author | Omer Katz <omer.drow@gmail.com> | 2018-12-17 16:04:26 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-12-17 16:04:26 +0200 |
commit | e9c6f01bc6f89e6b90f2c9b61e6a9878d5612147 (patch) | |
tree | cadc199546285753f61380da3eda6a8bdb2c17a0 | |
parent | 8de1e52fabdd9c3738a012bb88e2234d1bd06255 (diff) | |
download | oauthlib-e9c6f01bc6f89e6b90f2c9b61e6a9878d5612147.tar.gz |
Added bandit to CI to avoid security issues (#627)
* Added bandit to CI to avoid security issues.
* Remove basepython for bandit.
* Remove metrics.
-rw-r--r-- | .travis.yml | 2 | ||||
-rw-r--r-- | bandit.json | 48 | ||||
-rw-r--r-- | tox.ini | 8 |
3 files changed, 57 insertions, 1 deletions
diff --git a/.travis.yml b/.travis.yml
index e304ce6..c7978d7 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -15,6 +15,8 @@ matrix:
 env: TOXENV=py36
 - python: 3.7
 env: TOXENV=py37
+ - python: 3.7
+ env: TOXENV=bandit
 - python: pypy3.5
 env: TOXENV=pypy3
 install:
diff --git a/bandit.json b/bandit.json
new file mode 100644
index 0000000..02e15a8
--- /dev/null
+++ b/bandit.json
@@ -0,0 +1,48 @@
+{
+ "errors": [],
+ "generated_at": "2018-12-13T10:39:37Z",
+ "results": [
+ {
+ "code": "182 if request.body is not None and content_type_eligible:\n183 params.append(('oauth_body_hash', base64.b64encode(hashlib.sha1(request.body.encode('utf-8')).digest()).decode('utf-8')))\n184 \n",
+ "filename": "oauthlib/oauth1/rfc5849/__init__.py",
+ "issue_confidence": "HIGH",
+ "issue_severity": "MEDIUM",
+ "issue_text": "Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
+ "line_number": 183,
+ "line_range": [
+ 183
+ ],
+ "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5",
+ "test_id": "B303",
+ "test_name": "blacklist"
+ },
+ {
+ "code": "45 def __init__(self, endpoints, claims={}, raise_errors=True):\n46 assert isinstance(claims, dict)\n47 for endpoint in endpoints:\n",
+ "filename": "oauthlib/oauth2/rfc6749/endpoints/metadata.py",
+ "issue_confidence": "HIGH",
+ "issue_severity": "LOW",
+ "issue_text": "Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.",
+ "line_number": 46,
+ "line_range": [
+ 46
+ ],
+ "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html",
+ "test_id": "B101",
+ "test_name": "assert_used"
+ },
+ {
+ "code": "47 for endpoint in endpoints:\n48 assert isinstance(endpoint, BaseEndpoint)\n49 \n",
+ "filename": "oauthlib/oauth2/rfc6749/endpoints/metadata.py",
+ "issue_confidence": "HIGH",
+ "issue_severity": "LOW",
+ "issue_text": "Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.",
+ "line_number": 48,
+ "line_range": [
+ 48
+ ],
+ "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html",
+ "test_id": "B101",
+ "test_name": "assert_used"
+ }
+ ]
+}
@@ -1,5 +1,5 @@
 [tox]
-envlist = py27,py34,py35,py36,py37,pypy,pypy3,docs,readme
+envlist = py27,py34,py35,py36,py37,pypy,pypy3,docs,readme,bandit
 [testenv]
 deps= 
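Review bot: The baseline accepts three findings but neither this file nor the description says why each one is acceptable, so a later reader cannot tell a deliberate exception from a forgotten one. The B303 entry for `oauth_body_hash` looks like a case where SHA-1 is dictated by the OAuth 1.0 body-hash extension rather than chosen, while the two B101 entries are ordinary argument checks in `metadata.py` that vanish under `python -O`; the first deserves an in-source `# nosec B303  # SHA-1 required by the body-hash extension` rather than a baseline entry, and the second pair is better fixed by replacing the asserts with `raise TypeError(...)` than suppressed. JSON cannot carry comments, so if the baseline stays, the rationale belongs in the commit description. Note also that bandit's baseline comparison appears to match on filename, test id and issue text rather than line number (verify for the bandit version CI installs), so a new SHA-1 or assert introduced later in the same files may be matched against these entries and go unreported.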
@@ -27,3 +27,9 @@ whitelist_externals=echo
 commands=
 python setup.py check -r -s
 echo setup.py/long description is syntaxly correct
+
+[testenv:bandit]
+skipsdist=True
+deps=bandit
+commands=bandit -b bandit.json -r oauthlib/
+whitelist_externals=bandit |
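Review bot: `skipsdist=True` under `[testenv:bandit]` is a `[tox]`-section option and, as far as I can tell, is not read per environment, so tox will still build and install the sdist before running bandit; the per-env key is `skip_install = true`. `deps=bandit` is unpinned, so every CI run installs whatever bandit release is current and a new check or a changed baseline format can turn the job red on an unrelated commit; pin it, e.g. `deps=bandit==<pinned-version>`, and bump it deliberately alongside `bandit.json`. `whitelist_externals=bandit` is redundant once bandit is installed through `deps`, since that setting only exempts commands resolved from outside the env.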