general_hardcoded_password plugin needs better documentation

Bug #1502348 reported by vamshi basupalli
This bug affects 1 person
Affects: Bandit
Status: Fix Released
Importance: Undecided
Assigned to: Tim Kelsey
Milestone: (none)

Bug Description

general_hardcoded_password plugin reports "WARNING Could not substitute '%(site_data_dir)s' to a path with a valid word_list file".

Nowhere in the documentation is it mentioned that on Unix the XDG_DATA_DIRS environment variable must be set to <path-to-venv>/share

Travis McPeak (travis-mcpeak) wrote:

Tim's upcoming hardcoded password plugin change should address this.

Changed in bandit:
status: New → Confirmed
Tim Kelsey (tim-kelsey)
Changed in bandit:
assignee: nobody → Tim Kelsey (tim-kelsey)
Changed in bandit:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to bandit (master)

Reviewed: https://review.openstack.org/230384
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=604ca79759b3d23a01ce661fad58469e525e13b8
Submitter: Jenkins
Branch: master

commit 604ca79759b3d23a01ce661fad58469e525e13b8
Author: Tim Kelsey <email address hidden>
Date: Fri Oct 2 12:41:00 2015 +0100

    Improved tests for hardcoded passwords

    This replaces the existing hardcoded password test with a number of
    smarter tests. None of the new tests utilize a word dictionary, we
    now trigger the warnings based on matching variable names and the
    like against a list of candidate names:

     - "password"
     - "pass"
     - "passwd"
     - "pwd"
     - "secret"
     - "token"

    hardcoded_password_string looks for:
     candidate = "some_string_literal"
     dict[candidate] = "some_string_literal"
     candidate == "some_string_literal"

    hardcoded_password_funcarg looks for:
     func_call(candidate="some_string_literal")

    hardcoded_password_default looks for:
     def func_def(candidate="some_string_literal"):

    All issues are reported as MEDIUM confidence, LOW severity

    Closes-bug: #1502348
    Closes-bug: #1502343
    Closes-bug: #1432887

    Change-Id: I36d97ee838a7f08234b759c352649721d07e8ab0
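The three detection rules the commit message above describes, worked through as an added example. This is illustrative code written for this page, not Bandit's own plugin implementation: the candidate name list and the "MEDIUM confidence, LOW severity" labels come from the commit message, while the function names (scan_source, name_of, str_literal), the finding format, and the sample source being scanned are this example's own assumptions. It uses only the standard-library ast module and assumes Python 3.9 or later (where a subscript's key is the slice node itself).

```python
"""Illustrative hardcoded-password detector (added example, not Bandit's code).

Mirrors the patterns named in the commit message:
  hardcoded_password_string  : candidate = "..." / d[candidate] = "..." / candidate == "..."
  hardcoded_password_funcarg : call(candidate="...")
  hardcoded_password_default : def f(candidate="..."):
No word dictionary is used; only the identifier is matched against the candidate list.
"""
import ast

# Candidate names taken from the commit message; matching is case-insensitive here.
CANDIDATE_NAMES = ("password", "pass", "passwd", "pwd", "secret", "token")

# Report text deliberately omits the literal so the secret is not copied into output.
MESSAGE = "Possible hardcoded password (severity LOW, confidence MEDIUM)"


def is_candidate(name):
    """True if an identifier (or dict key) is one of the candidate names."""
    return isinstance(name, str) and name.lower() in CANDIDATE_NAMES


def str_literal(node):
    """Return the string value if node is a non-empty string constant, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value:
        return node.value
    return None


def name_of(node):
    """Identifier behind an assignment target or comparison operand, or None."""
    if isinstance(node, ast.Name):          # password = "..."
        return node.id
    if isinstance(node, ast.Attribute):     # obj.password = "..."
        return node.attr
    if isinstance(node, ast.Subscript):     # d["password"] = "..."
        key = node.slice
        if isinstance(key, ast.Constant) and isinstance(key.value, str):
            return key.value
    return None


def scan_source(source, filename="<constructed>"):
    """Return findings as (test_id, line_number, message), sorted by line."""
    findings = []

    def report(test_id, node):
        findings.append((test_id, node.lineno, MESSAGE))

    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        # hardcoded_password_string: candidate = "..."  and  d[candidate] = "..."
        if isinstance(node, ast.Assign) and str_literal(node.value) is not None:
            if any(is_candidate(name_of(t)) for t in node.targets):
                report("hardcoded_password_string", node)
        # hardcoded_password_string: candidate == "..."
        elif isinstance(node, ast.Compare):
            sides = [node.left, *node.comparators]
            if (any(isinstance(op, ast.Eq) for op in node.ops)
                    and any(is_candidate(name_of(s)) for s in sides)
                    and any(str_literal(s) is not None for s in sides)):
                report("hardcoded_password_string", node)
        # hardcoded_password_funcarg: call(candidate="...")
        elif isinstance(node, ast.Call):
            if any(is_candidate(kw.arg) and str_literal(kw.value) is not None
                   for kw in node.keywords):
                report("hardcoded_password_funcarg", node)
        # hardcoded_password_default: def f(candidate="..."):
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            args = node.args
            positional = args.posonlyargs + args.args
            # Defaults line up with the trailing positional parameters.
            with_defaults = positional[len(positional) - len(args.defaults):]
            for arg, default in zip(with_defaults, args.defaults):
                if is_candidate(arg.arg) and str_literal(default) is not None:
                    report("hardcoded_password_default", node)
            for arg, default in zip(args.kwonlyargs, args.kw_defaults):
                if default is not None and is_candidate(arg.arg) and str_literal(default) is not None:
                    report("hardcoded_password_default", node)
    return sorted(findings, key=lambda f: f[1])


# Constructed sample input: lines 1-3, 5 and 6 should trigger; lines 8 and 9 should not.
SAMPLE_SOURCE = '''\
password = "hunter2"
config["token"] = "abc123"
if user.passwd == "letmein":
    pass
connect(host="db", password="hunter2")
def login(user, pwd="hunter2"):
    return user
password = os.environ.get("PASSWORD")
timeout = "30"
'''

if __name__ == "__main__":
    for test_id, line, message in scan_source(SAMPLE_SOURCE):
        print(f"{test_id}: line {line}: {message}")
```

The value read from os.environ on line 8 of the sample is not flagged because only string literals count, which is exactly the distinction that separates a configured secret from an embedded one; a match on the identifier alone is also why this style of check carries only MEDIUM confidence.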

Changed in bandit:
status: In Progress → Fix Committed
Tim Kelsey (tim-kelsey)
Changed in bandit:
status: Fix Committed → Fix Released