Adding bandit for security static analysis testing in swift
This change adds a basic bandit config for Swift. It can be invoked by running the tox environment for bandit; tox -e bandit This is an initial step for using bandit with Swift and it should be revisited to improve the testing as more is learned about the specific needs of the Swift code base.As per now some tests are excluded as they were used on purpose. https://wiki.openstack.org/wiki/Security/Projects/Bandit Implements: blueprint swift-bandit Change-Id: I621be9a68ae9311f3a6eadd1636b05e646260cf2
This commit is contained in:
parent
170313d7db
commit
67513fc17c
149
bandit.yaml
Normal file
149
bandit.yaml
Normal file
@ -0,0 +1,149 @@
|
||||
# optional: after how many files to update progress
|
||||
#show_progress_every: 100
|
||||
|
||||
# optional: plugins directory name
|
||||
#plugins_dir: 'plugins'
|
||||
|
||||
# optional: plugins discovery name pattern
|
||||
plugin_name_pattern: '*.py'
|
||||
|
||||
# optional: terminal escape sequences to display colors
|
||||
#output_colors:
|
||||
# DEFAULT: '\033[0m'
|
||||
# HEADER: '\033[95m'
|
||||
# LOW: '\033[94m'
|
||||
# MEDIUM: '\033[93m'
|
||||
# HIGH: '\033[91m'
|
||||
|
||||
# optional: log format string
|
||||
#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
|
||||
|
||||
# globs of files which should be analyzed
|
||||
include:
|
||||
- '*.py'
|
||||
|
||||
# a list of strings, which if found in the path will cause files to be
|
||||
# excluded
|
||||
# for example /tests/ - to remove all all files in tests directory
|
||||
#exclude_dirs:
|
||||
# - '/tests/'
|
||||
|
||||
#configured for swift
|
||||
profiles:
|
||||
gate:
|
||||
include:
|
||||
- blacklist_calls
|
||||
- blacklist_imports
|
||||
- exec_used
|
||||
- linux_commands_wildcard_injection
|
||||
- request_with_no_cert_validation
|
||||
- set_bad_file_permissions
|
||||
- subprocess_popen_with_shell_equals_true
|
||||
- ssl_with_bad_version
|
||||
- password_config_option_not_marked_secret
|
||||
|
||||
# - any_other_function_with_shell_equals_true
|
||||
# - ssl_with_bad_defaults
|
||||
# - jinja2_autoescape_false
|
||||
# - use_of_mako_templates
|
||||
# - subprocess_without_shell_equals_true
|
||||
# - any_other_function_with_shell_equals_true
|
||||
# - start_process_with_a_shell
|
||||
# - start_process_with_no_shell
|
||||
# - hardcoded_sql_expressions
|
||||
# - hardcoded_tmp_director
|
||||
# - linux_commands_wildcard_injection
|
||||
#For now some items are commented which could be included as per use later.
|
||||
blacklist_calls:
|
||||
bad_name_sets:
|
||||
# - pickle:
|
||||
# qualnames: [pickle.loads, pickle.load, pickle.Unpickler,
|
||||
# cPickle.loads, cPickle.load, cPickle.Unpickler]
|
||||
# level: LOW
|
||||
# message: "Pickle library appears to be in use, possible security
|
||||
#issue."
|
||||
|
||||
- marshal:
|
||||
qualnames: [marshal.load, marshal.loads]
|
||||
message: "Deserialization with the marshal module is possibly
|
||||
dangerous."
|
||||
# - md5:
|
||||
# qualnames: [hashlib.md5]
|
||||
# level: LOW
|
||||
# message: "Use of insecure MD5 hash function."
|
||||
- mktemp_q:
|
||||
qualnames: [tempfile.mktemp]
|
||||
message: "Use of insecure and deprecated function (mktemp)."
|
||||
# - eval:
|
||||
# qualnames: [eval]
|
||||
# level: LOW
|
||||
# message: "Use of possibly insecure function - consider using safer
|
||||
#ast.literal_eval."
