I reviewed dasbus 1.7-1 as checked into lunar. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
dasbus is a DBus library written in python.
- CVE History
  - no CVE found
- Build-Depends
  - python builtins (`os`, `threading`, and `logging`)
  - uses these two - minor bug without security impacts
    - `dasbus/xml.py:from xml.etree import ElementTree`
    - `dasbus/xml.py:from xml.dom import minidom`
- pre/post inst/rm scripts
  - autogenerated by `dh_python3`
- init scripts
  - none
- systemd units
  - none
- dbus services
  - none
- setuid binaries
  - none
- binaries in PATH
  - none
- sudo fragments
  - none
- polkit files
  - none
- udev rules
  - none
- unit tests / autopkgtests
  - it has a comprehensive set of unit tests
  - tests can be run locally and `autopkgtest` is available
- cron jobs
  - none
- Build logs
  - nothing major
- Processes spawned
  - none
- Memory management
  - none
- File IO
  - nothing significant or concerning
- Logging
  - logging is used fairly well, but sparse
- Environment variable usage
  - none
- Use of privileged functions
  - none
- Use of cryptography / random number sources etc
  - nothing concerning
- Use of temp files
  - none
- Use of networking
  - nothing concerning
- Use of WebKit
  - none
- Use of PolicyKit
  - none
- Any significant cppcheck results
  - none
- Any significant Coverity results
  - none
- Any significant shellcheck results
  - none
- Any significant bandit results
  - minor bug without security impacts
- Any significant govulncheck results
  - N/A
- Any significant Semgrep results
  - minor bug without security impacts
- The package is well-maintained by developers and issues are addressed shortly after being created.
- There is a minor bug regarding the validation of the `xml` which does not seem to have security implications (https://github.com/rhinstaller/dasbus/issues/121#issue-1867395487).
- It is recommended for the owning team to consider porting `dasbus` from `elementtree` to `defusedxml`, as `bandit` suggests.
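The port the last item recommends, shown as an added example that is not dasbus's own code: a stand-alone D-Bus introspection parser that uses `defusedxml` when it is installed and otherwise guards the stdlib `ElementTree` parser with an expat pre-scan. The sample documents, the `org.example.Demo` interface and all function names are constructed for this example; only the DOCTYPE line is the standard D-Bus introspection header.

```python
"""Added example, not dasbus code: parse D-Bus introspection XML with
defusedxml when installed, else with a small expat guard around the stdlib
parser. The freedesktop DOCTYPE is allowed; entity declarations are not."""
from xml.etree import ElementTree
from xml.parsers import expat

class UnsafeIntrospectionXML(ValueError):
    """The document declares entities or references external ones."""

def _stdlib_guard(xml_text):
    # Pre-scan with bare expat; abort on entity declarations or external refs.
    # This costs a second pass over the text, which is cheap for introspection data.
    def forbid(*_args):
        raise UnsafeIntrospectionXML("entity declaration or external reference")
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = forbid          # internal subset entities (expansion)
    parser.ExternalEntityRefHandler = forbid   # out-of-band fetches
    parser.Parse(xml_text, True)

try:
    from defusedxml import DefusedXmlException
    from defusedxml.ElementTree import fromstring as _safe_fromstring
except ImportError:  # no defusedxml: guard first, then the stdlib parser
    DefusedXmlException = UnsafeIntrospectionXML
    def _safe_fromstring(xml_text):
        _stdlib_guard(xml_text)
        return ElementTree.fromstring(xml_text)

def parse_introspection(xml_text):
    """Return {interface name: [method names]}; raise UnsafeIntrospectionXML."""
    try:
        root = _safe_fromstring(xml_text)
    except DefusedXmlException as exc:
        raise UnsafeIntrospectionXML(str(exc)) from exc
    return {iface.get("name"): [m.get("name") for m in iface.findall("method")]
            for iface in root.findall("interface")}

def rejects(xml_text):
    """True when parse_introspection refuses the document as unsafe."""
    try:
        parse_introspection(xml_text)
    except UnsafeIntrospectionXML:
        return True
    return False

# Constructed samples: a normal introspection document and one with an inline entity.
GOOD_XML = ('<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN" '
            '"http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd"><node>'
            '<interface name="org.example.Demo"><method name="Ping"/><method name="Echo"/></interface></node>')
BAD_XML = '<!DOCTYPE node [<!ENTITY e "x">]><node><interface name="&e;"/></node>'
```

Both code paths accept the external DOCTYPE because neither the stdlib expat defaults nor defusedxml fetch the external DTD subset, while the inline entity declaration is refused before any expansion happens.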
Security team ACK for promoting dasbus to main.