On Mon, Nov 2, 2015 at 12:22 PM, Cyril Roelandt <[email protected]> wrote:
> Hello,
>
> The libraries from the Oslo project are used everywhere in OpenStack,
> which means that a security issue in Oslo code might have an impact on a
> lot of other projects. This is why I am currently trying to add support
> for the bandit[1] static checker in all of the Oslo libraries.
>
> While reviewing one of my patches[2], Victor Stinner noticed that the
> bandit configuration file (bandit.yaml) I proposed, which is basically a
> copy of the example config file[3] provided by the bandit project with
> some minor changes, might be a bit hard to maintain across all Oslo
> projects. Indeed, all configuration files could potentially have to be
> changed whenever a new checker is added to bandit, for instance.
>
> In order to make it easier to keep an up-to-date configuration file, I
> quickly wrote a proof of concept[4] that allows developers to generate a
> configuration file that fits their needs. One can now generate a working
> bandit.yaml configuration file by typing something like:
>
> $ bandit-conf-generator --disable try_except_pass --out bandit.yaml
> oslo.messaging ~/openstack/bandit/bandit/config/bandit.yaml
>
> Whenever a new version of bandit comes out, one can grab the latest
> config file example from the bandit release, and re-run the above
> command. The generated config file will include all the new checkers.
>
> What do you think? Could this be a useful tool to handle bandit
> configurations?
>

We could use something like this in keystone since we've got a few
repositories. There should be a way to document why the test was skipped
since otherwise we'll have to figure it out every time we update the
file. Putting a comment on the command line would wind up being unwieldy,
so we should have a config file for bandit-conf-generator... but then why
not just have bandit know how to read the bandit-conf-generator config
file and skip the extra step?

- Brant

> Cyril Roelandt.
>
> ---
>
> [1] https://wiki.openstack.org/wiki/Security/Projects/Bandit
> [2] https://review.openstack.org/#/c/239666/
> [3] https://github.com/openstack/bandit/blob/master/bandit/config/bandit.yaml
> [4] https://github.com/CyrilRoelandteNovance/bandit_conf_generator
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: [email protected]?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
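The following is an added example, not code from Cyril's bandit_conf_generator proof of concept or from bandit itself, of the "config file with documented skips" idea Brant raises: a project keeps a small skip file of `test_name: reason` lines, and a generator merges it with the upstream example config so every disabled check carries its justification into the generated bandit.yaml and stale skips (checks renamed or dropped in a new bandit release) are reported instead of silently kept. The profile include/exclude layout of the output and the skip-file syntax are assumptions, and `UPSTREAM_TESTS` is a constructed sample rather than the real upstream test list.

```python
import re

# Constructed stand-in for the test list found in the upstream bandit
# example config. The real file is longer; these names are only a sample.
UPSTREAM_TESTS = [
    "assert_used",
    "exec_used",
    "hardcoded_password",
    "subprocess_popen_with_shell_equals_true",
    "try_except_pass",
]

# Assumed skip-file syntax: one "test_name: why it is skipped" per line.
SKIP_LINE = re.compile(r"^([A-Za-z0-9_]+)\s*:\s*(\S.*?)\s*$")


def parse_skip_file(text):
    """Read the project's skip file into {test_name: reason}.

    Blank lines and '#' comments are ignored. A line without a reason is
    rejected, so every skipped check carries its justification into the
    generated file instead of living in someone's memory.
    """
    skips = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SKIP_LINE.match(line)
        if not match:
            raise ValueError(
                "skip file line %d: expected 'test_name: reason', got %r"
                % (lineno, raw))
        name, reason = match.groups()
        if name in skips:
            raise ValueError("skip file line %d: %s listed twice" % (lineno, name))
        skips[name] = reason
    return skips


def generate_config(upstream_tests, skips, profile="project"):
    """Merge the upstream test list with the project's skips.

    Returns (yaml_text, stale): yaml_text enables every upstream test that
    is not skipped and excludes each skipped one with its reason as a
    comment; stale lists skip entries that match no upstream test (a check
    renamed or dropped in a new bandit release), so they get cleaned up
    rather than silently ignored.
    """
    known = set(upstream_tests)
    stale = sorted(name for name in skips if name not in known)
    included = [name for name in upstream_tests if name not in skips]
    excluded = [name for name in upstream_tests if name in skips]

    # Assumed output layout: a bandit profile with include/exclude lists.
    lines = [
        "# Generated from the upstream bandit example config.",
        "# Do not edit by hand: rerun the generator after each bandit release.",
        "profiles:",
        "  %s:" % profile,
        "    include:",
    ]
    lines.extend("      - %s" % name for name in included)
    if excluded:
        lines.append("    exclude:")
        for name in excluded:
            # The reason travels with the skip, which is what makes the
            # next upgrade review cheap.
            lines.append("      # %s: %s" % (name, skips[name]))
            lines.append("      - %s" % name)
    else:
        lines.append("    exclude: []")
    return "\n".join(lines) + "\n", stale


if __name__ == "__main__":
    # Constructed skip file for one project.
    skip_text = ("# project skips\n"
                 "try_except_pass: cleanup paths swallow errors on purpose\n")
    text, stale = generate_config(UPSTREAM_TESTS, parse_skip_file(skip_text))
    print(text)
    if stale:
        print("stale skips, fix the skip file: %s" % ", ".join(stale))
```

Rerunning the generator against each new bandit release then picks up every added checker automatically, while the skip file stays the single place where exemptions and their reasons are reviewed.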
