From ffe64b7706f479c1e97e053006a3487ef8eb8b32 Mon Sep 17 00:00:00 2001
From: Brant Knudson
Date: Fri, 18 Sep 2015 15:13:29 -0500
Subject: [PATCH] Bring bandit config up-to-date
Bandit 0.13.2 was released and this is the min version in requirements.txt. This version updated the tests that are available. Using the latest default bandit.yaml from bandit 0.13.2:
1) Copied the latest bandit config stuff from the top of the file.
2) Copied the list of all tests from the sample "All" profile:
- Left the new tests that we weren't running disabled, these will be enabled if they work, marked with TODO.
- Removed crypto_random and shell_injection since these are not in the list of all tests anymore.
- Some tests weren't enabled before, I added the reason why.
3) After the profiles comes the configuration for each test, which bandit 0.13.2 has changed. Changes to the configs for the blacklist_calls and blacklist_imports tests caused some new lines to be flagged, so these will be handled separately.
Follow-on commits will handle enabling the new tests or providing a reason why the test is not run and updating the test configs to the latest from 0.13.2.
[1] http://git.openstack.org/cgit/openstack/bandit/tree/bandit/config/bandit.yaml?id=0.13.2
Change-Id: Iee28a669853497d3fa79d6d89ecbb2d8b755e78e
---
bandit.yaml | 83 +++++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 75 insertions(+), 8 deletions(-)
diff --git a/bandit.yaml b/bandit.yaml
index 1f2f68e76e..d1f561ecdd 100644
--- a/bandit.yaml
+++ b/bandit.yaml
@@ -11,9 +11,9 @@ plugin_name_pattern: '*.py'
 #output_colors:
 # DEFAULT: '\033[0m'
 # HEADER: '\033[95m'
-# INFO: '\033[94m'
-# WARN: '\033[93m'
-# ERROR: '\033[91m'
+# LOW: '\033[94m'
+# MEDIUM: '\033[93m'
+# HIGH: '\033[91m'
 # optional: log format string
 #log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
@@ -31,14 +31,73 @@ exclude_dirs:
 profiles:
 gate:
 include:
+
+ # TODO:
+ # - any_other_function_with_shell_equals_true
+
+ # TODO:
+ # - assert_used
+
 - blacklist_calls
+
+ # TODO:
+ # - blacklist_import_func
+
 - blacklist_imports
- - request_with_no_cert_validation
 - exec_used
+
+ # TODO:
+ # - execute_with_run_as_root_equals_true
+
+ # TODO:
+ # - hardcoded_bind_all_interfaces
+
+ # Not working because wordlist/default-passwords file not bundled,
+ # see https://bugs.launchpad.net/bandit/+bug/1451575 :
+ # - hardcoded_password
+
+ # Not used because it's prone to false positives:
+ # - hardcoded_sql_expressions
+
+ # TODO:
+ # - hardcoded_tmp_directory
+
+ # TODO:
+ # - jinja2_autoescape_false
+
+ - linux_commands_wildcard_injection
+
+ # TODO:
+ # - paramiko_calls
+
+ # TODO:
+ # - password_config_option_not_marked_secret
+
+ - request_with_no_cert_validation
 - set_bad_file_permissions
 - subprocess_popen_with_shell_equals_true
- - linux_commands_wildcard_injection
+
+ # TODO:
+ # - subprocess_without_shell_equals_true
+
+ # TODO:
+ # - start_process_with_a_shell
+
+ # TODO:
+ # - start_process_with_no_shell
+
+ # TODO:
+ # - start_process_with_partial_path
+
+ - ssl_with_bad_defaults
 - ssl_with_bad_version
+ - ssl_with_no_version
+
+ # TODO:
+ # - try_except_pass
+
+ # TODO:
+ # - use_of_mako_templates
 blacklist_calls:
 bad_name_sets:
@@ -50,8 +109,8 @@ blacklist_calls:
 qualnames: [marshal.load, marshal.loads]
 message: "Deserialization with the marshal module is possibly dangerous."
 - md5:
- qualnames: [hashlib.md5]
- message: "Use of insecure MD5 hash function."
+ qualnames: [hashlib.md5, Crypto.Hash.MD2.new, Crypto.Hash.MD4.new, Crypto.Hash.MD5.new, cryptography.hazmat.primitives.hashes.MD5]
+ message: "Use of insecure MD2, MD4, or MD5 hash function."
 - mktemp_q:
 qualnames: [tempfile.mktemp]
 message: "Use of insecure and deprecated function (mktemp)."
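Review bot: The disable reason written for `hardcoded_password` in this hunk — the `wordlist/default-passwords` file is not bundled, per the linked bug — may be stale by the end of this same commit, because the `hardcoded_password` hunk further down changes `word_list` to `%(site_data_dir)s/wordlist/default-passwords`, the substitution form the comment added there says bandit 0.13.2 supports for locating the installed wordlist. It is worth confirming whether the installed 0.13.2 resolves that path; if it does, `- hardcoded_password` can be enabled in the gate profile, and if not, the comment should record that the new path form was tried so the next reader does not repeat the check. Separately, the bare `# TODO:` lines above each newly disabled test carry no hint of what blocks them; one consistent phrasing such as `# TODO: not yet run against this tree; enable once it passes` would let a reader tell deliberate exclusions (the two with reasons) from pending work without consulting the commit message.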
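Review bot: The added `qualnames:` line under `md5` is a flow sequence of five dotted names on a single line, well past the 80-column guideline that the neighbouring short flow lists (`[marshal.load, marshal.loads]`, `[tempfile.mktemp]`) stay within; now that the list mixes three libraries a block sequence reads and diffs more cleanly, and future additions become one-line changes. The updated message is fine as written. The indentation below is conventional, since the hunk's original indent is not recoverable from this view.

```yaml
- md5:
    qualnames:
      - hashlib.md5
      - Crypto.Hash.MD2.new
      - Crypto.Hash.MD4.new
      - Crypto.Hash.MD5.new
      - cryptography.hazmat.primitives.hashes.MD5
    # … unchanged: message …
```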
@@ -92,8 +151,13 @@ blacklist_imports:
 level: ERROR
 message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
+hardcoded_tmp_directory:
+ tmp_dirs: ['/tmp', '/var/tmp', '/dev/shm']
+
 hardcoded_password:
- word_list: "wordlist/default-passwords"
+ # Support for full path, relative path and special "%(site_data_dir)s"
+ # substitution (/usr/{local}/share)
+ word_list: "%(site_data_dir)s/wordlist/default-passwords"
 ssl_with_bad_version:
 bad_protocol_versions:
@@ -117,3 +181,6 @@ execute_with_run_as_root_equals_true:
 - neutron.agent.linux.utils.execute
 - nova.utils.execute
 - nova.utils.trycmd
+
+try_except_pass:
+ check_typed_exception: True
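Review bot: `check_typed_exception: True` in the new `try_except_pass` stanza uses a capitalised boolean, which YAML 1.1 loaders accept but yamllint's truthy rule flags and which differs across YAML 1.1 and 1.2 tooling; write it in canonical form, `check_typed_exception: true`. Note that the gate profile earlier in this patch still lists `try_except_pass` as a commented-out TODO, so this option appears to have no effect until that test is enabled — a one-line comment above the stanza saying so, such as `# Consulted only once try_except_pass is enabled in the profile.`, would save a reader from looking for the test that uses it.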