Monday, 2015-02-23

00:15 *** dave-mccowan has joined #openstack-security
00:16 *** markvoelker has joined #openstack-security
00:20 *** markvoelker has quit IRC
00:49 *** tmcpeak has joined #openstack-security
00:50 *** markvoelker has joined #openstack-security
00:53 *** tmcpeak has quit IRC
00:55 *** markvoelker has quit IRC
01:22 *** salv-orlando has quit IRC
01:32 *** tmcpeak has joined #openstack-security
01:51 *** markvoelker has joined #openstack-security
01:57 *** markvoelker has quit IRC
02:00 *** markvoelker has joined #openstack-security
02:13 *** tmcpeak has quit IRC
02:26 *** markvoelker has quit IRC
02:27 *** markvoelker has joined #openstack-security
02:31 *** markvoelker has quit IRC
03:01 *** amrith is now known as _amrith_
04:01 *** bpokorny has quit IRC
04:04 *** _amrith_ is now known as amrith
05:17 *** dave-mccowan has quit IRC
05:45 *** pcaruana has quit IRC
09:24 *** lionelz has joined #openstack-security
09:33 *** salv-orlando has joined #openstack-security
10:04 *** salv-orlando has quit IRC
10:14 *** salv-orlando has joined #openstack-security
10:21 *** lionelz has quit IRC
11:19 *** salv-orlando has quit IRC
11:25 *** salv-orlando has joined #openstack-security
11:29 *** salv-orlando has quit IRC
11:29 *** salv-orl_ has joined #openstack-security
12:38 *** salv-orl_ has quit IRC
12:39 *** salv-orlando has joined #openstack-security
12:42 *** salv-orlando has quit IRC
12:43 *** salv-orlando has joined #openstack-security
13:04 *** salv-orlando has quit IRC
13:23 *** salv-orlando has joined #openstack-security
13:28 *** salv-orlando has quit IRC
13:33 *** salv-orlando has joined #openstack-security
13:40 *** amrith is now known as _amrith_
13:41 *** salv-orlando has quit IRC
13:41 *** bknudson has quit IRC
13:41 *** lorenz_esz has joined #openstack-security
13:43 *** lorenz_esz has left #openstack-security
13:46 *** salv-orlando has joined #openstack-security
13:53 *** salv-orlando has quit IRC
13:55 *** ljfisher has joined #openstack-security
14:05 *** bknudson has joined #openstack-security
14:13 *** Guest28285 is now known as mgagne
14:13 *** mgagne has joined #openstack-security
14:26 *** nkinder has quit IRC
14:35 *** singlethink has joined #openstack-security
14:54 *** dave-mccowan has joined #openstack-security
14:59 *** tmcpeak has joined #openstack-security
15:02 *** _amrith_ is now known as amrith
15:14 *** JAHoagie has joined #openstack-security
15:16 *** Guest-Pirc has joined #openstack-security
15:17 *** nkinder has joined #openstack-security
15:18 *** Guest-Pirc has quit IRC
15:18 *** JAHoagie has quit IRC
15:39 *** voodookid has joined #openstack-security
15:39 *** amrith is now known as _amrith_
15:43 *** voodookid has quit IRC
15:54 *** _amrith_ is now known as amrith
15:54 *** bpokorny has joined #openstack-security
16:00 *** voodookid has joined #openstack-security
16:06 *** tmcpeak has quit IRC
16:16 *** tmcpeak has joined #openstack-security
16:19 *** tmcpeak has quit IRC
16:45 <openstackgerrit> Shellee Arnold proposed openstack/security-doc: Sentence revision  https://review.openstack.org/158354
16:49 *** tmcpeak has joined #openstack-security
17:20 <openstackgerrit> Merged stackforge/bandit: Adds jinja2 autocomplete=false test  https://review.openstack.org/158006
17:20 *** tkelsey has joined #openstack-security
17:34 <openstackgerrit> Shellee Arnold proposed openstack/security-doc: Sentence revision  https://review.openstack.org/158354
17:44 <openstackgerrit> Shellee Arnold proposed openstack/security-doc: Sentence revision  https://review.openstack.org/158354
17:46 *** salv-orlando has joined #openstack-security
17:50 *** optik_ has joined #openstack-security
17:50 *** optik_ has quit IRC
17:56 *** pdesai has joined #openstack-security
18:41 *** tkelsey has quit IRC
18:49 *** pdesai1 has joined #openstack-security
18:52 *** pdesai has quit IRC
