From abc1b50ac4ddba1e55a3572fa736a0cba379510b Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Wed, 8 Aug 2018 00:08:30 -0500 Subject: [PATCH 1/3] Add new plugin to check use of pyghmi This patch set adds a new bandit plugin to check the use of pyghmi. Signed-off-by: Tin Lam --- README.rst | 3 +- bandit/plugins/import_pyghmi.py | 55 +++++++++++++++++++++++++++++ examples/pyghmi.py | 6 ++++ setup.cfg | 3 ++ tests/functional/test_functional.py | 8 +++++ 5 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 bandit/plugins/import_pyghmi.py create mode 100644 examples/pyghmi.py diff --git a/README.rst b/README.rst index 494a868b7..bfc5e7b64 100644 --- a/README.rst +++ b/README.rst @@ -37,7 +37,7 @@ this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report. -Bandit was originally developed within the OpenStack Security Project and +Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA. Installation @@ -224,6 +224,7 @@ Usage:: B412 import_httpoxy B413 import_pycrypto B414 import_pycryptodome + B415 pyghmi B501 request_with_no_cert_validation B502 ssl_with_bad_version B503 ssl_with_bad_defaults diff --git a/bandit/plugins/import_pyghmi.py b/bandit/plugins/import_pyghmi.py new file mode 100644 index 000000000..00281eb33 --- /dev/null +++ b/bandit/plugins/import_pyghmi.py 
@@ -0,0 +1,55 @@
+# Copyright (c) 2018 Accenture
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+r"""
+=========================================
+B415 Test for the usage of pyghmi library
+=========================================
+
+:Example:
+
+.. code-block:: none
+
+    >> Issue: [B415:pyghmi] Usage of pyghmi library detected.
+    IPMI is known to be a non-secure protocol.
+    Severity: Medium Confidence: Medium
+    Location: examples/pyghmi.py:4
+    3
+    4 cmd = command.Command(bmc="bmc",
+    5          userid="userid",
+    6          password="ZjE4ZjI0NTE4YmI2NGJj d")
+
+.. seealso::
+
+ - https://www.us-cert.gov/ncas/alerts/TA13-207A
+
+.. versionadded:: 1.5.0
+
+"""
+
+import bandit
+from bandit.core import test_properties as test
+
+
+@test.checks('Call')
+@test.test_id('B415')
+def pyghmi(context):
+    issue_text = ('Usage of pyghmi library detected. '
+                  'IPMI is known to be a non-secure protocol.')
+    for module in ['pyghmi']:
+        if context.is_module_imported_like(module):
+            return bandit.Issue(
+                severity=bandit.MEDIUM,
+                confidence=bandit.MEDIUM,
+                text=issue_text)
diff --git a/examples/pyghmi.py b/examples/pyghmi.py
new file mode 100644
index 000000000..369be3b59
--- /dev/null
+++ b/examples/pyghmi.py
@@ -0,0 +1,6 @@
+import pyghmi
+from pyghmi.ipmi import command
+
+cmd = command.Command(bmc="bmc",
+               userid="userid",
+               password="ZjE4ZjI0NTE4YmI2NGJjZDliOGY3ZmJiY2UyN2IzODQK")
diff --git a/setup.cfg b/setup.cfg
index 154737ff4..150b3d35f 100644
--- a/setup.cfg
+++ b/setup.cfg
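Review bot: `pyghmi` is registered with `@test.checks('Call')` but its only condition is `context.is_module_imported_like(module)`, so once a file imports pyghmi the plugin appears to report B415 on every call expression in that file rather than once at the import (assuming `is_module_imported_like` consults the file-wide import set, which the example output's "Location: examples/pyghmi.py:4" pointing at the call line suggests). The example file has exactly one call, which is why the functional test still sees a single MEDIUM issue; a real module with many calls would be flooded with duplicates. Registering the check on import nodes instead, `@test.checks('Import', 'ImportFrom')`, would report the finding once, at the line that actually introduces the dependency. The `for module in ['pyghmi']:` loop over a one-element list reads as a leftover template; `if context.is_module_imported_like('pyghmi'):` says the same thing without the loop.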
@@ -118,6 +118,9 @@ bandit.plugins = # bandit/plugins/yaml_load.py yaml_load = bandit.plugins.yaml_load:yaml_load + # bandit/plugins/import_pyghmi.py + pyghmi = bandit.plugins.import_pyghmi:pyghmi + [build_sphinx] all_files = 1 build-dir = doc/build diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index 79d77e856..e1a6c3d37 100644 --- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -771,3 +771,11 @@ def test_blacklist_pycryptodome(self): 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 2} } self.check_example('pycryptodome.py', expect) + + def test_pyghmi(self): + '''Test calling pyghmi methods''' + expect = { + 'SEVERITY': {'UNDEFINED': 0, 'LOW': 1, 'MEDIUM': 1, 'HIGH': 0}, + 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 2, 'HIGH': 0} + } + self.check_example('pyghmi.py', expect) From e96cd6b601fbb00e933d16fe065dad25e1d5d662 Mon Sep 17 00:00:00 2001 From: Tin Lam Date: Mon, 13 Aug 2018 02:37:12 -0500 Subject: [PATCH 2/3] Fix example and polish te code. Signed-off-by: Tin Lam --- bandit/plugins/import_pyghmi.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/bandit/plugins/import_pyghmi.py b/bandit/plugins/import_pyghmi.py index 00281eb33..23ebfa887 100644 --- a/bandit/plugins/import_pyghmi.py +++ b/bandit/plugins/import_pyghmi.py @@ -17,6 +17,8 @@ B415 Test for the usage of pyghmi library ========================================= +Warn the usage of pyghmi as IPMI is known to be a non-secure protocol. + :Example: .. code-block:: none @@ -28,7 +30,7 @@ 3 4 cmd = command.Command(bmc="bmc", 5 userid="userid", - 6 password="ZjE4ZjI0NTE4YmI2NGJj d") + 6 password="ZjE4ZjI0NTE4YmI2NGJjd") .. seealso:: From ec1e38e81885354867ee85edcef243a7eea221df Mon Sep 17 00:00:00 2001 
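Review bot: test_pyghmi expects one LOW-severity issue, but the B415 plugin only ever returns `severity=bandit.MEDIUM`, so the second issue must be raised by a different check on examples/pyghmi.py — presumably the hardcoded-password check on the `password=` keyword argument. That coupling is invisible in the test; a comment such as `# one MEDIUM from B415 plus one LOW from the hardcoded-password check on the example's password= argument` would keep a later edit of the example from breaking this test for a non-obvious reason. The docstring `'''Test calling pyghmi methods'''` also overstates what is exercised, since the plugin only looks at whether pyghmi is imported; `'''Test detection of pyghmi usage (B415)'''` would be accurate. The enclosing test class starts outside the hunk.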
From: Tin Lam Date: Mon, 13 Aug 2018 02:50:48 -0500 Subject: [PATCH 3/3] Add new plug-in to check pyghmi This patch set adds a new bandit plugin to check the use of the pyghmi library, as IPMI is known to be an insecure protocol. Closes: #356 Signed-off-by: Tin Lam --- examples/pyghmi.py | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/pyghmi.py b/examples/pyghmi.py index 369be3b59..44eb197ac 100644 --- a/examples/pyghmi.py +++ b/examples/pyghmi.py @@ -1,4 +1,3 @@ -import pyghmi from pyghmi.ipmi import command cmd = command.Command(bmc="bmc",