X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=master_list.yaml;h=0247250aee58e2583bbbbe1ef98fb464682d93f9;hb=5ec542bc5f72941eefeda5613e639242a603dd38;hp=001565ad5c6f621e41d0c4ee5f4dc98c3ed19159;hpb=94cdec68f6f4ec882d101752ecc663412c5e32e5;p=releng-anteater.git
diff --git a/master_list.yaml b/master_list.yaml
index 001565a..0247250 100644
--- a/master_list.yaml
+++ b/master_list.yaml
@@ -1,7 +1,4 @@
 ---
-# When adding projects all `arrays: []` sections must have
-# a value, Use 'nullvalue' if no waivers are available.
-#
 # This file uses standard regular expression syntax, however be mindful
 # of escaping YAML delimiters too (such as `:`) using double quotes "".
@@ -47,6 +44,7 @@ file_audits:
 - omniauth\.rb
 - carrierwave\.rb
 - schema\.rb
+ - knife\.rb
 - database\.yml
 - settings\.py
 - keychain
@@ -56,40 +54,164 @@ file_audits:
 - kwallet
 - aws_access_key_id
 - aws_secret_access_key
+ - otr\.private_key
+ - ovpn
+ - agilekeychain
+ - \.log
+ - gnucash
+ - backup
+ - jenkins\.plugins\.publish_over_ssh\.BapSshPublisherPlugin\.xml
+ - LocalSettings\.php
+ - tblk
+ - Favorites\.plist
+ - configuration\.user\.xpl
+ - tugboat
+ - git-credentials
+ - git-config
+ - proftpdpasswd
+ - robomongo\.json
+ - filezilla\.xml
+ - recentservers\.xml
+ - ventrilo_srv\.ini
 file_contents:
- - -----BEGIN\sRSA\sPRIVATE\sKEY----
- - (password|passwd)(.*:|.*=.*)
- - curl
- - git.*clone
- - dual_ec_drbg
- - base64_decode
- - gost
- - md[245]
- - panama
- - private_key
- - rc4
- - ripemd
- - secret
- - sha0
- - snefru
- - ssh_key
- - sslv[12]
- - streebog
- - tlsv1
- - wget
- - run_as_root.*=.*True
- - exec\s*(\"|\().+(\"|\))
- - \beval\b
- - app\.run\s*\(.*debug.*=.*True.*\)
- - autoescape.*=.*False
- - safestring\.mark_safe.*\(.*\)
- - shell.*=.*True
- - \/tmp\/
- - \yaml\.load
- - telnet
- - ftp
- - finger
+ private_key:
+ regex: -----BEGIN\sRSA\sPRIVATE\sKEY----
+ desc: "This looks like it could be a private key"
+
+ password:
+ regex: (password|passwd)(.*:|.*=.*)
+ desc: "Possible hardcoded password"
+
+ curl:
+ regex: \bcurl\b
+ desc: "Curl can be used for retrieving objects from untrusted sources"
+
+ clone:
+ regex: git.*clone
+ desc: "clone blocked as using an non approved external source"
+
+ dual_ec_drbg:
+ regex: dual_ec_drbg
+ desc: "Insecure cryptographic algorithm"
+
+ base64_decode:
+ regex: base64_decode
+ desc: "Insecure cryptographic algorithm"
+
+ gost:
+ regex: gost
+ desc: "Insecure cryptographic algorithm"
+
+ md245:
+ regex: md[245]
+ desc: "Insecure hashing algorithm"
+
+ panama:
+ regex: panama
+ desc: "Insecure cryptographic algorithm"
+
+ private_key2:
+ regex: private_key
+ desc: "This looks like it could be a private key"
+
+ rc4:
+ regex: rc4
+ desc: "Rivest Cipher 4 is an insecure stream cipher"
+
+ ripemd:
+ regex: ripemd
+ desc: "RACE Message Digest 
is an insecure hashing algorithm"
+
+ secret:
+ regex: secret
+ desc: "Possible leak of sensitive information"
+
+ sha:
+ regex: sha[01]
+ desc: "Insecure hashing algorithm"
+
+ snefru:
+ regex: snefru
+ desc: "Insecure hashing algorithm"
+
+ ssh_key:
+ regex: ssh_key
+ desc: "Possible leak of private SSH key"
+
+ sslv:
+ regex: sslv[12]
+ desc: "Insecure SSL Version"
+
+ streebog:
+ regex: sslv[12]
+ desc: "Insecure cryptographic hashing algorithm"
+
+ tlsv1:
+ regex: tlsv1
+ desc: "Insecure TLS Version"
+
+ wget:
+ regex: wget
+ desc: "WGET is blocked to unknown / untrusted destinations"
+
+ run_as_root:
+ regex: run_as_root.*=.*True
+ desc: "Its better to use sudo or a rootwrapper"
+
+ exec:
+ regex: \sexec\s*(\"|\().+(\"|\))
+ desc: "Exec can be dangerous when used with arbitrary, untrusted code."
+
+ eval:
+ regex: \beval\b
+ desc: "Eval can be dangerous when used with arbitrary, untrusted code."
+
+ apprun:
+ regex: app\.run\s*\(.*debug.*=.*True.*\)
+ desc: |
+ "Running flask in debug mode can give away sensitive data"
+
+ autoescape:
+ regex: autoescape.*=.*False
+ desc: "Not escaping HTML input is vulnerable to XSS attacks."
+
+ safestring:
+ regex: safestring\.mark_safe.*\(.*\)
+ desc: "Not escaping HTML input is vulnerable to XSS attacks."
+
+ shelltrue:
+ regex: shell.*=.*True
+ desc: "Shell=True can lead to dangerous shell escapes"
+
+ tmp:
+ regex: \/tmp\/
+ desc: |
+ "tmp directories are risky. 
They are world writable and easily guessed"
+
+ yamlload:
+ regex: \yaml\.load
+ desc: |
+ "Avoid dangerous file parsing & serialization libs, use yaml.safe_load"
+
+ telnet:
+ regex: telnet
+ desc: "Avoid coms applications that transmit credentials in clear text"
+
+ ftp:
+ regex: \bftp\b
+ desc: "Avoid coms applications that transmit credentials in clear text"
+
+ finger:
+ regex: \bfinger\b
+ desc: "Avoid coms applications that transmit credentials in clear text"
+ allint:
+ regex: 0\.0\.0\.0
+ desc: "Interface listening on all addresses - may break security zones"
+
+file_ignore:
+ - '.rst'
+ - '.md'
 licence:
 licence_ext:
@@ -112,8 +234,26 @@ project_exceptions:
 - compass4nfv: exceptions/compass4nfv.yaml
 - conductor: exceptions/conductor.yaml
 - copper: exceptions/copper.yaml
+ - cperf: exceptions/cperf.yaml
+ - daisy: exceptions/daisy.yaml
+ - doctor: exceptions/doctor.yaml
+ - dovetail: exceptions/dovetail.yaml
+ - dpacc: exceptions/dpacc.yaml
+ - enfv: exceptions/enfv.yaml
+ - escalator: exceptions/escalator.yaml
+ - fds: exceptions/fds.yaml
 - functest: exceptions/functest.yaml
 - octopus: exceptions/octopus.yaml
 - pharos: exceptions/pharos.yaml
 - releng: exceptions/releng.yaml
 - sandbox: exceptions/sandbox.yaml
+ - yardstick: exceptions/yardstick.yaml
+ - infra: exceptions/infra.yaml
+ - ipv6: exceptions/ipv6.yaml
+ - joid: exceptions/joid.yaml
+ - kvmfornfv: exceptions/kvmfornfv.yaml
+ - lsoapi: exceptions/lsoapi.yaml
+ - models: exceptions/models.yaml
+ - moon: exceptions/moon.yaml
+ - multisite: exceptions/multisite.yaml
+ - netready: exceptions/netready.yaml
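Review bot: The new `streebog` entry in the `file_contents` stanza carries `regex: sslv[12]`, a copy-paste of the `sslv` entry directly above it, so the Streebog check never fires and the SSLv1/2 check is silently duplicated; it should read `regex: streebog`. Two other patterns in the same hunk deserve tightening while the list is being reshaped: `tlsv1` has no trailing boundary, so it also matches identifiers such as `tlsv1_2` / `tlsv1.3` (and, if the patterns are compiled case-insensitively, names like `PROTOCOL_TLSv1_2`), flagging the versions you actually want people to use — `tlsv1(?![._]?[123])` avoids that — and `\yaml\.load` is carried over from the old list with a `\y` escape that Python's `re` rejects as a bad escape on 3.7+, so `\byaml\.load\b` is both valid and what the `\beval\b` entry already does. The `base64_decode` description "Insecure cryptographic algorithm" is also misleading, since base64 is an encoding rather than a cipher; something like `desc: "Base64 decoding is often used to hide embedded payloads"` states the actual reason it is flagged.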
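Review bot: The `yardstick` entry is inserted between `sandbox` and `infra`, which breaks the alphabetical order that every other line of `project_exceptions` keeps; moving `- yardstick: exceptions/yardstick.yaml` to the end of the list (after `netready`) keeps the list greppable and makes future additions less likely to introduce duplicate keys. Each new line also points at an `exceptions/<project>.yaml` file that is not part of this diff, so it is worth confirming those files exist in the same change, as this page does not show whether anteater fails loudly or silently on a missing exceptions file.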