X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=master_list.yaml;h=af350761921bbefa1ea7f9306497fc73fdbbf5c9;hb=d1fe715a48749e6363b27e2479f5eca8c92043f9;hp=c40e138560d42dc2fafc928c4560335f69e3ea28;hpb=22ddce4febafed75bd16785352e105a8fbc1d60c;p=releng-anteater.git
diff --git a/master_list.yaml b/master_list.yaml
index c40e138..af35076 100644
--- a/master_list.yaml
+++ b/master_list.yaml
@@ -1,7 +1,4 @@
 ---
-# When adding projects all `arrays: []` sections must have
-# a value, Use 'nullvalue' if no waivers are available.
-#
 # This file uses standard regular expression syntax, however be mindful
 # of escaping YAML delimiters too (such as `:`) using double quotes "".
@@ -58,38 +55,136 @@ file_audits:
 - aws_secret_access_key
 file_contents:
- - -----BEGIN\sRSA\sPRIVATE\sKEY----
- - (password|passwd)(.*:|.*=.*)
- - curl
- - git.*clone
- - dual_ec_drbg
- - base64_decode
- - gost
- - md[245]
- - panama
- - private_key
- - rc4
- - ripemd
- - secret
- - sha0
- - snefru
- - ssh_key
- - sslv[12]
- - streebog
- - tlsv1
- - wget
- - run_as_root.*=.*True
- - exec\s*(\"|\().+(\"|\))
- - \beval\b
- - app\.run\s*\(.*debug.*=.*True.*\)
- - autoescape.*=.*False
- - safestring\.mark_safe.*\(.*\)
- - shell.*=.*True
- - \/tmp\/
- - \yaml\.load
- - telnet
- - ftp
- - finger
+ private_key:
+ regex: -----BEGIN\sRSA\sPRIVATE\sKEY----
+ desc: "This looks like it could be a private key"
+
+ password:
+ regex: (password|passwd)(.*:|.*=.*)
+ desc: "Possible hardcoded password"
+
+ curl:
+ regex: \bcurl\b
+ desc: "Curl can be used for retrieving objects from untrusted sources"
+
+ clone:
+ regex: git.*clone
+ desc: "clone blocked as using an non approved external source"
+
+ dual_ec_drbg:
+ regex: dual_ec_drbg
+ desc: "Insecure cryptographic algorithm"
+
+ base64_decode:
+ regex: base64_decode
+ desc: "Insecure cryptographic algorithm"
+
+ gost:
+ regex: gost
+ desc: "Insecure cryptographic algorithm"
+
+ md245:
+ regex: md[245]
+ desc: "Insecure hashing algorithm"
+
+ panama:
+ regex: panama
+ desc: "Insecure cryptographic algorithm"
+
+ private_key2:
+ regex: private_key
+ desc: "This looks like it could be a private key"
+
+ rc4:
+ regex: rc4
+ desc: "Rivest Cipher 4 is an insecure stream cipher"
+
+ ripemd:
+ regex: ripemd
+ desc: "RACE Message Digest is an insecure hashing algorithm"
+
+ secret:
+ regex: secret
+ desc: "Possible leak of sensitive information"
+
+ sha:
+ regex: sha[01]
+ desc: "Insecure hashing algorithm"
+
+ snefru:
+ regex: snefru
+ desc: "Insecure hashing algorithm"
+
+ ssh_key:
+ regex: ssh_key
+ desc: "Possible leak of private SSH key"
+
+ sslv:
+ regex: sslv[12]
+ desc: "Insecure SSL Version"
+
+ streebog:
+ regex: sslv[12]
+ desc: "Insecure cryptographic hashing algorithm"
+
+ tlsv1:
+ regex: tlsv1
+ desc: "Insecure TLS Version"
+
+ wget:
+ regex: wget
+ desc: "WGET is blocked to unknown / untrusted destinations"
+
+ run_as_root:
+ regex: run_as_root.*=.*True
+ desc: "Its better to use sudo or a rootwrapper"
+
+ exec:
+ regex: \sexec\s*(\"|\().+(\"|\))
+ desc: "Exec can be dangerous when used with arbitrary, untrusted code."
+
+ eval:
+ regex: \beval\b
+ desc: "Eval can be dangerous when used with arbitrary, untrusted code."
+
+ apprun:
+ regex: app\.run\s*\(.*debug.*=.*True.*\)
+ desc: |
+ "Running flask in debug mode can give away sensitive data"
+
+ autoescape:
+ regex: autoescape.*=.*False
+ desc: "Not escaping HTML input is vulnerable to XSS attacks."
+
+ safestring:
+ regex: safestring\.mark_safe.*\(.*\)
+ desc: "Not escaping HTML input is vulnerable to XSS attacks."
+
+ shelltrue:
+ regex: shell.*=.*True
+ desc: "Shell=True can lead to dangerous shell escapes"
+
+ tmp:
+ regex: \/tmp\/
+ desc: |
+ "tmp directories are risky. They are world writable and easily guessed"
+
+ yamlload:
+ regex: \yaml\.load
+ desc: |
+ "Avoid dangerous file parsing & serialization libs, use yaml.safe_load"
+
+ telnet:
+ regex: telnet
+ desc: "Avoid coms applications that transmit credentials in clear text"
+
+ ftp:
+ regex: \bftp\b
+ desc: "Avoid coms applications that transmit credentials in clear text"
+
+ finger:
+ regex: \bfinger\b
+ desc: "Avoid coms applications that transmit credentials in clear text"
 licence:
 licence_ext:
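Review bot: The `streebog` entry in this hunk carries `regex: sslv[12]`, a copy of the `sslv` entry directly above it, so the Streebog check that the old list had as `- streebog` now matches nothing; it should read `regex: streebog`. The `exec` pattern was also changed from `exec\s*...` to `\sexec\s*(\"|\().+(\"|\))`, which requires leading whitespace and therefore skips an `exec(` at the start of a line, whereas `\bexec\s*(\"|\().+(\"|\))` would keep the word-boundary convention the hunk already uses for `eval`, `curl`, `ftp` and `finger`. The `yamlload` pattern `\yaml\.load` keeps the old list's `\y`, which is not a defined escape in Python's `re` module (it raises `re.error` on 3.7 and later) if that is what compiles these rules; `\byaml\.load` is presumably what was intended. Minor: the three `desc: |` block scalars (`apprun`, `tmp`, `yamlload`) include the surrounding double quotes and a trailing newline in the stored value, unlike every other description, so a plain quoted string like `desc: "Running flask in debug mode can give away sensitive data"` would be consistent.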