[checkmk-commits] First experiments with bandit security scanner

7 Nov 2016

Module: check_mk
Branch: master
Commit: c3eba7ca835c3ec23c7ac5f314ffa5461c6dbf19
URL:   
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=c3eba7ca835c3e…

Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt;
Date:   Mon Nov  7 21:30:45 2016 +0100

First experiments with bandit security scanner

---

 bandit.yaml    | 161 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 tests/Makefile |  18 ++++++-
 2 files changed, 178 insertions(+), 1 deletion(-)

diff --git a/bandit.yaml b/bandit.yaml
new file mode 100644
index 0000000..5829195
--- /dev/null
+++ b/bandit.yaml
@@ -0,0 +1,161 @@
+
+### Bandit config file generated from:
+# '/usr/local/bin/bandit-config-generator -o ../bandit.yaml'
+
+### This config may optionally select a subset of tests to run or skip by
+### filling out the 'tests' and 'skips' lists given below. If no tests
are
+### specified for inclusion then it is assumed all tests are desired. The skips
+### set will remove specific tests from the include set. This can be controlled
+### using the -t/-s CLI options. Note that the same test ID should not appear
+### in both 'tests' and 'skips', this would be nonsensical and is
detected by
+### Bandit at runtime.
+
+# Available tests:
+# B101 : assert_used
+# B102 : exec_used
+# B103 : set_bad_file_permissions
+# B104 : hardcoded_bind_all_interfaces
+# B105 : hardcoded_password_string
+# B106 : hardcoded_password_funcarg
+# B107 : hardcoded_password_default
+# B108 : hardcoded_tmp_directory
+# B109 : password_config_option_not_marked_secret
+# B110 : try_except_pass
+# B111 : execute_with_run_as_root_equals_true
+# B112 : try_except_continue
+# B201 : flask_debug_true
+# B301 : pickle
+# B302 : marshal
+# B303 : md5
+# B304 : ciphers
+# B305 : cipher_modes
+# B306 : mktemp_q
+# B307 : eval
+# B308 : mark_safe
+# B309 : httpsconnection
+# B310 : urllib_urlopen
+# B311 : random
+# B312 : telnetlib
+# B313 : xml_bad_cElementTree
+# B314 : xml_bad_ElementTree
+# B315 : xml_bad_expatreader
+# B316 : xml_bad_expatbuilder
+# B317 : xml_bad_sax
+# B318 : xml_bad_minidom
+# B319 : xml_bad_pulldom
+# B320 : xml_bad_etree
+# B321 : ftplib
+# B401 : import_telnetlib
+# B402 : import_ftplib
+# B403 : import_pickle
+# B404 : import_subprocess
+# B405 : import_xml_etree
+# B406 : import_xml_sax
+# B407 : import_xml_expat
+# B408 : import_xml_minidom
+# B409 : import_xml_pulldom
+# B410 : import_lxml
+# B411 : import_xmlrpclib
+# B412 : import_httpoxy
+# B501 : request_with_no_cert_validation
+# B502 : ssl_with_bad_version
+# B503 : ssl_with_bad_defaults
+# B504 : ssl_with_no_version
+# B505 : weak_cryptographic_key
+# B506 : yaml_load
+# B601 : paramiko_calls
+# B602 : subprocess_popen_with_shell_equals_true
+# B603 : subprocess_without_shell_equals_true
+# B604 : any_other_function_with_shell_equals_true
+# B605 : start_process_with_a_shell
+# B606 : start_process_with_no_shell
+# B607 : start_process_with_partial_path
+# B608 : hardcoded_sql_expressions
+# B609 : linux_commands_wildcard_injection
+# B701 : jinja2_autoescape_false
+# B702 : use_of_mako_templates
+
+# (optional) list included test IDs here, eg '[B101, B406]':
+tests:
+
+# (optional) list skipped test IDs here, eg '[B101, B406]':
+skips:
+
+### (optional) plugin settings - some test plugins require configuration data
+### that may be given here, per-plugin. All bandit test plugins have a built in
+### set of sensible defaults and these will be used if no configuration is
+### provided. It is not necessary to provide settings for every (or any) plugin
+### if the defaults are acceptable.
+
+any_other_function_with_shell_equals_true:
+  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+    os.spawnvp, os.spawnvpe, os.startfile]
+  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2,
popen2.popen3,
+    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput,
commands.getstatusoutput]
+  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
subprocess.check_output,
+    utils.execute, utils.execute_with_timeout]
+execute_with_run_as_root_equals_true:
+  function_names: [ceilometer.utils.execute, cinder.utils.execute,
neutron.agent.linux.utils.execute,
+    nova.utils.execute, nova.utils.trycmd]
+hardcoded_tmp_directory:
