[openstack-dev] [oslo][bandit] Handling bandit configuration files in Oslo.

Cyril Roelandt cyril at redhat.com
Mon Nov 2 18:22:34 UTC 2015


Hello,

The libraries from the Oslo project are used everywhere in OpenStack, 
which means that a security issue in Oslo code might have an impact on a
lot of other projects. This is why I am currently trying to add support 
for the bandit[1] static checker in all of the Oslo libraries.

While reviewing one of my patches[2], Victor Stinner noticed that the 
bandit configuration file (bandit.yaml) I proposed, which is basically a
copy of the example config file[3] provided by the bandit project with
some minor changes, might be a bit hard to maintain across all Oslo 
projects. Indeed, all configuration files could potentially have to be
changed whenever a new checker is added to bandit, for instance.

In order to make it easier to keep an up-to-date configuration file, I
quickly wrote a proof of concept[4] that allows developers to generate a
configuration file that fits their needs. One can now generate a working
bandit.yaml configuration file by typing something like:

$ bandit-conf-generator --disable try_except_pass --out bandit.yaml \
    oslo.messaging ~/openstack/bandit/bandit/config/bandit.yaml

Whenever a new version of bandit comes out, one can grab the latest
config file example from the bandit release, and re-run the above
command. The generated config file will include all the new checkers.

What do you think? Could this be a useful tool to handle bandit
configurations?


Cyril Roelandt.
---

[1] https://wiki.openstack.org/wiki/Security/Projects/Bandit
[2] https://review.openstack.org/#/c/239666/
[3] https://github.com/openstack/bandit/blob/master/bandit/config/bandit.yaml
[4] https://github.com/CyrilRoelandteNovance/bandit_conf_generator
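The following is an added example (not the bandit_conf_generator tool from [4] and not code from the Oslo or bandit projects) of the generation step the message describes: take bandit's example config, drop the checkers a project wants disabled from every profile, add a profile named after the project, and write the result as bandit.yaml. It assumes the example config has the shape bandit's bandit.yaml had at the time (a "profiles" map with per-profile "include" lists, plus per-checker settings keyed by checker name); the embedded EXAMPLE_CONFIG is a constructed sample in that shape, not the real file. It also assumes a profile may carry an "exclude" list. PyYAML is only needed when a real example file is passed on the command line; with no file argument the constructed sample is used, so the script runs offline.

```python
# Added example: a minimal stand-in for the proposed bandit-conf-generator.
# Works on the config as a plain dict so it runs without PyYAML when the
# constructed sample below is used.
import argparse
import copy
import sys

# Constructed sample shaped like bandit's example bandit.yaml of the time
# (assumption: "profiles" map with per-profile "include" lists, plus
# per-checker settings keyed by checker name). Not the real file.
EXAMPLE_CONFIG = {
    "profiles": {
        "All": {"include": [
            "assert_used",
            "exec_used",
            "hardcoded_bind_all_interfaces",
            "subprocess_popen_with_shell_equals_true",
            "try_except_pass",
        ]},
        "ShellInjection": {"include": [
            "subprocess_popen_with_shell_equals_true",
        ]},
    },
    "try_except_pass": {"check_typed_exception": True},
    "hardcoded_bind_all_interfaces": {"level": "MEDIUM"},
}


def all_checkers(config):
    """Every checker named in any profile of the example config."""
    names = set()
    for profile in config.get("profiles", {}).values():
        names.update(profile.get("include", []))
    return names


def generate_config(example, project, disabled):
    """Return a new config: every profile minus the disabled checkers, plus a
    profile named after the project that is "All" minus the disabled ones.
    Unknown names in `disabled` are rejected so that a typo cannot silently
    leave a checker enabled."""
    unknown = set(disabled) - all_checkers(example)
    if unknown:
        raise ValueError("unknown checker(s): %s" % ", ".join(sorted(unknown)))
    cfg = copy.deepcopy(example)  # never mutate the upstream example
    for profile in cfg["profiles"].values():
        profile["include"] = [c for c in profile["include"] if c not in disabled]
    cfg["profiles"][project] = {
        "include": list(cfg["profiles"]["All"]["include"]),
        "exclude": sorted(disabled),  # assumption: profiles accept "exclude"
    }
    # Drop the per-checker settings of checkers no profile runs any more.
    for name in disabled:
        cfg.pop(name, None)
    return cfg


def _scalar(val):
    return str(val).lower() if isinstance(val, bool) else str(val)


def dump_yaml(value, indent=0):
    """Tiny YAML emitter for the nested dict/list/scalar shape used here."""
    pad = "    " * indent
    lines = []
    if isinstance(value, dict):
        for key, val in value.items():
            if isinstance(val, (dict, list)):
                lines.append("%s%s:" % (pad, key))
                lines.extend(dump_yaml(val, indent + 1))
            else:
                lines.append("%s%s: %s" % (pad, key, _scalar(val)))
    else:  # list of scalars
        for item in value:
            lines.append("%s- %s" % (pad, _scalar(item)))
    return lines


def main(argv=None):
    ap = argparse.ArgumentParser(description="generate a bandit.yaml")
    ap.add_argument("--disable", action="append", default=[], metavar="CHECKER")
    ap.add_argument("--out", default="-", help="output file, '-' for stdout")
    ap.add_argument("project", help="profile name to create, e.g. oslo.messaging")
    ap.add_argument("example", nargs="?", help="bandit's example bandit.yaml")
    args = ap.parse_args(argv)
    if args.example:
        import yaml  # PyYAML, only needed to read a real example file
        with open(args.example) as fh:
            example = yaml.safe_load(fh)
    else:
        example = EXAMPLE_CONFIG  # constructed sample, see above
    cfg = generate_config(example, args.project, set(args.disable))
    text = "\n".join(dump_yaml(cfg)) + "\n"
    if args.out == "-":
        sys.stdout.write(text)
    else:
        with open(args.out, "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    main()
```

Run as `python generate_bandit_config.py --disable try_except_pass oslo.messaging` to see the generated file on stdout; re-running it against a newer example config picks up any checker that was added upstream, while a checker name that no longer exists in the example is reported instead of being ignored.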