gitlab-ci: add 'bandit' security scanner to all runs
bandit is used by Radically Open Security and is part of the GitLab Ultimate Static Application Security Testing (SAST) suite. https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
This commit is contained in:
parent
4d13a904f3
commit
3ffe2860f3
@ -119,16 +119,22 @@ pip_install:
|
|||||||
- fdroid readmeta
|
- fdroid readmeta
|
||||||
- fdroid update --help
|
- fdroid update --help
|
||||||
|
|
||||||
lint_format_safety_checks:
|
lint_format_safety_bandit_checks:
|
||||||
image: alpine:3.7
|
image: alpine:3.7
|
||||||
variables:
|
variables:
|
||||||
LANG: C.UTF-8
|
LANG: C.UTF-8
|
||||||
script:
|
script:
|
||||||
- apk add --no-cache bash dash ca-certificates python3
|
- apk add --no-cache bash dash ca-certificates python3
|
||||||
- python3 -m ensurepip
|
- python3 -m ensurepip
|
||||||
- pip3 install pycodestyle pyflakes 'pylint<2.0' safety
|
- pip3 install bandit pycodestyle pyflakes 'pylint<2.0' safety
|
||||||
- export EXITVALUE=0
|
- export EXITVALUE=0
|
||||||
- ./hooks/pre-commit || export EXITVALUE=1
|
- ./hooks/pre-commit || export EXITVALUE=1
|
||||||
|
- bandit
|
||||||
|
-ii
|
||||||
|
-s B110,B310,B322,B404,B408,B410,B603,B607
|
||||||
|
-x fdroidserver/dscanner.py,docker/install_agent.py,docker/drozer.py
|
||||||
|
-r $CI_PROJECT_DIR
|
||||||
|
|| export EXITVALUE=1
|
||||||
- safety check --full-report || export EXITVALUE=1
|
- safety check --full-report || export EXITVALUE=1
|
||||||
- pylint --rcfile=.pylint-rcfile --output-format=colorized --reports=n
|
- pylint --rcfile=.pylint-rcfile --output-format=colorized --reports=n
|
||||||
fdroid
|
fdroid
|
||||||
|
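Review bot: The `-s B110,B310,B322,B404,B408,B410,B603,B607` skip list silences eight bandit checks for the whole tree with no record of why each one is acceptable here, so the suppressions will outlive the code that motivated them. I'd move the skips and the `-x` excludes into a `.bandit` config at the repo root with a one-line reason per entry (e.g. `# B607: fdroid invokes external tools from PATH by design`), which also makes a local `bandit -r .` match what CI runs. `-ii` additionally drops low-confidence findings entirely; that is a reasonable noise trade-off, but a short comment next to the command would stop the next reader from taking it for a typo. The job rename from `lint_format_safety_checks` may break anything that references the old name; I can't see other jobs from this hunk.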
@ -283,7 +283,7 @@ def read_config(opts, config_file='config.py'):
|
|||||||
logging.debug(_("Reading '{config_file}'").format(config_file=config_file))
|
logging.debug(_("Reading '{config_file}'").format(config_file=config_file))
|
||||||
with io.open(config_file, "rb") as f:
|
with io.open(config_file, "rb") as f:
|
||||||
code = compile(f.read(), config_file, 'exec')
|
code = compile(f.read(), config_file, 'exec')
|
||||||
exec(code, None, config)
|
exec(code, None, config) # nosec TODO switch to YAML file
|
||||||
else:
|
else:
|
||||||
logging.warning(_("No 'config.py' found, using defaults."))
|
logging.warning(_("No 'config.py' found, using defaults."))
|
||||||
|
|
||||||
|
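Review bot: `# nosec TODO switch to YAML file` on the `exec(code, None, config)` line suppresses the finding without recording the trust assumption that justifies it: `config.py` is executed with full builtins, so whoever can write that file runs arbitrary code as the user running fdroid. I'd state that in the comment, e.g. `# nosec: config.py is an operator-owned local file executed as code by design; TODO switch to a YAML config file`, and tie the TODO to a tracking issue so the suppression gets revisited. A bare `# nosec` also hides any other bandit finding on the same line, which is fine for a lone `exec` but worth knowing. The enclosing `read_config` starts and ends outside the hunk.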
@ -27,7 +27,7 @@ import re
|
|||||||
import socket
|
import socket
|
||||||
import zipfile
|
import zipfile
|
||||||
import hashlib
|
import hashlib
|
||||||
import pickle
|
import pickle # nosec TODO
|
||||||
import time
|
import time
|
||||||
import copy
|
import copy
|
||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
@ -461,7 +461,7 @@ def get_cache():
|
|||||||
ada = options.allow_disabled_algorithms or config['allow_disabled_algorithms']
|
ada = options.allow_disabled_algorithms or config['allow_disabled_algorithms']
|
||||||
if not options.clean and os.path.exists(apkcachefile):
|
if not options.clean and os.path.exists(apkcachefile):
|
||||||
with open(apkcachefile, 'rb') as cf:
|
with open(apkcachefile, 'rb') as cf:
|
||||||
apkcache = pickle.load(cf, encoding='utf-8')
|
apkcache = pickle.load(cf, encoding='utf-8') # nosec TODO
|
||||||
if apkcache.get("METADATA_VERSION") != METADATA_VERSION \
|
if apkcache.get("METADATA_VERSION") != METADATA_VERSION \
|
||||||
or apkcache.get('allow_disabled_algorithms') != ada:
|
or apkcache.get('allow_disabled_algorithms') != ada:
|
||||||
apkcache = {}
|
apkcache = {}
|
||||||
|
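Review bot: `# nosec TODO` on the `apkcache = pickle.load(cf, encoding='utf-8')` line (and on `import pickle` in the earlier hunk) suppresses the finding without saying why deserialising `apkcachefile` is acceptable; unpickling executes whatever the file contains, so the real control is presumably that the cache is written only by this tool under the operator's own account. I'd record that in the comment, e.g. `# nosec: apkcache is a local file written only by fdroid update; TODO replace pickle with a JSON cache`, so the suppression states the trust boundary and the TODO has a concrete direction. The same rationale, or a reference to it, belongs on the `import pickle` line. `get_cache` continues outside the hunk.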