18:59 *** pdesai has joined #openstack-security
19:03 *** pdesai1 has quit IRC
19:05 *** raok has joined #openstack-security
19:06 *** raok has left #openstack-security
19:09 <openstackgerrit> Travis McPeak proposed stackforge/bandit: Adding file discovery and directory exclusion  https://review.openstack.org/158405
19:12 *** tmcpeak has quit IRC
19:15 *** tmcpeak has joined #openstack-security
19:21 <openstackgerrit> Travis McPeak proposed stackforge/bandit: Adding file discovery and directory exclusion  https://review.openstack.org/158405
19:23 <tmcpeak> ljfisher chair6 bknudson: come and get it ^
19:26 *** tmcpeak has quit IRC
19:30 *** dave-mccowan has quit IRC
19:32 *** tmcpeak has joined #openstack-security
19:33 <openstackgerrit> Priti Desai proposed openstack/security-doc: Enhancement - Additional ways to configure SSL  https://review.openstack.org/157550
19:40 *** salv-orlando has quit IRC
19:49 *** amrith is now known as _amrith_
19:51 *** openstackgerrit has quit IRC
19:52 *** openstackgerrit has joined #openstack-security
19:56 *** bdpayne has joined #openstack-security
19:58 *** dave-mccowan has joined #openstack-security
20:00 *** bpokorny_ has joined #openstack-security
20:01 *** tmcpeak has quit IRC
20:01 *** pdesai1 has joined #openstack-security
20:01 *** tmcpeak has joined #openstack-security
20:02 *** bpokorny has quit IRC
20:03 *** pdesai has quit IRC
20:05 *** tkelsey has joined #openstack-security
20:07 *** markvoelker has joined #openstack-security
20:15 *** tmcpeak has quit IRC
20:26 *** singlethink has quit IRC
20:33 *** singlethink has joined #openstack-security
20:36 <openstackgerrit> Merged openstack/security-doc: Fixed grammatical error  https://review.openstack.org/158081
20:41 *** salv-orlando has joined #openstack-security
20:51 *** markvoelker has quit IRC
21:00 *** tkelsey has quit IRC
21:01 *** browne has joined #openstack-security
21:05 *** bknudson has quit IRC
21:12 *** salv-orlando has quit IRC
21:15 *** markvoelker has joined #openstack-security
21:15 *** markvoelker has quit IRC
21:16 *** markvoelker has joined #openstack-security
21:17 *** salv-orlando has joined #openstack-security
21:22 *** pdesai1 has quit IRC
21:26 *** _amrith_ is now known as amrith
21:31 *** pdesai has joined #openstack-security
21:35 *** tmcpeak has joined #openstack-security
21:40 <dave-mccowan> I have a bandit question.  I opened bug https://bugs.launchpad.net/bandit/+bug/1422907 because bandit is reporting sql injection possibilities in strings that are docstrings.
21:40 <openstack> Launchpad bug 1422907 in Bandit "False Positive: SqlInjection warnings found in docstrings" [Undecided,New]
21:42 <dave-mccowan> I'm willing to submit a patch for this bug.  Looking at the code now, it does not look like there is enough info in the node to determine if a string is a docstring.  (The code needs to know the parent of the current node.)  Are there any plans to add this sort of AST metadata to Bandit processing?
21:45 *** fletcher has joined #openstack-security
21:45 <fletcher> When is the weekly openstack security meeting? I want to add it to my calendar
21:50 <tmcpeak> fletcher: Thurs at 9am PST
21:52 <tmcpeak> dave-mccowan: yeah, better docstring handling is definitely on our radar, but it isn't a simple change (as you mentioned).  I've seen the same problem with our hardcoded password test.  The same issue you mentioned has made that test useless and we currently have it disabled
21:52 <tmcpeak> dave-mccowan: how would you patch it?
21:53 <fletcher> tmcpeak: boom, thanks!
21:53 <tmcpeak> dave-mccowan: in regards to your question about adding parent-node awareness, yeah.. that's pretty much next on our list
21:53 <tmcpeak> fletcher: cool, see you there
21:55 <dave-mccowan> tmcpeak: astmonkey has an is_docstring() method.  It uses info from the parent node to make the determination.
