Thursday, 2016-01-21

Ryan_Laneneeds work with the regexes and safe functions, but I think it's a good start00:00
*** bpokorny_ has joined #openstack-security00:00
*** dave-mccowan has joined #openstack-security00:03
*** bpokorny has quit IRC00:04
tmcpeakRyan_Lane: I'm going to have a play with it now00:05
Ryan_Lanecool :) feel free to send in PRs00:05
Ryan_Lanewe do require a CLA, though00:05
Ryan_Lanethe joys of the law00:06
*** elo has joined #openstack-security00:06
Ryan_Lanealso feel free to open issues :)00:06
*** ccneill_ has joined #openstack-security00:14
tmcpeakRyan_Lane: cool, running against a bunch of things00:15
tmcpeakwill hopefully find bugs, issues, or both00:15
*** austin987 has quit IRC00:15
Ryan_Lanecool :)00:16
tmcpeakRyan_Lane: have you seen this one? AttributeError: 'Name' object has no attribute 's'00:16
Ryan_LaneI'm probably not skipping names somewhere00:17
tmcpeakRyan_Lane: jk, that's actually not your issue :P00:17
Ryan_Laneah. heh00:17
tmcpeakit's got to do with tkelsey's refactor00:17
Ryan_LaneI ran against 0.17.000:18
Ryan_Laneyou'll likely see a bunch of warnings about not being able to determine the entropy00:18
*** ccneill_ has quit IRC00:18
Ryan_Lanevery large strings will trigger that. I haven't decided what to do about that00:19
Ryan_LaneI currently mark it as 0 entropy, because if it's that large, it's probably not a secret.00:19
*** woodrow has joined #openstack-security00:22
*** elo has quit IRC00:23
tmcpeakhow large?00:25
Ryan_Lanenot sure. pretty large, though00:25
Ryan_Laneit also throws errors on unicode00:25
Ryan_Lanewhich is generally unlikely to be a secret00:25
tmcpeakwe'd want to make sure it catches RSA private keys etc00:25
Ryan_LaneI flag those immediately00:26
tmcpeakahh cool00:26
Ryan_Laneanything that matches a flagged regex gets 3/3 confidence/severity00:26
*** elo has joined #openstack-security00:26
tmcpeakcool, makes sense as long as regex's are tight enough00:27
Ryan_Laneyep. they're a bit loose right now00:28
Ryan_Laneah. you mean for flags?00:28
Ryan_Laneyeah, the flags are pretty good right now00:28
Ryan_Lanethe discounts, not so much.00:29
*** austin987 has joined #openstack-security00:31
*** jhfeng has joined #openstack-security00:34
*** jhfeng has quit IRC00:37
*** ccneill_ has joined #openstack-security00:37
tmcpeakahh ok, so loose discounts would lead to false negatives?00:39
tmcpeaka general design goal of Bandit has been to reduce false negatives as much as possible.  If anything false positives can be sifted through and filtered out.  That being said, you're free to write it whichever way is most useful to you :)00:40
*** jhfeng has joined #openstack-security00:41
*** markvoelker_ has quit IRC00:41
*** jhfeng has quit IRC00:45
*** bpokorny_ has quit IRC00:55
*** bpokorny has joined #openstack-security00:55
*** bpokorny has quit IRC01:01
*** salv-orlando has quit IRC01:09
Ryan_Lanetmcpeak: yeah01:16
Ryan_Lanethe ideal is to have the discounts as accurate as possible01:17
tmcpeakcool, that's the kind of thing we could tweak with time too01:17
Ryan_Lanethe issue here is that secrets are generally high entropy, which makes them difficult to identify01:17
Ryan_Laneso it's easier to filter out the crap you can01:17
Ryan_Laneand everything you can't match gets a higher confidence01:18
tmcpeakyeah, that makes sense01:18
Ryan_Lanewe also go with the approach you folks had in the original test where it checks the targets01:18
