Merge "Updating Bandit config file"

bandit.yaml

@@ -1,149 +1,157 @@
-# optional: after how many files to update progress
-#show_progress_every: 100
 
-# optional: plugins directory name
+### This config may optionally select a subset of tests to run or skip by
-#plugins_dir: 'plugins'
+### filling out the 'tests' and 'skips' lists given below. If no tests are
+### specified for inclusion then it is assumed all tests are desired. The skips
+### set will remove specific tests from the include set. This can be controlled
+### using the -t/-s CLI options. Note that the same test ID should not appear
+### in both 'tests' and 'skips', this would be nonsensical and is detected by
+### Bandit at runtime.
 
-# optional: plugins discovery name pattern
+# Available tests:
-plugin_name_pattern: '*.py'
+# B101 : assert_used
+# B102 : exec_used
+# B103 : set_bad_file_permissions
+# B104 : hardcoded_bind_all_interfaces
+# B105 : hardcoded_password_string
+# B106 : hardcoded_password_funcarg
+# B107 : hardcoded_password_default
+# B108 : hardcoded_tmp_directory
+# B109 : password_config_option_not_marked_secret
+# B110 : try_except_pass
+# B111 : execute_with_run_as_root_equals_true
+# B112 : try_except_continue
+# B201 : flask_debug_true
+# B301 : pickle
+# B302 : marshal
+# B303 : md5
+# B304 : ciphers
+# B305 : cipher_modes
+# B306 : mktemp_q
+# B307 : eval
+# B308 : mark_safe
+# B309 : httpsconnection
+# B310 : urllib_urlopen
+# B311 : random
+# B312 : telnetlib
+# B313 : xml_bad_cElementTree
+# B314 : xml_bad_ElementTree
+# B315 : xml_bad_expatreader
+# B316 : xml_bad_expatbuilder
+# B317 : xml_bad_sax
+# B318 : xml_bad_minidom
+# B319 : xml_bad_pulldom
+# B320 : xml_bad_etree
+# B321 : ftplib
+# B401 : import_telnetlib
+# B402 : import_ftplib
+# B403 : import_pickle
+# B404 : import_subprocess
+# B405 : import_xml_etree
+# B406 : import_xml_sax
+# B407 : import_xml_expat
+# B408 : import_xml_minidom
+# B409 : import_xml_pulldom
+# B410 : import_lxml
+# B411 : import_xmlrpclib
+# B412 : import_httpoxy
+# B501 : request_with_no_cert_validation
+# B502 : ssl_with_bad_version
+# B503 : ssl_with_bad_defaults
+# B504 : ssl_with_no_version
+# B505 : weak_cryptographic_key
+# B506 : yaml_load
+# B601 : paramiko_calls
+# B602 : subprocess_popen_with_shell_equals_true
+# B603 : subprocess_without_shell_equals_true
+# B604 : any_other_function_with_shell_equals_true
+# B605 : start_process_with_a_shell
+# B606 : start_process_with_no_shell
+# B607 : start_process_with_partial_path
+# B608 : hardcoded_sql_expressions
+# B609 : linux_commands_wildcard_injection
+# B701 : jinja2_autoescape_false
+# B702 : use_of_mako_templates
 
-# optional: terminal escape sequences to display colors
+# (optional) list included test IDs here, eg '[B101, B406]':
-#output_colors:
+tests: [B102, B103, B109, B302, B306, B308, B309, B310, B401, B501, B502, B506, B601, B602, B609]
-#    DEFAULT: '\033[0m'
-#    HEADER: '\033[95m'
-#    LOW: '\033[94m'
-#    MEDIUM: '\033[93m'
-#    HIGH: '\033[91m'
 
-# optional: log format string
+# (optional) list skipped test IDs here, eg '[B101, B406]':
-#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
+skips:
 
-# globs of files which should be analyzed
+### (optional) plugin settings - some test plugins require configuration data
-include:
+### that may be given here, per-plugin. All bandit test plugins have a built in
-    - '*.py'
+### set of sensible defaults and these will be used if no configuration is
+### provided. It is not necessary to provide settings for every (or any) plugin
+### if the defaults are acceptable.
 
-# a list of strings, which if found in the path will cause files to be
+#any_other_function_with_shell_equals_true:
-# excluded
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
-# for example /tests/ - to remove all all files in tests directory
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
-#exclude_dirs:
+#    os.spawnvp, os.spawnvpe, os.startfile]
-#    - '/tests/'
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
-
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
-#configured for swift
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
-profiles:
+#    utils.execute, utils.execute_with_timeout]
-    gate:
+#execute_with_run_as_root_equals_true:
-        include:
+#  function_names: [ceilometer.utils.execute, cinder.utils.execute, neutron.agent.linux.utils.execute,
-            - blacklist_calls
+#    nova.utils.execute, nova.utils.trycmd]
-            - blacklist_imports
+#hardcoded_tmp_directory:
-            - exec_used
+#  tmp_dirs: [/tmp, /var/tmp, /dev/shm]
-            - linux_commands_wildcard_injection
+#linux_commands_wildcard_injection:
-            - request_with_no_cert_validation
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
-            - set_bad_file_permissions
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
-            - subprocess_popen_with_shell_equals_true
+#    os.spawnvp, os.spawnvpe, os.startfile]
-            - ssl_with_bad_version
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
-            - password_config_option_not_marked_secret
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
-
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
-#            - any_other_function_with_shell_equals_true
+#    utils.execute, utils.execute_with_timeout]
-#            - ssl_with_bad_defaults
+#password_config_option_not_marked_secret:
-#            - jinja2_autoescape_false
+#  function_names: [oslo.config.cfg.StrOpt, oslo_config.cfg.StrOpt]
-#            - use_of_mako_templates
+#ssl_with_bad_defaults:
-#            - subprocess_without_shell_equals_true
+#  bad_protocol_versions: [PROTOCOL_SSLv2, SSLv2_METHOD, SSLv23_METHOD, PROTOCOL_SSLv3,
-#            - any_other_function_with_shell_equals_true
+#    PROTOCOL_TLSv1, SSLv3_METHOD, TLSv1_METHOD]
-#            - start_process_with_a_shell
+#ssl_with_bad_version:
-#            - start_process_with_no_shell
+#  bad_protocol_versions: [PROTOCOL_SSLv2, SSLv2_METHOD, SSLv23_METHOD, PROTOCOL_SSLv3,
-#            - hardcoded_sql_expressions
+#    PROTOCOL_TLSv1, SSLv3_METHOD, TLSv1_METHOD]
-#            - hardcoded_tmp_director
+#start_process_with_a_shell:
-#            - linux_commands_wildcard_injection
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
-#For now some items are commented which could be included as per use later.
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
-blacklist_calls:
+#    os.spawnvp, os.spawnvpe, os.startfile]
-    bad_name_sets:
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
-#        - pickle:
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
-#            qualnames: [pickle.loads, pickle.load, pickle.Unpickler,
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
-#                        cPickle.loads, cPickle.load, cPickle.Unpickler]
+#    utils.execute, utils.execute_with_timeout]
-#            level: LOW
+#start_process_with_no_shell:
-#            message: "Pickle library appears to be in use, possible security
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
-#issue."
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
-
+#    os.spawnvp, os.spawnvpe, os.startfile]
-        - marshal:
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
-            qualnames: [marshal.load, marshal.loads]
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
-            message: "Deserialization with the marshal module is possibly
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
-dangerous."
+#    utils.execute, utils.execute_with_timeout]
-#        - md5:
+#start_process_with_partial_path:
-#            qualnames: [hashlib.md5]
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
-#            level: LOW
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
-#            message: "Use of insecure MD5 hash function."
+#    os.spawnvp, os.spawnvpe, os.startfile]
-        - mktemp_q:
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
-            qualnames: [tempfile.mktemp]
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
-            message: "Use of insecure and deprecated function (mktemp)."
