diff --git a/bandit.yaml b/bandit.yaml
new file mode 100644
index 00000000..35384763
--- /dev/null
+++ b/bandit.yaml
@@ -0,0 +1,92 @@
+### Bandit config file generated from:
+# '/usr/local/bin/bandit-config-generator -o bandit.yaml'
+
+### This config may optionally select a subset of tests to run or skip by
+### filling out the 'tests' and 'skips' lists given below. If no tests are
+### specified for inclusion then it is assumed all tests are desired. The skips
+### set will remove specific tests from the include set. This can be controlled
+### using the -t/-s CLI options. Note that the same test ID should not appear
+### in both 'tests' and 'skips', this would be nonsensical and is detected by
+### Bandit at runtime.
+
+# Available tests:
+# B101 : assert_used
+# B102 : exec_used
+# B103 : set_bad_file_permissions
+# B104 : hardcoded_bind_all_interfaces
+# B105 : hardcoded_password_string
+# B106 : hardcoded_password_funcarg
+# B107 : hardcoded_password_default
+# B108 : hardcoded_tmp_directory
+# B109 : password_config_option_not_marked_secret
+# B110 : try_except_pass
+# B111 : execute_with_run_as_root_equals_true
+# B112 : try_except_continue
+# B201 : flask_debug_true
+# B301 : pickle
+# B302 : marshal
+# B303 : md5
+# B304 : ciphers
+# B305 : cipher_modes
+# B306 : mktemp_q
+# B307 : eval
+# B308 : mark_safe
+# B309 : httpsconnection
+# B310 : urllib_urlopen
+# B311 : random
+# B312 : telnetlib
+# B313 : xml_bad_cElementTree
+# B314 : xml_bad_ElementTree
+# B315 : xml_bad_expatreader
+# B316 : xml_bad_expatbuilder
+# B317 : xml_bad_sax
+# B318 : xml_bad_minidom
+# B319 : xml_bad_pulldom
+# B320 : xml_bad_etree
+# B321 : ftplib
+# B322 : input
+# B401 : import_telnetlib
+# B402 : import_ftplib
+# B403 : import_pickle
+# B404 : import_subprocess
+# B405 : import_xml_etree
+# B406 : import_xml_sax
+# B407 : import_xml_expat
+# B408 : import_xml_minidom
+# B409 : import_xml_pulldom
+# B410 : import_lxml
+# B411 : import_xmlrpclib
+# B412 : import_httpoxy
+# B501 : request_with_no_cert_validation
+# B502 : ssl_with_bad_version
+# B503 : ssl_with_bad_defaults
+# B504 : ssl_with_no_version
+# B505 : weak_cryptographic_key
+# B506 : yaml_load
+# B601 : paramiko_calls
+# B602 : subprocess_popen_with_shell_equals_true
+# B603 : subprocess_without_shell_equals_true
+# B604 : any_other_function_with_shell_equals_true
+# B605 : start_process_with_a_shell
+# B606 : start_process_with_no_shell
+# B607 : start_process_with_partial_path
+# B608 : hardcoded_sql_expressions
+# B609 : linux_commands_wildcard_injection
+# B701 : jinja2_autoescape_false
+# B702 : use_of_mako_templates
+
+# (optional) list included test IDs here, eg '[B101, B406]':
+tests:
+
+# (optional) list skipped test IDs here, eg '[B101, B406]':
+skips: [B101, B404, B603, B606]
+
+# globs of files which should be analyzed
+include:
+    - '*.py'
+    - '*.pyw'
+
+# a list of strings, which if found in the path will cause files to be excluded
+# for example /tests/ - will exclude all files in test folder.
+exclude_dirs:
+    - '/tests/'
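Review bot: The `skips` list near the end of the file turns off B101, B404, B603 and B606 for the whole tree without recording why, so a later reader cannot tell whether dropping the three subprocess checks (import, call without shell, start without shell) was a deliberate acceptance or a shortcut to a green run. A comment above the list would settle that, e.g. `# B404/B603/B606: <reason subprocess use is accepted>; B101: <reason assert use is accepted>`, with the placeholders filled in from the actual call sites. The empty `tests:` key is fine as written, since the header already explains that no entry means every test runs.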
diff --git a/orm/common/client/audit/audit_client/api/audit.py b/orm/common/client/audit/audit_client/api/audit.py
index 9077d8d6..dc0d9904 100755
--- a/orm/common/client/audit/audit_client/api/audit.py
+++ b/orm/common/client/audit/audit_client/api/audit.py
@@ -169,13 +169,13 @@ def _post_data(data):
     # Validate that the configuration was initialized
     _validate()
     # Send the data
-    req = urllib2.Request(config['AUDIT_SERVER_URL'])
+    req = urllib2.Request(config['AUDIT_SERVER_URL'])    # nosec
     req.add_header('Content-Type', 'application/json')
     # Retry to send the data to the audit server
     success = False
     for retry_number in range(config['NUM_OF_SEND_RETRIES']):
         try:
-            urllib2.urlopen(req, json.dumps(data))
+            urllib2.urlopen(req, json.dumps(data))    # nosec
             success = True
             break
         except Exception as error:
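Review bot: The `# nosec` markers on the `urllib2.Request` and `urllib2.urlopen` lines silence B310 without addressing what it warns about: `urlopen` will open `file:` and other schemes, and nothing in this hunk constrains `config['AUDIT_SERVER_URL']` to http(s). If `_validate()` already checks the scheme, say so on the marker (`# nosec B310: scheme checked in _validate()`); if it does not, add the check there or just before the request is built, e.g. `if not config['AUDIT_SERVER_URL'].startswith(('http://', 'https://')): raise ValueError('AUDIT_SERVER_URL must be an http(s) URL')`. The same applies to the `_get_data` hunk below, where `query` is additionally concatenated into the URL. `_post_data` starts above this hunk and its retry loop continues below it.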
@@ -197,13 +197,13 @@ def _get_data(query):
     # Send the data
     audit_server_url_with_query = "{}?{}".format(config['AUDIT_SERVER_URL'],
                                                  query)
-    req = urllib2.Request(audit_server_url_with_query)
+    req = urllib2.Request(audit_server_url_with_query)    # nosec
     # Retry to get the data from the audit server
     success = False
     response = None
     for retry_number in range(config['NUM_OF_SEND_RETRIES']):
         try:
-            response = urllib2.urlopen(req)
+            response = urllib2.urlopen(req)    # nosec
             success = True
             break
         except Exception as error:
diff --git a/orm/common/config.py b/orm/common/config.py
index 1eaa8f44..889ea8de 100644
--- a/orm/common/config.py
+++ b/orm/common/config.py
@@ -22,7 +22,7 @@ CONF = cfg.CONF
 api_opts = [
     cfg.HostAddressOpt(
         'host',
-        default='0.0.0.0',
+        default='0.0.0.0',    # nosec
         help='Ranger API server host'
     ),
     cfg.BoolOpt('ssl_verify', default=False, help='Enable HTTPS')
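Review bot: The `# nosec` on the `default='0.0.0.0'` line suppresses B104 without stating why binding to all interfaces is acceptable, which is exactly what the next reader of this option will want to know. Extend the marker with the rationale, e.g. `default='0.0.0.0',    # nosec B104: listen on all interfaces by default; deployments narrow this via the 'host' option`. The `api_opts` list continues outside the hunk.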
diff --git a/orm/orm_client/db_clear/db_comander.py b/orm/orm_client/db_clear/db_comander.py
index 930125e5..9b283118 100644
--- a/orm/orm_client/db_clear/db_comander.py
+++ b/orm/orm_client/db_clear/db_comander.py
@@ -60,7 +60,7 @@ def _build_delet_resource_status_query(resource_id, table_name):
     query = '''
         DELETE from %s
         WHERE resource_id = '%s'
-        ''' % (table_name, resource_id)
+        ''' % (table_name, resource_id)  # nosec
     return query
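Review bot: The `# nosec` on the `''' % (table_name, resource_id)` line of `_build_delet_resource_status_query` hides B608 while the query still embeds `resource_id` as a quoted literal, so a value containing a single quote breaks or alters the statement; the six hunks that follow in this file (`_build_delete_image_metadata`, `_build_delete_resource_query`, `_build_get_cms_regions_query`, `_build_get_fms_regions_query`, `_build_get_ims_regions_query`, `_build_get_resource_id_query`) make the same marker-only change. Table and column names cannot be bound, but the id value can: keep `%s` for the identifiers and emit a bind placeholder for the value, e.g. `WHERE resource_id = %%s` (or `:resource_id` with `sqlalchemy.text`), and have the caller pass `resource_id` as a parameter to `execute`. That touches the callers, which are outside this diff, so if they are trusted-input-only paths the alternative is to say so on the marker: `# nosec B608: <why resource_id is trusted here>`. Each of these functions' `def` line sits above its hunk.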
 
 
@@ -70,7 +70,7 @@ def _build_delete_image_metadata(resource_id, image_metadata_table,
         DELETE from %s
         WHERE  image_meta_data_id in
             (SELECT id from %s where resource_id = '%s')
-        ''' % (image_metadata_table, resource_table, resource_id)
+        ''' % (image_metadata_table, resource_table, resource_id)  # nosec
     return query
 
 
@@ -78,7 +78,7 @@ def _build_delete_resource_query(resource_id, table_col, table_name):
     query = '''
         DELETE from %s
         WHERE %s.%s = '%s'
-        ''' % (table_name, table_name, table_col, resource_id)
+        ''' % (table_name, table_name, table_col, resource_id)  # nosec
     return query
 
 
@@ -86,7 +86,7 @@ def _build_get_cms_regions_query(resource_id, table_name):
     query = '''
         select region_id from %s
         WHERE customer_id = '%s' and region_id != '-1'
-        ''' % (table_name, resource_id)
+        ''' % (table_name, resource_id)    # nosec
     return query
 
 
@@ -94,7 +94,7 @@ def _build_get_fms_regions_query(resource_id, table_name):
     query = '''
         select region_name from %s
         WHERE flavor_internal_id = '%s'
-        ''' % (table_name, resource_id)
+        ''' % (table_name, resource_id)    # nosec
     return query
 
 
@@ -102,7 +102,7 @@ def _build_get_ims_regions_query(resource_id, table_name):
     query = '''
         select region_name from %s
         WHERE image_id = '%s'
-        ''' % (table_name, resource_id)
+        ''' % (table_name, resource_id)    # nosec
     return query
 
 
@@ -110,7 +110,7 @@ def _build_get_resource_id_query(resource_id, table_col, table_name):
     query = '''
         select * from %s
         WHERE %s.%s = '%s'
-        ''' % (table_name, table_name, table_col, resource_id)
+        ''' % (table_name, table_name, table_col, resource_id)    # nosec
     return query
 
 
diff --git a/orm/services/customer_manager/cms_rest/data/sql_alchemy/cms_user_record.py b/orm/services/customer_manager/cms_rest/data/sql_alchemy/cms_user_record.py
index 3b8ab57a..a6494eb0 100755
--- a/orm/services/customer_manager/cms_rest/data/sql_alchemy/cms_user_record.py
+++ b/orm/services/customer_manager/cms_rest/data/sql_alchemy/cms_user_record.py
@@ -38,7 +38,7 @@ class CmsUserRecord:
             raise
 
     def get_cms_user_id_from_name(self, cms_user_name):
-        result = self.session.connection().scalar("SELECT id from cms_user WHERE name = \"%s\"" % (cms_user_name))
+        result = self.session.connection().scalar("SELECT id from cms_user WHERE name = \"%s\"", (cms_user_name,))
         if result is not None:
             return int(result)
         return result
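Review bot: The rewritten `scalar(...)` call in `get_cms_user_id_from_name` passes `cms_user_name` as a DB-API parameter but keeps the `\"%s\"` quoting in the SQL text; the common MySQL drivers quote the bound value themselves, so the comparison becomes `name = "'<value>'"` and no longer matches the intended row. Drop the literal quotes: `result = self.session.connection().scalar("SELECT id from cms_user WHERE name = %s", (cms_user_name,))`. This relies on the driver using the `format` paramstyle, which the `%s` suggests is the case here; `sqlalchemy.text("SELECT id from cms_user WHERE name = :name")` with `{'name': cms_user_name}` would remove that dependency. A unit test with a name containing a quote would pin both the fix and the fact that the value is bound rather than interpolated.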
diff --git a/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_record.py b/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_record.py
index 2e375aae..fe2e7d60 100755
--- a/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_record.py
+++ b/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_record.py
@@ -42,7 +42,7 @@ class CustomerRecord:
             raise
 
     def delete_by_primary_key(self, customer_id):
-        result = self.session.connection().execute("delete from customer where id = {}".format(customer_id))
+        result = self.session.connection().execute("delete from customer where id = {}".format(customer_id))    # nosec
         return result
 
     def read_by_primary_key(self):
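Review bot: The `# nosec` on the `execute("delete from customer where id = {}".format(customer_id))` line of `delete_by_primary_key` leaves B608's finding as it was: whatever the caller passes is spliced straight into the statement. The next two hunks in this file (`get_customer_id_from_uuid`, `get_customers_status_by_uuids`) and the hunks in customer_region_record.py, region_record.py, flavor_record.py and image_record.py do the same, and there the interpolated values are strings (`uuid`, `flavor_uuid`, `id`, `uuid_str`), which is where the quoting risk actually lies. The single-value cases have a direct replacement, e.g. `self.session.connection().scalar("SELECT id from customer WHERE uuid = %s", (uuid,))`; the `IN ({})` cases need one placeholder per element (or `sqlalchemy.text` with `bindparam(..., expanding=True)`) because `uuid_str` arrives already joined. If the callers are known to validate these values as UUIDs, record that on the marker (`# nosec B608: <where the value is validated>`) so the suppression can be audited later.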
@@ -69,7 +69,7 @@ class CustomerRecord:
             raise
 
     def get_customer_id_from_uuid(self, uuid):
-        result = self.session.connection().scalar("SELECT id from customer WHERE uuid = \"{}\"".format(uuid))
+        result = self.session.connection().scalar("SELECT id from customer WHERE uuid = \"{}\"".format(uuid))  # nosec
 
         if result:
             return int(result)
@@ -77,7 +77,7 @@ class CustomerRecord:
             return None
 
     def get_customers_status_by_uuids(self, uuid_str):
-        results = self.session.connection().execute("SELECT id, resource_id, region, status"
+        results = self.session.connection().execute("SELECT id, resource_id, region, status"  # nosec
                                                     "  FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str))
         cust_region_dict = {}
         if results:
diff --git a/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_region_record.py b/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_region_record.py
index d742444a..c3573107 100755
--- a/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_region_record.py
+++ b/orm/services/customer_manager/cms_rest/data/sql_alchemy/customer_region_record.py
@@ -68,7 +68,7 @@ class CustomerRegionRecord:
                 'region with the region name {0} not found'.format(
                     region_name))
         result = self.session.connection().execute(
-            "delete from customer_region where customer_id = {} and region_id = {}".format(customer_id, region_id))
+            "delete from customer_region where customer_id = {} and region_id = {}".format(customer_id, region_id))  # nosec
         self.session.flush()
 
         if result.rowcount == 0:
@@ -86,6 +86,6 @@ class CustomerRegionRecord:
             customer_id = customer_record.get_customer_id_from_uuid(customer_id)
 
         result = self.session.connection().execute(
-            "delete from customer_region where customer_id = {} and region_id <> -1 ".format(customer_id))
+            "delete from customer_region where customer_id = {} and region_id <> -1 ".format(customer_id))  # nosec
         # print "num records deleted from customer regions: " + str(result.rowcount)
         return result
diff --git a/orm/services/customer_manager/cms_rest/data/sql_alchemy/region_record.py b/orm/services/customer_manager/cms_rest/data/sql_alchemy/region_record.py
index 0bf5dcc0..07154a2f 100755
--- a/orm/services/customer_manager/cms_rest/data/sql_alchemy/region_record.py
+++ b/orm/services/customer_manager/cms_rest/data/sql_alchemy/region_record.py
@@ -37,7 +37,7 @@ class RegionRecord:
             raise
 
     def get_region_id_from_name(self, region_name):
-        result = self.session.connection().scalar("SELECT id from cms_region WHERE name = \"{}\"".format(region_name))
+        result = self.session.connection().scalar("SELECT id from cms_region WHERE name = \"{}\"".format(region_name))  # nosec
         if result is not None:
             return int(result)
         return result
diff --git a/orm/services/customer_manager/cms_rest/data/sql_alchemy/user_role_record.py b/orm/services/customer_manager/cms_rest/data/sql_alchemy/user_role_record.py
index ceb94971..aaf11112 100755
--- a/orm/services/customer_manager/cms_rest/data/sql_alchemy/user_role_record.py
+++ b/orm/services/customer_manager/cms_rest/data/sql_alchemy/user_role_record.py
@@ -64,9 +64,10 @@ class UserRoleRecord:
             # additional logic for delete_user only: check if the provided user id
             # is associated with the customer and region in cms delete_user request
             elif region_id > -1:
-                user_check = "SELECT DISTINCT user_id from user_role " \
-                             "WHERE customer_id =%d AND region_id =%d " \
-                             "AND user_id =%d" % (customer_id, region_id, user_id)
+                user_check = '''
+                    SELECT DISTINCT user_id from user_role
+                    WHERE customer_id =%d AND region_id =%d AND user_id =%d"
+                    ''' % (customer_id, region_id, user_id)  # nosec
 
                 result = self.session.connection().execute(user_check)
                 if result.rowcount == 0:
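Review bot: The new triple-quoted `user_check` string has a stray `"` at the end of `AND user_id =%d"`, which the old backslash-continued version did not have; it becomes part of the SQL text and the statement will fail when executed. Remove it: `WHERE customer_id =%d AND region_id =%d AND user_id =%d`. With `%d` the three values are forced to integers (a non-numeric argument raises `TypeError` at format time), which is a defensible reason for the `# nosec` and is worth stating on the marker, e.g. `# nosec B608: %d coerces all three values to int`. The enclosing method starts above the hunk and continues below it.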
diff --git a/orm/services/flavor_manager/fms_rest/data/sql_alchemy/flavor/flavor_record.py b/orm/services/flavor_manager/fms_rest/data/sql_alchemy/flavor/flavor_record.py
index a1255839..aef20afd 100755
--- a/orm/services/flavor_manager/fms_rest/data/sql_alchemy/flavor/flavor_record.py
+++ b/orm/services/flavor_manager/fms_rest/data/sql_alchemy/flavor/flavor_record.py
@@ -53,7 +53,7 @@ class FlavorRecord:
 
     def delete_by_uuid(self, flavor_uuid):
         try:
-            result = self.session.connection().execute("delete from flavor where id = \"{0}\"".format(flavor_uuid))
+            result = self.session.connection().execute("delete from flavor where id = \"{0}\"".format(flavor_uuid))    # nosec
             return result
 
         except Exception as exception:
@@ -148,7 +148,7 @@ class FlavorRecord:
             raise
 
     def get_flavors_status_by_uuids(self, uuid_str):
-        results = self.session.connection().execute("SELECT id, resource_id, region, status"
+        results = self.session.connection().execute("SELECT id, resource_id, region, status"  # nosec
                                                     "  FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str))
 
         flvr_region_dict = {}
diff --git a/orm/services/flavor_manager/fms_rest/data/wsme/models.py b/orm/services/flavor_manager/fms_rest/data/wsme/models.py
index 4254f921..07d4efa3 100755
--- a/orm/services/flavor_manager/fms_rest/data/wsme/models.py
+++ b/orm/services/flavor_manager/fms_rest/data/wsme/models.py
@@ -1,3 +1,4 @@
+import ast
 import wsme
 
 from orm.common.orm_common.utils.cross_api_utils import (set_utils_conf,
@@ -254,7 +255,7 @@ class Flavor(Model):
 
                 if self.series == 'p1':
                     if {'n0'}.issubset(self.options.keys()) and \
-                            eval(self.options.get('n0').lower().capitalize()):
+                            ast.literal_eval(self.options.get('n0').lower().capitalize()):
                         vcpu_limit = int(conf.flavor_limits.p1_n0_vcpu_limit)
                         vram_limit = int(conf.flavor_limits.p1_n0_vram_limit)
                     else:
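Review bot: Swapping `eval` for `ast.literal_eval` in the `if {'n0'}.issubset(...)` condition removes arbitrary code execution, but the option value is still parsed as Python: `'True'`/`'False'` work, while any other text now raises `ValueError` (previously `NameError`) from inside the condition, and a `None` value would still fail on `.lower()`. If `n0` is meant to be a boolean flag, compare the string instead of parsing it, e.g. `if (self.options.get('n0') or '').strip().lower() == 'true':`, which also makes the `issubset` guard unnecessary. If other truthy spellings such as `'1'` must keep working, list them explicitly rather than relying on `literal_eval`. The enclosing `if self.series == 'p1':` block continues below the hunk.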
diff --git a/orm/services/image_manager/ims/persistency/sql_alchemy/image/image_record.py b/orm/services/image_manager/ims/persistency/sql_alchemy/image/image_record.py
index 58ea3775..a16aa16a 100755
--- a/orm/services/image_manager/ims/persistency/sql_alchemy/image/image_record.py
+++ b/orm/services/image_manager/ims/persistency/sql_alchemy/image/image_record.py
@@ -9,7 +9,7 @@ LOG = get_logger(__name__)
 class ImageRecord(Record):
     def __init__(self, session):
 
-        # this model is uses only for the parameters of access mothods, not an instance of model in the database
+        # this model is uses only for the parameters of access methods, not an instance of model in the database
         self.__image = Image()
         # self.set_record_data(self.__image)
         # self.__image.clear()
@@ -48,7 +48,7 @@ class ImageRecord(Record):
 
     def delete_image_by_id(self, id):
         try:
-            result = self.session.connection().execute("delete from image where id = '{0}'".format(id))
+            result = self.session.connection().execute("delete from image where id = '{0}'".format(id))  # nosec
             return result
 
         except Exception as exception:
@@ -95,7 +95,7 @@ class ImageRecord(Record):
             raise
 
     def get_images_status_by_uuids(self, uuid_str):
-        results = self.session.connection().execute("SELECT id, resource_id, region, status"
+        results = self.session.connection().execute("SELECT id, resource_id, region, status"  # nosec
                                                     "  FROM rds_resource_status_view WHERE resource_id IN ({})".format(uuid_str))
         img_region_dict = {}
         if results:
diff --git a/orm/services/region_manager/rms/model/model.py b/orm/services/region_manager/rms/model/model.py
index fc20e355..b6d1d85f 100755
--- a/orm/services/region_manager/rms/model/model.py
+++ b/orm/services/region_manager/rms/model/model.py
@@ -1,8 +1,10 @@
 """model module."""
+from orm.services.region_manager.rms.logger import get_logger
 from orm.services.region_manager.rms.services import error_base
-
 from pecan import conf
 
+logger = get_logger(__name__)
+
 
 class Address(object):
     """address class."""
@@ -123,8 +125,9 @@ class RegionData(object):
                             "type {}".format(endpoint.type))
             try:
                 endpoints_types_must_have.remove(endpoint.type)
-            except Exception:
-                pass
+            except Exception as exp:
+                # pass
+                logger.debug(exp)
         if len(endpoints_types_must_have) > 0:
             raise error_base.InputValueError(
                 message="Invalid endpoints. Endpoint type '{}' "
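Review bot: `except Exception as exp` around `endpoints_types_must_have.remove(endpoint.type)` is still far wider than the failure it expects, which is the element not being present (`ValueError` for a list, `KeyError` for a set), so the change mostly relabels the B110 finding rather than narrowing it. Catch that case explicitly and log something a reader can act on, e.g. `except (ValueError, KeyError): logger.debug("endpoint type %s is not in the required set", endpoint.type)`, and drop the leftover `# pass` line. If the container is a set, `endpoints_types_must_have.discard(endpoint.type)` avoids the exception altogether. The enclosing method starts above the hunk.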
diff --git a/test-requirements.txt b/test-requirements.txt
index ee4cf7cb..f3685245 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -3,7 +3,7 @@
 # process, which may cause wedges in the gate later.
 
 hacking>=0.12.0,<0.13 # Apache-2.0
-
+bandit>=1.5.1
 coverage>=4.0,!=4.4 # Apache-2.0
 openstackdocstheme>=1.11.0  # Apache-2.0
 oslotest>=1.10.0 # Apache-2.0
diff --git a/tox.ini b/tox.ini
index b4e33a9a..7d579ea4 100644
--- a/tox.ini
+++ b/tox.ini
@@ -21,8 +21,14 @@ whitelist_externals =
   bash
   find
 
+[testenv:bandit]
+deps = .[bandit]
+commands = bandit-baseline -r orm -n5 -c bandit.yaml
+
 [testenv:pep8]
-commands = flake8 {posargs}
+commands =
+  flake8 {posargs}
+  {[testenv:bandit]commands}
 
 [testenv:venv]
 commands = {posargs}
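Review bot: `[testenv:bandit]` installs `deps = .[bandit]`, an extras group that nothing in this diff declares, while the bandit requirement itself was added to test-requirements.txt; unless setup.cfg already defines a `bandit` extra, the env will not have the tool, and the `pep8` env that now chains `{[testenv:bandit]commands}` has the same gap if its deps are not the test requirements. Pointing both at the same source, e.g. `deps = -r{toxinidir}/test-requirements.txt`, keeps them consistent. As I understand it, `bandit-baseline` reports only findings introduced relative to the previous commit and needs a clean git checkout to run, so if the intent is a gate over the whole `orm` tree, `bandit -r orm -n5 -c bandit.yaml` is the command that enforces that.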