tmcpeakI guess with the hardcoded password stuff we're going to miss stuff by definition.  High quality results are more likely to find issues than a bunch of low quality results that will eventually be disabled01:18
*** elo has quit IRC01:19
Ryan_Lanethat was my thought process. our devs aren't going to be willing to sift through a bunch of false negatives in the hopes of finding something01:19
Ryan_Laneso, yeah. ideally going to tighten the discount regexs enough to where they don't weed out legitimate secrets01:20
Ryan_Laneand have enough to where we can filter out likely known good strings01:20
Ryan_LaneI've also been considering adding scikit to this01:20
Ryan_Lanebut I need my girlfriend to teach me how to use it effectively for this particular case. I'm only good at the really basic use-case for that :D01:21
tmcpeakoooh, that would be cool01:22
Ryan_Laneyeah. the idea would be to build a model that we can tweak01:22
Ryan_Laneuse svm for classification01:22
tmcpeakwe'd need a training set from somewhere too01:22
Ryan_Laneyep. we'll likely need to generate that ;)01:23
tmcpeakcould be a huge manual slog.. would be easier if we could feed it a password set01:23
tmcpeakpasswords and non password strings01:24
Ryan_Laneah. true01:24
tmcpeakthat would be cool01:24
tmcpeaklooks pretty simple to implement something like that:
*** elo has joined #openstack-security01:27
Ryan_Laneyeah, doing something with bag of words is easy01:27
tmcpeakI read this book over the break where he was doing everything in Excel :P01:27
Ryan_Lanehm. does setuptools work correctly if you pip install -e ?01:28
Ryan_Laneto a git+https remote?01:28
tmcpeakyeah, it doesn't look like it01:29
* Ryan_Lane grumbles01:29
Ryan_Laneit works if you git clone then pip install -e .01:29
Ryan_LaneI guess I'll need to publish this to pypi :(01:29
tmcpeakoh you know what?01:29
tmcpeakI think it's because we're now discarding all tests without IDs01:29
tmcpeakyou'll need to add some IDs01:30
tmcpeakmaybe test with 9xx01:30
Ryan_Lanemaybe a different letter prefix?01:30
Ryan_Lanebe- maybe?01:30
tmcpeakwhat's the e for?01:31
Ryan_Lanemaybe bp01:31
Ryan_Lanefor plugin?01:31
tmcpeakyeah, we should come up with some way to make sure plugins don't step on eachother01:31
tmcpeakBPxx sounds good for now01:31
tmcpeakas a temporary01:31
tmcpeakwe should probably have a list of assignments on the wiki or something01:32
Ryan_Lanemore of an issue when it's possible to do something like # nosec-BP10001:32
tmcpeakyeah, you nosec out somebody else's plugin by accident, etc01:32
tmcpeakallright I'm off for the night, catch you later01:35
Ryan_Lanesee ya01:35
*** tmcpeak has quit IRC01:35
*** elo has quit IRC01:52
*** elo has joined #openstack-security01:54
*** ccneill_ has quit IRC02:05
*** eric_lopez has joined #openstack-security02:10
*** elo has quit IRC02:12
*** bpokorny has joined #openstack-security02:48
*** eric_lopez has quit IRC03:07
*** tricksters has joined #openstack-security03:08
*** agireud has quit IRC03:11
*** agireud has joined #openstack-security03:15
*** bpokorny_ has joined #openstack-security03:17
*** bpokorny has quit IRC03:21
*** _et_ has quit IRC03:21
*** bpokorny_ has quit IRC03:22
*** browne has quit IRC03:25
*** tricksters has quit IRC03:26
*** elo has joined #openstack-security03:26
*** agireud has quit IRC03:27
*** eric_lopez has joined #openstack-security03:46
*** elo has quit IRC03:46
