Diffstat (limited to 'keystone-moon/bandit.yaml')
-rw-r--r--keystone-moon/bandit.yaml92
1 files changed, 72 insertions, 20 deletions
diff --git a/keystone-moon/bandit.yaml b/keystone-moon/bandit.yaml
index 89d2551d..d1f561ec 100644
--- a/keystone-moon/bandit.yaml
+++ b/keystone-moon/bandit.yaml
@@ -11,9 +11,9 @@ plugin_name_pattern: '*.py'
#output_colors:
# DEFAULT: '\033[0m'
# HEADER: '\033[95m'
-# INFO: '\033[94m'
-# WARN: '\033[93m'
-# ERROR: '\033[91m'
+# LOW: '\033[94m'
+# MEDIUM: '\033[93m'
+# HIGH: '\033[91m'
# optional: log format string
#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
@@ -29,31 +29,75 @@ exclude_dirs:
- '/tests/'
profiles:
- keystone_conservative:
+ gate:
include:
+
+ # TODO:
+ # - any_other_function_with_shell_equals_true
+
+ # TODO:
+ # - assert_used
+
- blacklist_calls
+
+ # TODO:
+ # - blacklist_import_func
+
- blacklist_imports
- - request_with_no_cert_validation
- exec_used
- - set_bad_file_permissions
- - subprocess_popen_with_shell_equals_true
+
+ # TODO:
+ # - execute_with_run_as_root_equals_true
+
+ # TODO:
+ # - hardcoded_bind_all_interfaces
+
+ # Not working because wordlist/default-passwords file not bundled,
+ # see https://bugs.launchpad.net/bandit/+bug/1451575 :
+ # - hardcoded_password
+
+ # Not used because it's prone to false positives:
+ # - hardcoded_sql_expressions
+
+ # TODO:
+ # - hardcoded_tmp_directory
+
+ # TODO:
+ # - jinja2_autoescape_false
+
- linux_commands_wildcard_injection
- - ssl_with_bad_version
+ # TODO:
+ # - paramiko_calls
+
+ # TODO:
+ # - password_config_option_not_marked_secret
- keystone_verbose:
- include:
- - blacklist_calls
- - blacklist_imports
- request_with_no_cert_validation
- - exec_used
- set_bad_file_permissions
- - hardcoded_tmp_directory
- subprocess_popen_with_shell_equals_true
- - any_other_function_with_shell_equals_true
- - linux_commands_wildcard_injection
- - ssl_with_bad_version
+
+ # TODO:
+ # - subprocess_without_shell_equals_true
+
+ # TODO:
+ # - start_process_with_a_shell
+
+ # TODO:
+ # - start_process_with_no_shell
+
+ # TODO:
+ # - start_process_with_partial_path
+
- ssl_with_bad_defaults
+ - ssl_with_bad_version
+ - ssl_with_no_version
+
+ # TODO:
+ # - try_except_pass
+
+ # TODO:
+ # - use_of_mako_templates
blacklist_calls:
bad_name_sets:
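Review bot: The new `gate` profile leaves `hardcoded_tmp_directory` and `any_other_function_with_shell_equals_true` as commented TODO entries although both were active in the removed `keystone_verbose` profile, so anyone who ran that profile loses those two checks. At the same time the commit adds configuration for tests the profile does not enable — `hardcoded_tmp_directory` in the `@@ -107,8 +151,13 @@` hunk and `try_except_pass` in the last hunk — which is harmless but easy to mistake for enabled checks; a one-line comment above each such section, e.g. `# Not yet in the gate profile; see the TODO list under profiles`, would keep the two from drifting apart. The `hardcoded_password` entry is commented out as not working because the word list is not bundled, while the same commit switches `word_list` to a `%(site_data_dir)s` path; if that resolves the bundling problem the TODO comment is stale and the test could be re-enabled. Dropping the `keystone_conservative` and `keystone_verbose` profile names will break any invocation that selects them with `-p`; those callers are not visible here.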
@@ -65,8 +109,8 @@ blacklist_calls:
qualnames: [marshal.load, marshal.loads]
message: "Deserialization with the marshal module is possibly dangerous."
- md5:
- qualnames: [hashlib.md5]
- message: "Use of insecure MD5 hash function."
+ qualnames: [hashlib.md5, Crypto.Hash.MD2.new, Crypto.Hash.MD4.new, Crypto.Hash.MD5.new, cryptography.hazmat.primitives.hashes.MD5]
+ message: "Use of insecure MD2, MD4, or MD5 hash function."
- mktemp_q:
qualnames: [tempfile.mktemp]
message: "Use of insecure and deprecated function (mktemp)."
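Review bot: The new `qualnames` line is a flow sequence of roughly 130 characters, well past the usual line-length limit, and every future addition to it will produce a one-line diff that is hard to review; a block sequence reads better and diffs one entry per line. The set is still keyed `md5` although it now covers MD2 and MD4 as well, so a reader scanning for MD4 coverage will not find it; if the set name is not referenced elsewhere, consider renaming it, otherwise a comment `# also covers MD2 and MD4 via PyCrypto` above the key helps. Indentation below is conventional two-space since the original indent is not recoverable from this rendering.
```yaml
  - md5:
      qualnames:
        - hashlib.md5
        - Crypto.Hash.MD2.new
        - Crypto.Hash.MD4.new
        - Crypto.Hash.MD5.new
        - cryptography.hazmat.primitives.hashes.MD5
      message: "Use of insecure MD2, MD4, or MD5 hash function."
```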
@@ -107,8 +151,13 @@ blacklist_imports:
level: ERROR
message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
+hardcoded_tmp_directory:
+ tmp_dirs: ['/tmp', '/var/tmp', '/dev/shm']
+
hardcoded_password:
- word_list: "wordlist/default-passwords"
+ # Support for full path, relative path and special "%(site_data_dir)s"
+ # substitution (/usr/{local}/share)
+ word_list: "%(site_data_dir)s/wordlist/default-passwords"
ssl_with_bad_version:
bad_protocol_versions:
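Review bot: The telnet entry in `blacklist_imports` still carries `level: ERROR` (context line at the top of this hunk) while the commented `output_colors` example in the first hunk is renamed from INFO/WARN/ERROR to LOW/MEDIUM/HIGH; if the severity vocabulary was renamed along with the colours, this setting is stale and should read `level: HIGH`, but that cannot be confirmed from the diff alone and the `blacklist_imports` block starts before the hunk. The added comment above `word_list` says full, relative and `%(site_data_dir)s` paths are supported but not which component performs the substitution; adding that to the comment (e.g. `# expanded by bandit when the config is loaded`, if that is where it happens) would save the next reader a lookup.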
@@ -132,3 +181,6 @@ execute_with_run_as_root_equals_true:
- neutron.agent.linux.utils.execute
- nova.utils.execute
- nova.utils.trycmd
+
+try_except_pass:
+ check_typed_exception: True
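Review bot: `check_typed_exception: True` uses a capitalised boolean, which yamllint's `truthy` rule flags and which YAML 1.1 and 1.2 loaders treat differently from the canonical spelling; write `check_typed_exception: true`. The `try_except_pass` test this configures is still a TODO entry in the `gate` profile, so the setting has no effect until that entry is enabled.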