Couldn't successfully run pegasus-integrity through SWAMP, kept hitting build errors (will give it another try). Thus manually scanned the Python pegasus-integrity code with popular Python security code scanners such as Bandit, PyLint and Flake8. PyLint and Flake8 didn't report any specific security threats other than styling errors. One specific high-level threat identified by Bandit was "subprocess call with shell=True identified":

```
Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High   Confidence: High
Location: pegasus-integrity:231
```

This vulnerability would allow arbitrary code execution, as well as privilege escalation, if the input is not validated properly.
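The B602 finding above comes down to one distinction: with `shell=True` the command is a single string that `/bin/sh` re-parses, so any metacharacter in an interpolated value changes the command, whereas an argument list with `shell=False` reaches the child as discrete `argv` entries that no shell ever interprets. The block below is an added illustration, not code from pegasus-integrity or from Bandit. It shows the flagged pattern as a plain string builder (nothing is executed through a shell), the hardened argument-vector form run against a constructed child process (a Python one-liner that echoes its `argv`, so the example runs anywhere without `sha256sum`), and a minimal AST-based re-implementation of the check Bandit performs, run over a constructed source snippet. `UNTRUSTED_FILENAME`, `SAMPLE_SOURCE` and all function names are assumptions made for this example.

```python
"""Bandit B602 in context: a command string re-parsed by /bin/sh versus an
argument vector handed straight to the child process.

Added example; not code from pegasus-integrity or Bandit.  The child process
is a constructed stand-in (a Python one-liner that prints its argv), so the
example runs offline on any machine with Python.
"""
import ast
import json
import subprocess
import sys

# Constructed sample input.  With shell=True the ';' would end the intended
# command and start a second one; with an argv list it is just part of a name.
UNTRUSTED_FILENAME = "report.txt; echo injected"


def build_shell_command(filename):
    """The shape Bandit reports as B602: one string glued together from
    untrusted input and destined for subprocess.Popen(..., shell=True).
    The string is only returned here, never executed, so the risky parse
    step is visible without being performed."""
    return "sha256sum " + filename


def run_with_argv(filename):
    """Hardened form: an argument vector with shell=False (the default).
    The child receives `filename` as exactly one argv element, metacharacters
    included, because no shell parses the line.  The child is a constructed
    Python one-liner that prints its argv as JSON so the result can be checked."""
    child = "import json, sys; print(json.dumps(sys.argv[1:]))"
    argv = [sys.executable, "-c", child, filename]
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return json.loads(completed.stdout)


def find_shell_true_calls(source):
    """Minimal re-implementation of the B602 check: walk the AST of `source`
    and report every call that passes shell=True as a keyword argument.
    Returns a list of (line number, callee name) pairs."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "shell"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                func = node.func
                if isinstance(func, ast.Attribute):
                    # e.g. subprocess.Popen -> "subprocess.Popen"
                    base = func.value.id if isinstance(func.value, ast.Name) else "?"
                    name = base + "." + func.attr
                elif isinstance(func, ast.Name):
                    name = func.id
                else:
                    name = "?"
                hits.append((node.lineno, name))
    return hits


# Constructed source snippet: line 3 carries the flagged pattern, line 4 the
# hardened form that the check must leave alone.
SAMPLE_SOURCE = '''\
import subprocess
def checksum(path):
    subprocess.Popen("sha256sum " + path, shell=True)   # flagged
    subprocess.run(["sha256sum", path])                 # not flagged
'''


if __name__ == "__main__":
    print("string a shell would re-parse:", build_shell_command(UNTRUSTED_FILENAME))
    print("argv seen by the child       :", run_with_argv(UNTRUSTED_FILENAME))
    print("shell=True call sites        :", find_shell_true_calls(SAMPLE_SOURCE))
```

Running the block prints the glued-together command string, then shows that the child process received `report.txt; echo injected` as a single argument, and finally lists only the `subprocess.Popen` call on line 3 of the sample source; the `subprocess.run` call with a list is not reported. The remediation the finding points to is the second function's shape: keep arguments as list elements and leave `shell` at its default.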
I'm guessing the problem with SWAMP was the missing ".py" suffix. Ref. #8 where I discussed this. Also ref. the "Python2/3" thread on our swip-l mailing list.