*** agireud has joined #openstack-security03:52
*** austin987 has quit IRC04:10
*** eric_lopez has quit IRC04:15
*** browne has joined #openstack-security04:18
*** browne has quit IRC04:28
*** browne has joined #openstack-security04:29
*** bpokorny has joined #openstack-security04:38
*** browne has quit IRC04:40
*** markvoelker has joined #openstack-security05:07
*** markvoelker has quit IRC05:12
*** markvoelker has joined #openstack-security05:12
*** yuanying has joined #openstack-security05:32
*** yuanying_ has quit IRC05:36
*** dave-mccowan has quit IRC05:57
*** markvoelker_ has joined #openstack-security06:01
*** markvoelker has quit IRC06:05
*** markvoelker has joined #openstack-security06:05
*** markvoelker_ has quit IRC06:06
*** bpokorny has quit IRC06:12
*** liverpooler has quit IRC06:19
openstackgerritvenkatamahesh proposed openstack/security-doc: Fix rst markups
*** agireud has quit IRC07:04
openstackgerritKATO Tomoyuki proposed openstack/security-doc: Fix rst markups
*** agireud has joined #openstack-security07:16
*** rcernin has joined #openstack-security07:20
*** shohel has joined #openstack-security07:21
*** ccneill has joined #openstack-security07:24
*** ccneill has quit IRC07:41
*** shohel has quit IRC07:50
*** shohel has joined #openstack-security07:52
*** liverpooler has joined #openstack-security07:54
*** liverpooler has quit IRC07:55
*** liverpooler has joined #openstack-security07:55
*** austin987 has joined #openstack-security07:59
*** agireud has quit IRC08:35
*** agireud has joined #openstack-security08:47
*** agireud has quit IRC09:05
*** agireud has joined #openstack-security09:09
*** markvoelker has quit IRC09:12
*** markvoelker has joined #openstack-security09:42
*** markvoelker has quit IRC09:48
*** openstackgerrit has quit IRC10:02
*** openstackgerrit has joined #openstack-security10:02
*** markvoelker has joined #openstack-security10:39
*** markvoelker has quit IRC10:44
*** markvoelker has joined #openstack-security11:34
*** markvoelker has quit IRC11:39
*** dave-mccowan has joined #openstack-security12:17
*** markvoelker has joined #openstack-security12:29
openstackgerritTim Kelsey proposed openstack/bandit: Adding some test coverage for config_generator
*** markvoelker has quit IRC12:35
*** jamielennox is now known as jamielennox|away13:07
*** markvoelker has joined #openstack-security13:24
*** alejandrito has joined #openstack-security13:26
*** markvoelker has quit IRC13:29
*** markvoelker has joined #openstack-security13:50
*** markvoelker has quit IRC13:53
*** markvoelker has joined #openstack-security13:53
*** ninag has joined #openstack-security13:53
*** markvoelker has quit IRC13:57
*** markvoelker has joined #openstack-security13:59
*** edmondsw has joined #openstack-security14:08
*** alejandrito has quit IRC14:26
*** dslev has joined #openstack-security14:39
*** jmckind has joined #openstack-security14:42
openstackgerritTim Kelsey proposed openstack/bandit: Fixing a bug and cleaning up in blacklisting code
*** avarner has joined #openstack-security14:49
*** liverpooler has quit IRC14:50
*** sigmavirus24_awa is now known as sigmavirus2415:03
elmikohey sigmavirus24, i really appreciate your comments on
elmikodo you think it's worth holding this review up to get it broken up more? (i'm leaning towards giving it +2 with a strongly worded comment about future patches)15:06
*** cjschaef has joined #openstack-security15:06
openstackgerritTim Kelsey proposed openstack/bandit: Cleaning code
