From 92d11d139e9f76d4fd76859aea78643fc32ef36b Mon Sep 17 00:00:00 2001 From: asteroide Date: Thu, 24 Sep 2015 16:27:16 +0200 Subject: Update Keystone code from repository. Change-Id: Ib3d0a06b10902fcc6d520f58e85aa617bc326d00 --- keystone-moon/bandit.yaml | 92 ++++++++++++++++++++++++++++++++++++----------- 1 file changed, 72 insertions(+), 20 deletions(-) (limited to 'keystone-moon/bandit.yaml') diff --git a/keystone-moon/bandit.yaml b/keystone-moon/bandit.yaml index 89d2551d..d1f561ec 100644 --- a/keystone-moon/bandit.yaml +++ b/keystone-moon/bandit.yaml @@ -11,9 +11,9 @@ plugin_name_pattern: '*.py' #output_colors: # DEFAULT: '\033[0m' # HEADER: '\033[95m' -# INFO: '\033[94m' -# WARN: '\033[93m' -# ERROR: '\033[91m' +# LOW: '\033[94m' +# MEDIUM: '\033[93m' +# HIGH: '\033[91m' # optional: log format string #log_format: "[%(module)s]\t%(levelname)s\t%(message)s" @@ -29,31 +29,75 @@ exclude_dirs: - '/tests/' profiles: - keystone_conservative: + gate: include: + + # TODO: + # - any_other_function_with_shell_equals_true + + # TODO: + # - assert_used + - blacklist_calls + + # TODO: + # - blacklist_import_func + - blacklist_imports - - request_with_no_cert_validation - exec_used - - set_bad_file_permissions - - subprocess_popen_with_shell_equals_true + + # TODO: + # - execute_with_run_as_root_equals_true + + # TODO: + # - hardcoded_bind_all_interfaces + + # Not working because wordlist/default-passwords file not bundled, + # see https://bugs.launchpad.net/bandit/+bug/1451575 : + # - hardcoded_password + + # Not used because it's prone to false positives: + # - hardcoded_sql_expressions + + # TODO: + # - hardcoded_tmp_directory + + # TODO: + # - jinja2_autoescape_false + - linux_commands_wildcard_injection - - ssl_with_bad_version + # TODO: + # - paramiko_calls + + # TODO: + # - password_config_option_not_marked_secret - keystone_verbose: - include: - - blacklist_calls - - blacklist_imports - request_with_no_cert_validation - - exec_used - set_bad_file_permissions - - hardcoded_tmp_directory - subprocess_popen_with_shell_equals_true - - any_other_function_with_shell_equals_true - - linux_commands_wildcard_injection - - ssl_with_bad_version + + # TODO: + # - subprocess_without_shell_equals_true + + # TODO: + # - start_process_with_a_shell + + # TODO: + # - start_process_with_no_shell + + # TODO: + # - start_process_with_partial_path + - ssl_with_bad_defaults + - ssl_with_bad_version + - ssl_with_no_version + + # TODO: + # - try_except_pass + + # TODO: + # - use_of_mako_templates blacklist_calls: bad_name_sets: @@ -65,8 +109,8 @@ blacklist_calls: qualnames: [marshal.load, marshal.loads] message: "Deserialization with the marshal module is possibly dangerous." - md5: - qualnames: [hashlib.md5] - message: "Use of insecure MD5 hash function." + qualnames: [hashlib.md5, Crypto.Hash.MD2.new, Crypto.Hash.MD4.new, Crypto.Hash.MD5.new, cryptography.hazmat.primitives.hashes.MD5] + message: "Use of insecure MD2, MD4, or MD5 hash function." - mktemp_q: qualnames: [tempfile.mktemp] message: "Use of insecure and deprecated function (mktemp)." @@ -107,8 +151,13 @@ blacklist_imports: level: ERROR message: "Telnet is considered insecure. Use SSH or some other encrypted protocol." +hardcoded_tmp_directory: + tmp_dirs: ['/tmp', '/var/tmp', '/dev/shm'] + hardcoded_password: - word_list: "wordlist/default-passwords" + # Support for full path, relative path and special "%(site_data_dir)s" + # substitution (/usr/{local}/share) + word_list: "%(site_data_dir)s/wordlist/default-passwords" ssl_with_bad_version: bad_protocol_versions: @@ -132,3 +181,6 @@ execute_with_run_as_root_equals_true: - neutron.agent.linux.utils.execute - nova.utils.execute - nova.utils.trycmd + +try_except_pass: + check_typed_exception: True -- cgit 1.2.3-korg