c26c7b8edd464d1fcf1d219f7c3fb040914d9da3
10 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
Alistair Coles
|
aa0429ce00 |
CI: document bandit tests by reference
The available bandit tests change with time (e.g. the Related-Change). We shouldn't try to maintain the list. Related-Change: Ie668d49a56c0a6542d28128656cfd44f7c089ec4 Change-Id: I6eb106abbac28ffbb9a3f64e8aa60218cbe75682 |
||
|
Tim Burke
|
f95315b711 |
CI: Remove B320 and B410 bandit skips
They were removed upstream recently, so now Bandit is complaining about the unknown test. See https://github.com/PyCQA/bandit/pull/1212 Change-Id: Ie668d49a56c0a6542d28128656cfd44f7c089ec4 |
||
|
Tim Burke
|
e576c5cee0 |
CI: Configure bandit better
Declare the tests to skip, rather than the tests to run. This ensures that we pick up new bandit checks automatically. I recently noticed a use of md5() without the usedforsecurity=False kwarg. Confused about why this wasn't caught in the gate, I eventually traced it back to B303 (which we explicitly enabled) being largely superseded by B324 (which did not exist when we wrote down the tests to enable). Flag a bunch of false-positives with "# nosec" comments, resolve two other errors, and skip some more-pervasive errors, to be resolved later. Change-Id: Ia054e4f7c9e5bf29064a66933e27830adbc107d3 |
||
|
Tim Burke
|
199aa78fbe |
xprofile: Stop using eval()
All we need is int(). Using eval() on user-provided data (or really at all) is a Bad Idea. Closes-Bug: #2091124 Change-Id: I39bb87f9d8e27f2f88410a087a120a0e9be1a243 |
||
|
Tim Burke
|
479a010165 |
Drop bandit check B309
It was retired upstream: https://github.com/PyCQA/bandit/pull/858 Continuing to list it causes CI failures like ERROR Unknown test found in profile: B309 Change-Id: I52c535bd2078f25bb57c42a2c2c966247cd3094b |
||
|
Ade Lee
|
5320ecbaf2 |
replace md5 with swift utils version
md5 is not an approved algorithm in FIPS mode, and trying to instantiate a hashlib.md5() will fail when the system is running in FIPS mode. md5 is allowed when in a non-security context. There is a plan to add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate whether or not the instance is being used in a security context. In the case where it is not, the instantiation of md5 will be allowed. See https://bugs.python.org/issue9216 for more details. Some downstream python versions already support this parameter. To support these versions, a new encapsulation of md5() is added to swift/common/utils.py. This encapsulation is identical to the one being added to oslo.utils, but is recreated here to avoid adding a dependency. This patch is to replace the instances of hashlib.md5() with this new encapsulation, adding an annotation indicating whether the usage is a security context or not. While this patch seems large, it is really just the same change over and again. Reviewers need to pay particular attention as to whether the keyword parameter (usedforsecurity) is set correctly. Right now, all of them appear to be not used in a security context. Now that all the instances have been converted, we can update the bandit run to look for these instances and ensure that new invocations do not creep in. With this latest patch, the functional and unit tests all pass on a FIPS enabled system. Co-Authored-By: Pete Zaitcev Change-Id: Ibb4917da4c083e1e094156d748708b87387f2d87 |
||
|
CY Chiang
|
c0035ed82e |
Update the bandit.yaml available tests list
According to the bandit current version document, the B109 and B111 plugin has been removed. And Add the following tests: Complete Test Plugin Listing: B507, B610, B611, B703 Blacklist Plugins Listing: B322, B323, B325, B413, B414 Reference URL: https://bandit.readthedocs.io/en/latest/plugins/index.html Change-Id: I5e9365f9147776d7d90c6ba889acbde3c0e6c19d Closes-Bug: #1838361 |
||
|
Thiago da Silva
|
fc04dc1cf2 |
Attempt to fix pep8
Test B109 was removed from bandit in release 1.5.0[1]
[1] -
|
||
|
Travis McPeak
|
b587d1606c |
Updating Bandit config file
This commit updates the Swift Bandit file to the new style introduced in Bandit 1.0. In response to the struggle with getting a Bandit config file working and kept up to date we introduced a simplified version in Bandit 1.0. This commit updates Swift's bandit.yaml to use the new version. Change-Id: Ida5dd08f4ea72a377346f2159caeb2f3741d4980 |
||
|
janonymous
|
67513fc17c |
Adding bandit for security static analysis testing in swift
This change adds a basic bandit config for Swift. It can be invoked by running the tox environment for bandit; tox -e bandit This is an initial step for using bandit with Swift and it should be revisited to improve the testing as more is learned about the specific needs of the Swift code base.As per now some tests are excluded as they were used on purpose. https://wiki.openstack.org/wiki/Security/Projects/Bandit Implements: blueprint swift-bandit Change-Id: I621be9a68ae9311f3a6eadd1636b05e646260cf2 |