21:57 <tmcpeak> dave-mccowan: oh interesting, so in that case we could actually use that to add an is_docstring attribute to the context of each string node.  A good place to do that would be in the string node visitor
21:57 <tmcpeak> that would be a great enhancement
21:58 <tmcpeak> I'd love to revive the hardcoded password test…
21:59 <dave-mccowan> tmcpeak: I agree.  What is the plan for adding parent node awareness?  Using a library (like astmonkey) or roll our own?
22:01 <tmcpeak> dave-mccowan: I think we'll shy away from third party libraries - mostly because we have to be careful not to introduce additional dependencies in upstream projects which use Bandit
22:01 <tmcpeak> dave-mccowan: I think some of the folks were working on this at mid-cycle, I don't know how far they got
22:02 *** pdesai has quit IRC
22:02 <tmcpeak> chair6, fletcher, ljfisher: ?
22:02 <tmcpeak> ^
22:02 <ljfisher> just posted my comments
22:02 *** bpokorny has joined #openstack-security
22:05 *** bpokorny_ has quit IRC
22:06 *** tkelsey has joined #openstack-security
22:06 <ljfisher> We had discussed a different way of getting additional context in that we could provide the node of the statement and the node of the function.  You could traverse down from there.
22:10 <ljfisher> But astmonkey looks like it is monkey patching the nodes to add parent links which would be nice.  I haven't been around long enough to understand how much of a problem another dependency would be. It would sure save us time.
22:11 <dave-mccowan> for identifying docstrings, I think the function's node and the string's node would be sufficient.  Is that enhancement in progress?
22:13 <ljfisher> not sure, ukbelch was looking at it
22:15 *** pdesai has joined #openstack-security
22:22 <openstackgerrit> Travis McPeak proposed stackforge/bandit: Adding file discovery and directory exclusion  https://review.openstack.org/158405
22:23 *** bpokorny_ has joined #openstack-security
22:26 *** tmcpeak has quit IRC
22:26 *** bpokorny has quit IRC
22:27 *** tmcpeak has joined #openstack-security
22:29 <tmcpeak> dave-mccowan ljfisher: another dependency which isn't in OpenStack global requirements already is not possible for us
22:29 <tmcpeak> astmonkey is not in there
22:29 <tmcpeak> so we'll have to do something that doesn't rely on that
22:29 <ljfisher> or just end up reimplementing it
22:29 <tmcpeak> yeah, that's probably what we'll have to do
22:30 <tmcpeak> ljfisher: re-submitted that change with your feedback
22:30 <ljfisher> coo
22:30 <ljfisher> cool
22:30 <tmcpeak> I want to get it merged before fletcher does more work and forces me to rebase in a significant way
22:31 <ljfisher> are you going to write tests separately then?
22:32 *** pdesai has quit IRC
22:34 <tmcpeak> ljfisher: which tests?
22:34 <tmcpeak> functional tests?
22:35 <tmcpeak> ljfisher: like unit tests I mean?
22:35 <tmcpeak> in the past we haven't really done them, I noticed you have with your recent one, but I've just done testing by hand
22:35 <tmcpeak> we should do something more sustainable long term
22:35 <ljfisher> yeah, I think fletcher had suggested to be sure exclude was working ??
22:36 <tmcpeak> yeah I have tested myself by hand, but haven't added unit tests
22:36 <tmcpeak> I guess I'd see overall code coverage as a future enhancement
22:37 <tmcpeak> there are tons of things we don't have coverage for already though
22:38 <tmcpeak> I'd really have to spin up a bandit instance and a dummy directory with dummy tests in it
22:38 <fletcher> I've got the line range fix almost done, once I'm finished with that I plan on hitting tests hard
22:38 <fletcher> tmcpeak, ljfisher ^
22:38 <tmcpeak> fletcher: awesome, that would be great
22:38 <tmcpeak> I'll pitch in on that too
22:38 <tmcpeak> pain in the ass to test by hand all the time
22:39 <fletcher> I think the first step is getting one small test that uses subprocess.Popen() to call bandit from the CLI and then check things
22:39 <fletcher> so we can all agree on approach
22:39 <fletcher> then start cranking them out
22:39 <fletcher> yah, I'm in the same boat
22:39 <fletcher> tmcpeak: nice catch on report_json, I'll need to add in the ignore functionality
22:40 <tmcpeak> fletcher: yeah, that sounds good.  We can have a few test config files to use in testing too
22:40 <tmcpeak> fletcher: you mean skipped and excluded tests? I thought you just intentionally didn't include it
22:40 <tmcpeak> if the goal is to have everything in json that is available on the command line, we should include it.  If the goal is to compare the results of two test runs, we can probably get by without it
22:42 <fletcher> Cool, so being completely honest, it wasn't intentional
22:42 <fletcher> if we want to leave it the way it is, I'm fine with that
22:42 <fletcher> but it does seem a bit inconsistent
22:42 <fletcher> what does everyone think?
