

Viewing changes to bandit.yaml

  • Committer: Package Import Robot
  • Author(s): Thomas Goirand, James Page, Thomas Goirand
  • Date: 2015-09-27 21:59:45 UTC
  • mfrom: (1.1.13) (2.1.4 experimental)
  • Revision ID: package-import@ubuntu.com-20150927215945-mb0010u27sox75pp
Tags: 1.21.0-1
[ James Page ]
* d/pydist-overrides: Map suds-jurko -> suds to ease backporting.

[ Thomas Goirand ]
* New upstream release.

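--- a/bandit.yaml
+++ b/bandit.yaml
@@ -11,9 +11,9 @@
 #output_colors:
 #    DEFAULT: '\033[0m'
 #    HEADER: '\033[95m'
-#    INFO: '\033[94m'
-#    WARN: '\033[93m'
-#    ERROR: '\033[91m'
+#    LOW: '\033[94m'
+#    MEDIUM: '\033[93m'
+#    HIGH: '\033[91m'
 
 # optional: log format string
 #log_format: "[%(module)s]\t%(levelname)s\t%(message)s"
@@ -21,6 +21,7 @@
 # globs of files which should be analyzed
 include:
     - '*.py'
+    - '*.pyw'
 
 # a list of strings, which if found in the path will cause files to be excluded
 # for example /tests/ - to remove all all files in tests directory
@@ -28,6 +29,36 @@
     - '/tests/'
 
 profiles:
+    All:
+        include:
+            - any_other_function_with_shell_equals_true
+            - assert_used
+            - blacklist_calls
+            - blacklist_import_func
+            - blacklist_imports
+            - exec_used
+            - execute_with_run_as_root_equals_true
+            - hardcoded_bind_all_interfaces
+            - hardcoded_password
+            - hardcoded_sql_expressions
+            - hardcoded_tmp_directory
+            - jinja2_autoescape_false
+            - linux_commands_wildcard_injection
+            - paramiko_calls
+            - password_config_option_not_marked_secret
+            - request_with_no_cert_validation
+            - set_bad_file_permissions
+            - subprocess_popen_with_shell_equals_true
+            - subprocess_without_shell_equals_true
+            - start_process_with_a_shell
+            - start_process_with_no_shell
+            - start_process_with_partial_path
+            - ssl_with_bad_defaults
+            - ssl_with_bad_version
+            - ssl_with_no_version
+            - try_except_pass
+            - use_of_mako_templates
+
     XSS:
         include:
             - jinja2_autoescape_false
@@ -40,6 +71,7 @@
             - any_other_function_with_shell_equals_true
             - start_process_with_a_shell
             - start_process_with_no_shell
+            - start_process_with_partial_path
         exclude:
 
     SqlInjection:
@@ -56,8 +88,8 @@
             qualnames: [marshal.load, marshal.loads]
             message: "Deserialization with the marshal module is possibly dangerous."
         - md5:
-            qualnames: [hashlib.md5]
-            message: "Use of insecure MD5 hash function."
+            qualnames: [hashlib.md5, Crypto.Hash.MD2.new, Crypto.Hash.MD4.new, Crypto.Hash.MD5.new, cryptography.hazmat.primitives.hashes.MD5]
+            message: "Use of insecure MD2, MD4, or MD5 hash function."
         - mktemp_q:
             qualnames: [tempfile.mktemp]
             message: "Use of insecure and deprecated function (mktemp)."
@@ -76,6 +108,55 @@
         - urllib_urlopen:
             qualnames: [urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request]
             message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected."
+        - random:
+            qualnames: [random.random, random.randrange, random.randint, random.choice, random.uniform, random.triangular]
+            message: "Standard pseudo-random generators are not suitable for security/cryptographic purposes."
+            level: "LOW"
+
+        # Most of this is based off of Christian Heimes' work on defusedxml:
+        #   https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
+
+        - xml_bad_cElementTree:
+            qualnames: [xml.etree.cElementTree.parse,
+                        xml.etree.cElementTree.iterparse,
+                        xml.etree.cElementTree.fromstring,
+                        xml.etree.cElementTree.XMLParser]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_ElementTree:
+            qualnames: [xml.etree.ElementTree.parse,
+                        xml.etree.ElementTree.iterparse,
+                        xml.etree.ElementTree.fromstring,
+                        xml.etree.ElementTree.XMLParser]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_expatreader:
+            qualnames: [xml.sax.expatreader.create_parser]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_expatbuilder:
+            qualnames: [xml.dom.expatbuilder.parse,
+                        xml.dom.expatbuilder.parseString]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_sax:
+            qualnames: [xml.sax.parse,
+                        xml.sax.parseString,
+                        xml.sax.make_parser]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_minidom:
+            qualnames: [xml.dom.minidom.parse,
+                        xml.dom.minidom.parseString]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_pulldom:
+            qualnames: [xml.dom.pulldom.parse,
+                        xml.dom.pulldom.parseString]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+        - xml_bad_etree:
+            qualnames: [lxml.etree.parse,
+                        lxml.etree.fromstring,
+                        lxml.etree.RestrictedElement,
+                        lxml.etree.GlobalParserTLS,
+                        lxml.etree.getDefaultParser,
+                        lxml.etree.check_docinfo]
+            message: "Using {func} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {func} with it's defusedxml equivilent function."
+
 
 shell_injection:
     # Start a process using the subprocess module, or one of its wrappers.
@@ -95,15 +176,40 @@
     bad_import_sets:
         - telnet:
             imports: [telnetlib]
-            level: ERROR
+            level: HIGH
             message: "Telnet is considered insecure. Use SSH or some other encrypted protocol."
         - info_libs:
             imports: [pickle, cPickle, subprocess, Crypto]
-            level: INFO
+            level: LOW
             message: "Consider possible security implications associated with {module} module."
 
+        # Most of this is based off of Christian Heimes' work on defusedxml:
+        #   https://pypi.python.org/pypi/defusedxml/#defusedxml-sax
+
+        - xml_libs:
+            imports: [xml.etree.cElementTree,
+                      xml.etree.ElementTree,
+                      xml.sax.expatreader,
+                      xml.sax,
+                      xml.dom.expatbuilder,
+                      xml.dom.minidom,
+                      xml.dom.pulldom,
+                      lxml.etree,
+                      lxml]
+            message: "Using {module} to parse untrusted XML data is known to be vulnerable to XML attacks. Replace {module} with the equivilent defusedxml package."
+            level: LOW
+        - xml_libs_high:
+            imports: [xmlrpclib]
+            message: "Using {module} to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities."
+            level: HIGH
+
+hardcoded_tmp_directory:
+    tmp_dirs:  ['/tmp', '/var/tmp', '/dev/shm']
+
 hardcoded_password:
-    word_list: "wordlist/default-passwords"
+    # Support for full path, relative path and special "%(site_data_dir)s"
+    # substitution (/usr/{local}/share)
+    word_list: "%(site_data_dir)s/wordlist/default-passwords"
 
 ssl_with_bad_version:
     bad_protocol_versions:
@@ -127,3 +233,6 @@
         - neutron.agent.linux.utils.execute
         - nova.utils.execute
         - nova.utils.trycmd
+
+try_except_pass:
+  check_typed_exception: True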
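Review bot: `check_typed_exception: True` in the new `try_except_pass` stanza is indented by two spaces and uses a capitalised boolean, while every other stanza in this file indents by four and yamllint's `truthy` rule expects lowercase; `    check_typed_exception: true` parses identically under PyYAML and matches the rest of the file. The same consistency point applies to the `random` blacklist entry added in an earlier hunk, where `level: "LOW"` is the only quoted level value (the `telnet`, `info_libs`, `xml_libs` and `xml_libs_high` entries write `level: HIGH` / `level: LOW` bare), and to `tmp_dirs:  [...]`, which has two spaces after the colon. The new `xml_bad_*` and `xml_libs` messages are shown verbatim in scan reports and all repeat the misspellings `it's` and `equivilent`; `its defusedxml equivalent function` and `the equivalent defusedxml package` are worth correcting in the same pass.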