def delete_by_primary_key(self, customer_id):
-        result = self.session.connection().execute("delete from customer where id = {}".format(customer_id))
+        result = self.session.connection().execute("delete from customer where id = {}".format(customer_id))    # nosec
         return result
 
     def read_by_primary_key(self):
@@ -69,7 +69,7 @@ class CustomerRecord:
             raise
 
     def get_customer_id_from_uuid(self, uuid):
-        result = self.session.connection().scalar("SELECT id from customer WHERE uuid = \"{}\"".format(uuid))
+        result = self.session.connection().scalar("SELECT id from customer WHERE uuid = \"{}\"".format(uuid))  # nosec
 
         if result:
             return int(result)
@@ -77,7 +77,7 @@ class CustomerRecord:
             return None
 
     def get_customers_status_by_uuids(self, uuid_str):
-        results = self.session.connection().execute("SELECT id, resource_id, region, status"
+        results = self.session.connection().execute("SELECT id, resource_id, region, status"  # nosec
                                                     "  FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str))
         cust_region_dict = {}
         if results:

orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_region_record.py

@@ -68,7 +68,7 @@ class CustomerRegionRecord:
                 'region with the region name {0} not found'.format(
                     region_name))
         result = self.session.connection().execute(
-            "delete from customer_region where customer_id = {} and region_id = {}".format(customer_id, region_id))
+            "delete from customer_region where customer_id = {} and region_id = {}".format(customer_id, region_id))  # nosec
         self.session.flush()
 
         if result.rowcount == 0:
@@ -86,6 +86,6 @@ class CustomerRegionRecord:
             customer_id = customer_record.get_customer_id_from_uuid(customer_id)
 
         result = self.session.connection().execute(
-            "delete from customer_region where customer_id = {} and region_id <> -1 ".format(customer_id))
+            "delete from customer_region where customer_id = {} and region_id <> -1 ".format(customer_id))  # nosec
         # print "num records deleted from customer regions: " + str(result.rowcount)
         return result

orm/services/customer_manager/cms_rest/data/sql_alchemy/region_record.py

@@ -37,7 +37,7 @@ class RegionRecord:
             raise
 
     def get_region_id_from_name(self, region_name):
-        result = self.session.connection().scalar("SELECT id from cms_region WHERE name = \"{}\"".format(region_name))
+        result = self.session.connection().scalar("SELECT id from cms_region WHERE name = \"{}\"".format(region_name))  # nosec
         if result is not None:
             return int(result)
         return result

orm/services/customer_manager/cms_rest/data/sql_alchemy/user_role_record.py

@@ -64,9 +64,10 @@ class UserRoleRecord:
             # additional logic for delete_user only: check if the provided user id
             # is associated with the customer and region in cms delete_user request
             elif region_id > -1:
-                user_check = "SELECT DISTINCT user_id from user_role " \
-                             "WHERE customer_id =%d AND region_id =%d " \
-                             "AND user_id =%d" % (customer_id, region_id, user_id)
+                user_check = '''
+                    SELECT DISTINCT user_id from user_role
+                    WHERE customer_id =%d AND region_id =%d AND user_id =%d"
+                    ''' % (customer_id, region_id, user_id)  # nosec
 
                 result = self.session.connection().execute(user_check)
                 if result.rowcount == 0:

orm/services/flavor_manager/fms_rest/data/sql_alchemy/flavor/flavor_record.py

@@ -53,7 +53,7 @@ class FlavorRecord:
 
     def delete_by_uuid(self, flavor_uuid):
         try:
-            result = self.session.connection().execute("delete from flavor where id = \"{0}\"".format(flavor_uuid))
+            result = self.session.connection().execute("delete from flavor where id = \"{0}\"".format(flavor_uuid))    # nosec
             return result
 
         except Exception as exception:
@@ -148,7 +148,7 @@ class FlavorRecord:
             raise
 
     def get_flavors_status_by_uuids(self, uuid_str):
-        results = self.session.connection().execute("SELECT id, resource_id, region, status"
+        results = self.session.connection().execute("SELECT id, resource_id, region, status"  # nosec
                                                     "  FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str))
 
         flvr_region_dict = {}

orm/services/flavor_manager/fms_rest/data/wsme/models.py

@@ -1,3 +1,4 @@
+import ast
 import wsme
 
 from orm.common.orm_common.utils.cross_api_utils import (set_utils_conf,
@@ -254,7 +255,7 @@ class Flavor(Model):
 
                 if self.series == 'p1':
                     if {'n0'}.issubset(self.options.keys()) and \
-                            eval(self.options.get('n0').lower().capitalize()):
+                            ast.literal_eval(self.options.get('n0').lower().capitalize()):
                         vcpu_limit = int(conf.flavor_limits.p1_n0_vcpu_limit)
                         vram_limit = int(conf.flavor_limits.p1_n0_vram_limit)
                     else:

orm/services/image_manager/ims/persistency/sql_alchemy/image/image_record.py

@@ -9,7 +9,7 @@ LOG = get_logger(__name__)
 class ImageRecord(Record):
     def __init__(self, session):
 
-        # this model is uses only for the parameters of access mothods, not an instance of model in the database
+        # this model is uses only for the parameters of access methods, not an instance of model in the database
         self.__image = Image()
         # self.set_record_data(self.__image)
         # self.__image.clear()
@@ -48,7 +48,7 @@ class ImageRecord(Record):
 
     def delete_image_by_id(self, id):
         try:
-            result = self.session.connection().execute("delete from image where id = '{0}'".format(id))
+            result = self.session.connection().execute("delete from image where id = '{0}'".format(id))  # nosec
             return result
 
         except Exception as exception:
@@ -95,7 +95,7 @@ class ImageRecord(Record):
             raise
 
     def get_images_status_by_uuids(self, uuid_str):
-        results = self.session.connection().execute("SELECT id, resource_id, region, status"
+        results = self.session.connection().execute("SELECT id, resource_id, region, status"  # nosec
                                                     "  FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str))
         img_region_dict = {}
         if results:

orm/services/region_manager/rms/model/model.py

@@ -1,8 +1,10 @@
 """model module."""
+from orm.services.region_manager.rms.logger import get_logger
 from orm.services.region_manager.rms.services import error_base
-
 from pecan import conf
 
+logger = get_logger(__name__)
+
 
 class Address(object):
     """address class."""
@@ -123,8 +125,9 @@ class RegionData(object):
                             "type {}".format(endpoint.type))
             try:
                 endpoints_types_must_have.remove(endpoint.type)
-            except Exception:
-                pass
+            except Exception as exp:
+                # pass
+                logger.debug(exp)
         if len(endpoints_types_must_have) > 0:
             raise error_base.InputValueError(
                 message="Invalid endpoints. Endpoint type '{}' "

test-requirements.txt

@@ -3,7 +3,7 @@
 # process, which may cause wedges in the gate later.
 
 hacking>=0.12.0,<0.13 # Apache-2.0
-
+bandit>=1.5.1
 coverage>=4.0,!=4.4 # Apache-2.0
 openstackdocstheme>=1.11.0  # Apache-2.0
 oslotest>=1.10.0 # Apache-2.0

tox.ini

@@ -21,8 +21,14 @@ whitelist_externals =
   bash
   find
 
+[testenv:bandit]
+deps = .[bandit]
+commands = bandit-baseline -r orm -n5 -c bandit.yaml
+
 [testenv:pep8]
-commands = flake8 {posargs}
+commands =
+  flake8 {posargs}
+  {[testenv:bandit]commands}
 
 [testenv:venv]
 commands = {posargs}