- New test for HTTPoxy bug (CVE-2016-5386)
- Man page added
[Bug Fixes]
- XSS bug fixed in HTML output (Security fix)
- Various typos and spelling errors fixed
[Behind the Scenes]
- Catch general exceptions per-file
- Docs improvements
- Py3.5 bits
Merge tag '1.1.0' into debian/newton
* New upstream release.
* Fixed (build-)depends for this release.
* Standards-Version is now 3.9.8 (no change).
* Using OpenStack's Gerrit as VCS URLs.
* debian/source/options: ignores egg-info and .gitreview.
* Using pkgos-dh_auto_{test,install} from openstack-pkg-tools >= 52~.
* Adding the bandit, bandit-baseline and bandit-config-generator binaries in
debian/bin so that unit tests and config generation work.
* Generate the bandit.yaml using bandit-config-generator.
* Do not run functional tests that are failing.
* Do not attempt to install bandit.yaml (file gone upstream).
Change-Id: I8bb004137c19a63589a88e348c139d462afd28c8
Coverage combine deletes reports and thus jenkins failed
saying `no data to report`, this change fixes it.
Change-Id: Ia95ec755513d4382f9ad945e9688836445aee4d3
This commit adds a missing section in the Bandit plugin
documentation for developers that describes how gen_config should
be used to declare and set default values for parameters.
Closes-Bug: #1602002
Change-Id: Iac3135394c9f723f04d9756459a0d5595de07021
Python 3.5 support was added to the gate jobs. Since Bandit fully
passes those tests, we can now claim Python 3.5 support in the
classifier.
Change-Id: Ia733ec36ce2350b5273031e4ab2491b344fd2bd2
Soon the gate jobs will support Python 3.5. This patch adds the
tox virtualenv in preparation for the move from 3.4 to 3.5.
Change-Id: Ifda38d02f97510f7687924e83b4c7b01c28bf10b
The argparse module already has the capability to default to stdout
at CLI parameter definition time. This patch utilizes this and avoids
the opening of the output file by each formatter.
Change-Id: Ib1e89492558fe1fc06966711b6014bd5b86b84c8
bandit/core/node_visitor.py is a module rather than a script.
doc/source/conf.py is a configuration file rather than a script.
Change-Id: I08d855da5adab6c722ce63d120dc437c1ca81f6b
This modifies the Bandit manager to catch a general Exception on a
per-file basis. When an exception does occur, the name of the file is
emitted and the file is logged as a 'skipped file' for inclusion in
the end-of-run output. When run in debug mode, a traceback will also
be printed.
The change also adds a new test targeting this case, along with a new
example file (nonsense2.py is gzipped nonsense.py) to trigger the
test.
Change-Id: I86e648890dddcc5c2fff7dd9844678e990b0cd63
Closes-Bug: #1498258
Some configurations don't pass an Attribute through directly. These
are safe as far as the test is concerned, but were exploding the
logic.
Closes-bug: #1564787
Change-Id: I8152983552ad61613c3c5474502a74ac4acf0d64
The exit codes of sub commands were ignored. As a result all
integration jobs would pass even when they fail.
Change-Id: I071283d2737199ed710e246740f68f8e857027f2
Closes-Bug: #1546772
These tests default to the strict setting; this is quite noisy and
normally produces false positives. Probably not a good default, so
this calms down these tests.
Change-Id: Ia22569bdae1705a2a499ad17bbfffdf211e9d2b2
This commit contains a number of relatively minor changes to the help
text displayed by Bandit when 'bandit -h' is executed.
It is an attempt to normalize (capitalization, formatting, and usage of
certain terms) and edit for clarity.
It also updates the README to include the new help text, and the test
that checks the README is up-to-date.
Change-Id: Ic583f891a295ac13339db1f65bcf38d66bd2abcd
Along with a 'try, except, pass' check, we should also check for the
similar existence of 'try, except, continue', which raises the same
type of security implications, given the similar type of functionality.
Using 'continue' in place of 'pass' (inside a loop) currently allows
code to bypass the 'try, except, pass' warning.
Change-Id: I3e7ce037518875c5f5e46e26e1d72ef878f78a2f
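A minimal stand-in for the check described in the two commits above, written here as an added example rather than Bandit's own plugin code: it walks the AST and flags except handlers whose body is a lone `pass` or `continue`, so the `continue` bypass no longer slips through. The `strict` flag and the `SAMPLE` source are assumptions of this example, with `strict` modelled on the strict setting the earlier commit describes as noisy: when off, only bare `except:` and `except Exception:` handlers are reported.

```python
import ast
from typing import List, Tuple

# Constructed sample input (not from the Bandit repository): one handler
# swallowed with `continue` inside a loop, one with `pass`, one that logs.
SAMPLE = '''
def load(paths):
    for p in paths:
        try:
            open(p)
        except IOError:
            continue
    try:
        risky()
    except Exception:
        pass
    try:
        risky()
    except ValueError as e:
        log(e)
'''

# Both statements silently discard the exception; `continue` only does so
# inside a loop, which is exactly the case the original check missed.
SWALLOWING = (ast.Pass, ast.Continue)


class SilentExceptFinder(ast.NodeVisitor):
    """Collect (line, statement) for except handlers that swallow errors."""

    def __init__(self, strict: bool = False):
        self.strict = strict  # assumed knob: report typed handlers too
        self.findings: List[Tuple[int, str]] = []

    def visit_ExceptHandler(self, node: ast.ExceptHandler) -> None:
        if len(node.body) == 1 and isinstance(node.body[0], SWALLOWING):
            # Non-strict mode only reports bare `except:` or `except Exception`,
            # the calmer default that avoids noise from narrowly typed handlers.
            broad = node.type is None or (
                isinstance(node.type, ast.Name) and node.type.id == "Exception")
            if self.strict or broad:
                kind = type(node.body[0]).__name__.lower()  # "pass" / "continue"
                self.findings.append((node.lineno, kind))
        self.generic_visit(node)


def find_silent_excepts(source: str, strict: bool = False) -> List[Tuple[int, str]]:
    finder = SilentExceptFinder(strict)
    finder.visit(ast.parse(source))
    return finder.findings
```

With the default setting only the `except Exception: pass` handler is reported; with `strict=True` the `except IOError: continue` handler is reported as well.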
The docs for these tests were very out of date. This fixes them
and also removes the old wordlist, as it's not used by anything.
Change-Id: I28c047dfd0041824e08e28e1239ccbae8c7141a0
This patch adds a validation step to the config class that can
be used to detect bad configs. For now it just asserts that if
legacy blacklist tests are mentioned the config contains the
required data block for them.
Additionally, this also removes various places in our test set
where a config file is specified. This was only done to satisfy
the old behaviour when a config was not optional.
Finally, this detects when a config has legacy data in it and
prints a deprecation warning.
Test coverage of the config class is now raised to 100%
Change-Id: I492a20f9b9f421d32e3e72eaa15f88c34c3d11e8