| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
It was retired upstream: https://github.com/PyCQA/bandit/pull/858
Continuing to list it causes CI failures like
ERROR Unknown test found in profile: B309
Change-Id: I52c535bd2078f25bb57c42a2c2c966247cd3094b
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
md5 is not an approved algorithm in FIPS mode, and trying to
instantiate a hashlib.md5() will fail when the system is running in
FIPS mode.
md5 is allowed when in a non-security context. There is a plan to
add a keyword parameter (usedforsecurity) to hashlib.md5() to annotate
whether or not the instance is being used in a security context.
In the case where it is not, the instantiation of md5 will be allowed.
See https://bugs.python.org/issue9216 for more details.
Some downstream python versions already support this parameter. To
support these versions, a new encapsulation of md5() is added to
swift/common/utils.py. This encapsulation is identical to the one being
added to oslo.utils, but is recreated here to avoid adding a dependency.
This patch is to replace the instances of hashlib.md5() with this new
encapsulation, adding an annotation indicating whether the usage is
a security context or not.
While this patch seems large, it is really just the same change over and
again. Reviewers need to pay particular attention as to whether the
keyword parameter (usedforsecurity) is set correctly. Right now, all
of them appear to be not used in a security context.
Now that all the instances have been converted, we can update the bandit
run to look for these instances and ensure that new invocations do not
creep in.
With this latest patch, the functional and unit tests all pass
on a FIPS enabled system.
Co-Authored-By: Pete Zaitcev
Change-Id: Ibb4917da4c083e1e094156d748708b87387f2d87
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to the bandit current version document,
the B109 and B111 plugin has been removed.
And Add the following tests:
Complete Test Plugin Listing: B507, B610, B611, B703
Blacklist Plugins Listing: B322, B323, B325, B413, B414
Reference URL: https://bandit.readthedocs.io/en/latest/plugins/index.html
Change-Id: I5e9365f9147776d7d90c6ba889acbde3c0e6c19d
Closes-Bug: #1838361
|
|
|
|
|
|
|
|
| |
Test B109 was removed from bandit in release 1.5.0[1]
[1] - https://github.com/PyCQA/bandit/commit/d93eed549242013ca10f6fc990dd4234b69958f7
Change-Id: I57ea610b924c2140b7572762c44cbc6510d0f549
|
|
|
|
|
|
|
|
|
|
|
| |
This commit updates the Swift Bandit file to the new style
introduced in Bandit 1.0. In response to the struggle with
getting a Bandit config file working and kept up to date we
introduced a simplified version in Bandit 1.0.
This commit updates Swift's bandit.yaml to use the new version.
Change-Id: Ida5dd08f4ea72a377346f2159caeb2f3741d4980
|
|
This change adds a basic bandit config for Swift. It can be invoked
by running the tox environment for bandit;
tox -e bandit
This is an initial step for using bandit with Swift
and it should be revisited to improve the testing as more is learned
about the specific needs of the Swift code base.As per now some tests
are excluded as they were used on purpose.
https://wiki.openstack.org/wiki/Security/Projects/Bandit
Implements: blueprint swift-bandit
Change-Id: I621be9a68ae9311f3a6eadd1636b05e646260cf2
|