Merge "Bring bandit config up-to-date"
commit
83e6a2d8e3
83
bandit.yaml
83
bandit.yaml
|
@ -11,9 +11,9 @@ plugin_name_pattern: '*.py'
|
||||||
#output_colors:
|
#output_colors:
|
||||||
# DEFAULT: '\033[0m'
|
# DEFAULT: '\033[0m'
|
||||||
# HEADER: '\033[95m'
|
# HEADER: '\033[95m'
|
||||||
# INFO: '\033[94m'
|
# LOW: '\033[94m'
|
||||||
# WARN: '\033[93m'
|
# MEDIUM: '\033[93m'
|
||||||
# ERROR: '\033[91m'
|
# HIGH: '\033[91m'
|
||||||
|
|
||||||
# optional: log format string
|
# optional: log format string
|
||||||
#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
|
#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
|
||||||
|
@ -31,14 +31,73 @@ exclude_dirs:
|
||||||
profiles:
|
profiles:
|
||||||
gate:
|
gate:
|
||||||
include:
|
include:
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - any_other_function_with_shell_equals_true
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - assert_used
|
||||||
|
|
||||||
- blacklist_calls
|
- blacklist_calls
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - blacklist_import_func
|
||||||
|
|
||||||
- blacklist_imports
|
- blacklist_imports
|
||||||
- request_with_no_cert_validation
|
|
||||||
- exec_used
|
- exec_used
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - execute_with_run_as_root_equals_true
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - hardcoded_bind_all_interfaces
|
||||||
|
|
||||||
|
# Not working because wordlist/default-passwords file not bundled,
|
||||||
|
# see https://bugs.launchpad.net/bandit/+bug/1451575 :
|
||||||
|
# - hardcoded_password
|
||||||
|
|
||||||
|
# Not used because it's prone to false positives:
|
||||||
|
# - hardcoded_sql_expressions
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - hardcoded_tmp_directory
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - jinja2_autoescape_false
|
||||||
|
|
||||||
|
- linux_commands_wildcard_injection
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - paramiko_calls
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - password_config_option_not_marked_secret
|
||||||
|
|
||||||
|
- request_with_no_cert_validation
|
||||||
- set_bad_file_permissions
|
- set_bad_file_permissions
|
||||||
- subprocess_popen_with_shell_equals_true
|
- subprocess_popen_with_shell_equals_true
|
||||||
- linux_commands_wildcard_injection
|
|
||||||
|
# TODO:
|
||||||
|
# - subprocess_without_shell_equals_true
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - start_process_with_a_shell
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - start_process_with_no_shell
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - start_process_with_partial_path
|
||||||
|
|
||||||
|
- ssl_with_bad_defaults
|
||||||
- ssl_with_bad_version
|
- ssl_with_bad_version
|
||||||
|
- ssl_with_no_version
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - try_except_pass
|
||||||
|
|
||||||
|
# TODO:
|
||||||
|
# - use_of_mako_templates
|
||||||
|
|
||||||
blacklist_calls:
|
blacklist_calls:
|
||||||
bad_name_sets:
|
bad_name_sets:
|
||||||
|
@ -50,8 +109,8 @@ blacklist_calls:
|
||||||
qualnames: [marshal.load, marshal.loads]
|
qualnames: [marshal.load, marshal.loads]
|
||||||
message: "Deserialization with the marshal module is possibly dangerous."
|
message: "Deserialization with the marshal module is possibly dangerous."
|
||||||
- md5:
|
- md5:
|
||||||
qualnames: [hashlib.md5]
|
qualnames: [hashlib.md5, Crypto.Hash.MD2.new, Crypto.Hash.MD4.new, Crypto.Hash.MD5.new, cryptography.hazmat.primitives.hashes.MD5]
|
||||||
message: "Use of insecure MD5 hash function."
|
message: "Use of insecure MD2, MD4, or MD5 hash function."
|
||||||
- mktemp_q:
|
- mktemp_q:
|
||||||
qualnames: [tempfile.mktemp]
|
qualnames: [tempfile.mktemp]
|
||||||
message: "Use of insecure and deprecated function (mktemp)."
|
message: "Use of insecure and deprecated function (mktemp)."
|
||||||
|
@ -92,8 +151,13 @@ blacklist_imports:
|
||||||
level: ERROR
|
level: ERROR
|
||||||
message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
|
message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
|
||||||
|
|
||||||
|
hardcoded_tmp_directory:
|
||||||
|
tmp_dirs: ['/tmp', '/var/tmp', '/dev/shm']
|
||||||
|
|
||||||
hardcoded_password:
|
hardcoded_password:
|
||||||
word_list: "wordlist/default-passwords"
|
# Support for full path, relative path and special "%(site_data_dir)s"
|
||||||
|
# substitution (/usr/{local}/share)
|
||||||
|
word_list: "%(site_data_dir)s/wordlist/default-passwords"
|
||||||
|
|
||||||
ssl_with_bad_version:
|
ssl_with_bad_version:
|
||||||
bad_protocol_versions:
|
bad_protocol_versions:
|
||||||
|
@ -117,3 +181,6 @@ execute_with_run_as_root_equals_true:
|
||||||
- neutron.agent.linux.utils.execute
|
- neutron.agent.linux.utils.execute
|
||||||
- nova.utils.execute
|
- nova.utils.execute
|
||||||
- nova.utils.trycmd
|
- nova.utils.trycmd
|
||||||
|
|
||||||
|
try_except_pass:
|
||||||
|
check_typed_exception: True
|
||||||
|
|
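Review bot: The telnet blacklist entry still carries `level: ERROR` (context lines of the `@@ -92,8 +151,13` hunk) while this same commit renames the output colour keys from INFO/WARN/ERROR to LOW/MEDIUM/HIGH, which suggests bandit's severity names changed; if so, that level is probably stale and should become `level: HIGH` — confirm against the bandit version this config targets, since an unknown level name may be silently ignored or mapped to a default. In the `@@ -50,8 +109,8` hunk the new `qualnames` flow list for `md5` has grown well past any sensible line length; a block sequence with one qualname per line would read and diff more cleanly as further hash names are added. In the last hunk, `check_typed_exception: True` does parse as a boolean under YAML 1.1, but lowercase `true` is the portable spelling and what yamllint expects. Note also that `try_except_pass` is still commented out as a TODO in the gate profile, so this new setting has no effect until that test is enabled.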