author | Eric Brown <browne@vmware.com> | 2015-02-17 15:28:46 -0800 |
---|---|---|
committer | Eric Brown <browne@vmware.com> | 2015-04-23 07:45:32 -0700 |
commit | 32c61ee8b0dec6d351bbc9a7331b9dc9a216a618 (patch) | |
tree | 66f3175f55ef75da9fc09388fbd74e196402a627 | |
parent | 9338d7fe64a02f538899bfb74c854328b4457b06 (diff) | |
download | oslo-vmware-32c61ee8b0dec6d351bbc9a7331b9dc9a216a618.tar.gz |
Add bandit to tox for security static analysis
This patch adds security static analysis to tox as an optional
target.
Change-Id: Id74a190e893326a587911e32593040bcb844d3e9
-rw-r--r-- | bandit.yaml | 130 | ||||
-rw-r--r-- | oslo_vmware/objects/datastore.py | 6 | ||||
-rw-r--r-- | test-requirements-bandit.txt | 1 | ||||
-rw-r--r-- | tox.ini | 4 |
4 files changed, 138 insertions, 3 deletions
diff --git a/bandit.yaml b/bandit.yaml
new file mode 100644
index 0000000..529ef8f
--- /dev/null
+++ b/bandit.yaml
@@ -0,0 +1,130 @@
+# optional: after how many files to update progress
+#show_progress_every: 100
+
+# optional: plugins directory name
+#plugins_dir: 'plugins'
+
+# optional: plugins discovery name pattern
+plugin_name_pattern: '*.py'
+
+# optional: terminal escape sequences to display colors
+#output_colors:
+# DEFAULT: '\033[0m'
+# HEADER: '\033[95m'
+# INFO: '\033[94m'
+# WARN: '\033[93m'
+# ERROR: '\033[91m'
+
+# optional: log format string
+#log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
+
+# globs of files which should be analyzed
+include:
+ - '*.py'
+ - '*.pyw'
+
+# a list of strings, which if found in the path will cause files to be excluded
+# for example /tests/ - to remove all all files in tests directory
+exclude_dirs:
+ - '/tests/'
+
+profiles:
+ XSS:
+ include:
+ - jinja2_autoescape_false
+ - use_of_mako_templates
+
+ ShellInjection:
+ include:
+ - subprocess_popen_with_shell_equals_true
+ - subprocess_without_shell_equals_true
+ - any_other_function_with_shell_equals_true
+ - start_process_with_a_shell
+ - start_process_with_no_shell
+ exclude:
+
+ SqlInjection:
+ include:
+ - hardcoded_sql_expressions
+
+blacklist_functions:
+ bad_name_sets:
+ - pickle:
+ qualnames: [pickle.loads, pickle.load, pickle.Unpickler,
+ cPickle.loads, cPickle.load, cPickle.Unpickler]
+ message: "Pickle library appears to be in use, possible security issue."
+ - marshal:
+ qualnames: [marshal.load, marshal.loads]
+ message: "Deserialization with the marshal module is possibly dangerous."
+ - md5:
+ qualnames: [hashlib.md5]
+ message: "Use of insecure MD5 hash function."
+ - mktemp_q:
+ qualnames: [tempfile.mktemp]
+ message: "Use of insecure and deprecated function (mktemp)."
+ - eval:
+ qualnames: [eval]
+ message: "Use of possibly insecure function - consider using safer ast.literal_eval."
+ - mark_safe:
+ names: [mark_safe]
+ message: "Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed."
+ - httpsconnection:
+ qualnames: [httplib.HTTPSConnection]
+ message: "Use of HTTPSConnection does not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033"
+ - yaml_load:
+ qualnames: [yaml.load]
+ message: "Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load()."
+ - urllib_urlopen:
+ qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
+ message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected."
+
+shell_injection:
+ # Start a process using the subprocess module, or one of its wrappers.
+ subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
+ subprocess.check_output, utils.execute, utils.execute_with_timeout]
+ # Start a process with a function vulnerable to shell injection.
+ shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4,
+ popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3,
+ popen2.Popen4, commands.getoutput, commands.getstatusoutput]
+ # Start a process with a function that is not vulnerable to shell injection.
+ no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv,os.execve,
+ os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp,
+ os.spawnlpe, os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe,
+ os.startfile]
+
+blacklist_imports:
+ bad_import_sets:
+ - telnet:
+ imports: [telnetlib]
+ level: ERROR
+ message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
+ - info_libs:
+ imports: [pickle, cPickle, subprocess, Crypto]
+ level: INFO
+ message: "Consider possible security implications associated with {module} module."
+
+hardcoded_password:
+ word_list: "wordlist/default-passwords"
+
+ssl_with_bad_version:
+ bad_protocol_versions:
+ - 'PROTOCOL_SSLv2'
+ - 'SSLv2_METHOD'
+ - 'SSLv23_METHOD'
+ - 'PROTOCOL_SSLv3' # strict option
+ - 'PROTOCOL_TLSv1' # strict option
+ - 'SSLv3_METHOD' # strict option
+ - 'TLSv1_METHOD' # strict option
+
+password_config_option_not_marked_secret:
+ function_names:
+ - oslo.config.cfg.StrOpt
+ - oslo_config.cfg.StrOpt
+
+execute_with_run_as_root_equals_true:
+ function_names:
+ - ceilometer.utils.execute
+ - cinder.utils.execute
+ - neutron.agent.linux.utils.execute
+ - nova.utils.execute
+ - nova.utils.trycmd
diff --git a/oslo_vmware/objects/datastore.py b/oslo_vmware/objects/datastore.py
index dd3b7b9..4f1e0e1 100644
--- a/oslo_vmware/objects/datastore.py
+++ b/oslo_vmware/objects/datastore.py
@@ -14,7 +14,7 @@
 import logging
 import posixpath
-import random as _random
+import random as _random # nosec
 import six.moves.http_client as httplib
 import six.moves.urllib.parse as urlparse
@@ -25,7 +25,7 @@ from oslo_vmware import exceptions
 from oslo_vmware import vim_util
 LOG = logging.getLogger(__name__)
-random = _random.SystemRandom()
+random = _random.SystemRandom() # nosec
 def get_datastore_by_ref(session, ds_ref):
@@ -157,7 +157,7 @@ class Datastore(object):
 @staticmethod
 def choose_host(hosts):
- i = random.randrange(0, len(hosts))
+ i = random.randrange(0, len(hosts)) # nosec
 return hosts[i]
diff --git a/test-requirements-bandit.txt b/test-requirements-bandit.txt
new file mode 100644
index 0000000..38c39e1
--- /dev/null
+++ b/test-requirements-bandit.txt
@@ -0,0 +1 @@
+bandit==0.10.1
@@ -24,6 +24,10 @@ deps = -r{toxinidir}/requirements.txt
 pylint>=1.3.0
 commands = pylint oslo
+[testenv:bandit]
+deps = -r{toxinidir}/test-requirements-bandit.txt
+commands = bandit -c bandit.yaml -r oslo_vmware -n 5
+
+[testenv:docs]
+commands = python setup.py build_sphinx |
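Review bot: bandit.yaml carries no comment saying which bandit release its option names (`profiles`, `blacklist_functions`, `bad_name_sets`, `shell_injection`) are written for, yet they are only meaningful against the `bandit==0.10.1` pin in test-requirements-bandit.txt, so a later pin bump can silently turn whole sections of this policy into ignored keys. A one-line header at the top of the file, such as `# bandit configuration; option names follow the bandit release pinned in test-requirements-bandit.txt`, would make that coupling visible to whoever next bumps the pin. The `profiles` block (XSS, ShellInjection, SqlInjection) also appears to be inert as wired up, because the tox.ini command `bandit -c bandit.yaml -r oslo_vmware -n 5` selects no profile; if the intent is to run every check that is fine, but then the empty `exclude:` under ShellInjection could be dropped or marked as deliberate so it does not read as an unfinished edit.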
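Review bot: The three `# nosec` markers added to datastore.py (on `import random as _random`, on the `SystemRandom()` binding, and on the `randrange` call in `choose_host`) suppress the scanner without recording which finding is waived or why it is a false positive, so a later reader cannot tell whether the waiver is still justified. The justification is visible in the same hunk, since the instance is `_random.SystemRandom()` rather than the default generator; spelling it out, e.g. `random = _random.SystemRandom()  # nosec - SystemRandom, not the default PRNG`, keeps the suppression auditable and makes the one on the import line (which waives nothing specific) look unnecessary. The finding on the `randrange` line appears to be triggered only by the module-level name `random` matching the stdlib module; if nothing else in the module relies on that name, binding the instance as `_sysrandom` would remove the name match and with it the need for the suppressions on that line, though that rename would need checking against callers outside this hunk.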