### This config may optionally select a subset of tests to run or skip by
### filling out the 'tests' and 'skips' lists given below. If no tests are
### specified for inclusion then it is assumed all tests are desired. The skips
### set will remove specific tests from the include set. This can be controlled
### using the -t/-s CLI options. Note that the same test ID should not appear
### in both 'tests' and 'skips', this would be nonsensical and is detected by
### Bandit at runtime.

# Available tests:
# B101 : assert_used
# B102 : exec_used
# B103 : set_bad_file_permissions
# B104 : hardcoded_bind_all_interfaces
# B105 : hardcoded_password_string
# B106 : hardcoded_password_funcarg
# B107 : hardcoded_password_default
# B108 : hardcoded_tmp_directory
# B110 : try_except_pass
# B112 : try_except_continue
# B201 : flask_debug_true
# B301 : pickle
# B302 : marshal
# B303 : md5
# B304 : ciphers
# B305 : cipher_modes
# B306 : mktemp_q
# B307 : eval
# B308 : mark_safe
# B310 : urllib_urlopen
# B311 : random
# B312 : telnetlib
# B313 : xml_bad_cElementTree
# B314 : xml_bad_ElementTree
# B315 : xml_bad_expatreader
# B316 : xml_bad_expatbuilder
# B317 : xml_bad_sax
# B318 : xml_bad_minidom
# B319 : xml_bad_pulldom
# B320 : xml_bad_etree
# B321 : ftplib
# B322 : input
# B323 : unverified_context
# B325 : tempnam
# B401 : import_telnetlib
# B402 : import_ftplib
# B403 : import_pickle
# B404 : import_subprocess
# B405 : import_xml_etree
# B406 : import_xml_sax
# B407 : import_xml_expat
# B408 : import_xml_minidom
# B409 : import_xml_pulldom
# B410 : import_lxml
# B411 : import_xmlrpclib
# B412 : import_httpoxy
# B413 : import_pycrypto
# B414 : import_pycryptodome
# B501 : request_with_no_cert_validation
# B502 : ssl_with_bad_version
# B503 : ssl_with_bad_defaults
# B504 : ssl_with_no_version
# B505 : weak_cryptographic_key
# B506 : yaml_load
# B507 : ssh_no_host_key_verification
# B601 : paramiko_calls
# B602 : subprocess_popen_with_shell_equals_true
# B603 : subprocess_without_shell_equals_true
# B604 : any_other_function_with_shell_equals_true
# B605 : start_process_with_a_shell
# B606 : start_process_with_no_shell
# B607 : start_process_with_partial_path
# B608 : hardcoded_sql_expressions
# B609 : linux_commands_wildcard_injection
# B610 : django_extra_used
# B611 : django_rawsql_used
# B701 : jinja2_autoescape_false
# B702 : use_of_mako_templates
# B703 : django_mark_safe

# (optional) list included test IDs here, eg '[B101, B406]':
# NOTE(review): because this list is non-empty it acts as an allow-list, not as
# an addition to the defaults -- any ID that is not named here is never run
# (see the header: all tests run only when no tests are specified). Checks from
# the list above that are therefore currently inactive include B105-B107
# (hardcoded passwords), B108 (hardcoded_tmp_directory), B301 (pickle),
# B307 (eval), B323 (unverified_context), B504 (ssl_with_no_version),
# B505 (weak_cryptographic_key) and B608 (hardcoded_sql_expressions).
# Re-check this list against the available-tests list whenever Bandit is
# upgraded, since newly added checks are not picked up automatically.
tests: [B102, B103, B302, B303, B304, B305, B306, B308, B310, B401, B501, B502, B506, B601, B602, B609]

# (optional) list skipped test IDs here, eg '[B101, B406]':
# 'skips' only removes IDs from the include set above; while 'tests' is an
# explicit list, leaving an ID out of 'tests' already disables it, so this
# list is intentionally empty.
skips:

### (optional) plugin settings - some test plugins require configuration data
### that may be given here, per-plugin. All bandit test plugins have a built in
### set of sensible defaults and these will be used if no configuration is
### provided. It is not necessary to provide settings for every (or any) plugin
### if the defaults are acceptable.

# NOTE(review): every plugin section below is commented out, so each plugin's
# built-in defaults apply. 'execute_with_run_as_root_equals_true' and
# 'password_config_option_not_marked_secret' do not correspond to any ID in
# the "Available tests" list above; uncommenting those two sections has no
# effect unless a plugin of that name is installed -- confirm before relying
# on them.
#any_other_function_with_shell_equals_true:
# no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
# os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
# os.spawnvp, os.spawnvpe, os.startfile]
# shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
# popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
# subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
# utils.execute, utils.execute_with_timeout]
#execute_with_run_as_root_equals_true:
# function_names: [ceilometer.utils.execute, cinder.utils.execute, neutron.agent.linux.utils.execute,
# nova.utils.execute, nova.utils.trycmd]
#hardcoded_tmp_directory:
# tmp_dirs: [/tmp, /var/tmp, /dev/shm]
#linux_commands_wildcard_injection:
# no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
# os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
# os.spawnvp, os.spawnvpe, os.startfile]
# shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
# popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
# subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
# utils.execute, utils.execute_with_timeout]
#password_config_option_not_marked_secret:
# function_names: [oslo.config.cfg.StrOpt, oslo_config.cfg.StrOpt]
# NOTE(review): the two protocol lists below are the plugin defaults shown for
# reference only (commented out); they already treat SSLv2/SSLv3/TLSv1 as bad.
#ssl_with_bad_defaults:
# bad_protocol_versions: [PROTOCOL_SSLv2, SSLv2_METHOD, SSLv23_METHOD, PROTOCOL_SSLv3,
# PROTOCOL_TLSv1, SSLv3_METHOD, TLSv1_METHOD]
#ssl_with_bad_version:
# bad_protocol_versions: [PROTOCOL_SSLv2, SSLv2_METHOD, SSLv23_METHOD, PROTOCOL_SSLv3,
# PROTOCOL_TLSv1, SSLv3_METHOD, TLSv1_METHOD]
#start_process_with_a_shell:
# no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
# os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
# os.spawnvp, os.spawnvpe, os.startfile]
# shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
# popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
# subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
# utils.execute, utils.execute_with_timeout]
#start_process_with_no_shell:
# no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
# os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
# os.spawnvp, os.spawnvpe, os.startfile]
# shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
# popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
# subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
# utils.execute, utils.execute_with_timeout]
#start_process_with_partial_path:
# no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
# os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
# os.spawnvp, os.spawnvpe, os.startfile]
# shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
# popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
# subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
# utils.execute, utils.execute_with_timeout]
#subprocess_popen_with_shell_equals_true:
# no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
# os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
# os.spawnvp, os.spawnvpe, os.startfile]
# shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
# popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
# subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
# utils.execute, utils.execute_with_timeout]
#subprocess_without_shell_equals_true:
# no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
# os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
# os.spawnvp, os.spawnvpe, os.startfile]
# shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2, popen2.popen3,
# popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput, commands.getstatusoutput]
# subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call, subprocess.check_output,
# utils.execute, utils.execute_with_timeout]
#try_except_continue: {check_typed_exception: false}
#try_except_pass: {check_typed_exception: false}