Add bandit to CI, fix a few false positives

fbi-cde · Dec 21, 2016 · aa7d880 · aa7d880
1 parent 73549ea
commit aa7d880
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 7 deletions.
diff --git a/.bandit b/.bandit
@@ -0,0 +1,2 @@
+[bandit]
+exclude: /tests
diff --git a/README.md b/README.md
@@ -94,3 +94,24 @@ flask db migrate
 flask db upgrade
 flask run
 ```
+
+Security Scans
+--------------
+
+This repository uses the [bandit](https://github.com/openstack/bandit)
+tool to run automated static analysis of the project code for
+potential vulnerabilities. These are run automatically as part of
+continuous integration to identify potential vulnerabilities when they
+are introduced in pull requests.
+
+You can run bandit locally with the following command:
+
+``` shell
+bandit -r .
+```
+
+In some cases, bandit will identify false positives, code that looks
+like it could be a security vulnerability but that will likely never
+be triggered in a production environment. To disable reporting of
+these vulnerabilities, you can append a `#nosec` comment on the line
+of code where the vulnerability was identified.
diff --git a/circle.yml b/circle.yml
@@ -19,6 +19,7 @@ test:
     - py.test --cov=crime_data tests/
   post:
     - codeclimate-test-reporter
+    - bandit -r .
 deployment:
   production:
     branch: master

diff --git a/crime_data/app.py b/crime_data/app.py
@@ -26,7 +26,7 @@
 from crime_data.settings import ProdConfig
 
 if __name__ == '__main__':
-    app.run(debug=True)
+    app.run(debug=True) #nosec, this isn't called on production
 
 
 def create_app(config_object=ProdConfig):

diff --git a/crime_data/commands.py b/crime_data/commands.py
@@ -2,7 +2,7 @@
 """Click commands."""
 import os
 from glob import glob
-from subprocess import call
+from subprocess import call #nosec
 
 import click
 from flask import current_app
@@ -43,7 +43,7 @@ def execute_tool(description, *args):
         """Execute a checking tool with its arguments."""
         command_line = list(args) + files_and_directories
         click.echo('{}: {}'.format(description, ' '.join(command_line)))
-        rv = call(command_line)
+        rv = call(command_line) #nosec
         if rv != 0:
             exit(rv)
 

diff --git a/crime_data/common/base.py b/crime_data/common/base.py
@@ -3,6 +3,7 @@
 import math
 import os
 import random
+from ast import literal_eval
 from functools import wraps
 
 import sqltap
@@ -87,7 +88,7 @@ def use_follower(self):
 
     def get_bind(self, mapper=None, clause=None):
         if self.use_follower:
-            return random.choice(self.followers)
+            return random.choice(self.followers) #nosec
 
         return super().get_bind(mapper=mapper, clause=clause)
 
@@ -310,7 +311,7 @@ def output_serialize(self, data, schema=None, format='csv', aggregate_many = Fal
 
     def _jsonable(self, val):
         if isinstance(val, Decimal):
-            return eval(str(val))
+            return literal_eval(str(val))
         elif hasattr(val, '__pow__'):  # is numeric
             return val
         return str(val)
@@ -325,8 +326,6 @@ def _stringify(self, data):
     def _as_dict(self, fieldTuple, res):
         return dict(zip(fieldTuple, res))
 
-
-
     def _compile_query(self, query):
         """
         Gets String representation of an SQLAlchemy query.

diff --git a/requirements/dev.txt b/requirements/dev.txt
@@ -20,3 +20,5 @@ pep8-naming==0.3.3
 
 codeclimate-test-reporter
 pytest-cov
+
+bandit==1.3.0
Original file line number	Diff line number	Diff line change
Expand Up		@@ -20,3 +20,5 @@ pep8-naming==0.3.3

		codeclimate-test-reporter
		pytest-cov

		bandit==1.3.0