Add Bandit security linting; update requirements (#562)

.travis.yml

@@ -13,5 +13,6 @@ script:
   - ./manage.py lambda test --processor all
   - sphinx-build -W docs/source docs/build
   - ./tests/scripts/pylint.sh
+  - bandit --ini setup.cfg -r .
 after_success:
   coveralls

requirements-top-level.txt

@@ -1,23 +1,22 @@
-Sphinx
 autoflake
 autopep8
 awscli
 backoff
+bandit
 boto3
-botocore
 boxsdk[jwt]==2.0.0a11
 coverage
 coveralls
 cryptography
-google_api_python_client
+google_api_python_client==1.6.4
 jsonpath_rw
 mock
 moto==1.1.10
 netaddr
 nose
 pyfakefs
-pylint
+pylint==1.7.4
 requests
+Sphinx
 sphinx-rtd-theme
-virtualenv
 yapf

requirements.txt

@@ -1,14 +1,13 @@
-Sphinx==1.6.5
 autoflake==1.0
 autopep8==1.3.3
-awscli==1.11.185
+awscli==1.14.22
 backoff==1.4.3
-boto3==1.4.7
-botocore==1.7.43
+bandit==1.4.0
+boto3==1.5.12
 boxsdk==2.0.0a11
 coverage==4.4.2
 coveralls==1.2.0
-cryptography==2.1.3
+cryptography==2.1.4
 google-api-python-client==1.6.4
 jsonpath-rw==1.4.0
 mock==2.0.0
@@ -18,20 +17,17 @@ nose==1.3.7
 pyfakefs==3.3
 pylint==1.7.4
 requests==2.18.4
+Sphinx==1.6.6
 sphinx-rtd-theme==0.2.4
-virtualenv==15.1.0
-yapf==0.19.0
+yapf==0.20.0
 ## The following requirements were added by pip freeze:
 alabaster==0.7.10
-asn1crypto==0.23.0
-astroid==1.5.3
-aws-xray-sdk==0.93
+asn1crypto==0.24.0
+astroid==1.6.0
 Babel==2.5.1
 backports.functools-lru-cache==1.4
-backports.ssl-match-hostname==3.5.0.1
-backports.tempfile==1.0
-backports.weakref==1.0.post1
 boto==2.48.0
+botocore==1.8.26
 certifi==2017.11.5
 cffi==1.11.2
 chainmap==1.0.2
@@ -41,50 +37,50 @@ configparser==3.5.0
 cookies==2.2.1
 decorator==4.1.2
 dicttoxml==1.7.4
-docker==2.6.1
-docker-pycreds==0.2.1
 docopt==0.6.2
 docutils==0.14
 enum34==1.1.6
 funcsigs==1.0.2
-futures==3.1.1
+futures==3.2.0
+gitdb2==2.0.3
+GitPython==2.1.8
 httplib2==0.10.3
 idna==2.6
 imagesize==0.7.1
-ipaddress==1.0.18
+ipaddress==1.0.19
 isort==4.2.15
 Jinja2==2.10
 jmespath==0.9.3
-jsonpickle==0.9.5
 lazy-object-proxy==1.3.1
 MarkupSafe==1.0
 mccabe==0.6.1
 oauth2client==4.1.2
 pbr==3.1.1
 ply==3.10
-pyaml==17.10.0
-pyasn1==0.3.7
-pyasn1-modules==0.1.5
+pyaml==17.12.1
+pyasn1==0.4.2
+pyasn1-modules==0.2.1
 pycodestyle==2.3.1
 pycparser==2.18
 pyflakes==1.6.0
 Pygments==2.2.0
 PyJWT==1.5.3
-pyOpenSSL==17.3.0
+pyOpenSSL==17.5.0
 python-dateutil==2.6.1
 pytz==2017.3
 PyYAML==3.12
 requests-toolbelt==0.8.0
 rsa==3.4.2
-s3transfer==0.1.11
+s3transfer==0.1.12
 singledispatch==3.4.0.3
 six==1.11.0
+smmap2==2.0.3
 snowballstemmer==1.2.1
 sphinxcontrib-websupport==1.0.1
+stevedore==1.28.0
 typing==3.6.2
 uritemplate==3.0.0
 urllib3==1.22
-websocket-client==0.44.0
-Werkzeug==0.12.2
+Werkzeug==0.14.1
 wrapt==1.10.11
 xmltodict==0.11.0

setup.cfg

@@ -13,6 +13,17 @@ nocapture=1
 [pycodestyle]
 max-line-length=90
 
+[bandit]
+# Skip the venv/ and tests/ directories when scanning.
+exclude: venv,tests
+
+# Skip the following tests:
+#
+# - [B404:blacklist] Consider possible security implications associated with subprocess module.
+#   Severity: Low   Confidence: High
+#       There are other warnings specific to subprocess calls (e.g. B603, B607)
+skips: B404
+
 [yapf]
 COLUMN_LIMIT=100
 

stream_alert/rule_processor/payload.py

@@ -203,7 +203,8 @@ def _download_object(self, region, bucket, key):
         if size_mb > 128:
             raise S3ObjectSizeError('S3 object to download is above 128MB')
 
-        LOGGER.debug(os.popen('df -h /tmp | tail -1').read().strip())
+        # Bandit warns about using a shell process, ignore with #nosec
+        LOGGER.debug(os.popen('df -h /tmp | tail -1').read().strip())  # nosec
 
         display_size = '{}MB'.format(size_mb) if size_mb else '{}KB'.format(size_kb)
 

stream_alert_cli/helpers.py

@@ -69,7 +69,7 @@ def run_command(runner_args, **kwargs):
         stdout_option = open(os.devnull, 'w')
 
     try:
-        subprocess.check_call(runner_args, stdout=stdout_option, cwd=cwd)
+        subprocess.check_call(runner_args, stdout=stdout_option, cwd=cwd)  # nosec
     except subprocess.CalledProcessError as err:
         LOGGER_CLI.error('%s\n%s', error_message, err.cmd)
         return False
@@ -320,7 +320,8 @@ def format_lambda_test_record(test_record):
 
     if service == 's3':
         # Set the S3 object key to a random value for testing
-        test_record['key'] = ('{:032X}'.format(random.randrange(16**32)))
+        # (Bandit warns about use of insecure random generator: ignore with #nosec)
+        test_record['key'] = ('{:032X}'.format(random.randrange(16**32)))  # nosec
         record_template['s3']['object']['key'] = test_record['key']
         record_template['s3']['object']['size'] = len(data)
         record_template['s3']['bucket']['arn'] = 'arn:aws:s3:::{}'.format(source)