I reviewed python-prometheus-client 0.9.0-1 as checked into impish. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
python-prometheus-client is a middleware layer to provide metrics for
openstack software. (It could probably be asked to work outside the
openstack ecosystem.)
- CVE History:
  None
- Build-Depends: debhelper-compat (= 13),
  Build-Depends-Indep: dh-python, python3-all, python3-decorator (>= 4.0.10), python3-pytest, python3-setuptools,
- pre/post inst/rm scripts?
  automatically added by dh_python3 -- (funny trailing space in there)
- init scripts?
  None
- systemd units?
  None
- dbus services?
  None
- setuid binaries?
  None
- binaries in PATH?
  None
- sudo fragments?
  None
- polkit files?
  None
- udev rules?
  None
- unit tests / autopkgtests?
  large selection of tests, run during build
- cron jobs?
  None
- Build logs:
  E: python-prometheus-client changes: bad-distribution-in-changes-file unstable
  (meh)
- Processes spawned?
  None
- Memory management?
  None
- File IO?
  I believe it's all under control of the application that embeds this
  middleware -- though this uses the 'prometheus_multiproc_dir'
  environment variable when constructing paths to open
- Logging?
  None
- Environment variable usage?
  'prometheus_multiproc_dir', 'HTTP_ACCEPT', 'QUERY_STRING' -- looked fine
- Use of privileged functions?
  None
- Use of cryptography / random number sources etc?
  None
- Use of temp files?
  Some -- though, in the same directory as the storage target, and
  'simple' constructed names. Not quite as good as mkstemp(3) but not
  blatantly out of line either.
- Use of networking?
  Yes, both as a server and as a client; both parts are under control of
  whichever program has embedded this toolkit. Probably the quality varies
  drastically between the start_http_server method vs start_wsgi_server
  method.
- Use of WebKit?
  None
- Use of PolicyKit?
  None
- Any significant cppcheck results?
  None
- Any significant Coverity results?
  Nothing substantial
- Any significant shellcheck results?
  None
- Any significant bandit results?
  Nothing substantial
This is very-generic middleware. Quite a lot of what it does will be
controlled by code elsewhere. So it's perhaps lacking checks / controls /
etc that feel like they should be here, but its inputs aren't entirely
wide open because code elsewhere should be doing something reasonable.
Security team ACK for promoting python-prometheus-client to main.
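Added illustration of the temp-file point in the review above (the "same directory as the storage target, 'simple' constructed names, not quite mkstemp(3)" remark). This is example code written for this page, not code from python-prometheus-client; it does not claim to reproduce the library's own routine. It contrasts a write-to-predictable-name-then-rename pattern with a mkstemp(3)-based one, and shows the one failure mode that matters: if a less trusted user can create entries in the target directory, a pre-planted symlink at the predictable name is followed by open(). The file names (node.prom, victim.txt), the prom-demo- directory prefix and the SAMPLE exposition text are all constructed for the demonstration; the risk only applies when the directory is not private to the embedding application, which is the assumption the review relies on.

```python
"""Constructed example: predictable-name temp file vs mkstemp(3) when
atomically publishing a metrics snapshot. Not python-prometheus-client code."""
import os
import tempfile

# Constructed sample exposition text, not real scraped metrics.
SAMPLE = "# constructed sample exposition, not real metrics\nup 1\n"


def write_predictable_tmp(path, data):
    """'Simple' constructed temp name next to the target, then rename over it.
    Anyone able to create names in that directory can pre-create a symlink at
    <path>.<pid>.tmp; open(..., "w") follows it and truncates the link target.
    Returns the temp name so callers/tests can inspect it."""
    tmppath = f"{path}.{os.getpid()}.tmp"
    with open(tmppath, "w") as f:
        f.write(data)
    os.replace(tmppath, path)
    return tmppath


def write_mkstemp(path, data):
    """Same outcome via mkstemp(3): unpredictable name, O_CREAT|O_EXCL (a planted
    symlink makes the create fail instead of being followed), mode 0600, created
    in the target's own directory so the final rename stays on one filesystem."""
    directory = os.path.dirname(path) or "."
    fd, tmppath = tempfile.mkstemp(prefix=os.path.basename(path) + ".", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmppath, path)
    except BaseException:
        os.unlink(tmppath)  # never leave a half-written temp behind
        raise
    return tmppath


def demo(workdir=None):
    """Run both writers against the same target and report what differs."""
    workdir = workdir or tempfile.mkdtemp(prefix="prom-demo-")  # hypothetical dir
    target = os.path.join(workdir, "node.prom")                 # hypothetical file
    t1 = write_predictable_tmp(target, SAMPLE)
    t2 = write_mkstemp(target, SAMPLE)
    with open(target) as f:
        content = f.read()
    return {
        "content": content,
        "predictable_name": t1 == f"{target}.{os.getpid()}.tmp",
        "random_name": t2.startswith(target + ".") and t2 != t1,
        "temps_cleaned": not os.path.lexists(t1) and not os.path.lexists(t2),
        # mkstemp wrote last, so the published file carries its 0600 mode.
        "final_mode": oct(os.stat(target).st_mode & 0o777),
    }


def symlink_plant(workdir=None):
    """Constructed attacker scenario: plant a symlink at the predictable temp
    name; the naive writer follows it and clobbers the unrelated victim file.
    Returns True when the victim's contents were overwritten."""
    workdir = workdir or tempfile.mkdtemp(prefix="prom-demo-")
    target = os.path.join(workdir, "node.prom")
    victim = os.path.join(workdir, "victim.txt")  # hypothetical unrelated file
    with open(victim, "w") as f:
        f.write("original\n")
    os.symlink(victim, f"{target}.{os.getpid()}.tmp")
    write_predictable_tmp(target, "clobbered\n")
    with open(victim) as f:
        return f.read() == "clobbered\n"


if __name__ == "__main__":
    print(demo())
    print("victim clobbered via planted symlink:", symlink_plant())
```

The practical check for a package that embeds this client is therefore not the library's naming scheme but the ownership and mode of the directory it publishes into (the multiprocess directory named by the environment variable, or a textfile collector directory): if only the embedding application can create names there, the simple scheme is adequate, which is the position the review takes.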