Updates to address docstring code scan issues, add flake8 configuration

.flake8

@@ -0,0 +1,2 @@
+[flake8]
+max-line-length=120

bandit/__init__.py

@@ -13,7 +13,7 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
-
+"""Bandit is a tool designed to find common security issues in Python code."""
 import pbr.version
 
 from bandit.core import config  # noqa

bandit/__main__.py

@@ -1,3 +1,30 @@
 #!/usr/bin/env python
+# -*- coding:utf-8 -*-
+#
+# Copyright 2014 Hewlett-Packard Development Company, L.P.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+"""Bandit is a tool designed to find common security issues in Python code.
+
+Bandit is a tool designed to find common security issues in Python code.
+To do this Bandit processes each file, builds an AST from it, and runs appropriate
+plugins against the AST nodes. Once Bandit has finished scanning all the files
+it generates a report.
+
+Bandit was originally developed within the OpenStack Security Project and
+later rehomed to PyCQA.
+
+https://bandit.readthedocs.io/
+"""
 from bandit.cli import main
 main.main()

bandit/blacklists/__init__.py

@@ -0,0 +1 @@
+"""Bandit is a tool designed to find common security issues in Python code."""

bandit/blacklists/calls.py

@@ -3,11 +3,8 @@
 # Copyright 2016 Hewlett-Packard Development Company, L.P.
 #
 # SPDX-License-Identifier: Apache-2.0
-
 r"""
-====================================================
-Blacklist various Python calls known to be dangerous
-====================================================
+Blacklist various Python calls known to be dangerous.
 
 This blacklist data checks for a number of Python calls known to have possible
 security implications. The following blacklist tests are run against any
@@ -329,7 +326,6 @@ def gen_blacklist():
 
     :return: a dictionary mapping node types to a list of blacklist data
     """
-
     sets = []
     sets.append(utils.build_conf_dict(
         'pickle', 'B301',
@@ -346,12 +342,12 @@ def gen_blacklist():
          'shelve.DbfilenameShelf'],
         'Pickle and modules that wrap it can be unsafe when used to '
         'deserialize untrusted data, possible security issue.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'marshal', 'B302', ['marshal.load', 'marshal.loads'],
         'Deserialization with the marshal module is possibly dangerous.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'md5', 'B303',
@@ -368,7 +364,7 @@ def gen_blacklist():
          'cryptography.hazmat.primitives.hashes.MD5',
          'cryptography.hazmat.primitives.hashes.SHA1'],
         'Use of insecure MD2, MD4, MD5, or SHA1 hash function.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'ciphers', 'B304',
@@ -388,30 +384,30 @@ def gen_blacklist():
         'Use of insecure cipher {name}. Replace with a known secure'
         ' cipher such as AES.',
         'HIGH'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'cipher_modes', 'B305',
         ['cryptography.hazmat.primitives.ciphers.modes.ECB'],
         'Use of insecure cipher mode {name}.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'mktemp_q', 'B306', ['tempfile.mktemp'],
         'Use of insecure and deprecated function (mktemp).'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'eval', 'B307', ['eval'],
         'Use of possibly insecure function - consider using safer '
         'ast.literal_eval.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'mark_safe', 'B308', ['django.utils.safestring.mark_safe'],
         'Use of mark_safe() may expose cross-site scripting '
         'vulnerabilities and should be reviewed.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'httpsconnection', 'B309',
@@ -421,7 +417,7 @@ def gen_blacklist():
         'Use of HTTPSConnection on older versions of Python prior to 2.7.9 '
         'and 3.4.3 do not provide security, see '
         'https://wiki.openstack.org/wiki/OSSN/OSSN-0033'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'urllib_urlopen', 'B310',
@@ -441,7 +437,7 @@ def gen_blacklist():
          'six.moves.urllib.request.FancyURLopener'],
         'Audit url open for permitted schemes. Allowing use of file:/ or '
         'custom schemes is often unexpected.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'random', 'B311',
@@ -454,14 +450,14 @@ def gen_blacklist():
         'Standard pseudo-random generators are not suitable for '
         'security/cryptographic purposes.',
         'LOW'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'telnetlib', 'B312', ['telnetlib.*'],
         'Telnet-related functions are being called. Telnet is considered '
         'insecure. Use SSH or some other encrypted protocol.',
         'HIGH'
-        ))
+    ))
 
     # Most of this is based off of Christian Heimes' work on defusedxml:
     #   https://pypi.org/project/defusedxml/#defusedxml-sax
@@ -478,7 +474,7 @@ def gen_blacklist():
          'xml.etree.cElementTree.fromstring',
          'xml.etree.cElementTree.XMLParser'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_ElementTree', 'B314',
@@ -487,41 +483,41 @@ def gen_blacklist():
          'xml.etree.ElementTree.fromstring',
          'xml.etree.ElementTree.XMLParser'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_expatreader', 'B315', ['xml.sax.expatreader.create_parser'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_expatbuilder', 'B316',
         ['xml.dom.expatbuilder.parse',
          'xml.dom.expatbuilder.parseString'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_sax', 'B317',
         ['xml.sax.parse',
          'xml.sax.parseString',
          'xml.sax.make_parser'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_minidom', 'B318',
         ['xml.dom.minidom.parse',
          'xml.dom.minidom.parseString'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_pulldom', 'B319',
         ['xml.dom.pulldom.parse',
          'xml.dom.pulldom.parseString'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_etree', 'B320',
@@ -534,7 +530,7 @@ def gen_blacklist():
         ('Using {name} to parse untrusted XML data is known to be '
          'vulnerable to XML attacks. Replace {name} with its '
          'defusedxml equivalent function.')
-        ))
+    ))
 
     # end of XML tests
 
@@ -543,7 +539,7 @@ def gen_blacklist():
         'FTP-related functions are being called. FTP is considered '
         'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.',
         'HIGH'
-        ))
+    ))
 
     # skipped B322 as the check for a call to input() has been removed
 
@@ -554,14 +550,14 @@ def gen_blacklist():
         'using an insecure context via the _create_unverified_context that '
         'reverts to the previous behavior that does not validate certificates '
         'or perform hostname checks.'
-        ))
+    ))
 
     # skipped B324 (used in bandit/plugins/hashlib_new_insecure_functions.py)
 
     sets.append(utils.build_conf_dict(
         'tempnam', 'B325', ['os.tempnam', 'os.tmpnam'],
         'Use of os.tempnam() and os.tmpnam() is vulnerable to symlink '
         'attacks. Consider using tmpfile() instead.'
-        ))
+    ))
 
     return {'Call': sets}

bandit/blacklists/imports.py

@@ -5,9 +5,7 @@
 # SPDX-License-Identifier: Apache-2.0
 
 r"""
-======================================================
-Blacklist various Python imports known to be dangerous
-======================================================
+Blacklist various Python imports known to be dangerous.
 
 This blacklist data checks for a number of Python modules known to have
 possible security implications. The following blacklist tests are run against
@@ -215,7 +213,6 @@
 +------+---------------------+------------------------------------+-----------+
 
 """
-
 from bandit.blacklists import utils
 
 
@@ -230,7 +227,6 @@ def gen_blacklist():
 
     :return: a dictionary mapping node types to a list of blacklist data
     """
-
     sets = []
     sets.append(utils.build_conf_dict(
         'import_telnetlib', 'B401', ['telnetlib'],

bandit/blacklists/utils.py

@@ -3,10 +3,10 @@
 # Copyright 2016 Hewlett-Packard Development Company, L.P.
 #
 # SPDX-License-Identifier: Apache-2.0
+r"""Utils module."""
 
 
 def build_conf_dict(name, bid, qualnames, message, level='MEDIUM'):
     """Build and return a blacklist configuration dict."""
-
     return {'name': name, 'id': bid, 'message': message,
             'qualnames': qualnames, 'level': level}

bandit/cli/__init__.py

@@ -0,0 +1 @@
+"""Bandit is a tool designed to find common security issues in Python code."""

bandit/cli/baseline.py

@@ -13,6 +13,9 @@
 # reports on any new findings.
 # #############################################################################
 
+"""Bandit is a tool designed to find common security issues in Python code."""
+
+
 import argparse
 import contextlib
 import logging
@@ -33,8 +36,11 @@
 report_basename = 'bandit_baseline_result'
 valid_baseline_formats = ['txt', 'html', 'json']
 
+"""baseline.py"""
+
 
 def main():
+    """Execute Bandit."""
     # our cleanup function needs this and can't be passed arguments
     global current_commit
     global repo
@@ -120,6 +126,7 @@ def main():
 # #################### Clean up before exit ###################################
 @contextlib.contextmanager
 def baseline_setup():
+    """Baseline setup by creating temp folder and resetting repo."""
     d = tempfile.mkdtemp()
     yield d
     shutil.rmtree(d, True)
@@ -130,6 +137,7 @@ def baseline_setup():
 
 # #################### Setup logging ##########################################
 def init_logger():
+    """Init logger."""
     LOG.handlers = []
     log_level = logging.INFO
     log_format_string = "[%(levelname)7s ] %(message)s"
@@ -142,6 +150,7 @@ def init_logger():
 
 # #################### Perform initialization and validate assumptions ########
 def initialize():
+    """Initialize arguments and output formats."""
     valid = True
 
     # #################### Parse Args #########################################

bandit/cli/config_generator.py

@@ -1,6 +1,9 @@
 # Copyright 2015 Red Hat Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
+"""Bandit is a tool designed to find common security issues in Python code."""
+
+
 from __future__ import print_function
 
 import argparse
@@ -49,6 +52,7 @@
 
 
 def init_logger():
+    """Init logger."""
     LOG.handlers = []
     log_level = logging.INFO
     log_format_string = "[%(levelname)5s]: %(message)s"
@@ -60,6 +64,7 @@ def init_logger():
 
 
 def parse_args():
+    """Parse arguments."""
     help_description = """Bandit Config Generator
 
     This tool is used to generate an optional profile.  The profile may be used
@@ -100,6 +105,7 @@ def parse_args():
 
 
 def get_config_settings():
+    """Get configuration settings."""
     config = {}
     for plugin in extension_loader.MANAGER.plugins:
         fn_name = plugin.name
@@ -117,6 +123,7 @@ def get_config_settings():
 
 
 def main():
+    """Config generator to write configuration file."""
     init_logger()
     args = parse_args()