*** jhfeng has joined #openstack-security15:15
*** shohel has quit IRC15:18
*** tmcpeak has joined #openstack-security15:26
*** cjschaef has quit IRC15:26
*** cjschaef has joined #openstack-security15:26
openstackgerritTim Kelsey proposed openstack/bandit: Fixing a bug and cleaning up in blacklisting code
*** wenwei has quit IRC15:30
*** markvoelker has quit IRC15:38
*** jmckind has quit IRC15:41
*** jmckind has joined #openstack-security15:43
*** diazjf has joined #openstack-security16:00
*** markvoelker has joined #openstack-security16:01
*** rcernin has quit IRC16:09
elmikosigmavirus24: any thoughts about that review?16:10
sigmavirus24elmiko: beyond the -1 I left?16:10
elmikoyea, like, should we work to get it broken up?16:11
elmikoi'm at a loss here, i totally agree with what you said, but i don't want to be overly nit-picky since KATO seems ok with it16:11
elmikobut i mean, everything you said + no bug in the commit message... i dunno, i feel like consistency/self-control is being lost on this patch16:12
sigmavirus24elmiko: exactly16:12
elmikoand given the content of the patch i don't feel it's worth getting into some giant breakdown about it... /sigh16:13
elmikosicarie: ping16:14
tmcpeakgiant breakdowns are always fun :D16:15
*** browne has joined #openstack-security16:29
*** ccneill_ has joined #openstack-security16:42
*** bpokorny has joined #openstack-security16:44
*** rcernin has joined #openstack-security16:49
*** ccneill_ is now known as ccneill16:49
*** bpokorny has quit IRC16:51
*** bpokorny has joined #openstack-security16:52
openstackgerritHenry Yamauchi proposed openstack/bandit: Broken link in file
*** bpokorny has quit IRC16:53
*** mvaldes has joined #openstack-security16:55
*** tkelsey has joined #openstack-security16:57
sicarieelmiko: hello17:01
elmikosicarie: hey, lets talk in the ossp meeting17:02
sicariesure, but i'm only going to be in it for the first 3017:02
sicarieso maybe after if the sec-guide isn't hit yet?17:02
*** edtubill has joined #openstack-security17:06
*** salv-orlando has joined #openstack-security17:10
*** hyakuhei_ has joined #openstack-security17:19
*** austin987 has quit IRC17:23
*** sigmavirus24 is now known as sigmavirus24_awa17:27
openstackgerritTim Kelsey proposed openstack/bandit: This fixes the blacklist to look like a plugin so we can filter it
*** austin987 has joined #openstack-security17:38
openstackgerritMerged openstack/bandit: Adding some test coverage for config_generator
openstackgerritTim Kelsey proposed openstack/bandit: This fixes the blacklist to look like a plugin so we can filter it
tmcpeakRyan_Lane: out of curiosity how did you find out about Bandit17:56
hyakuhei_This is an interesting project, with some (but not completel) overlap with Anchor18:01
*** dg_ has joined #openstack-security18:01
tkelseyo/ all18:01
elmikolater tkelsey18:01
elmikohyakuhei_: we had some discussions about that and overlaps with barbican18:02
*** wayward710 has joined #openstack-security18:02
elmikoseems interesting18:02
tmcpeaktkelsey: laters18:02
hyakuhei_Yeah, so it’s probably always going to want some Keystone auth in front of it18:02
hyakuhei_Which could be Barbican18:02
hyakuhei_It could even be Anchor18:02
hyakuhei_Interesting project all the same18:02
*** sicarie has quit IRC18:03
hyakuhei_Vault in general is interesting18:03
ccneillquestion: anyone using Qubes OS?
