# optional: after how many files to update progress #show_progress_every: 100 # optional: plugins directory name #plugins_dir: 'plugins' # optional: plugins discovery name pattern plugin_name_pattern: '*.py' # optional: terminal escape sequences to display colors #output_colors: # DEFAULT: '\033[0m' # HEADER: '\033[95m' # INFO: '\033[94m' # WARN: '\033[93m' # ERROR: '\033[91m' # optional: log format string #log_format: "[%(module)s]\t%(levelname)s\t%(message)s" # globs of files which should be analyzed include: - '*.py' - '*.pyw' # a list of strings, which if found in the path will cause files to be excluded # for example /tests/ - to remove all all files in tests directory exclude_dirs: profiles: XSS: include: - jinja2_autoescape_false - use_of_mako_templates ShellInjection: include: - subprocess_popen_with_shell_equals_true - any_other_function_with_shell_equals_true exclude: SqlInjection: include: - hardcoded_sql_expressions blacklist_functions: bad_name_sets: - pickle: qualname: pickle.loads, pickle.dumps message: "Pickle library appears to be in use, possible security issue." - md5: qualname: hashlib.md5 message: "Use of insecure MD5 hash function." - subprocess_popen: qualname: subprocess.Popen message: "Use of possibly insecure system call function (subprocess.Popen)." - subprocess_call: qualname: subprocess.call message: "Use of possibly insecure system call function (subprocess.call)." - os_exec: qualname: os.exec, os.spawn params: l, le, lp, lpe, v, ve, vp, vpe message: "Use of possibly insecure system call function (os.exec or os.spawn)." - os_popen: qualname: os.popen message: "Use of insecure / deprecated system call function (os.popen)." - os_startfile_q: qualname: os.startfile message: "Use of insecure system function (os.startfile)." - mktemp_q: qualname: tempfile.mktemp message: "Use of insecure and deprecated function (mktemp)." - eval: name: eval message: "Use of possibly insecure function - consider using safer ast.literal_eval." - mark_safe: name: mark_safe message: "Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed." - httpsconnection: qualname: httplib.HTTPSConnection message: "Use of HTTPSConnection does not provide security, see https://wiki.openstack.org/wiki/OSSN/OSSN-0033" - yaml_load: qualname: yaml.load message: "Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load()." - urllib_urlopen: qualname: urllib.urlopen, urllib.urlretrieve, urllib.URLopener, urllib.FancyURLopener, urllib2.urlopen, urllib2.Request message: "Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected." blacklist_imports: bad_import_sets: - telnet: import: telnetlib level: ERROR message: "Telnet is considered insecure. Use SSH or some other encrypted protocol." - info_libs: import: pickle, subprocess, Crypto level: INFO message: "Consider possible security implications associated with {module} module." hardcoded_password: word_list: "wordlist/default-passwords" ssl_with_bad_version: bad_protocol_versions: - 'PROTOCOL_SSLv2' - 'SSLv2_METHOD' - 'SSLv23_METHOD' - 'PROTOCOL_SSLv3' # strict option - 'PROTOCOL_TLSv1' # strict option - 'SSLv3_METHOD' # strict option - 'TLSv1_METHOD' # strict option password_config_option_not_marked_secret: function_names: - oslo.config.cfg.StrOpt - oslo_config.cfg.StrOpt execute_with_run_as_root_equals_true: function_names: - ceilometer.utils.execute - cinder.utils.execute - neutron.agent.linux.utils.execute - nova.utils.execute - nova.utils.trycmd