Commit Graph

870 Commits

Author SHA1 Message Date
Tony Breeds 53fb095112 Retire Packaging Deb project repos
This commit is part of a series to retire the Packaging Deb
project. Step 2 is to remove all content from the project
repos, replacing it with a README notification where to find
ongoing work, and how to recover the repo if needed at some
future point (as in
https://docs.openstack.org/infra/manual/drivers.html#retiring-a-project).

Change-Id: Id4f02b036bf8aa3e31f1ada684f5260d0187247e
2017-09-12 15:36:33 -06:00
Jenkins ee9481dcdd Merge "Enable some off-by-default checks" 2017-07-14 16:34:27 +00:00
Jenkins 84a2eb97bb Merge "Fixed order of arguments in assertEqual" 2017-07-14 16:34:12 +00:00
Jenkins ad827efc6b Merge "Updated from global requirements" 2017-07-14 16:33:35 +00:00
Jenkins 6b08213427 Merge "Optimize the link address" 2017-07-14 16:32:31 +00:00
sudhir_agarwal 2455f95640 Fixed order of arguments in assertEqual
Some tests used an incorrect order of arguments in
assertEqual(observed, expected). The correct order expected
by testtool is assertEqual(expected, observed).

Change-Id: I64138c2b08c44a970e7fdd96a634e8a0acd2bfa4
2017-07-14 11:02:00 +05:30
OpenStack Proposal Bot d46ac805ef Updated from global requirements
Change-Id: I7f9863699b97514957152cf727b5af74399dc701
2017-07-14 04:56:23 +00:00
lioplhp 715f2fd537 Add Apache License Content in index.rst
Add Apache License 2.0 Content which is necessary
for ./releasenotes/source/index.rst.

Change-Id: I93055a0e9d2a39c8b70ed020c5c772137db38055
2017-07-07 16:37:52 +08:00
OpenStack Proposal Bot d59d37d51f Updated from global requirements
Change-Id: Ief6d4ed8ca25eb201de73df4c5ccdc67ffdffa0c
2017-06-27 12:08:06 +00:00
lioplhp f10fd4f5d4 Enable some off-by-default checks
Some of the available checks are disabled by default, like:
[H106] Don't put vim configuration in source files;
[H203] Use assertIs(Not)None to check for None.

Change-Id: Ib822b3b4cb9ae1176a8d69bbc0ab45126adc1bab
2017-06-23 15:46:30 +08:00
OpenStack Proposal Bot 02f52a4964 Updated from global requirements
Change-Id: I670c906f634f38b121c9708e85fd6dccb451f484
2017-06-02 21:53:29 +00:00
OpenStack Proposal Bot 8783d47cb1 Updated from global requirements
Change-Id: I9b953a312a525ac693092e2e6a02f00eec64db4d
2017-05-17 03:46:04 +00:00
OpenStack Proposal Bot 28d5607630 Updated from global requirements
Change-Id: I9c87d81fcd2a3612121b693051f2b2eb4f7d2384
2017-05-15 00:41:53 +00:00
loooosy 88a7f256d1 Optimize the link address
Use https instead of http to ensure safety

Change-Id: I4df36b1f0a2b22fd7c9971b973cf1470400f8a4d
2017-04-10 05:36:41 +00:00
Jenkins a23af1b72d Merge "Blacklist call of ssl._create_unverified_context" 2017-04-09 01:10:24 +00:00
Jenkins 95b01334f3 Merge "Allow config for high and medium severity key sizes" 2017-04-07 04:31:41 +00:00
M V P Nitesh 693f57faae Replace six.iteritems() with .items()
1. As mentioned in [1], we should avoid using six.iteritems to achieve
iterators. We can use dict.items instead, as it will return iterators
in PY3 as well. And dict.items/keys will be more readable.
2. In py2, the performance difference for list should be negligible, see the
link [2].
[1] https://wiki.openstack.org/wiki/Python3
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html

Change-Id: I5340fa3d71b6fba76e8fcf75f9f30432329023d2
2017-04-04 15:32:55 +05:30
Eric Brown e40af23ff6 Blacklist call of ssl._create_unverified_context
The ssl._create_unverified_context creates a context for use with
such classes as HTTPSConnection which will do no certificate or
hostname verification. This should be flagged.

Change-Id: I326316e20ee11034c0a794f41c1bd8ae75720142
2017-03-20 12:19:36 -07:00
Jenkins ba5735c801 Merge "Enable coverage report in console output" 2017-03-16 21:02:43 +00:00
Eric Brown 085c789490 Correct the yaml doc example to be actually yaml
The current doc for the yaml formatter shows an example of CSV
output, not yaml.

Change-Id: I75b01cab5455559738d89b0803eb64261c445967
2017-03-09 14:33:19 -08:00
Jeremy Liu c2af2c8f5a Enable coverage report in console output
This will output the coverage rate of every module in the console.

Change-Id: Iffa984bd404d7f197786029d5f50ee3b0a2e3e49
2017-03-06 17:41:14 +08:00
Jenkins c59ac73afb Merge "Yet Another Formatter (yaml)" 2017-03-03 15:24:33 +00:00
OpenStack Proposal Bot fc44e0e31a Updated from global requirements
Change-Id: I85156d90b94995ee81bc75e0c78a8a1804dd7a0f
2017-03-02 11:42:52 +00:00
Jenkins 1e83fb1271 Merge "Dump bandit config file lists vertically" 2017-03-02 09:28:45 +00:00
Jenkins 049a6774bd Merge "HTTPSConnection is secure in newer Python" 2017-03-02 09:27:57 +00:00
Jenkins 7b3e43d0c9 Merge "Refactor check_example to be clearer on error" 2017-03-02 09:24:15 +00:00
Jenkins 61e8a86c08 Merge "Repair the more info links for two blacklist calls" 2017-03-02 09:15:06 +00:00
Jenkins ddc856a681 Merge "Docs for B319 listed twice" 2017-03-02 09:14:41 +00:00
OpenStack Proposal Bot ac2145ab7d Updated from global requirements
Change-Id: Ia0dcd4aa507f4babc64b503419bc5198ed6064eb
2017-03-02 00:20:25 -08:00
Eric Brown fbd4e83efe Yet Another Formatter (yaml)
This patch adds a yaml formatter to the output options of bandit.

Change-Id: Ibbe0cff062ce2c11138b746f95109f31de10f5b1
2017-02-27 16:23:17 -08:00
Eric Brown be0483a603 Repair the more info links for two blacklist calls
The blacklist calls doc has some documentation anchors combined [1].
As a result, the links don't correctly point to the proper anchor in
the html. Therefore we need some exception cases for checks that
have doc combined. Namely B304-B305 and B313-B320.

This patch also fixes links where there is an underscore in the
plugin name and replaces it with a dash. Apparently sphinx will
substitute _ for - when building the doc anchors.

[1]: https://docs.openstack.org/developer/bandit/blacklists/blacklist_calls.html#b304-b305-ciphers-and-modes

Change-Id: I4dfa905425f2631fa488a9a066c427d4145f4aac
2017-02-27 16:20:05 -08:00
Eric Brown 6a1a4b120d Docs for B319 listed twice
The blacklist calls doc lists B319 twice. This patch removes the
duplicate.

[1]: https://docs.openstack.org/developer/bandit/blacklists/blacklist_calls.html#b313-b320-xml

Change-Id: I94ca7cb1201f6d74ce8672294d2ba421ea5a608c
2017-02-27 15:48:44 -08:00
Eric Brown 87c8b70e7b Refactor check_example to be clearer on error
Currently the check_example in test_functional computes sums and
on error tells the developer the difference in sums, which is
confusing and error prone.

It also leads to false positives where sums may be correct, but
the exact number of MEDIUM, HIGH, etc is different. This was the
case for two tests: test_xml and test_secret_config_option.

The general_hardcoded_password test was also broken for py35
because it was assuming function args are ast.Name not ast.arg.
But surprisingly the tests passed because of a syntax error in
the example.

Change-Id: Icd06fb7ca27a8a01d6442f199775d474d436371b
2017-02-23 19:01:46 -08:00
Eric Brown a38056fafa Dump bandit config file lists vertically
Currently when using the bandit-config-generator to dump out a
config file, it looks rather messy because config option values
that are lists are dumped onto one long line.

So rather than dumping on one line, use the vertical yaml list
format by specifying default_flow_style=False.

Change-Id: Ic0dc97f19d067471b507421dcb98ac749874e49c
2017-02-20 14:06:31 -08:00
Eric Brown 4cf3af7d4c Allow config for high and medium severity key sizes
The severity level of various key sizes of RSA, DSA, and EC are
currently hard-coded in the weak_cryptographic_key.py itself. This
patch allows the values to be overridden via the config file mechanism.

Change-Id: I38ad5384e0e6012818bbac10f449840de6fb14ed
2017-02-20 13:25:31 -08:00
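The commit above moves the RSA/DSA/EC key-size severity thresholds out of the plugin and into the config. The following is an added example, not code from this repository: it keeps a default threshold table, lets a config dict override individual entries, and walks a source file with `ast` to report `rsa.generate_private_key(key_size=...)` / `dsa.generate_private_key(key_size=...)` calls whose size falls under a threshold. The config key names, the default values and the comparison boundaries are this example's own assumptions, not a statement of Bandit's actual config schema; the scanned snippet is constructed inline.

```python
import ast

# Assumed config keys and defaults for this example (hypothetical; modelled on
# the commit message above, not copied from Bandit's plugin or its config).
DEFAULT_KEY_SIZE_CONFIG = {
    "weak_key_size_rsa_high": 1024,
    "weak_key_size_rsa_medium": 2048,
    "weak_key_size_dsa_high": 1024,
    "weak_key_size_dsa_medium": 2048,
    "weak_key_size_ec_high": 160,
    "weak_key_size_ec_medium": 224,
}


def key_size_severity(algorithm, key_size, config=None):
    """Map a key size to 'HIGH', 'MEDIUM' or None using the (overridable) thresholds.

    Boundaries are this example's choice: at or below the high threshold is HIGH,
    below the medium threshold is MEDIUM, anything larger is not reported.
    """
    cfg = dict(DEFAULT_KEY_SIZE_CONFIG, **(config or {}))
    if key_size <= cfg[f"weak_key_size_{algorithm}_high"]:
        return "HIGH"
    if key_size < cfg[f"weak_key_size_{algorithm}_medium"]:
        return "MEDIUM"
    return None


def find_weak_keys(source, config=None):
    """Return (lineno, algorithm, key_size, severity) for rsa/dsa
    generate_private_key(key_size=<int literal>) calls that fall under a threshold."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Attribute):
            continue
        func = node.func
        if func.attr != "generate_private_key" or not isinstance(func.value, ast.Name):
            continue
        algorithm = func.value.id          # module alias: rsa or dsa
        if algorithm not in ("rsa", "dsa"):
            continue
        for kw in node.keywords:
            if (kw.arg == "key_size" and isinstance(kw.value, ast.Constant)
                    and isinstance(kw.value.value, int)):
                severity = key_size_severity(algorithm, kw.value.value, config)
                if severity:
                    hits.append((node.lineno, algorithm, kw.value.value, severity))
    return sorted(hits)


# Constructed input for the example: three key generations, one per severity band.
SAMPLE_KEYS = """\
from cryptography.hazmat.primitives.asymmetric import dsa, rsa
legacy = rsa.generate_private_key(public_exponent=65537, key_size=1024)
current = rsa.generate_private_key(public_exponent=65537, key_size=2048)
signing = dsa.generate_private_key(key_size=1536)
"""

if __name__ == "__main__":
    print(find_weak_keys(SAMPLE_KEYS))
    # Raising the RSA medium threshold via config also catches the 2048-bit key.
    print(find_weak_keys(SAMPLE_KEYS, {"weak_key_size_rsa_medium": 3072}))
```

Only integer literals passed as `key_size=` are classified; a size computed at runtime or passed positionally is not seen by this walk, which is the usual limit of a static check of this kind.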
Eric Brown c924b2b12f HTTPSConnection is secure in newer Python
In Python 2.7.9 [1] and 3.4.3 [2], the HTTPSConnection class has
been fixed to perform all the necessary certificate and hostname
checks by default.

Therefore, Bandit's warning is only applicable if the module is
using older versions of Python. Even though Bandit could detect
the version of Python used for its scan, it cannot ensure that is
the same version used for running the said scanned module.

This patch modifies the warning message to make this clearer.

[1]: https://docs.python.org/2/library/httplib.html#httplib.HTTPSConnection
[2]: https://docs.python.org/3.4/library/http.client.html#http.client.HTTPSConnection

Change-Id: I8105137d2cbbf0eb000729a18f43c3db443644d7
2017-02-20 11:25:48 -08:00
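Two commits on this page concern the same TLS point: "Blacklist call of ssl._create_unverified_context" (a context with no certificate or hostname verification) and "HTTPSConnection is secure in newer Python" (the default context verifies both from 2.7.9 / 3.4.3 on). The following is an added example, not code from this repository: it inspects what the two contexts actually set, encodes the version boundary from the commit message, and does a small `ast` walk that flags calls to `ssl._create_unverified_context` the way a blacklist-calls check would. The scanned snippet is constructed inline; the helper names are this example's own.

```python
import ast
import ssl
import sys


def context_settings(ctx):
    """Reduce an SSLContext to (hostname checked?, peer certificate required?)."""
    return (ctx.check_hostname, ctx.verify_mode == ssl.CERT_REQUIRED)


def default_context_settings():
    # Context HTTPSConnection builds when none is passed on Python >= 2.7.9 / 3.4.3:
    # both the certificate chain and the hostname are verified.
    return context_settings(ssl.create_default_context())


def unverified_context_settings():
    # The private helper the blacklist flags: same API surface, but neither the
    # chain nor the hostname is verified, so any certificate is accepted.
    return context_settings(ssl._create_unverified_context())


def https_verifies_by_default(version=sys.version_info):
    """True when HTTPSConnection verifies certificates by default (per the commit: 2.7.9 / 3.4.3)."""
    v = tuple(version[:3])
    return v >= (3, 4, 3) or (2, 7, 9) <= v < (3, 0, 0)


def find_unverified_context_calls(source):
    """Return line numbers of calls to ssl._create_unverified_context (qualified or bare name)."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute):
            flagged = (isinstance(func.value, ast.Name) and func.value.id == "ssl"
                       and func.attr == "_create_unverified_context")
        else:
            flagged = isinstance(func, ast.Name) and func.id == "_create_unverified_context"
        if flagged:
            hits.append(node.lineno)
    return sorted(hits)


# Constructed input for the example: two unverified connections, one verified.
SAMPLE_SSL = """\
import ssl
import http.client
from ssl import _create_unverified_context

def fetch(host):
    bad = http.client.HTTPSConnection(host, context=ssl._create_unverified_context())
    also_bad = http.client.HTTPSConnection(host, context=_create_unverified_context())
    good = http.client.HTTPSConnection(host, context=ssl.create_default_context())
    return bad, also_bad, good
"""

if __name__ == "__main__":
    print("default  :", default_context_settings())
    print("unverified:", unverified_context_settings())
    print("this interpreter verifies by default:", https_verifies_by_default())
    print("flagged lines:", find_unverified_context_calls(SAMPLE_SSL))
```

The version check only says what the interpreter running the scan does; as the commit notes, the scanned module may run under a different Python, which is why the call is flagged regardless of the scanner's own version.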
OpenStack Proposal Bot 32b4714562 Updated from global requirements
Change-Id: I5595e1b03dee7f2fdc7402a8e056ac84a8836040
2017-02-10 05:47:05 +00:00
Anh Tran e17af5cac2 Typo fix: targetting => targeting
Change-Id: Iebfb2186e2824e47f57f53f9480776a9cbf67398
2017-02-07 10:13:43 +07:00
Eric Brown 52c4b9be68 Use https for references to openstack.org
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.

Change-Id: I83d2df500e2e30047494c201a2ab39820ffd1502
2017-01-30 14:08:03 -08:00
Philip Jones 6ce60806ca Alter SQL injection plugin to consider .format strings
This considers `"{}".format()` style alongside `"%s" % ` string
formatting for possible SQL injection vulnerabilities.

Change-Id: If7b09083bd2cc5e48e5d3fd3e8d5e6142fdb67ed
2017-01-22 13:59:24 +00:00
Jenkins 2516e40d86 Merge "Add Cryptodome to blacklist and weak ciphers/hash" 2017-01-13 13:16:45 +00:00
Eric Brown d4e213445a Add Cryptodome to blacklist and weak ciphers/hash
As stated in the bug, the PyCryptodomex package reintroduces
PyCrypto, but with a different namespace. Therefore Bandit should
also include Cryptodome in its checks.

Change-Id: I6a02f97747420cedfb4523917ea0083ed5792d7a
Closes-Bug: #1655975
2017-01-12 23:53:24 -08:00
Philip Jones 96632b53eb Alter SQL Injection plugin SQL check
The previous version assumed the SQL query would start with `select`,
`insert into`, `update` or `delete from` which rules out queries that
are not so simple, for example queries using `with` such as:

   WITH cte AS (query)
   SELECT something FROM cte;

This version loosens the criteria and considers any string with simple
SQL grammar (e.g. `select` followed by `from` anywhere within) as SQL.

Change-Id: I4c95842474e71aed61abc4bc878f3565a907f7c7
2017-01-11 20:56:30 +00:00
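Two commits on this page describe the SQL injection plugin's heuristic: "Alter SQL Injection plugin SQL check" (treat a string as SQL when simple SQL grammar such as `select ... from` appears anywhere in it, so `WITH ... AS (...)` queries count) and "Alter SQL injection plugin to consider .format strings" (flag `"{}".format()` alongside `"%s" %`). The following is an added example, not the plugin's own code: a regex for that loose grammar plus an `ast.NodeVisitor` that reports SQL-looking literals combined with `%`, `.format()` and, going beyond the two commits, f-strings. The regex and the scanned snippet are this example's own constructions.

```python
import ast
import re

# Loose "looks like SQL" grammar, modelled on the commit message above: the
# pattern may appear anywhere in the string, not only at its start.
SQL_RE = re.compile(
    r"\bselect\b.*\bfrom\b"
    r"|\binsert\s+into\b"
    r"|\bupdate\b.*\bset\b"
    r"|\bdelete\s+from\b"
    r"|\bwith\b.*\bas\s*\(",
    re.IGNORECASE | re.DOTALL,
)


def looks_like_sql(text):
    return bool(SQL_RE.search(text))


def _sql_literal(node):
    """True if node is a string constant that looks like SQL."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and looks_like_sql(node.value))


class SqlFormatFinder(ast.NodeVisitor):
    """Collect (lineno, style) for SQL strings built with %, .format() or f-strings."""

    def __init__(self):
        self.hits = []

    def visit_BinOp(self, node):
        # "SELECT ... %s" % value
        if isinstance(node.op, ast.Mod) and _sql_literal(node.left):
            self.hits.append((node.lineno, "percent"))
        self.generic_visit(node)

    def visit_Call(self, node):
        # "SELECT ... {}".format(value)
        func = node.func
        if (isinstance(func, ast.Attribute) and func.attr == "format"
                and _sql_literal(func.value)):
            self.hits.append((node.lineno, "format"))
        self.generic_visit(node)

    def visit_JoinedStr(self, node):
        # f"SELECT ... {value}": only the literal pieces are matched against the grammar
        # (this case goes beyond the two commits, which cover % and .format).
        literal = "".join(v.value for v in node.values
                          if isinstance(v, ast.Constant) and isinstance(v.value, str))
        interpolates = any(isinstance(v, ast.FormattedValue) for v in node.values)
        if interpolates and looks_like_sql(literal):
            self.hits.append((node.lineno, "fstring"))
        self.generic_visit(node)


def find_sql_format_strings(source):
    finder = SqlFormatFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.hits)


# Constructed input for the example: three injectable builds, one parameterized
# query that must not be flagged, and one non-SQL % format.
SAMPLE_SQL = """\
def lookup(conn, name, uid):
    q1 = "SELECT id FROM users WHERE name = '%s'" % name
    q2 = "WITH recent AS (SELECT * FROM logins) SELECT uid FROM recent WHERE uid = {}".format(uid)
    q3 = f"DELETE FROM sessions WHERE uid = {uid}"
    safe = "SELECT id FROM users WHERE name = ?"
    msg = "hello %s" % name
    return conn.execute(safe, (name,)), q1, q2, q3, msg
"""

if __name__ == "__main__":
    print(find_sql_format_strings(SAMPLE_SQL))
```

The loosened grammar trades precision for recall: a plain-English string such as "please update the settings" does not match because `set` must stand as its own word, but any `select ... from` embedded in a formatted log message will, so hits still need a human look.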
Timothy Kelsey 17c737a391 Fixing some UTF8 encoding issues in file names
The names of skipped files were not being encoded properly in
output reports.

Change-Id: I38055512d71b3268b5241d50f1aa01a4b28ed332
Closes-Bug: #1647925
2017-01-06 17:33:11 +00:00
Eric Brown 0acf9f95db Fix up nits in the README and other files
* Consistently use single space after period, not double
* Keep line width at 80 where possible
* Replace Python 3.4 references with 3.5 since the gate no longer
  tests 3.4.

Change-Id: Ia6a1b9a5582f37e359b069b4a97f7c180e32ab3a
2017-01-05 15:12:11 -08:00
Stanisław Pitucha 00742402aa Drop redundant dict call
Change-Id: I3b80d403f9515da8cb611833c1ed5e8f145470e0
2016-12-21 15:00:40 +11:00
Travis McPeak 77eda34120 Removing 'stats' from JSON output formatter
This commit removes 'stats' from the JSON output formatter.  The
same information is available in the metrics section and
duplicating the data is pointless.

Closes-Bug: #1643723
Change-Id: Ia80a177fdc03c9769c35c824d8d907c93da2ebf7
2016-12-20 11:34:55 -08:00
Travis McPeak e3f19b0dca Fixing partial path detection for Windows
This commit updates the check for a partial path in the shell
plugin to recognize Windows paths (c:\something\) as complete
paths.

Change-Id: I0e6e3b83f5464e2fe4b06bc72632bb950b5e3d7e
Closes-Bug: #1650392
2016-12-20 09:57:33 -08:00
Jenkins a9f47e5d03 Merge "Add functional tests for B308, B321, and B402" 2016-12-20 15:33:05 +00:00
Jenkins a1cf1c3502 Merge "Typo in calls doc for input call" 2016-12-20 15:31:32 +00:00