From 7890be45d258c1cbcec611426500274d857e5e7e Mon Sep 17 00:00:00 2001 From: Al Bailey Date: Fri, 22 Nov 2019 12:25:51 -0600 Subject: [PATCH] Update list of skipped bandit plugins. Adding a zuul job so that any new bandit failures will be caught. Switching bandit to run in python3. B111 plugin was removed from bandit by: PyCQA/bandit@d93eed5 Cleanup the list of bandit checks that need to be skipped in order for this tox job to pass. Those checks can be removed when the code is updated by future commits. Story: 2004515 Task: 37744 Change-Id: I1809b1124a5a693d288fb7ea893f30c24487af36 Signed-off-by: Al Bailey --- .zuul.yaml | 13 +++++++++++++ sysinv/sysinv/sysinv/tox.ini | 34 ++++++++++++++++++++++------------ tox.ini | 4 ++++ 3 files changed, 39 insertions(+), 12 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index b507299514..9cfeb6e61f 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -12,6 +12,7 @@ - sysinv-tox-py35 - sysinv-tox-flake8 - sysinv-tox-pylint + - sysinv-tox-bandit - controllerconfig-tox-flake8 - controllerconfig-tox-py27 - controllerconfig-tox-pylint @@ -25,6 +26,7 @@ - sysinv-tox-py35 - sysinv-tox-flake8 - sysinv-tox-pylint + - sysinv-tox-bandit - controllerconfig-tox-flake8 - controllerconfig-tox-py27 - controllerconfig-tox-pylint @@ -90,6 +92,17 @@ tox_envlist: pylint tox_extra_args: -c sysinv/sysinv/sysinv/tox.ini +- job: + name: sysinv-tox-bandit + parent: tox + description: | + Run bandit test for sysinv + files: + - sysinv/sysinv/* + vars: + tox_envlist: bandit + tox_extra_args: -c sysinv/sysinv/sysinv/tox.ini + - job: name: controllerconfig-tox-flake8 parent: tox diff --git a/sysinv/sysinv/sysinv/tox.ini b/sysinv/sysinv/sysinv/tox.ini index 5a1a5185ac..d7da909426 100644 --- a/sysinv/sysinv/sysinv/tox.ini +++ b/sysinv/sysinv/sysinv/tox.ini @@ -111,29 +111,39 @@ commands = {posargs} [bandit] # The following bandit tests are being skipped: # B101: Test for use of assert +# B103: Test for setting permissive file permissions # B104: Test for binding to all interfaces -# B107: Test for use of hard-coded password argument defaults -# B108: Probable insecure usage of temp file/directory +# B105: Test for use of hard-coded password strings +# B108: Test for insecure usage of tmp file/directory # B110: Try, Except, Pass detected. -# B111: Execute with run_as_root=True identified, possible security issue +# B303: Use of insecure MD2, MD4, MD5, or SHA1 hash function. +# B307: Blacklisted call to eval. # B310: Audit url open for permitted schemes # B311: Standard pseudo-random generators are not suitable for security/cryptographic purposes +# B314: Blacklisted calls to xml.etree.ElementTree +# B318: Blacklisted calls to xml.dom.minidom +# B320: Blacklisted calls to lxml.etree # B404: Import of subprocess module -# B410: Import of lxml module -# B504: Test for SSL use with no version specified +# B405: import xml.etree +# B408: import xml.minidom +# B410: import lxml # B506: Test for use of yaml load -# B603: Test for use of subprocess with shell equals true +# B602: Test for use of popen with shell equals true +# B603: Test for use of subprocess without shell equals true +# B604: Test for any function with shell equals true +# B605: Test for starting a process with a shell # B607: Test for starting a process with a partial path -skips = B101,B104,B107,B108,B110,B111,B310,B311,B404,B410,B504,B506,B603,B607 +# +# Note: 'skips' entry cannot be split across multiple lines +# +skips = B101,B103,B104,B105,B108,B110,B303,B307,B310,B311,B314,B318,B320,B404,B405,B408,B410,B506,B602,B603,B604,B605,B607 exclude = tests [testenv:bandit] -basepython = python2.7 - -deps = {[testenv]deps} +basepython = python3 +deps = -r{toxinidir}/test-requirements.txt bandit - -commands = bandit --ini tox.ini -n 5 -f xml -o bandit.xml -r sysinv +commands = bandit --ini tox.ini -n 5 -r sysinv [testenv:pylint] basepython = python2.7 diff --git a/tox.ini b/tox.ini index 912018edf8..85966a0477 100644 --- a/tox.ini +++ b/tox.ini @@ -53,6 +53,10 @@ description = Dummy environment to allow flake8 to be run in subdir tox basepython = python3 description = Dummy environment to allow pylint to be run in subdir tox +[testenv:bandit] +basepython = python3 +description = Dummy environment to allow bandit to be run in subdir tox + [testenv:api-ref] basepython = python3 install_command = pip install -U {opts} {packages}