|
||||
- mark_safe:
|
||||
names: [mark_safe]
|
||||
message: "Use of mark_safe() may expose cross-site scripting
|
||||
vulnerabilities and should be reviewed."
|
||||
- httpsconnection:
|
||||
qualnames: [httplib.HTTPSConnection]
|
||||
message: "Use of HTTPSConnection does not provide security, see
|
||||
https://wiki.openstack.org/wiki/OSSN/OSSN-0033"
|
||||
- yaml_load:
|
||||
qualnames: [yaml.load]
|
||||
message: "Use of unsafe yaml load. Allows instantiation of
|
||||
arbitrary objects. Consider yaml.safe_load()."
|
||||
- urllib_urlopen:
|
||||
qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener,
|
||||
urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
|
||||
message: "Audit url open for permitted schemes. Allowing use of
|
||||
file:/ or custom schemes is often unexpected."
|
||||
- paramiko_injection:
|
||||
qualnames: [paramiko.exec_command, paramiko.invoke_shell]
|
||||
message: "Paramiko exec_command() and invoke_shell() usage may
|
||||
expose command injection vulnerabilities and should be reviewed."
|
||||
|
||||
shell_injection:
|
||||
# Start a process using the subprocess module, or one of its wrappers.
|
||||
subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
|
||||
subprocess.check_output, utils.execute,
|
||||
utils.execute_with_timeout]
|
||||
# Start a process with a function vulnerable to shell injection.
|
||||
shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4,
|
||||
popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3,
|
||||
popen2.Popen4, commands.getoutput, commands.getstatusoutput]
|
||||
# Start a process with a function that is not vulnerable to shell
|
||||
# injection.
|
||||
no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve,
|
||||
os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp,
|
||||
os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe,
|
||||
os.startfile]
|
||||
|
||||
blacklist_imports:
|
||||
bad_import_sets:
|
||||
- telnet:
|
||||
imports: [telnetlib]
|
||||
level: HIGH
|
||||
message: "Telnet is considered insecure. Use SSH or some other
|
||||
encrypted protocol."
|
||||
- info_libs:
|
||||
imports: [Crypto]
|
||||
level: LOW
|
||||
message: "Consider possible security implications associated with
|
||||
#{module} module."
|
||||
|
||||
hardcoded_password:
|
||||
word_list: "wordlist/default-passwords"
|
||||
|
||||
ssl_with_bad_version:
|
||||
bad_protocol_versions:
|
||||
- 'PROTOCOL_SSLv2'
|
||||
- 'SSLv2_METHOD'
|
||||
- 'SSLv23_METHOD'
|
||||
- 'PROTOCOL_SSLv3' # strict option
|
||||
- 'PROTOCOL_TLSv1' # strict option
|
||||
- 'SSLv3_METHOD' # strict option
|
||||
- 'TLSv1_METHOD' # strict option
|
||||
|
||||
password_config_option_not_marked_secret:
|
||||
function_names:
|
||||
- oslo.config.cfg.StrOpt
|
||||
- oslo_config.cfg.StrOpt
|
@ -13,3 +13,6 @@ sphinx>=1.1.2,<1.2
|
||||
mock>=1.0
|
||||
python-swiftclient
|
||||
python-keystoneclient>=1.3.0
|
||||
|
||||
# Security checks
|
||||
bandit>=0.10.1
|
||||
|
4
tox.ini
4
tox.ini
@ -49,6 +49,10 @@ commands = {posargs}
|
||||
[testenv:docs]
|
||||
commands = python setup.py build_sphinx
|
||||
|
||||
[testenv:bandit]
|
||||
deps = -r{toxinidir}/test-requirements.txt
|
||||
commands = bandit -c bandit.yaml -r swift bin -n 5 -p gate
|
||||
|
||||
[flake8]
|
||||
# it's not a bug that we aren't using all of hacking
|
||||
# H102 -> apache2 license exists
|
||||
|
Loading…
Reference in New Issue
Block a user