mirrors/fdroidserver
1
0
Fork 0
mirror of https://github.com/f-droid/fdroidserver.git synced 2025-11-04 14:30:30 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

gitlab-ci: add 'bandit' security scanner to all runs

Browse source 
bandit is used by Radically Open Security and is part of the GitLab Ultimate
Static Application Security Testing (SAST) suite.

https://docs.gitlab.com/ee/user/project/merge_requests/sast.html
This commit is contained in:
Hans-Christoph Steiner 2018-08-29 17:48:06 +02:00
parent 4d13a904f3
commit 3ffe2860f3
3 changed files with 11 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

10
.gitlab-ci.yml
View file

@ -119,16 +119,22 @@ pip_install:
- fdroid readmeta - fdroid readmeta
- fdroid update --help - fdroid update --help
lint_format_safety_checks: lint_format_safety_bandit_checks:
image: alpine:3.7 image: alpine:3.7
variables: variables:
LANG: C.UTF-8 LANG: C.UTF-8
script: script:
- apk add --no-cache bash dash ca-certificates python3 - apk add --no-cache bash dash ca-certificates python3
- python3 -m ensurepip - python3 -m ensurepip
- pip3 install pycodestyle pyflakes 'pylint<2.0' safety - pip3 install bandit pycodestyle pyflakes 'pylint<2.0' safety
- export EXITVALUE=0 - export EXITVALUE=0
- ./hooks/pre-commit || export EXITVALUE=1 - ./hooks/pre-commit || export EXITVALUE=1
- bandit
-ii
-s B110,B310,B322,B404,B408,B410,B603,B607
-x fdroidserver/dscanner.py,docker/install_agent.py,docker/drozer.py
-r $CI_PROJECT_DIR
|| export EXITVALUE=1
- safety check --full-report || export EXITVALUE=1 - safety check --full-report || export EXITVALUE=1
- pylint --rcfile=.pylint-rcfile --output-format=colorized --reports=n - pylint --rcfile=.pylint-rcfile --output-format=colorized --reports=n
fdroid fdroid

2
fdroidserver/common.py
View file

@ -283,7 +283,7 @@ def read_config(opts, config_file='config.py'):
logging.debug(_("Reading '{config_file}'").format(config_file=config_file)) logging.debug(_("Reading '{config_file}'").format(config_file=config_file))
with io.open(config_file, "rb") as f: with io.open(config_file, "rb") as f:
code = compile(f.read(), config_file, 'exec') code = compile(f.read(), config_file, 'exec')
exec(code, None, config) exec(code, None, config) # nosec TODO switch to YAML file
else: else:
logging.warning(_("No 'config.py' found, using defaults.")) logging.warning(_("No 'config.py' found, using defaults."))

4
fdroidserver/update.py
View file

@ -27,7 +27,7 @@ import re
import socket import socket
import zipfile import zipfile
import hashlib import hashlib
import pickle import pickle # nosec TODO
import time import time
import copy import copy
from datetime import datetime from datetime import datetime
@ -461,7 +461,7 @@ def get_cache():
ada = options.allow_disabled_algorithms or config['allow_disabled_algorithms'] ada = options.allow_disabled_algorithms or config['allow_disabled_algorithms']
if not options.clean and os.path.exists(apkcachefile): if not options.clean and os.path.exists(apkcachefile):
with open(apkcachefile, 'rb') as cf: with open(apkcachefile, 'rb') as cf:
apkcache = pickle.load(cf, encoding='utf-8') apkcache = pickle.load(cf, encoding='utf-8') # nosec TODO
if apkcache.get("METADATA_VERSION") != METADATA_VERSION \ if apkcache.get("METADATA_VERSION") != METADATA_VERSION \
or apkcache.get('allow_disabled_algorithms') != ada: or apkcache.get('allow_disabled_algorithms') != ada:
apkcache = {} apkcache = {}