+  tmp_dirs: [/tmp, /var/tmp, /dev/shm]
+linux_commands_wildcard_injection:
+  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+    os.spawnvp, os.spawnvpe, os.startfile]
+  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2,
popen2.popen3,
+    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput,
commands.getstatusoutput]
+  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
subprocess.check_output,
+    utils.execute, utils.execute_with_timeout]
+password_config_option_not_marked_secret:
+  function_names: [oslo.config.cfg.StrOpt, oslo_config.cfg.StrOpt]
+ssl_with_bad_defaults:
+  bad_protocol_versions: [PROTOCOL_SSLv2, SSLv2_METHOD, SSLv23_METHOD, PROTOCOL_SSLv3,
+    PROTOCOL_TLSv1, SSLv3_METHOD, TLSv1_METHOD]
+ssl_with_bad_version:
+  bad_protocol_versions: [PROTOCOL_SSLv2, SSLv2_METHOD, SSLv23_METHOD, PROTOCOL_SSLv3,
+    PROTOCOL_TLSv1, SSLv3_METHOD, TLSv1_METHOD]
+start_process_with_a_shell:
+  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+    os.spawnvp, os.spawnvpe, os.startfile]
+  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2,
popen2.popen3,
+    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput,
commands.getstatusoutput]
+  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
subprocess.check_output,
+    utils.execute, utils.execute_with_timeout]
+start_process_with_no_shell:
+  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+    os.spawnvp, os.spawnvpe, os.startfile]
+  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2,
popen2.popen3,
+    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput,
commands.getstatusoutput]
+  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
subprocess.check_output,
+    utils.execute, utils.execute_with_timeout]
+start_process_with_partial_path:
+  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+    os.spawnvp, os.spawnvpe, os.startfile]
+  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2,
popen2.popen3,
+    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput,
commands.getstatusoutput]
+  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
subprocess.check_output,
+    utils.execute, utils.execute_with_timeout]
+subprocess_popen_with_shell_equals_true:
+  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+    os.spawnvp, os.spawnvpe, os.startfile]
+  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2,
popen2.popen3,
+    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput,
commands.getstatusoutput]
+  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
subprocess.check_output,
+    utils.execute, utils.execute_with_timeout]
+subprocess_without_shell_equals_true:
+  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve, os.execvp,
+    os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe, os.spawnv, os.spawnve,
+    os.spawnvp, os.spawnvpe, os.startfile]
+  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4, popen2.popen2,
popen2.popen3,
+    popen2.popen4, popen2.Popen3, popen2.Popen4, commands.getoutput,
commands.getstatusoutput]
+  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,
subprocess.check_output,
+    utils.execute, utils.execute_with_timeout]
+try_except_continue: {check_typed_exception: false}
+try_except_pass: {check_typed_exception: false}
+
diff --git a/tests/Makefile b/tests/Makefile
index a3b6524..b6cbcc9 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -1,6 +1,9 @@
+SHELL=/bin/bash
+
 help:
 	@echo "test        - Run all tests"
 	@echo "test-pylint - Run pylint based tests"
+	@echo "test-bandit - Run bandit (security) tests"
 	@echo "setup       - Install dependencies"
 
 test:
@@ -9,6 +12,18 @@ test:
 test-pylint:
 	py.test -k pylint
 
+test-bandit:
+	# Currently only care about high severity reported issues. Once this is
+	# reached, go and enable the medium/low checks.
+	bandit \
+		-c ../bandit.yaml \
+		-r \
+		-f xml -o $$WORKDIR/bandit_results.xml \
+		-lll \
+		$(realpath ..) \
+		$(realpath ..)/{checks,inventory}/* \
+		$(realpath ../cmc/)
+
 
 test-pylint-ci:
 	export TERM="linux" ; \
@@ -29,5 +44,6 @@ setup:
 	    beautifulsoup4 \
 	    pytest-stepwise \
 	    dill \
-	    html5lib
+	    html5lib \
+	    bandit
 	$(MAKE) -C pylint setup


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

[checkmk-commits] First experiments with bandit security scanner