ccneillsorry, totally off topic lol18:03
elmikohyakuhei_: yea, definitely18:03
elmikoccneill: seen it, but have not tried it18:03
ccneilljust been seeing lots of buzz about it, and it sounds like an interesting concept18:04
tmcpeakit looks interesting but I haven't played with it18:04
elmikosimilarly off-topic, you may find this interesting
hyakuhei_Interesing, didn’t realize Rutkowska was behind it.18:05
hyakuhei_Might take another look at qubes18:05
ccneillelmiko: thanks for the link, I've been meaning to figure out what this unikernel business is18:06
hyakuhei_“Qubes brings to your personal computer the security of the Xen Project hypervisor”18:06
elmikoccneill: np, looks cool too18:06
ccneillhyakuhei_: haha what makes you say that?18:07
hyakuhei_Stastically Xen gets more big vulns than KVM18:07
ccneillgranted Xen has its share of issues security-wise, but I doubt they'd be as relevant in the personal computer space18:07
hyakuhei_but mainly I’m just being snarky18:07
ccneillhaha gotcha18:07
hyakuhei_and I’ve got a lot of time for the invisible-things tema18:07
hyakuhei_Right, I’m out - got to walk the doggies.18:10
*** hyakuhei_ is now known as hyakuhei_afk18:11
elmikolater ccneill18:11
Ryan_Lanehyakuhei_afk: it's similar to barbican, yeah18:11
Ryan_Laneit would have been nice if openstack did a project closer to AWS's KMS, rather than closer to something like vault, keywhiz or confidant18:12
hyakuhei_afkI think there’s space for both18:12
hyakuhei_afkI mean, Vault is a soft-HSM18:12
hyakuhei_afkBarbican is an abstraction to real HSMs18:12
*** tkelsey has quit IRC18:12
Ryan_Lanethen, for instance, support could be added to confidant to use the KMS like service in openstack18:12
hyakuhei_afkDifferent security models for a start18:12
Ryan_LaneKMS is like the HSM18:12
hyakuhei_afkVault says if you loose access to disk then you’re boned18:12
Ryan_Lanewell, I'm not saying you should use vault :)18:13
hyakuhei_afk(integrity/confidentialty wisE)18:13
Ryan_Lanevault is.... an odd beast18:13
elmikohow so?18:13
hyakuhei_afkI’m very happy that people are investing money in these areas18:13
Ryan_Laneconfidant only handles the storage and access control of secrets18:13
Ryan_Lanethe encryption is done via KMS18:13
Ryan_Laneso confidant can be completely stateless18:14
Ryan_LaneI'm also adding something to confidant right now where confidant doesn't even have access to decrypt the secrets18:14
Ryan_Laneit's only used as storage/access control/revision history/api18:15
Ryan_Lanebut that's possible because there's an encryption service ;)18:15
Ryan_Lanevault combines encryption, storage and access control18:15
*** hyakuhei_afk has quit IRC18:15
Ryan_Lanekeywhiz is likely the closest analog to barbican18:16
elmikonot familiar with keywhiz18:16
Ryan_Lanemade by square. written in java18:16
Ryan_Laneuses HSMs by default18:16
Ryan_Lanebarbican could probably pretty easily just expose a KMS-like interface18:17
elmikoi don't know the internal of KMS18:18
Ryan_Laneone of the nicest things about KMS is that it exposes an API endpoint for random18:18
Ryan_Laneso you can use KMS as your seed rather than pollinate in ubuntu18:18
elmikointeresting, do you have a doc link?18:18
elmikoRyan_Lane: tyvm!18:19
elmikoso tough to keep track of all these moving parts lol18:19
Ryan_Lanethe best feature for sure, though, is the ability to do RBAC on its AAD (which is what it calls encryption context)18:20
Ryan_Laneso one user can encrypt using a key, if the AAD has specific data and another user could decrypt using the key, if the AAD has specific data18:20
elmikothat's cool18:20
Ryan_Laneit's basically giving you primitives you can use to build more interesting things18:21
elmikoyea, totally18:21
Ryan_Laneazure has a similar service18:22
elmikowhich i love about the higher level abstractions that are starting to occur in the cloud world18:22
Ryan_Lanewhat I really want next is a PKI service. so that the cloud service can hold a CA and I can just get certs18:23
Ryan_Laneanchor is looking really nice for that ;)18:23
elmikoyea, that seems necessary for just about any secure cloud work18:23
elmikoRyan_Lane: we were curious, how did you learn about bandit?18:25
