Commit Graph

43 Commits

Author SHA1 Message Date
lhinds 2d2170273b Project Migration to PyCQA
This change rehomes the project to PyCQA [0] as reported to the
openstack-dev mailing list [1]

[0] https://github.com/PyCQA/bandit
[1] http://lists.openstack.org/pipermail/openstack-dev/2018-April/129386.html

Change-Id: I6aad329a60799ea24a3d9bc49e35c3c35ed9dc3b
2018-05-04 06:59:50 +02:00
Zuul 03b390b59b Merge "Allow specifying targets in ini file" 2017-12-07 17:41:28 +00:00
Zuul 3831b79051 Merge "Remove extra section from README.rst" 2017-11-27 05:34:27 +00:00
Marek Cermak 0b3cd391c1 Remove extra section from README.rst
Follow up patch for review/marek_cermak/formatter-custom.

Addressing comment by Gage Hugo: remove extra section from README.rst

Change-Id: I177861d404592ba4b9d7b953bbb983963d53b653
modified:   README.rst
2017-11-25 08:18:36 +00:00
Zuul 8f09d8b208 Merge "Custom formatter" 2017-11-24 16:25:22 +00:00
Marek Cermak d159335700 Custom formatter
Implements: custom formatter

Custom formatter can be used to output a machine-readable, easily
parsable and customizable format using a set of predefined tags
to suit various needs.

The output string is formatted using python string.format() standards
and therefore provides familiar usage.

Usage: bandit --format custom [--msg-template MSG-TEMPLATE] targets

See bandit --help for additional information and list of available tags

modified:   bandit/cli/main.py
modified:   bandit/core/manager.py
modified:   README.rst
modified:   setup.cfg
new file:   bandit/formatters/custom.py

Change-Id: I900c9689cddb048db58608c443305e05e7a4be14
Signed-off-by: Marek Cermak <macermak@redhat.com>
2017-11-13 13:53:40 +01:00
Pavlo Shchelokovskyy 446e7f7249 Allow specifying targets in ini file
This patch makes the 'targets' args optional and allows specifying them
in the ini file.
This makes it possible to keep most of bandit configuration right in
the ini file.
OpenStack projects can now populate their tox.ini with a [bandit] section
and do 'bandit --ini {toxinidir}/tox.ini -r' almost uniformly
across all projects.

Change-Id: Ia0153e0aaa602171690ca8f66635fbea69b1cfab
Closes-Bug: #1730307
2017-11-06 12:10:06 +02:00
Rajath Agasthya a98519927b Plugin to flag insecure hash functions created using hashlib.new()
Currently, insecure hash function usage by calling hashlib.md5()
is flagged in B303. But these hash functions can also be obtained using
hashlib.new(), by passing 'md4' or 'md5' as an argument. This plugin
checks such usage.

Change-Id: I8d368aea287e1287e5f638b48c4297d355037839
Closes-Bug: #1708582
2017-09-28 21:50:27 -07:00
loooosy 88a7f256d1 Optimize the link address
Use https instead of http to ensure safety

Change-Id: I4df36b1f0a2b22fd7c9971b973cf1470400f8a4d
2017-04-10 05:36:41 +00:00
Eric Brown e40af23ff6 Blacklist call of ssl._create_unverified_context
The ssl._create_unverified_context creates a context for use with
such classes as HTTPSConnection which will do no certificate or
hostname verification. This should be flagged.

Change-Id: I326316e20ee11034c0a794f41c1bd8ae75720142
2017-03-20 12:19:36 -07:00
Eric Brown fbd4e83efe Yet Another Formatter (yaml)
This patch adds a yaml formatter to the output options of bandit.

Change-Id: Ibbe0cff062ce2c11138b746f95109f31de10f5b1
2017-02-27 16:23:17 -08:00
Eric Brown 0acf9f95db Fix up nits in the README and other files
* Consistently use single space after period, not double
* Keep line width at 80 where possible
* Replace Python 3.4 references with 3.5 since the gate no longer
  tests 3.4.

Change-Id: Ia6a1b9a5582f37e359b069b4a97f7c180e32ab3a
2017-01-05 15:12:11 -08:00
Jenkins 6539d68931 Merge "Show team and repo badges on README" 2016-12-12 17:10:04 +00:00
Eric Brown aae396e9bc Add capability to pipe a file into bandit
Allows someone to feed a file/text into bandit from a pipe rather
than just the 'targets' argument.

Usage example:
   cat examples/imports.py | bandit -

Change-Id: I1566684c0ae5476374960095816cb1720ff465a2
2016-11-28 23:00:45 -08:00
Flavio Percoco 784ff6a5eb Show team and repo badges on README
This patch adds the team's and repository's badges to the README file.
The motivation behind this is to communicate the project status and
features at first glance.

