Hello,

The libraries from the Oslo project are used everywhere in OpenStack, which means that a security issue in Oslo code might have an impact on a lot of other projects. This is why I am currently trying to add support for the bandit[1] static checker in all of the Oslo libraries.

While reviewing one of my patches[2], Victor Stinner noticed that the
bandit configuration file (bandit.yaml) I proposed, which is basically a
copy of the example config file[3] provided by the bandit project with
some minor changes, might be a bit hard to maintain across all Oslo
projects. Indeed, all configuration files could potentially have to be
changed whenever a new checker is added to bandit, for instance.

In order to make it easier to keep an up-to-date configuration file, I
quickly wrote a proof of concept[4] that allows developers to generate a
configuration file that fits their needs. One can now generate a working
bandit.yaml configuration file by typing something like:

$ bandit-conf-generator --disable try_except_pass --out bandit.yaml oslo.messaging ~/openstack/bandit/bandit/config/bandit.yaml

Whenever a new version of bandit comes out, one can grab the latest
config file example from the bandit release, and re-run the above
command. The generated config file will include all the new checkers.

What do you think? Could this be a useful tool to handle bandit
configurations?


Cyril Roelandt.
---

[1] https://wiki.openstack.org/wiki/Security/Projects/Bandit
[2] https://review.openstack.org/#/c/239666/
[3] https://github.com/openstack/bandit/blob/master/bandit/config/bandit.yaml
[4] https://github.com/CyrilRoelandteNovance/bandit_conf_generator
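As an added illustration of the generation step described in the message (this is not the proof of concept from [4]), a small Python script that takes bandit's example config plus a list of checkers to disable and writes a project bandit.yaml. It assumes the example config lists test names in include/exclude lists under a top-level profiles mapping; the sample config embedded here is constructed, not the real file.

```python
"""Generate a project bandit.yaml from bandit's example config with some
checkers disabled.  Assumed layout: a top-level ``profiles`` mapping whose
entries carry ``include``/``exclude`` lists of test names."""
import copy
import sys

# Constructed, shortened stand-in for bandit's example bandit.yaml.
SAMPLE_CONFIG = {
    "profiles": {
        "All": {"include": ["exec_used",
                            "subprocess_popen_with_shell_equals_true",
                            "try_except_pass"]},
        "ShellInjection": {"include": ["subprocess_popen_with_shell_equals_true"],
                           "exclude": ["try_except_pass"]},
    },
    "try_except_pass": {"check_typed_exception": True},
}


def disable_tests(config, disabled):
    """Return a copy of ``config`` with every test in ``disabled`` removed from
    each profile's include list and added to its exclude list.  A name that
    no profile knows raises, so a typo in --disable cannot silently leave a
    checker enabled."""
    known = {t for p in config["profiles"].values()
             for t in p.get("include", []) + p.get("exclude", [])}
    unknown = set(disabled) - known
    if unknown:
        raise ValueError("unknown bandit test(s): " + ", ".join(sorted(unknown)))
    out = copy.deepcopy(config)  # never mutate the caller's example config
    for profile in out["profiles"].values():
        if "include" in profile:
            profile["include"] = [t for t in profile["include"] if t not in disabled]
        excl = profile.get("exclude", [])
        profile["exclude"] = excl + sorted(set(disabled) - set(excl))
    return out


def generate(example_path, out_path, disabled):
    """Read bandit's example YAML, apply the disables and write ``out_path``."""
    import yaml  # PyYAML; imported here so disable_tests() needs no extra dependency
    with open(example_path) as f:
        config = yaml.safe_load(f)
    with open(out_path, "w") as f:
        yaml.safe_dump(disable_tests(config, disabled), f, default_flow_style=False)


if __name__ == "__main__":
    # usage: gen.py EXAMPLE_YAML OUT_YAML [TEST_TO_DISABLE ...]
    generate(sys.argv[1], sys.argv[2], sys.argv[3:])
```

Re-running the script against a newer example file keeps the project's disabled checkers while picking up any tests the new bandit release added.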

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev