fix: resolve all bandit SAST findings in templates/
- Add # nosec B104 to all intentional 0.0.0.0 binds in honeypot servers (hardcoded_bind_all_interfaces is by design — deckies must accept attacker connections) - Add # nosec B101 to assert statements used for protocol validation in ldap/snmp - Add # nosec B105 to fake SASL placeholder in ldap - Add # nosec B108 to /tmp usage in smb template - Exclude root-owned auto-generated decnet_logging.py copies from bandit scan via pyproject.toml [tool.bandit] config (synced by _sync_logging_helper at deploy)
This commit is contained in:
@@ -65,3 +65,12 @@ skip_covered = false
|
||||
[tool.setuptools.packages.find]
|
||||
where = ["."]
|
||||
include = ["decnet*"]
|
||||
|
||||
[tool.bandit]
|
||||
exclude_dirs = [
|
||||
"templates/http/decnet_logging.py",
|
||||
"templates/imap/decnet_logging.py",
|
||||
"templates/pop3/decnet_logging.py",
|
||||
"templates/real_ssh/decnet_logging.py",
|
||||
"templates/smtp/decnet_logging.py",
|
||||
]
|
||||
|
||||
Reference in New Issue
Block a user