*** jmckind has quit IRC18:25
Ryan_Laneelmiko: our security lead found it18:25
Ryan_Laneasking him18:25
Ryan_Lanehe thinks someone at dropbox mentioned it18:26
elmikovery cool, thanks18:26
elmikotmcpeak: ^^18:26
elmikowe've been working on increasing our outreach efforts as a group and it always helps to learn how folks outside the openstack community are finding things like bandit18:26
Ryan_Laneopenstack security specifically, or openstack as a whole?18:27
Ryan_Laneopenstack itself is screwed because the vast majority of its services aren't usable on their own18:28
Ryan_Lane(I was a former openstack user committee member)18:28
elmikogood point18:28
elmikoah, very cool18:28
elmikoyea, i mean, when you buy into openstack there is a certain level of kool-aid drinking that occurs18:28
Ryan_Laneevery conference I'd talk to people making new projects that sounded like they'd be great on their own and I'd ask them "is this going to be usable outside of the ecosystem?"18:29
elmikowould be interesting to see if certain parts of the openstack core could be abstracted to allow for other implementations18:29
Ryan_Laneand their answer was along the lines of "what's the point?"18:29
elmikoyea, it's tough18:29
elmikoalthough, i think projects like swift have handled this well, no?18:30
*** mvaldes has quit IRC18:30
Ryan_Laneyeah. swift does this well. but they have a company behind it that is selling it as its own product18:30
Ryan_LaneI think designate also does this ok, but it took forever for it to be added as an incubated project18:31
Ryan_Lane(I tried pushing that through for incubation 3 times)18:31
tmcpeakRyan_Lane, elmiko: awesome :)  looks like Bandit is getting some great traction then18:32
Ryan_Laneyeah :)18:32
elmikoi would think that removing the project-id stuff from many projects will be problematic, in some ways this is painting ourselves into a corner18:33
elmikoRyan_Lane: fwiw, i work a bunch on the sahara project (data processing service), and i think it would be pretty difficult, if not impossible, to make it more generic by removing the openstack dependency18:38
Ryan_Laneyeah. nova is another example of a service that would be difficult to be standalone ;)18:39
Ryan_Lanenot saying all of them should be, but a lot of them could be.18:39
*** tkelsey has joined #openstack-security18:39
elmikoi could see that18:39
*** edmondsw has quit IRC18:41
*** tkelsey has quit IRC18:44
*** bpokorny has joined #openstack-security18:44
*** ccneill has quit IRC18:50
*** ccneill has joined #openstack-security18:58
*** sigmavirus24_awa is now known as sigmavirus2419:02
*** jmckind has joined #openstack-security19:04
*** elo has joined #openstack-security19:18
*** dg_ has quit IRC19:24
*** edmondsw has joined #openstack-security19:29
openstackgerritMerged openstack/bandit: Broken link in file
openstackgerritOpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals
*** jmckind has quit IRC19:39
*** jmckind has joined #openstack-security19:39
*** jmckind_ has joined #openstack-security19:41
*** jmckind_ has quit IRC19:41
*** salv-orlando has quit IRC19:42
*** jmckind has quit IRC19:44
openstackgerritMerged openstack/bandit: Fixing a bug and cleaning up in blacklisting code
openstackgerritMerged openstack/security-doc: Updated from openstack-manuals
*** hyakuhei_ has joined #openstack-security20:06
*** elo has quit IRC20:09
*** markvoelker has quit IRC20:11
*** jhfeng has quit IRC20:12
*** jhfeng has joined #openstack-security20:13
*** alejandro12 has joined #openstack-security20:19
*** alejandro12 has left #openstack-security20:23
*** jhfeng has quit IRC20:24
*** jhfeng has joined #openstack-security20:29
*** hyakuhei_ has quit IRC20:30
*** markvoelker has joined #openstack-security20:31
*** hyakuhei has joined #openstack-security20:41
*** jhfeng has quit IRC20:43
*** yarkot has joined #openstack-security20:45
*** hyakuhei has quit IRC20:45
*** jamielennox|away is now known as jamielennox20:47
*** dslev has quit IRC21:00
*** tkelsey has joined #openstack-security21:05
*** salv-orlando has joined #openstack-security21:11
*** yarkot has quit IRC21:18
*** dslev has joined #openstack-security21:19
*** mvaldes has joined #openstack-security21:33
*** markvoelker has quit IRC21:39
*** alejandro12 has joined #openstack-security21:39
*** alejandro12 has left #openstack-security21:40
*** markvoelker has joined #openstack-security21:41
*** tkelsey has quit IRC21:46
*** tmcpeak has quit IRC21:51
*** tmcpeak has joined #openstack-security21:53
*** tmcpeak has quit IRC21:54
*** dslev has quit IRC21:59
*** markvoelker has quit IRC22:04
*** jhfeng has joined #openstack-security22:10
*** cjschaef has quit IRC22:13
*** dslev has joined #openstack-security22:14
openstackgerritHenry Yamauchi proposed openstack/bandit: Misspelling in main developers doc title
