Skip to content

Commit

Permalink
Add Bandit security linting; update requirements (#562)
Browse files Browse the repository at this point in the history
  • Loading branch information
austinbyers authored Jan 10, 2018
1 parent da7e05e commit cf12209
Show file tree
Hide file tree
Showing 6 changed files with 42 additions and 33 deletions.
1 change: 1 addition & 0 deletions .travis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,5 +13,6 @@ script:
- ./manage.py lambda test --processor all
- sphinx-build -W docs/source docs/build
- ./tests/scripts/pylint.sh
- bandit --ini setup.cfg -r .
after_success:
coveralls
9 changes: 4 additions & 5 deletions requirements-top-level.txt
Original file line number Diff line number Diff line change
@@ -1,23 +1,22 @@
Sphinx
autoflake
autopep8
awscli
backoff
bandit
boto3
botocore
boxsdk[jwt]==2.0.0a11
coverage
coveralls
cryptography
google_api_python_client
google_api_python_client==1.6.4
jsonpath_rw
mock
moto==1.1.10
netaddr
nose
pyfakefs
pylint
pylint==1.7.4
requests
Sphinx
sphinx-rtd-theme
virtualenv
yapf
46 changes: 21 additions & 25 deletions requirements.txt
Original file line number Diff line number Diff line change
@@ -1,14 +1,13 @@
Sphinx==1.6.5
autoflake==1.0
autopep8==1.3.3
awscli==1.11.185
awscli==1.14.22
backoff==1.4.3
boto3==1.4.7
botocore==1.7.43
bandit==1.4.0
boto3==1.5.12
boxsdk==2.0.0a11
coverage==4.4.2
coveralls==1.2.0
cryptography==2.1.3
cryptography==2.1.4
google-api-python-client==1.6.4
jsonpath-rw==1.4.0
mock==2.0.0
Expand All @@ -18,20 +17,17 @@ nose==1.3.7
pyfakefs==3.3
pylint==1.7.4
requests==2.18.4
Sphinx==1.6.6
sphinx-rtd-theme==0.2.4
virtualenv==15.1.0
yapf==0.19.0
yapf==0.20.0
## The following requirements were added by pip freeze:
alabaster==0.7.10
asn1crypto==0.23.0
astroid==1.5.3
aws-xray-sdk==0.93
asn1crypto==0.24.0
astroid==1.6.0
Babel==2.5.1
backports.functools-lru-cache==1.4
backports.ssl-match-hostname==3.5.0.1
backports.tempfile==1.0
backports.weakref==1.0.post1
boto==2.48.0
botocore==1.8.26
certifi==2017.11.5
cffi==1.11.2
chainmap==1.0.2
Expand All @@ -41,50 +37,50 @@ configparser==3.5.0
cookies==2.2.1
decorator==4.1.2
dicttoxml==1.7.4
docker==2.6.1
docker-pycreds==0.2.1
docopt==0.6.2
docutils==0.14
enum34==1.1.6
funcsigs==1.0.2
futures==3.1.1
futures==3.2.0
gitdb2==2.0.3
GitPython==2.1.8
httplib2==0.10.3
idna==2.6
imagesize==0.7.1
ipaddress==1.0.18
ipaddress==1.0.19
isort==4.2.15
Jinja2==2.10
jmespath==0.9.3
jsonpickle==0.9.5
lazy-object-proxy==1.3.1
MarkupSafe==1.0
mccabe==0.6.1
oauth2client==4.1.2
pbr==3.1.1
ply==3.10
pyaml==17.10.0
pyasn1==0.3.7
pyasn1-modules==0.1.5
pyaml==17.12.1
pyasn1==0.4.2
pyasn1-modules==0.2.1
pycodestyle==2.3.1
pycparser==2.18
pyflakes==1.6.0
Pygments==2.2.0
PyJWT==1.5.3
pyOpenSSL==17.3.0
pyOpenSSL==17.5.0
python-dateutil==2.6.1
pytz==2017.3
PyYAML==3.12
requests-toolbelt==0.8.0
rsa==3.4.2
s3transfer==0.1.11
s3transfer==0.1.12
singledispatch==3.4.0.3
six==1.11.0
smmap2==2.0.3
snowballstemmer==1.2.1
sphinxcontrib-websupport==1.0.1
stevedore==1.28.0
typing==3.6.2
uritemplate==3.0.0
urllib3==1.22
websocket-client==0.44.0
Werkzeug==0.12.2
Werkzeug==0.14.1
wrapt==1.10.11
xmltodict==0.11.0
11 changes: 11 additions & 0 deletions setup.cfg
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,17 @@ nocapture=1
[pycodestyle]
max-line-length=90

[bandit]
# Skip the venv/ and tests/ directories when scanning.
exclude: venv,tests

# Skip the following tests:
#
# - [B404:blacklist] Consider possible security implications associated with subprocess module.
# Severity: Low Confidence: High
# There are other warnings specific to subprocess calls (e.g. B603, B607)
skips: B404

[yapf]
COLUMN_LIMIT=100

Expand Down
3 changes: 2 additions & 1 deletion stream_alert/rule_processor/payload.py
Original file line number Diff line number Diff line change
Expand Up @@ -203,7 +203,8 @@ def _download_object(self, region, bucket, key):
if size_mb > 128:
raise S3ObjectSizeError('S3 object to download is above 128MB')

LOGGER.debug(os.popen('df -h /tmp | tail -1').read().strip())
# Bandit warns about using a shell process, ignore with #nosec
LOGGER.debug(os.popen('df -h /tmp | tail -1').read().strip()) # nosec

display_size = '{}MB'.format(size_mb) if size_mb else '{}KB'.format(size_kb)

Expand Down
5 changes: 3 additions & 2 deletions stream_alert_cli/helpers.py
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@ def run_command(runner_args, **kwargs):
stdout_option = open(os.devnull, 'w')

try:
subprocess.check_call(runner_args, stdout=stdout_option, cwd=cwd)
subprocess.check_call(runner_args, stdout=stdout_option, cwd=cwd) # nosec
except subprocess.CalledProcessError as err:
LOGGER_CLI.error('%s\n%s', error_message, err.cmd)
return False
Expand Down Expand Up @@ -320,7 +320,8 @@ def format_lambda_test_record(test_record):

if service == 's3':
# Set the S3 object key to a random value for testing
test_record['key'] = ('{:032X}'.format(random.randrange(16**32)))
# (Bandit warns about use of insecure random generator: ignore with #nosec)
test_record['key'] = ('{:032X}'.format(random.randrange(16**32))) # nosec
record_template['s3']['object']['key'] = test_record['key']
record_template['s3']['object']['size'] = len(data)
record_template['s3']['bucket']['arn'] = 'arn:aws:s3:::{}'.format(source)
Expand Down

0 comments on commit cf12209

Please sign in to comment.