Merge "Updating Bandit config file"

2016-09-19 00:33:03 +00:00 · 2016-09-19 00:33:03 +00:00 · 6fea41e0f6
parent 5126cc844a b587d1606c
commit 6fea41e0f6
3 changed files with 153 additions and 145 deletions
--- a/bandit.yaml
+++ b/bandit.yaml
@ -1,149 +1,157 @@
-# optional: after how many files to update progress
-#show_progress_every: 100

-# optional: plugins directory name
-#plugins_dir: 'plugins'
+### This config may optionally select a subset of tests to run or skip by
+### filling out the 'tests' and 'skips' lists given below. If no tests are
+### specified for inclusion then it is assumed all tests are desired. The skips
+### set will remove specific tests from the include set. This can be controlled
+### using the -t/-s CLI options. Note that the same test ID should not appear
+### in both 'tests' and 'skips', this would be nonsensical and is detected by
+### Bandit at runtime.

-# optional: plugins discovery name pattern
-plugin_name_pattern: '*.py'
+# Available tests:
+# B101 : assert_used
+# B102 : exec_used
+# B103 : set_bad_file_permissions
+# B104 : hardcoded_bind_all_interfaces
+# B105 : hardcoded_password_string
+# B106 : hardcoded_password_funcarg
+# B107 : hardcoded_password_default
+# B108 : hardcoded_tmp_directory
+# B109 : password_config_option_not_marked_secret
+# B110 : try_except_pass
+# B111 : execute_with_run_as_root_equals_true
+# B112 : try_except_continue
+# B201 : flask_debug_true
+# B301 : pickle
+# B302 : marshal
+# B303 : md5
+# B304 : ciphers
+# B305 : cipher_modes
+# B306 : mktemp_q
+# B307 : eval
+# B308 : mark_safe
+# B309 : httpsconnection
+# B310 : urllib_urlopen
+# B311 : random
+# B312 : telnetlib
+# B313 : xml_bad_cElementTree
+# B314 : xml_bad_ElementTree
+# B315 : xml_bad_expatreader
+# B316 : xml_bad_expatbuilder
+# B317 : xml_bad_sax
+# B318 : xml_bad_minidom
+# B319 : xml_bad_pulldom
+# B320 : xml_bad_etree
+# B321 : ftplib
+# B401 : import_telnetlib
+# B402 : import_ftplib
+# B403 : import_pickle
+# B404 : import_subprocess
+# B405 : import_xml_etree
+# B406 : import_xml_sax
+# B407 : import_xml_expat
+# B408 : import_xml_minidom
+# B409 : import_xml_pulldom
+# B410 : import_lxml
+# B411 : import_xmlrpclib
+# B412 : import_httpoxy
+# B501 : request_with_no_cert_validation
+# B502 : ssl_with_bad_version
+# B503 : ssl_with_bad_defaults
+# B504 : ssl_with_no_version
+# B505 : weak_cryptographic_key
+# B506 : yaml_load
+# B601 : paramiko_calls
+# B602 : subprocess_popen_with_shell_equals_true
+# B603 : subprocess_without_shell_equals_true
+# B604 : any_other_function_with_shell_equals_true
+# B605 : start_process_with_a_shell
+# B606 : start_process_with_no_shell
+# B607 : start_process_with_partial_path
+# B608 : hardcoded_sql_expressions
+# B609 : linux_commands_wildcard_injection
+# B701 : jinja2_autoescape_false
+# B702 : use_of_mako_templates

-# optional: terminal escape sequences to display colors
-#output_colors:
-#    DEFAULT: '\033[0m'
-#    HEADER: '\033[95m'
-#    LOW: '\033[94m'
-#    MEDIUM: '\033[93m'
-#    HIGH: '\033[91m'
+# (optional) list included test IDs here, eg '[B101, B406]':
+tests: [B102, B103, B109, B302, B306, B308, B309, B310, B401, B501, B502, B506, B601, B602, B609]

-# optional: log format string
-#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
+# (optional) list skipped test IDs here, eg '[B101, B406]':
+skips:

-# globs of files which should be analyzed
-include:
-    - '*.py'
+### (optional) plugin settings - some test plugins require configuration data
+### that may be given here, per-plugin. All bandit test plugins have a built in
+### set of sensible defaults and these will be used if no configuration is
+### provided. It is not necessary to provide settings for every (or any) plugin
+### if the defaults are acceptable.