*** diazjf has quit IRC22:23
*** markvoelker has joined #openstack-security22:24
*** dslev has quit IRC22:34
*** tmcpeak has joined #openstack-security22:40
tmcpeaksigmavirus24: ping22:40
tmcpeakhow are you guys handling multiple .flake8 files?22:40
sigmavirus24tmcpeak: can you give a bit more context22:41
tmcpeaklike if I point a few projects at flake8, each has it's own .flake8 file - do you have the logic to apply each flake8 file to the project it's associated with?22:41
tmcpeakor do you just somehow use one of them?22:41
tmcpeakso flake8 a/bunch/of/projects22:41
tmcpeaklots of those projects have .flake8 files in them22:41
sigmavirus24tmcpeak: like if I cloned keystone, glance, and nova and tried to run flake8 against all of them at once?22:42
sigmavirus24we don't presently handle that very well22:43
sigmavirus24we wouldn't pick up any of those config files actually22:43
tmcpeakok cool, yeah it would be nasty to implement that logic in Bandit too22:43
sigmavirus24you need to understand that each of those directories is meant to have it's own Style Guide (in flake8 parlance)22:43
sigmavirus24Which means a lot of headaches and mental gymnastics22:43
sigmavirus24and not every-time s omeone specifies multiple directories does it mean that22:44
openstackgerritMerged openstack/bandit: Misspelling in main developers doc title
tmcpeakso what do you recommend for Bandit?22:45
sigmavirus24tmcpeak: operate under the assumption that someone's only ever going to run it against one project and if you find multiple issue a warning and quit22:47
sigmavirus24that said22:47
sigmavirus24what flake8 does presently is look for the longest common path to those directories22:47
sigmavirus24it starts there looking for a directory22:47
tmcpeakquit or issue a warning that multiple were found and just pick the first one we got?22:47
sigmavirus24I can show you exactly the code that does that22:47
sigmavirus24tmcpeak: if you don't quit you'll do the wrong thing22:47
sigmavirus24because it will cause people to wonder why running bandit on just one project works when it doesn't when running it against more than one22:48
tmcpeakso if projects have a bunch of .bandit files I can no longer actually scan a big directory at all22:48
tmcpeak(sigh) I guess I need a flag to make it not do all of this22:48
tmcpeakbut yeah, you're right, it will do the wrong thing22:49
tmcpeakso sigmavirus24 I error out if I find multiple .bandit files, but I can also put a command line flag that will make it ignore the .bandit files?22:51
tmcpeakdoes that seem reasonable?22:52
tmcpeaksigmavirus24: ^22:52
sigmavirus24just make -c override that error22:53
sigmavirus24as in22:53
sigmavirus24You're giving me explicit direction what config file to use for this run, I will ignore other config files I find even if I find more than one22:54
sigmavirus24make sense?22:54
sigmavirus24(instead of adding yet another config option)22:54
tmcpeakhmm well that clashes with our existing -c22:54
tmcpeakI'd prefer to call it something else, but makes sense22:54
tmcpeakthose config files are totally different - existing config is going away, is YAML format, etc.  This one is ini file format, etc22:55
tmcpeakI'll come up with some other thing to call it and you guys can make suggestions on the patch22:56
tmcpeaksigmavirus24: thanks for the input22:57
*** mvaldes has quit IRC23:23
*** sigmavirus24 is now known as sigmavirus24_awa23:34
*** rcernin has quit IRC23:47
*** edtubill has quit IRC23:49
*** edmondsw has quit IRC23:55
*** bpokorny_ has joined #openstack-security23:58
*** bpokorny_ has quit IRC23:58
*** bpokorny_ has joined #openstack-security23:59

Generated by 2.14.0 by Marius Gedminas - find it at!