The three lines of code in pegleg.engine.errorcodes, and
pegleg.engine.util.pegleg_secret_management are giving false positive
bandit errors. This patchset address these by adding # nosec label
to each line, instructing Bandit to ignore that line of code.
The three errors detected are all B105, details below from Bandit:
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password:
'P009'
Severity: Low Confidence: Medium
Location: pegleg/engine/errorcodes.py:22
20 FILE_CONTAINS_INVALID_YAML = 'P007'
21 DOCUMENT_LAYER_MISMATCH = 'P008'
22 SECRET_NOT_ENCRYPTED_POLICY = 'P009'
23
24 ALL_CODES = (
25 SCHEMA_STORAGE_POLICY_MISMATCH_FLAG,
# nosec reasoning: The variable 'SECRET_NOT_ENCRYPTED_POLICY' does not
map to a hardcoded password.
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password:
'^.{24,}$'
Severity: Low Confidence: Medium
Location: pegleg/engine/util/pegleg_secret_management.py:30
28
29 LOG = logging.getLogger(__name__)
30 PASSPHRASE_PATTERN = '^.{24,}$'
31 ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE'
32 ENV_SALT = 'PEGLEG_SALT'
# nosec reasoning: The variable 'PASSPHRASE_PATTERN' does not map to a
hardcoded password
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password:
'PEGLEG_PASSPHRASE'
Severity: Low Confidence: Medium
Location: pegleg/engine/util/pegleg_secret_management.py:31
29 LOG = logging.getLogger(__name__)
30 PASSPHRASE_PATTERN = '^.{24,}$'
31 ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE'
32 ENV_SALT = 'PEGLEG_SALT'
33
# nosec reasoning: The variable 'ENV_PASSPHRASE' does not map to a
hardcoded password. This is setting the environment variable name that
passwords are stored in as 'PEGLEG_PASSPHRASE'. The passphrases are not
hardcoded on disk, but retrieved from environment variables later via
os.environ.get(ENV_PASSPHRASE)
Change-Id: I4508b30b763f25e4466c2e2159fbaf3c7df68b5b