-# a list of strings, which if found in the path will cause files to be
-# excluded
-# for example /tests/ - to remove all all files in tests directory
-#exclude_dirs:
-#    - '/tests/'
-
-#configured for swift
-profiles:
-    gate:
-        include:
-            - blacklist_calls
-            - blacklist_imports
-            - exec_used
-            - linux_commands_wildcard_injection
-            - request_with_no_cert_validation
-            - set_bad_file_permissions
-            - subprocess_popen_with_shell_equals_true
-            - ssl_with_bad_version
-            - password_config_option_not_marked_secret
-
-#            - any_other_function_with_shell_equals_true
-#            - ssl_with_bad_defaults
-#            - jinja2_autoescape_false
-#            - use_of_mako_templates
-#            - subprocess_without_shell_equals_true
-#            - any_other_function_with_shell_equals_true
-#            - start_process_with_a_shell
-#            - start_process_with_no_shell
-#            - hardcoded_sql_expressions
-#            - hardcoded_tmp_director
-#            - linux_commands_wildcard_injection
-#For now some items are commented which could be included as per use later.
-blacklist_calls:
-    bad_name_sets:
-#        - pickle:
-#            qualnames: [pickle.loads, pickle.load, pickle.Unpickler,
-#                        cPickle.loads, cPickle.load, cPickle.Unpickler]
-#            level: LOW
-#            message: "Pickle library appears to be in use, possible security
-#issue."
-
-        - marshal:
-            qualnames: [marshal.load, marshal.loads]
-            message: "Deserialization with the marshal module is possibly
-dangerous."
-#        - md5:
-#            qualnames: [hashlib.md5]
-#            level: LOW
-#            message: "Use of insecure MD5 hash function."
-        - mktemp_q:
-            qualnames: [tempfile.mktemp]
-            message: "Use of insecure and deprecated function (mktemp)."
-#        - eval:
-#            qualnames: [eval]
-#            level: LOW
-#            message: "Use of possibly insecure function - consider using safer
-#ast.literal_eval."
-        - mark_safe:
-            names: [mark_safe]
-            message: "Use of mark_safe() may expose cross-site scripting
-vulnerabilities and should be reviewed."
-        - httpsconnection:
-            qualnames: [httplib.HTTPSConnection]
-            message: "Use of HTTPSConnection does not provide security, see
-https://wiki.openstack.org/wiki/OSSN/OSSN-0033"
-        - yaml_load:
-            qualnames: [yaml.load]
-            message: "Use of unsafe yaml load. Allows instantiation of
-arbitrary objects. Consider yaml.safe_load()."
-        - urllib_urlopen:
-            qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener,
-urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
-            message: "Audit url open for permitted schemes. Allowing use of
-file:/ or custom schemes is often unexpected."
-        - paramiko_injection:
-            qualnames: [paramiko.exec_command, paramiko.invoke_shell]
-            message: "Paramiko exec_command() and invoke_shell() usage may
-expose command injection vulnerabilities and should be reviewed."
-
-shell_injection:
-    # Start a process using the subprocess module, or one of its wrappers.
-    subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
-                 subprocess.check_output, utils.execute,
-utils.execute_with_timeout]
-    # Start a process with a function vulnerable to shell injection.
-    shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4,
-            popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3,
-            popen2.Popen4, commands.getoutput, commands.getstatusoutput]
-    # Start a process with a function that is not vulnerable to shell
-    # injection.
-    no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve,
-               os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp,
