mirror of
https://gitlab.com/fdroid/fdroidserver.git
synced 2024-10-03 17:50:11 +02:00
gitlab-ci: add 'bandit' security scanner to all runs
bandit is used by Radically Open Security and is part of the GitLab Ultimate Static Application Security Testing (SAST) suite. https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
This commit is contained in:
parent
4d13a904f3
commit
3ffe2860f3
@ -119,16 +119,22 @@ pip_install:
|
||||
- fdroid readmeta
|
||||
- fdroid update --help
|
||||
|
||||
lint_format_safety_checks:
|
||||
lint_format_safety_bandit_checks:
|
||||
image: alpine:3.7
|
||||
variables:
|
||||
LANG: C.UTF-8
|
||||
script:
|
||||
- apk add --no-cache bash dash ca-certificates python3
|
||||
- python3 -m ensurepip
|
||||
- pip3 install pycodestyle pyflakes 'pylint<2.0' safety
|
||||
- pip3 install bandit pycodestyle pyflakes 'pylint<2.0' safety
|
||||
- export EXITVALUE=0
|
||||
- ./hooks/pre-commit || export EXITVALUE=1
|
||||
- bandit
|
||||
-ii
|
||||
-s B110,B310,B322,B404,B408,B410,B603,B607
|
||||
-x fdroidserver/dscanner.py,docker/install_agent.py,docker/drozer.py
|
||||
-r $CI_PROJECT_DIR
|
||||
|| export EXITVALUE=1
|
||||
- safety check --full-report || export EXITVALUE=1
|
||||
- pylint --rcfile=.pylint-rcfile --output-format=colorized --reports=n
|
||||
fdroid
|
||||
|
@ -283,7 +283,7 @@ def read_config(opts, config_file='config.py'):
|
||||
logging.debug(_("Reading '{config_file}'").format(config_file=config_file))
|
||||
with io.open(config_file, "rb") as f:
|
||||
code = compile(f.read(), config_file, 'exec')
|
||||
exec(code, None, config)
|
||||
exec(code, None, config) # nosec TODO switch to YAML file
|
||||
else:
|
||||
logging.warning(_("No 'config.py' found, using defaults."))
|
||||
|
||||
|
@ -27,7 +27,7 @@ import re
|
||||
import socket
|
||||
import zipfile
|
||||
import hashlib
|
||||
import pickle
|
||||
import pickle # nosec TODO
|
||||
import time
|
||||
import copy
|
||||
from datetime import datetime
|
||||
@ -461,7 +461,7 @@ def get_cache():
|
||||
ada = options.allow_disabled_algorithms or config['allow_disabled_algorithms']
|
||||
if not options.clean and os.path.exists(apkcachefile):
|
||||
with open(apkcachefile, 'rb') as cf:
|
||||
apkcache = pickle.load(cf, encoding='utf-8')
|
||||
apkcache = pickle.load(cf, encoding='utf-8') # nosec TODO
|
||||
if apkcache.get("METADATA_VERSION") != METADATA_VERSION \
|
||||
or apkcache.get('allow_disabled_algorithms') != ada:
|
||||
apkcache = {}
|
||||
|
Loading…
Reference in New Issue
Block a user