This commit is part of a series to retire the Packaging Deb
project. Step 2 is to remove all content from the project
repos, replacing it with a README notification where to find
ongoing work, and how to recover the repo if needed at some
future point (as in
https://docs.openstack.org/infra/manual/drivers.html#retiring-a-project).
Change-Id: Id4f02b036bf8aa3e31f1ada684f5260d0187247e
Some tests used incorrect order of arguments in
assertEqual(observed, expected). The correct order expected
by testtool is assertEqual(expected, observed).
Change-Id: I64138c2b08c44a970e7fdd96a634e8a0acd2bfa4
Some of the available checks are diskabled by default, like:
[H106] Don't put vim configuration in source files;
[H203] Use assertIs(Not)None to check for None.
Change-Id: Ib822b3b4cb9ae1176a8d69bbc0ab45126adc1bab
1.As mentioned in [1], we should avoid using six.iteritems to achieve
iterators. We can use dict.items instead, as it will return iterators
in PY3 as well. And dict.items/keys will more readable.
2.In py2, the performance about list should be negligible, see the
link [2].
[1] https://wiki.openstack.org/wiki/Python3
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html
Change-Id: I5340fa3d71b6fba76e8fcf75f9f30432329023d2
The ssl._create_unverified_context creates a context for use with
such classes as HTTPSConnection which will do no certificate or
hostname verification. This should be flagged.
Change-Id: I326316e20ee11034c0a794f41c1bd8ae75720142
The blacklist calls has some of documentation anchors combined [1].
As a result, the links don't correct point to the proper anchor in
the html. Therefore we need some exception cases for checks that
have doc combined. Namely B304-B305 and B313-B320.
This patch also fixes links where there is an underscore in the
plugin name and replaces it with a dash. Apparently sphinx will
substitute _ for - when building the doc anchors.
[1]: https://docs.openstack.org/developer/bandit/blacklists/blacklist_calls.html#b304-b305-ciphers-and-modes
Change-Id: I4dfa905425f2631fa488a9a066c427d4145f4aac
Currently the check_example in test_functional computes sums and
on error tells the developer the difference in sums, which is
confusing and error prone.
It also leads to false positives where sums may be correct, but
the exact number of MEDIUM, HIGH, etc is different. This was the
case for two tests: test_xml and test_secret_config_option.
The general_hardcoded_password test was also broken for py35
because it was assuming function args are ast.Name not ast.arg.
But surprisingly the tests passed because of a syntax error in
the example.
Change-Id: Icd06fb7ca27a8a01d6442f199775d474d436371b
Currently when using the bandit-config-generator to dump out a
config file, it looks rather messy because config option values
that are lists are dumped onto one long line.
So rather than dumping on one line, use the vertical yaml list
format by specifying default_flow_style=False.
Change-Id: Ic0dc97f19d067471b507421dcb98ac749874e49c
The severity level of various key sizes of RSA, DSA, and EC are
currently hard-coded in the weak_cryptographic_key.py itself. This
patch allows the values to be overriden via the config file mechanism.
Change-Id: I38ad5384e0e6012818bbac10f449840de6fb14ed
In Python 2.7.9 [1] and 3.4.3 [2], the HTTPSConnection class has
been fixed to perform all the necessary certificate and hostname
checks by default.
Therefore, Bandit's warning is only applicable if the module is
using older versions of Python. Even though Bandit could detect
the version of Python used for its scan, it cannot ensure that is
the same version used for running the said scanned module.
This patch modifies the warning message to make this clearer.
[1]: https://docs.python.org/2/library/httplib.html#httplib.HTTPSConnection
[2]: https://docs.python.org/3.4/library/http.client.html#http.client.HTTPSConnection
Change-Id: I8105137d2cbbf0eb000729a18f43c3db443644d7
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.
Change-Id: I83d2df500e2e30047494c201a2ab39820ffd1502
As stated in the bug, the PyCryptodomex package reintroduces
PyCrypto, but with a different namespace. Therefore Bandit should
also include Cryptodome in its checks.
Change-Id: I6a02f97747420cedfb4523917ea0083ed5792d7a
Closes-Bug: #1655975
The previous version assumed the SQL query would start with `select`,
`insert into`, `update` or `delete from` which rules out queries that
are not so simple, for example queries using `with` such as:
WITH cte AS (query)
SELECT something FROM cte;
This version losens the criteria and considers any string with simple
SQL grammar (e.g. `select` followed by `from` anywhere within) as SQL.
Change-Id: I4c95842474e71aed61abc4bc878f3565a907f7c7
The names of skipped files were not being encoded properly in
output reports.
Change-Id: I38055512d71b3268b5241d50f1aa01a4b28ed332
Closes-Bug: #1647925
* Consistently use single space after period, not double
* Keep line width at 80 where possible
* Replace Pythion 3.4 references with 3.5 since the gate no longer
tests 3.4.
Change-Id: Ia6a1b9a5582f37e359b069b4a97f7c180e32ab3a
This commit removes 'stats' from the JSON output formatter. The
same information is available in the metrics section and
duplicating the data is pointless.
Closes-Bug: #1643723
Change-Id: Ia80a177fdc03c9769c35c824d8d907c93da2ebf7
This commit updates the check for a partial path in the shell
plugin to recognize Windows paths (c:\something\) as complete
paths.
Change-Id: I0e6e3b83f5464e2fe4b06bc72632bb950b5e3d7e
Closes-Bug: #1650392