Difference between revisions of "Security/Projects/Bandit"
Revision as of 22:45, 19 February 2015

Overview

Bandit provides a framework for performing security analysis of Python source code, utilizing the ast module from the Python standard library.

The ast module is used to convert source code into a parsed tree of Python syntax nodes. Bandit allows users to define custom tests that are performed against those nodes. At the completion of testing, a report is generated that lists security issues identified within the target source code.

Bandit is currently a stand-alone tool which can be downloaded by end-users and run against arbitrary source code. As it matures and is proven to be useful, we see it being a possible addition to OpenStack CI gate tests with non-voting and eventually voting capabilities.

Bandit can be obtained by cloning the repository at https://git.openstack.org/stackforge/bandit.git. The README.md file contains documentation regarding installation, usage, and configuration.

Contributing

Bandit makes use of the OpenStack CI infrastructure provided through StackForge:


An easy way to contribute is to write a plugin/test that will allow Bandit to identify more security issues. Extensions and improvements to the underlying framework are also welcomed, although we'll be attempting to maintain stability in the interface that is presented to plugins.

See Development Workflow for information on the general contribution/review workflow.

TODO

Further development of Bandit framework:

  • Fix bug with recognizing strings in docstrings.
  • DONE -- Consider reworking test decorator naming. At present, @checks_functions is used to label tests against Call nodes rather than FunctionDef nodes, which is somewhat misleading. Potentially line decorator names up with AST node types, for example @checks_FunctionDef, @checks_Call, @checks_Str, etc. Tradeoff: abstracting away the complexity of the underlying AST vs. aligning with the AST.
  • Address case where an imported module or function is aliased to a different variable name with an = statement.
  • Extend 'context' object to allow tests to be defined against more than just the currently-visited AST node. Add a 'previous' node pointer, track and provide access to additional state information, etc?
  • Investigate whether 'symtable' module can be used as another layer of analysis.
  • Build out support for additional AST node types
  • Consider additional helper functions that could make writing tests simpler
  • Pretty printing - add flag or option to output to report (CSV/JSON/XML?)
  • Accept both filenames and directory names as input, instead of just filenames (avoid the find/xargs-based method we currently use to target directories). In directory case, traverse the tree finding *.py files and test them all.
  • Ability to exclude a directory or names, e.g. exclude unit test directory.
  • Report statistics at end of run (number of files, lines of code, issues detected, nosec count, etc).
  • Review / revisit result collection structure / format.
  • Tie reporting / output back to https://wiki.openstack.org/wiki/Security/Guidelines.
  • Allow stacking of profiles - let a user specify multiple profiles to include in a single run.

Existing tests:

  • Review for accuracy or possible improvements.
  • Expand on test documentation - add explanation or link to external pointers about security vulnerabilities being identified.


Possible new tests:

  • Hardcoded passwords
  • Logging sensitive information
  • SQL commands into SQLAlchemy
  • sudo calls
  • De-serializing (Pickle? YAML? JSON?)
  • Taint checking / lack of input validation (e.g. object returned by requests.get()/.post() has headers, content, text, json attributes) - this will likely get complicated, and likely relies on building a more complete 'context' object as noted under framework above.
  • Others?
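As an added illustration (not Bandit's own code) of the framework the Overview describes and of several items above, here is a miniature checker: checks are registered per AST node type, as the @checks_Call naming in the framework TODO proposes; a 'context' object is handed to each check; an imported function aliased with an = statement is still resolved; a '# nosec' comment suppresses a finding; and two of the possible new tests (pickle deserialization, hardcoded passwords) are implemented in simplified form. The decorator, class and function names and the SAMPLE source are assumptions of this example.

```python
import ast
from collections import defaultdict

CHECKS = defaultdict(list)  # AST node class name -> registered check functions

def checks(node_type):
    """@checks('Call') registers a check against Call nodes: a parameterised
    form of the per-node-type @checks_Call naming the TODO list settles on."""
    def register(func):
        CHECKS[node_type].append(func)
        return func
    return register
def qualname(node):  # dotted name for Name/Attribute nodes ('pickle.loads'), else None
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and qualname(node.value):
        return qualname(node.value) + '.' + node.attr
class Context:
    """State handed to each check: the visited node plus the alias table."""
    def __init__(self, node, aliases):
        self.node, self.aliases, self.lineno = node, aliases, getattr(node, 'lineno', 0)
    def call_name(self):  # call target with `=` aliases resolved: loads -> 'pickle.loads'
        name = qualname(self.node.func)
        return self.aliases.get(name, name)
@checks('Call')
def pickle_deserialization(ctx):
    if ctx.call_name() in ('pickle.load', 'pickle.loads'):
        return 'deserialization of untrusted data via ' + ctx.call_name()
@checks('Assign')
def hardcoded_password(ctx):
    value, targets = ctx.node.value, ctx.node.targets
    if isinstance(value, ast.Constant) and isinstance(value.value, str) and any(
            isinstance(t, ast.Name) and 'password' in t.id.lower() for t in targets):
        return 'possible hardcoded password'
def scan(source):
    """Return sorted (lineno, message) pairs, skipping lines marked '# nosec'."""
    lines, aliases, results = source.splitlines(), {}, []
    for node in ast.walk(ast.parse(source)):  # statements precede their children
        if (isinstance(node, ast.Assign) and len(node.targets) == 1 and
                isinstance(node.targets[0], ast.Name) and qualname(node.value)):
            target = qualname(node.value)  # record `loads = pickle.loads` (chains too)
            aliases[node.targets[0].id] = aliases.get(target, target)
        ctx = Context(node, aliases)
        for check in CHECKS[type(node).__name__]:
            message = check(ctx)
            if message and '# nosec' not in lines[ctx.lineno - 1]:
                results.append((ctx.lineno, message))
    return sorted(results)
# Constructed sample input, not real project code: the alias and the nosec line are the point.
SAMPLE = 'import pickle\nloads = pickle.loads\npassword = "hunter2"\ndef parse(blob, fh):\n    trusted = pickle.load(fh)  # nosec\n    return loads(blob)\n'
```

Running scan(SAMPLE) reports the hardcoded password on line 3 and the aliased pickle.loads call on line 6, while the pickle.load call marked '# nosec' on line 5 is suppressed.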

Team

Bandit is a project from the OpenStack Security Group.

Core project team:

  • Jamie Finnigan (chair6)
  • Travis McPeak (tmcpeak)
  • Nathan Kinder (nkinder)
  • Tim Kelsey (tkelsey)