gitlab-ci: add 'bandit' security scanner to all runs

bandit is used by Radically Open Security and is part of the GitLab Ultimate
Static Application Security Testing (SAST) suite.

https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
This commit is contained in:
Hans-Christoph Steiner 2018-08-29 17:48:06 +02:00
parent 4d13a904f3
commit 3ffe2860f3
3 changed files with 11 additions and 5 deletions


@ -119,16 +119,22 @@ pip_install:
- fdroid readmeta
- fdroid update --help
lint_format_safety_checks:
lint_format_safety_bandit_checks:
image: alpine:3.7
variables:
LANG: C.UTF-8
script:
- apk add --no-cache bash dash ca-certificates python3
- python3 -m ensurepip
- pip3 install pycodestyle pyflakes 'pylint<2.0' safety
- pip3 install bandit pycodestyle pyflakes 'pylint<2.0' safety
- export EXITVALUE=0
- ./hooks/pre-commit || export EXITVALUE=1
- bandit
-ii
-s B110,B310,B322,B404,B408,B410,B603,B607
-x fdroidserver/dscanner.py,docker/install_agent.py,docker/drozer.py
-r $CI_PROJECT_DIR
|| export EXITVALUE=1
- safety check --full-report || export EXITVALUE=1
- pylint --rcfile=.pylint-rcfile --output-format=colorized --reports=n
fdroid
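Review bot: The skip list `-s B110,B310,B322,B404,B408,B410,B603,B607` and the exclusion `-x fdroidserver/dscanner.py,docker/install_agent.py,docker/drozer.py` disable whole test classes and whole files for the entire tree without recording why each is accepted, so a later reader cannot tell which suppressions are deliberate and which can be re-enabled. A YAML comment above the `- bandit` entry giving one reason per test id and per excluded file, e.g. `# B404/B603/B607: subprocess usage is reviewed per call site; dscanner.py: <reason>`, keeps the accepted risk visible next to the setting. Together with `-ii`, which drops low-confidence findings, this makes the first bandit run quite narrow, which is probably intended for a noise-free introduction but worth stating in the same comment. The trailing `|| export EXITVALUE=1` matches how the other checks in this job defer failure, which is consistent.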


@ -283,7 +283,7 @@ def read_config(opts, config_file='config.py'):
logging.debug(_("Reading '{config_file}'").format(config_file=config_file))
with io.open(config_file, "rb") as f:
code = compile(f.read(), config_file, 'exec')
exec(code, None, config)
exec(code, None, config) # nosec TODO switch to YAML file
else:
logging.warning(_("No 'config.py' found, using defaults."))
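Review bot: The `# nosec` on `exec(code, None, config)` permanently silences bandit's finding, but the `TODO switch to YAML file` next to it carries no issue reference and does not say why executing the config is acceptable today, so the suppression and the plan can drift apart. The comment should record the trust assumption the code relies on, e.g. `# nosec: config.py is a local file provided by the operator and executed as trusted code; TODO(<issue-id>) switch to YAML`, where `<issue-id>` is a placeholder for the tracking issue. read_config starts and ends outside the hunk.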


@ -27,7 +27,7 @@ import re
import socket
import zipfile
import hashlib
import pickle
import pickle # nosec TODO
import time
import copy
from datetime import datetime
@ -461,7 +461,7 @@ def get_cache():
ada = options.allow_disabled_algorithms or config['allow_disabled_algorithms']
if not options.clean and os.path.exists(apkcachefile):
with open(apkcachefile, 'rb') as cf:
apkcache = pickle.load(cf, encoding='utf-8')
apkcache = pickle.load(cf, encoding='utf-8') # nosec TODO
if apkcache.get("METADATA_VERSION") != METADATA_VERSION \
or apkcache.get('allow_disabled_algorithms') != ada:
apkcache = {}
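Review bot: The two `# nosec TODO` markers on `import pickle` and `pickle.load(cf, encoding='utf-8')` suppress the finding without recording why it is accepted, the same gap as the `exec` suppression in the previous file. From the visible lines, `pickle.load` deserializes the whole of `apkcachefile` before the `METADATA_VERSION` and `allow_disabled_algorithms` checks on the following lines can reject it, so the suppression rests entirely on the cache file being written by this tool and not being user-supplied input; the comment should say so, e.g. `# nosec: apkcache is written by this tool, not user input; TODO(<issue-id>) replace pickle`, with `<issue-id>` as a placeholder. The marker on the import line is only there because bandit flags the import itself, which is worth a word so nobody removes it as redundant. get_cache continues past the end of the hunk.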