I reviewed python-prometheus-client 0.9.0-1 as checked into impish. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability.
python-prometheus-client is a middleware layer to provide metrics for
openstack software. (It could probably be asked to work outside the
openstack ecosystem.)
- CVE History:
None
- Build-Depends: debhelper-compat (= 13)
- Build-Depends-Indep: dh-python, python3-all, python3-decorator (>= 4.0.10),
python3-pytest, python3-setuptools
- pre/post inst/rm scripts?
automatically added by dh_python3 -- (funny trailing space in there)
- init scripts?
None
- systemd units?
None
- dbus services?
None
- setuid binaries?
None
- binaries in PATH?
None
- sudo fragments?
None
- polkit files?
None
- udev rules?
None
- unit tests / autopkgtests?
large selection of tests, run during build
- cron jobs?
None
- Build logs:
E: python-prometheus-client changes: bad-distribution-in-changes-file unstable
(meh)
- Processes spawned?
None
- Memory management?
None
- File IO?
I believe it's all under control of the application that embeds this
middleware -- though this uses the 'prometheus_multiproc_dir'
environment variable when constructing paths to open
- Logging?
None
- Environment variable usage?
'prometheus_multiproc_dir', 'HTTP_ACCEPT', 'QUERY_STRING' -- looked fine
- Use of privileged functions?
None
- Use of cryptography / random number sources etc?
None
- Use of temp files?
Some -- though, in the same directory as the storage target, and
'simple' constructed names. Not quite as good as mkstemp(3) but not
blatantly out of line either.
- Use of networking?
Yes, both as a server and as a client; both parts are under control of
whichever program has embedded this toolkit. Probably the quality varies
drastically between the start_http_server method vs start_wsgi_server
method.
- Use of WebKit?
None
- Use of PolicyKit?
None
- Any significant cppcheck results?
None
- Any significant Coverity results?
Nothing substantial
- Any significant shellcheck results?
None
- Any significant bandit results?
Nothing substantial
This is very-generic middleware. Quite a lot of what it does will be
controlled by code elsewhere. So it's perhaps lacking checks / controls /
etc that feel like they should be here, but its inputs aren't entirely
wide open because code elsewhere should be doing something reasonable.
Security team ACK for promoting python-prometheus-client to main.
** Changed in: python-prometheus-client (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
** Changed in: python-prometheus-client (Ubuntu)
Status: New => In Progress
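Added example, not code from python-prometheus-client or the reviewer: it shows the mkstemp(3)-style pattern the review contrasts with "simple" constructed temp names, writing into the directory taken from the prometheus_multiproc_dir environment variable. The function names and the counter_1.db file name are hypothetical.

```python
# Added example, not python-prometheus-client code: an mkstemp(3)-based temp file in
# the same directory as the target, the pattern the review measures the package against.
import os
import tempfile


def resolve_multiproc_dir(env=None):
    """Return the configured metrics directory, refusing unset or non-directory values."""
    raw = (os.environ if env is None else env).get("prometheus_multiproc_dir")
    if not raw:
        raise RuntimeError("prometheus_multiproc_dir is not set")
    path = os.path.realpath(raw)
    if not os.path.isdir(path):
        raise NotADirectoryError(path)
    return path


def write_atomically(directory, name, payload):
    """Write via an unpredictable temp file in the same directory (so os.replace
    stays on one filesystem), fsync, then rename: readers see only complete files."""
    if os.path.basename(name) != name or name in ("", ".", ".."):
        raise ValueError("name must be a single path component")
    fd, tmp = tempfile.mkstemp(prefix=f".{name}.", dir=directory)  # mode 0600, O_EXCL
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(payload)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, os.path.join(directory, name))
    except BaseException:
        os.unlink(tmp)  # rename did not happen, so the temp file is still there
        raise
    return os.path.join(directory, name)


def demo():
    """Exercise both helpers in a throwaway directory (constructed input)."""
    with tempfile.TemporaryDirectory() as d:
        target_dir = resolve_multiproc_dir({"prometheus_multiproc_dir": d})
        write_atomically(target_dir, "counter_1.db", b"v1")
        final = write_atomically(target_dir, "counter_1.db", b"v2")
        with open(final, "rb") as fh:
            content = fh.read()
        leftovers = [f for f in os.listdir(target_dir) if f != "counter_1.db"]
        try:
            write_atomically(target_dir, "../escape.db", b"x")
            refused = False
        except ValueError:
            refused = True
    return {"content": content, "leftovers": leftovers, "refused": refused}
```

demo() overwrites an existing file, confirms no stray temp file remains, and shows a name containing a path separator being refused.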
https://bugs.launchpad.net/bugs/1943143
Title:
[MIR] python-oslo.metrics, python-prometheus-client