-               os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe,
-               os.startfile]
-
-blacklist_imports:
-    bad_import_sets:
-        - telnet:
-            imports: [telnetlib]
-            level: HIGH
-            message: "Telnet is considered insecure. Use SSH or some other
-encrypted protocol."
-        - info_libs:
-            imports: [Crypto]
-            level: LOW
-            message: "Consider possible security implications associated with
-#{module} module."
-
-hardcoded_password:
-    word_list: "wordlist/default-passwords"
-
-ssl_with_bad_version:
-    bad_protocol_versions:
-        - 'PROTOCOL_SSLv2'
-        - 'SSLv2_METHOD'
-        - 'SSLv23_METHOD'
-        - 'PROTOCOL_SSLv3'  # strict option
-        - 'PROTOCOL_TLSv1'  # strict option
-        - 'SSLv3_METHOD'    # strict option
-        - 'TLSv1_METHOD'    # strict option
-
-password_config_option_not_marked_secret:
-    function_names:
-        - oslo.config.cfg.StrOpt
-        - oslo_config.cfg.StrOpt
+#any_other_function_with_shell_equals_true:
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+#    os.spawnvp, os.spawnvpe, os.startfile]
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
+#    utils.execute, utils.execute_with_timeout]
+#execute_with_run_as_root_equals_true:
+#  function_names: [ceilometer.utils.execute, cinder.utils.execute, neutron.agent.linux.utils.execute,
+#    nova.utils.execute, nova.utils.trycmd]
+#hardcoded_tmp_directory:
+#  tmp_dirs: [/tmp, /var/tmp, /dev/shm]
+#linux_commands_wildcard_injection:
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+#    os.spawnvp, os.spawnvpe, os.startfile]
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
+#    utils.execute, utils.execute_with_timeout]
+#password_config_option_not_marked_secret:
+#  function_names: [oslo.config.cfg.StrOpt, oslo_config.cfg.StrOpt]
+#ssl_with_bad_defaults:
+#  bad_protocol_versions: [PROTOCOL_SSLv2, SSLv2_METHOD, SSLv23_METHOD, PROTOCOL_SSLv3,
+#    PROTOCOL_TLSv1, SSLv3_METHOD, TLSv1_METHOD]
+#ssl_with_bad_version:
+#  bad_protocol_versions: [PROTOCOL_SSLv2, SSLv2_METHOD, SSLv23_METHOD, PROTOCOL_SSLv3,
+#    PROTOCOL_TLSv1, SSLv3_METHOD, TLSv1_METHOD]
+#start_process_with_a_shell:
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+#    os.spawnvp, os.spawnvpe, os.startfile]
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
+#    utils.execute, utils.execute_with_timeout]
+#start_process_with_no_shell:
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+#    os.spawnvp, os.spawnvpe, os.startfile]
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
+#    utils.execute, utils.execute_with_timeout]
+#start_process_with_partial_path:
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+#    os.spawnvp, os.spawnvpe, os.startfile]
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
+#    utils.execute, utils.execute_with_timeout]
+#subprocess_popen_with_shell_equals_true:
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+#    os.spawnvp, os.spawnvpe, os.startfile]
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
+#    utils.execute, utils.execute_with_timeout]
+#subprocess_without_shell_equals_true:
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+#    os.spawnvp, os.spawnvpe, os.startfile]
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
+#    utils.execute, utils.execute_with_timeout]
+#try_except_continue: {check_typed_exception: false}
+#try_except_pass: {check_typed_exception: false}
--- a/test-requirements.txt
+++ b/test-requirements.txt
@ -18,4 +18,4 @@ python-swiftclient
 python-keystoneclient>=1.3.0

 # Security checks
-bandit>=0.10.1
+bandit>=1.1.0  # Apache-2.0
--- a/tox.ini
+++ b/tox.ini
@ -94,7 +94,7 @@ commands = sphinx-build -a -E -W -d install-guide/build/doctrees -b html install

 [testenv:bandit]
 deps = -r{toxinidir}/test-requirements.txt
-commands = bandit -c bandit.yaml -r swift bin -n 5 -p gate
+commands = bandit -c bandit.yaml -r swift -n 5

 [flake8]
 # it's not a bug that we aren't using all of hacking, ignore: