[openstack-dev] [oslo][bandit] Handling bandit configuration files in Oslo.

Brant Knudson blk at acm.org
Mon Nov 2 18:40:32 UTC 2015


On Mon, Nov 2, 2015 at 12:22 PM, Cyril Roelandt <cyril at redhat.com> wrote:

> Hello,
>
> The libraries from the Oslo project are used everywhere in OpenStack,
> which means that a security issue in Oslo code might have an impact on a
> lot of other projects. This is why I am currently trying to add support
> for the bandit[1] static checker in all of the Oslo libraries.
>
> While reviewing one of my patches[2], Victor Stinner noticed that the
> bandit configuration file (bandit.yaml) I proposed, which is basically a
> copy of the example config file[3] provided by the bandit project with
> some minor changes, might be a bit hard to maintain across all Oslo
> projects. Indeed, all configuration files could potentially have to be
> changed whenever a new checker is added to bandit, for instance.
>
> In order to make it easier to keep an up-to-date configuration file, I
> quickly wrote a proof of concept[4] that allows developers to generate a
> configuration file that fits their needs. One can now generate a working
> bandit.yaml configuration file by typing something like:
>
> $ bandit-conf-generator --disable try_except_pass --out bandit.yaml \
>       oslo.messaging ~/openstack/bandit/bandit/config/bandit.yaml
>
> Whenever a new version of bandit comes out, one can grab the latest
> config file example from the bandit release, and re-run the above
> command. The generated config file will include all the new checkers.
>
> What do you think? Could this be a useful tool to handle bandit
> configurations?
>
>
We could use something like this in keystone since we've got a few
repositories. There should be a way to document why the test was skipped
since otherwise we'll have to figure it out every time we update the file.
Putting a comment on the command line would wind up being unwieldy, so we
should have a config file for bandit-conf-generator... but then why not
just have bandit know how to read the bandit-conf-generator config file and
skip the extra step?

- Brant


> Cyril Roelandt.
> ---
>
> [1] https://wiki.openstack.org/wiki/Security/Projects/Bandit
> [2] https://review.openstack.org/#/c/239666/
> [3]
> https://github.com/openstack/bandit/blob/master/bandit/config/bandit.yaml
> [4] https://github.com/CyrilRoelandteNovance/bandit_conf_generator
>
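The workflow the thread describes, as an added example that is not Cyril's bandit-conf-generator, bandit's own code, or anything from the Oslo or keystone repositories: a per-project skip file that records *why* each check is disabled (Brant's point), fed into a generator that rebuilds the profile from whatever check list the installed bandit release ships (Cyril's point). The check names, the skip file and the two "release" lists are constructed for illustration, and the emitted `profiles:` / `include:` / `exclude:` layout is a simplified form of the 2015-era bandit.yaml; the example config shipped with your bandit release is the authority on the real keys. One caveat the example enforces: a skip that names a check the new release no longer has is an error, not a silent no-op, because a renamed checker would otherwise quietly come back on.

```python
"""Regenerate a bandit profile from an upstream check list plus a documented skip list.

Added example, not bandit-conf-generator or bandit's own code. Check names,
skip file and release lists are constructed; the YAML layout is simplified.
"""
import re

# Constructed stand-in for the plugin names shipped with one bandit release.
UPSTREAM_CHECKS_V0_13 = [
    "assert_used",
    "exec_used",
    "hardcoded_bind_all_interfaces",
    "hardcoded_password",
    "subprocess_popen_with_shell_equals_true",
    "try_except_pass",
]

# The same list after a hypothetical newer release adds one checker.
UPSTREAM_CHECKS_NEXT = UPSTREAM_CHECKS_V0_13 + ["hardcoded_tmp_directory"]

# Constructed per-project skip file: "<check>: <why it is skipped>", one per line.
SKIP_FILE = """\
# Checks disabled for oslo.messaging, with the justification for each.
try_except_pass: drivers intentionally swallow errors in cleanup paths; reviewed 2015-11
assert_used: asserts only appear under tests/, which is excluded from the scan
"""

SKIP_LINE = re.compile(r"^(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*:\s*(?P<reason>\S.*)$")


def parse_skip_file(text):
    """Return {check_name: reason}; a skip without a reason is rejected."""
    skips = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SKIP_LINE.match(line)
        if not m:
            raise ValueError(
                "skip file line %d: expected '<check>: <reason>', got %r" % (lineno, raw))
        skips[m.group("name")] = m.group("reason")
    return skips


def generate_profile(upstream_checks, skips):
    """Split the upstream check list into (include, exclude), preserving its order.

    Every skip must name a check the current release actually has, so a renamed
    or removed checker is noticed at regeneration time rather than re-enabled.
    """
    unknown = sorted(set(skips) - set(upstream_checks))
    if unknown:
        raise ValueError(
            "skip list names checks unknown to this bandit release: %s" % ", ".join(unknown))
    include = [c for c in upstream_checks if c not in skips]
    exclude = [c for c in upstream_checks if c in skips]
    return include, exclude


def render_bandit_yaml(profile_name, include, exclude, skips):
    """Emit the profile as YAML text; each excluded check carries its reason as a comment."""
    lines = [
        "# Generated file: edit the skip file and regenerate, do not hand-edit.",
        "profiles:",
        "    %s:" % profile_name,
        "        include:",
    ]
    lines += ["            - %s" % c for c in include]
    if not exclude:
        lines.append("        exclude: []")
    else:
        lines.append("        exclude:")
        for c in exclude:
            lines.append("            # %s" % skips[c])
            lines.append("            - %s" % c)
    return "\n".join(lines) + "\n"


def regenerate(upstream_checks, skip_text, profile_name="oslo.messaging"):
    """Full pipeline: parse the skip file, split the checks, render the YAML."""
    skips = parse_skip_file(skip_text)
    include, exclude = generate_profile(upstream_checks, skips)
    return render_bandit_yaml(profile_name, include, exclude, skips)


if __name__ == "__main__":
    # Re-running against the newer release picks up hardcoded_tmp_directory automatically.
    print(regenerate(UPSTREAM_CHECKS_NEXT, SKIP_FILE))
```

Running it against `UPSTREAM_CHECKS_NEXT` puts the new `hardcoded_tmp_directory` checker straight into `include`, while the two documented skips land in `exclude` with their reasons beside them, so the next person updating the file does not have to rediscover why they were turned off.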
