The three lines of code in pegleg.engine.errorcodes, and
pegleg.engine.util.pegleg_secret_management are giving false positive
bandit errors. This patchset address these by adding # nosec label
to each line, instructing Bandit to ignore that line of code.
The three errors detected are all B105, details below from Bandit:
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password:
'P009'
Severity: Low Confidence: Medium
Location: pegleg/engine/errorcodes.py:22
20 FILE_CONTAINS_INVALID_YAML = 'P007'
21 DOCUMENT_LAYER_MISMATCH = 'P008'
22 SECRET_NOT_ENCRYPTED_POLICY = 'P009'
23
24 ALL_CODES = (
25 SCHEMA_STORAGE_POLICY_MISMATCH_FLAG,
# nosec reasoning: The variable 'SECRET_NOT_ENCRYPTED_POLICY' does not
map to a hardcoded password.
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password:
'^.{24,}$'
Severity: Low Confidence: Medium
Location: pegleg/engine/util/pegleg_secret_management.py:30
28
29 LOG = logging.getLogger(__name__)
30 PASSPHRASE_PATTERN = '^.{24,}$'
31 ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE'
32 ENV_SALT = 'PEGLEG_SALT'
# nosec reasoning: The variable 'PASSPHRASE_PATTERN' does not map to a
hardcoded password
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password:
'PEGLEG_PASSPHRASE'
Severity: Low Confidence: Medium
Location: pegleg/engine/util/pegleg_secret_management.py:31
29 LOG = logging.getLogger(__name__)
30 PASSPHRASE_PATTERN = '^.{24,}$'
31 ENV_PASSPHRASE = 'PEGLEG_PASSPHRASE'
32 ENV_SALT = 'PEGLEG_SALT'
33
# nosec reasoning: The variable 'ENV_PASSPHRASE' does not map to a
hardcoded password. This is setting the environment variable name that
passwords are stored in as 'PEGLEG_PASSPHRASE'. The passphrases are not
hardcoded on disk, but retrieved from environment variables later via
os.environ.get(ENV_PASSPHRASE)
Change-Id: I4508b30b763f25e4466c2e2159fbaf3c7df68b5b
This patch set expands on the unit test coverage for lint checks
in test_selectable_linting which only covers a small subset of
the lint checks handled by Pegleg. This logic should be properly
tested as linting is fundamental to Pegleg functionality.
Change-Id: I6a59295982abd22bba8036827cefd4186b68e2fb
This patch set drops unused lint code P002 from Pegleg. The
variable for P002 is called:
DECKHAND_RENDERING_INCOMPLETE_FLAG
It is not clear what this even means, so the assumption here is
that it is a mishap so there is nothing to implement behind the
scenes. The recourse is to remove it.
Change-Id: I3bc99e5f48aa1fa9ea652f073fd4e147b4283e10
This patch set standardizes the Pegleg directory
structure because of the following reasons:
1) src/bin/pegleg is not necessary and only makes
building (e.g. documentation building) and running
of tox targets unnecessarily difficult.
2) src/bin/pegleg is a Java-like standard that
bears no relevance to Python.
Change-Id: I37d39d3d6186b92f8fbfe234221c9e44da48cf10
Alexander Hughes