airship
/
pegleg
Code Issues Proposed changes

Add nosec to Bandit False Positives 

The three lines of code in pegleg.engine.errorcodes, and
pegleg.engine.util.pegleg_secret_management are giving false positive
bandit errors.  This patchset address these by adding # nosec label
to each line, instructing Bandit to ignore that line of code.

The three errors detected are all B105, details below from Bandit:

>> Issue: [B105:hardcoded_password_string] Possible hardcoded password:
'P009'
   Severity: Low   Confidence: Medium
   Location: pegleg/engine/errorcodes.py:22
20      FILE_CONTAINS_INVALID_YAML = 'P007'
21      DOCUMENT_LAYER_MISMATCH = 'P008'
22      SECRET_NOT_ENCRYPTED_POLICY = 'P009'
23
24      ALL_CODES = (
25          SCHEMA_STORAGE_POLICY_MISMATCH_FLAG,

# nosec reasoning: The variable 'SECRET_NOT_ENCRYPTED_POLICY' does not
map to a hardcoded password.

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password:
'^.{24,}$'
   Severity: Low   Confidence: Medium
   Location: pegleg/engine/util/pegleg_secret_management.py:30
28
29      LOG = logging.getLogger(__name__)
30      PASSPHRASE_PATTERN = '^.{24,}$'
31      ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE'
32      ENV_SALT = 'PEGLEG_SALT'

# nosec reasoning: The variable 'PASSPHRASE_PATTERN' does not map to a
hardcoded password

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password:
'PEGLEG_PASSPHRASE'
   Severity: Low   Confidence: Medium
   Location: pegleg/engine/util/pegleg_secret_management.py:31

29      LOG = logging.getLogger(__name__)
30      PASSPHRASE_PATTERN = '^.{24,}$'
31      ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE'
32      ENV_SALT = 'PEGLEG_SALT'
33

# nosec reasoning: The variable 'ENV_PASSPHRASE' does not map to a
hardcoded password.  This is setting the environment variable name that
passwords are stored in as 'PEGLEG_PASSPHRASE'.  The passphrases are not
hardcoded on disk, but retrieved from environment variables later via
os.environ.get(ENV_PASSPHRASE)

Change-Id: I4508b30b763f25e4466c2e2159fbaf3c7df68b5b
This commit is contained in:
Alexander Hughes 2019-05-09 09:55:09 -05:00 committed by Alexander Hughes
parent c40ecd1ce9
commit 498d5c078f
2 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pegleg/engine/errorcodes.py
View File

@ -19,7 +19,7 @@ DECKHAND_RENDER_EXCEPTION = 'P005'
FILE_MISSING_YAML_DOCUMENT_HEADER = 'P006'
FILE_CONTAINS_INVALID_YAML = 'P007'
DOCUMENT_LAYER_MISMATCH = 'P008'
SECRET_NOT_ENCRYPTED_POLICY = 'P009'
SECRET_NOT_ENCRYPTED_POLICY = 'P009' # nosec (alexanderhughes)
ALL_CODES = (
SCHEMA_STORAGE_POLICY_MISMATCH_FLAG,

4
pegleg/engine/util/pegleg_secret_management.py
View File

@ -27,8 +27,8 @@ from pegleg.engine.util.pegleg_managed_document import \
PeglegManagedSecretsDocument as PeglegManagedSecret
LOG = logging.getLogger(__name__)
PASSPHRASE_PATTERN = '^.{24,}$'
ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE'
PASSPHRASE_PATTERN = '^.{24,}$' # nosec (alexanderhughes)
ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE' # nosec (alexanderhughes)
ENV_SALT = 'PEGLEG_SALT'