22:43 <tmcpeak> fletcher: yeah, I think we should probably add it
22:44 <tmcpeak> fletcher: care to do it in a separate change? :)
22:44 <tmcpeak> I'm very keen to get this current change merged
22:45 <tmcpeak> once we do that I'm going to try to add a tag for Bandit 0.9.1 and then push to PyPI and then add Bandit in global requirements with a pinned version, and then get it in Keystone's gate
22:46 *** pdesai has joined #openstack-security
22:46 <fletcher> yep, I can add that, nbd
22:46 <tmcpeak> fletcher: cool
22:46 *** tkelsey has quit IRC
22:47 *** pdesai has quit IRC
22:47 <fletcher> So this is what I'm working on, and I'd love to get it in before the 0.9.1 freeze: line range fix, json add ability to ignore ranges based on type (e.g. -lll flag), adjust Jinja2 test to flag if autocomplete isn't directly set to true (since default is False), tests tests tests
22:47 <fletcher> tmcpeak ^
22:48 <tmcpeak> fletcher: ok cool, we'll release after those are complete
22:48 <fletcher> I'll be pushing things out as I go, but expect to be done by Weds
22:48 <fletcher> sweet, thanks
22:48 <tmcpeak> I think those are great changes and we should have them in the pinned release
22:48 <tmcpeak> fletcher: thanks for all the work
22:49 <tmcpeak> you're making some awesome progress on Bandit
22:49 <fletcher> oh yah, no sweat. It's been fun :)
22:50 *** tkelsey has joined #openstack-security
22:58 *** tkelsey has quit IRC
22:59 *** tmcpeak has quit IRC
23:00 *** pdesai has joined #openstack-security
23:02 *** tmcpeak has joined #openstack-security
23:09 <ljfisher> tmcpeak fletcher: Should json include the skipped and excluded files? It seems if they are important enough to show in txt output the info would be valuable in json too?
23:10 <tmcpeak> ljfisher: yeah, we decided that fletcher will add them in another change
23:11 <ljfisher> ok
23:13 <fletcher> Uh oh, ok, I think I misunderstood
23:13 <tmcpeak> fletcher: ?
23:13 <fletcher> I don't mind adding either functionality, but I was thinking of enabling the -lll functionality for report_json() since it's not in there right now
23:14 <fletcher> once tmcpeak's code lands, I can also add that functionality into report_json if desired
23:14 <tmcpeak> yeah, that's fine - ljfisher is just saying to include the excluded and skipped files in json reporting
23:14 <tmcpeak> what we said earlier - it is inconsistent with what other reporting does
23:14 <tmcpeak> I didn't add excluded since you weren't already reporting "skipped" and they are pretty much the same
23:15 <fletcher> Cool deal, I'll sync up with you when I start working on that just to ensure I'm not crossing my wires
23:17 <tmcpeak> fletcher: ok cool, it should be a pretty simple change
23:17 <tmcpeak> just a matter of deciding what section we want to put them in
23:21 <ljfisher> tmcpeak: more review posted, feel free to tell me if you think I'm being too anal. I want to get the semantics right so we don't have to change it later.
23:21 <tmcpeak> ljfisher: cool, yeah looks like good points.  Thanks for the quick review
23:22 <tmcpeak> let me check it out
23:22 <ljfisher> got other stuff so won't be able to look again til tomorrow
23:25 <tmcpeak> ljfisher: so about the excluded paths, excluded dirs thing
23:25 <tmcpeak> got a sec to answer a q about that?
23:25 <tmcpeak> I'm not sure exactly what you mean
23:45 <openstackgerrit> Travis McPeak proposed stackforge/bandit: Adding file discovery and directory exclusion  https://review.openstack.org/158405
23:45 *** salv-orlando has quit IRC
23:50 *** singlethink has quit IRC
23:54 <openstackgerrit> Tim Kelsey proposed stackforge/anchor: Adding more X509 name tests, now at 100% coverage  https://review.openstack.org/158494
23:54 <openstackgerrit> Travis McPeak proposed stackforge/bandit: Adding file discovery and directory exclusion  https://review.openstack.org/158405
23:58 *** pdesai has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!