install bandit and start "security" scannig our code #112
Conversation
|
I don’t see the value in doing this. Most of the commit is adding a comment to skip the scanning in the first place. I can only imagine how many of those comments we’re going to have. Why are we using bandit? |
|
I will give my 0.50 cents! Instead of do a make up, would be better let it exposed till somebody can real fix it, in case it is a real issue. |
|
the value is to be aware of what we're doing. For the other, we don't need to keep it: Right now, libiocage is exeperimental, and i hope no one is using it for their production systems, we can still — openly — use an automated system — such as bandit, or maybe something else — to tease out the issues, or at least, become aware of them. For instance, #113 is a consequence of this PR. |
|
Bandit is not relevant for runtime execution, so it won't affect the enduser. It's better for us to have strict analysis tools in place to give people working on pull-requests a better chance to fit the project requirements. The tighter we define the code quality requirements on our build system, the easier it becomes to merge code contributions.
I absolutely want to be explicit with dangerous things like forks. 💛 |
|
Perhaps an additional section at README with suggestion of tools to be used before submit a PR makes more sense than enforce tools usage such like: mypy and/or bandit. Or otherwise in a near future, if a submitter sends a patch and he is not aware of these tools he would feel frustrated and probably will go away. I strongly suggest to create an additional section at README and expose these tools, before pick up a tool and enforce the usage. At least everybody will be aware of the tools the project is choosing. As an additional example: travis will be always broke and soon or late, devs will start to ignore it, what is dangerous. |
Yes. And in addition we should break the various checks into multiple Travis tasks. The total execution time will be longer, but on a PR it would show exactly which metric does not fit the requirements. We can always point a link to a description in our README. Good call, @araujobsd |
|
+1 |
|
travis has been broken for weeks on every pull request that @gronke and myself have worked on, because we've been working on pull requests to improve the code-quality with the help of automated testing tools we haven't merged anything that was broken, so master has been green (we need to reflect that as a badge in our README ;) i absolutely agree with you on helping contributors submit PRs that will be travis-green from the get-go. To do that, we should add a |
|
My suggestion would be, first start with the additional section listing all tools the project intend to use as best practices. After a while and after it gets mature among devs, it will be natural the adoption of it and then enforce it. Overall all these tools have something good, just need apply in homeopathic doses. |
igalic
force-pushed
the
chore/sec-scan
branch
2 times, most recently
from
d33a622
to
27f2421
Compare
|
switching gears, and focusing on the results of this PR so far: most of our issues are currently B110: try_except_pass that is, code of this form: try:
do_some_stuff()
except Exception:
passwe should consider refactoring this pattern to at least catch the "correct" exception. |
|
I agree with the exception, it should catch the right exception and do something not only pass all exceptions! Although sometimes it is inevitable and it is a necessary evil. |
|
Another class of issues currently marked with medium severity is possibly a bug in bandit: [B310:blacklist] Audit url open for permitted schemes. fails to notice that our I cannot seem to find anything related in bandit's issue tracker (laundpad!), so if someone knows any of its developers, it would be great to point them here. |
as discussed in #111, we would like to analyze our code for potential security issues. a first step here is to install a code scanner and start using it!
* input: we're on python 3 * shell command: we actually want that in this case;) * exec() -> use fully qualified named
since this is now encapsulated in Makefile, we can switch .travis.yml to
this ("simpler") method too.
This addresses #115 in parts.
we don't need to browse through the svnweb view, we can simply click thru the repository
we have a in the @property.setter where the URLs are validated
any hash function that produces a string >= 12 characters would've done, so the choice of sha224 is almost arbitrary, however, sha1() is also deprecated already, and sha384 and sha512 are, as per their documentation, too slow.
In this case, it's an AttributeError when accessing an `object`'s attribute that does not exist.
It needs root permissions to run, anyway, so we have it very explicitly documented now.
where this is not possible, we should use pathlib to validate the path.
gronke
force-pushed
the
chore/sec-scan
branch
2 times, most recently
from
fd145f4
to
d06a6c2
Compare
iocage/cli/__init__.py
Outdated
| @@ -25,7 +25,7 @@ | |||
| import os | |||
| import re | |||
| import signal | |||
| import subprocess as su | |||
| import subprocess # nosec: B804 | |||
There was a problem hiding this comment.
this should be B404, shouldn't it?
i disabled that entirely in the makefile, and tried disabling it in setup.cfg
There was a problem hiding this comment.
Just figured out that despite of a defined exception, # nosec: <ANYTHING> does skip all bandit warnings for this line. We should be careful with that and fix upstream
| @@ -21,6 +21,7 @@ | |||
| # STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING | |||
| # IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |||
| # POSSIBILITY OF SUCH DAMAGE. | |||
| import typing | |||
There was a problem hiding this comment.
this should be a separate commit
setup.cfg
Outdated
| @@ -1,6 +1,9 @@ | |||
| [metadata] | |||
| description-file = README.md | |||
|
|
|||
| [bandit] | |||
| skip = B404 | |||
There was a problem hiding this comment.
does this actually work
There was a problem hiding this comment.
It did complain about B404, so I don't think so.
gronke
force-pushed
the
chore/sec-scan
branch
from
d06a6c2
to
05e2cfd
Compare
@skarekrow the errors reported by bandit have been valuable to know. It found for example swallowed exceptions where we didn't precisely defined the expected errors. It's a nice addition to MyPy and should be required in the build process. |
as discussed in #111, we would like to analyze our code for potential
security issues. a first step here is to install a code scanner and
start using it!