From 498d5c078f24dcc22d24a8172c263a0cdc03ead7 Mon Sep 17 00:00:00 2001 
From: Alexander Hughes Date: Thu, 9 May 2019 09:55:09 -0500 Subject: [PATCH] Add nosec to Bandit False Positives The three lines of code in pegleg.engine.errorcodes, and pegleg.engine.util.pegleg_secret_management are giving false positive bandit errors. This patchset addresses these by adding a # nosec label to each line, instructing Bandit to ignore that line of code. The three errors detected are all B105, details below from Bandit: >> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'P009' Severity: Low Confidence: Medium Location: pegleg/engine/errorcodes.py:22 20 FILE_CONTAINS_INVALID_YAML = 'P007' 21 DOCUMENT_LAYER_MISMATCH = 'P008' 22 SECRET_NOT_ENCRYPTED_POLICY = 'P009' 23 24 ALL_CODES = ( 25 SCHEMA_STORAGE_POLICY_MISMATCH_FLAG, # nosec reasoning: The variable 'SECRET_NOT_ENCRYPTED_POLICY' does not map to a hardcoded password. -------------------------------------------------- >> Issue: [B105:hardcoded_password_string] Possible hardcoded password: '^.{24,}$' Severity: Low Confidence: Medium Location: pegleg/engine/util/pegleg_secret_management.py:30 28 29 LOG = logging.getLogger(__name__) 30 PASSPHRASE_PATTERN = '^.{24,}$' 31 ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE' 32 ENV_SALT = 'PEGLEG_SALT' # nosec reasoning: The variable 'PASSPHRASE_PATTERN' does not map to a hardcoded password -------------------------------------------------- >> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'PEGLEG_PASSPHRASE' Severity: Low Confidence: Medium Location: pegleg/engine/util/pegleg_secret_management.py:31 29 LOG = logging.getLogger(__name__) 30 PASSPHRASE_PATTERN = '^.{24,}$' 31 ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE' 32 ENV_SALT = 'PEGLEG_SALT' 33 # nosec reasoning: The variable 'ENV_PASSPHRASE' does not map to a hardcoded password. This is setting the environment variable name that passwords are stored in as 'PEGLEG_PASSPHRASE'. 
The passphrases are not hardcoded on disk, but retrieved from environment variables later via os.environ.get(ENV_PASSPHRASE) Change-Id: I4508b30b763f25e4466c2e2159fbaf3c7df68b5b
---
 pegleg/engine/errorcodes.py | 2 +-
 pegleg/engine/util/pegleg_secret_management.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/pegleg/engine/errorcodes.py b/pegleg/engine/errorcodes.py
index 08261cbf..1ce3b2a9 100644
--- a/pegleg/engine/errorcodes.py
+++ b/pegleg/engine/errorcodes.py
@@ -19,7 +19,7 @@ DECKHAND_RENDER_EXCEPTION = 'P005'
 FILE_MISSING_YAML_DOCUMENT_HEADER = 'P006'
 FILE_CONTAINS_INVALID_YAML = 'P007'
 DOCUMENT_LAYER_MISMATCH = 'P008'
-SECRET_NOT_ENCRYPTED_POLICY = 'P009'
+SECRET_NOT_ENCRYPTED_POLICY = 'P009' # nosec (alexanderhughes)
 
 ALL_CODES = (
 SCHEMA_STORAGE_POLICY_MISMATCH_FLAG,
diff --git a/pegleg/engine/util/pegleg_secret_management.py b/pegleg/engine/util/pegleg_secret_management.py
index 7a18589d..d832a2b6 100644
--- a/pegleg/engine/util/pegleg_secret_management.py
+++ b/pegleg/engine/util/pegleg_secret_management.py
@@ -27,8 +27,8 @@ from pegleg.engine.util.pegleg_managed_document import \
 PeglegManagedSecretsDocument as PeglegManagedSecret
 
 LOG = logging.getLogger(__name__)
-PASSPHRASE_PATTERN = '^.{24,}$'
-ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE'
+PASSPHRASE_PATTERN = '^.{24,}$' # nosec (alexanderhughes)
+ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE' # nosec (alexanderhughes)
 ENV_SALT = 'PEGLEG_SALT'
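Review bot: The bare `# nosec` on the new SECRET_NOT_ENCRYPTED_POLICY line in errorcodes.py silences every Bandit check on that line, not only the B105 finding the commit message describes, and the `(alexanderhughes)` parenthetical records who added the marker rather than why it is safe. Current Bandit accepts a test id after the marker, so `SECRET_NOT_ENCRYPTED_POLICY = 'P009'  # nosec B105: error code, not a credential` keeps the exemption scoped to the one false positive and carries the justification from the commit message into the file; as far as I recall, older Bandit releases ignore trailing text after the marker, so the scoped form is backward compatible. The same applies to the PASSPHRASE_PATTERN and ENV_PASSPHRASE lines in the pegleg_secret_management.py hunk, which are environment-variable names and a length regex rather than secrets. The ALL_CODES tuple opened at the end of this hunk continues outside it.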