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
-#        - eval:
+#    utils.execute, utils.execute_with_timeout]
-#            qualnames: [eval]
+#subprocess_popen_with_shell_equals_true:
-#            level: LOW
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
-#            message: "Use of possibly insecure function - consider using safer
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
-#ast.literal_eval."
+#    os.spawnvp, os.spawnvpe, os.startfile]
-        - mark_safe:
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
-            names: [mark_safe]
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
-            message: "Use of mark_safe() may expose cross-site scripting
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
-vulnerabilities and should be reviewed."
+#    utils.execute, utils.execute_with_timeout]
-        - httpsconnection:
+#subprocess_without_shell_equals_true:
-            qualnames: [httplib.HTTPSConnection]
+#  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
-            message: "Use of HTTPSConnection does not provide security, see
+#    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
-https://wiki.openstack.org/wiki/OSSN/OSSN-0033"
+#    os.spawnvp, os.spawnvpe, os.startfile]
-        - yaml_load:
+#  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
-            qualnames: [yaml.load]
+#    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
-            message: "Use of unsafe yaml load. Allows instantiation of
+#  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
-arbitrary objects. Consider yaml.safe_load()."
+#    utils.execute, utils.execute_with_timeout]
-        - urllib_urlopen:
+#try_except_continue: {check_typed_exception: false}
-            qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener,
+#try_except_pass: {check_typed_exception: false}
-urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
-            message: "Audit url open for permitted schemes. Allowing use of
-file:/ or custom schemes is often unexpected."
-        - paramiko_injection:
-            qualnames: [paramiko.exec_command, paramiko.invoke_shell]
-            message: "Paramiko exec_command() and invoke_shell() usage may
-expose command injection vulnerabilities and should be reviewed."
-
-shell_injection:
-    # Start a process using the subprocess module, or one of its wrappers.
-    subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
-                 subprocess.check_output, utils.execute,
-utils.execute_with_timeout]
-    # Start a process with a function vulnerable to shell injection.
-    shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4,
-            popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3,
-            popen2.Popen4, commands.getoutput, commands.getstatusoutput]
-    # Start a process with a function that is not vulnerable to shell
-    # injection.
-    no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve,
-               os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp,
-               os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe,
-               os.startfile]
-
-blacklist_imports:
-    bad_import_sets:
-        - telnet:
-            imports: [telnetlib]
-            level: HIGH
-            message: "Telnet is considered insecure. Use SSH or some other
-encrypted protocol."
-        - info_libs:
-            imports: [Crypto]
-            level: LOW
-            message: "Consider possible security implications associated with
-#{module} module."
-
-hardcoded_password:
-    word_list: "wordlist/default-passwords"
-
-ssl_with_bad_version:
-    bad_protocol_versions:
-        - 'PROTOCOL_SSLv2'
-        - 'SSLv2_METHOD'
-        - 'SSLv23_METHOD'
-        - 'PROTOCOL_SSLv3'  # strict option
-        - 'PROTOCOL_TLSv1'  # strict option
-        - 'SSLv3_METHOD'    # strict option
-        - 'TLSv1_METHOD'    # strict option
-
-password_config_option_not_marked_secret:
-    function_names:
-        - oslo.config.cfg.StrOpt
-        - oslo_config.cfg.StrOpt

test-requirements.txt

@@ -18,4 +18,4 @@ python-swiftclient
 python-keystoneclient>=1.3.0
 
 # Security checks
-bandit>=0.10.1
+bandit>=1.1.0  # Apache-2.0

tox.ini

@@ -94,7 +94,7 @@ commands = sphinx-build -a -E -W -d install-guide/build/doctrees -b html install
 
 [testenv:bandit]
 deps = -r{toxinidir}/test-requirements.txt
-commands = bandit -c bandit.yaml -r swift bin -n 5 -p gate
+commands = bandit -c bandit.yaml -r swift -n 5
 
 [flake8]
 # it's not a bug that we aren't using all of hacking, ignore: