bandit (on alpine 3.7) reports some potential issues in dscanner/docker-related code
Job #210327308 failed for uniqx/fdroidserver@853193ee:
Test results:
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: /builds/uniqx/fdroidserver/docker/drozer.py:10
More Info: https://bandit.readthedocs.io/en/latest/plugins/b108_hardcoded_tmp_directory.html
9 drozer = pexpect.spawn("drozer console connect")
10 drozer.logfile = open("/tmp/drozer_report.log", "w")
11
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: /builds/uniqx/fdroidserver/docker/install_agent.py:10
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
9 print("Ensuring device is online")
10 call("adb wait-for-device", shell=True)
11
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: /builds/uniqx/fdroidserver/docker/install_agent.py:22
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
21 while attempts < 8:
22 output = check_output('adb shell "pm list packages"', shell=True)
23 print("Checking whether the package manager is up...")
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: /builds/uniqx/fdroidserver/docker/install_agent.py:36
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
35 try:
36 install_output = check_output("adb install /home/drozer/drozer-agent.apk", shell=True)
37 except Exception:
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: /builds/uniqx/fdroidserver/docker/install_agent.py:47
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
46
47 pm_list_output = check_output('adb shell "pm list packages"', shell=True)
48
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: /builds/uniqx/fdroidserver/docker/install_agent.py:56
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
55 print("Starting the drozer agent main activity: com.mwr.dz/.activities.MainActivity")
56 call('adb shell "am start com.mwr.dz/.activities.MainActivity"', shell=True, stdout=FNULL)
57
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: /builds/uniqx/fdroidserver/docker/install_agent.py:60
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
59 # start the service
60 call("python /home/drozer/enable_service.py", shell=True, stdout=FNULL)
61
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell
Severity: Low Confidence: High
Location: /builds/uniqx/fdroidserver/docker/install_agent.py:63
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
62 print("Forward dem ports mon.")
63 call("adb forward tcp:31415 tcp:31415", shell=True, stdout=FNULL)
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
Location: /builds/uniqx/fdroidserver/fdroidserver/dscanner.py:102
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
101 try:
102 check_output(command, shell=True)
103 except CalledProcessError as e:
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
Location: /builds/uniqx/fdroidserver/fdroidserver/dscanner.py:118
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
117 try:
118 check_output(command, shell=True)
119 except CalledProcessError as e:
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
Location: /builds/uniqx/fdroidserver/fdroidserver/dscanner.py:228
More Info: https://bandit.readthedocs.io/en/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html
227 output = check_output(command,
228 shell=True).decode('utf-8')
229 except CalledProcessError as e:
230 logging.error(('Command "{command}" failed with '
--------------------------------------------------
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
Severity: Medium Confidence: Medium
Location: /builds/uniqx/fdroidserver/fdroidserver/dscanner.py:397
More Info: https://bandit.readthedocs.io/en/latest/plugins/b108_hardcoded_tmp_directory.html
396 dest = apk_path + '.drozer'
397 self._copy_from_container('/tmp/drozer_report.log', dest)
398 self._adb_uninstall_apk(app_id)
--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'android'
Severity: Low Confidence: Medium
Location: /builds/uniqx/fdroidserver/fdroidserver/nightly.py:42
More Info: https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
41 KEYSTORE_FILE = os.path.join(os.getenv('HOME'), '.android', 'debug.keystore')
42 PASSWORD = 'android'
43 KEY_ALIAS = 'androiddebugkey'
Edited by Michael Pöhn