For more information about this effort, please read this email thread:

http://lists.openstack.org/pipermail/openstack-dev/2016-October/105562.html

To see an example of how this would look, check:

https://gist.github.com/7c8c96798a86412262178a8515075898

Change-Id: Ic4f702ac5e863c031e7a0856c87d1572cd8b823f
2016-11-28 08:58:15 -06:00
Tim Kelsey ee5ac9ff60 Adding "input()" to the blacklist calls list
Change-Id: Ia74f70334952dc913c9c6a3bf3c100c8fe649c3e
2016-09-20 11:19:43 +01:00
Grant Murphy 07f84cb5f5 Add check for httpoxy vulnerability
Change-Id: Ie366b110d33cb940ae176ccb87ef48e024868401
Closes-Bug: #1607907
2016-07-31 21:25:47 -07:00
Eric Brown 1310d18275 Allow output to default to stdout using argparse
The argparse module already has the capability to default to stdout
at CLI parameter definition time. This patch utilizes this and avoids
the opening of the output file by each formatter.

Change-Id: Ib1e89492558fe1fc06966711b6014bd5b86b84c8
2016-06-15 11:23:53 -07:00
Jamie Finnigan 0fabff579d Normalizing & editing command-line help text
This commit contains a number of relatively minor changes to the help
text displayed by Bandit when 'bandit -h' is executed.

It is an attempt to normalize (capitalization, formatting, and usage of
certain terms) and edit for clarity.

It also updates the README to include the new help text, and the test
that checks the README is up-to-date.

Change-Id: Ic583f891a295ac13339db1f65bcf38d66bd2abcd
2016-03-25 18:43:11 +00:00
Christopher J Schaefer cac2f22dee Added try_except_continue plugin
Along with a 'try, except, pass' check, we should also check for the
similar existence of 'try, except, continue', which raises the same
type of security implications, given the similar type of functionality.
Using 'continue' in place of 'pass' (inside a loop) currently allows
code to bypass the 'try, except, pass' warning.

Change-Id: I3e7ce037518875c5f5e46e26e1d72ef878f78a2f
2016-03-24 12:09:12 -05:00
Tim Kelsey c683327c97 Breaking up blacklist import IDs
This patch breaks up the blacklist imports sets to be one import
per ID (with the exception of things like pickle/cPickle etc).
This is done to give us more control over filtering stuff. It is
important to make any changes to IDs before 1.0 release as they
will form part of the 1.0 API contract (this renumbers some XML
IDs).

Change-Id: Ib575f6155a58f1795fe2c05fabdba4dbf1a89519
2016-03-18 11:54:51 +00:00
Eric Brown a61e3c4b85 Update command line help baseline report
The command line help for the baseline parameter is misleading.
The passed output has to be JSON, but the output formatters for
the result are different for baseline (another command line option).

Change-Id: I1f6d760af96b48472027dba94e585872768103c8
Closes-Bug: #1534358
2016-03-16 16:10:55 -07:00
Tim Kelsey 23b4f6a5c7 Updated legacy profile support
This patch updates the logic that handles profiles in preparation
for deprecation. If no profile name is given then we use
"exculded_tests" and "included_tests" to read in the test filters
("exclude" and "include" were already used). If a profile name is
given then we will read in the filter as before.

In addition, this makes -s/-t/-p no longer mutually exclusive. If
-t/-s are used on the CLI then they will update the profile filter
read from the config (legacy or otherwise). This is handy for
adding in extra tests during a one-off manual run.

Eventually -p will be deprecated in favour of using -c to pick
from a set of new style config files.

This also adds -s/-t to the config gen tool.

Change-Id: Ibf701f68106195f0153a37303fb1bdf5a8c2df9c
2016-03-14 10:44:19 +00:00
Travis McPeak 54a06aaebb Making config optional
This commit removes the requirement for having a config file.
Sometimes projects may want to use one to list out tests, define
a profile, or override a setting, but they are no longer required.

Change-Id: I6e467f58b2b27cae647901ac2c3f75a764e74c0c
2016-02-22 08:19:22 -08:00
Travis McPeak 49780b38af Adding JSON output for baseline results
This commit adds baseline functionality to the JSON formatter.
Issues will be listed as normal, however if multiple candidates
exist for an issue they'll be listed in 'candidates' with a value
of the list of prospective candidates.

Change-Id: Iaf5bcad52678f768375182175cde8d3efb17b6a3
2016-02-12 13:01:36 -08:00
Eric Brown bbe031350d Add test to compare help output with readme
This test ensures the contents of the readme no longer get out
of sync. It makes sure the output of 'bandit -h' is contained
in the readme.

Change-Id: I9b4302a18b724df43e0f6ee746a602bd7bcb0c0e
2016-02-11 00:06:54 -08:00
Eric Brown c0f31a8e6e Add blacklist plugins to help output
Currently none of the blacklist plugins get printed to the help
output. This patch appends them to the plugin list and updates
the README.

Closes-Bug: #1543882

Change-Id: I0eebf73b5a4f0a364ae204b69551d805e9aa3def
2016-02-09 18:01:52 -08:00
Eric Brown 74cf19517d Add PyPi badges
PyPi supports super cool badges in the README. They can show
latest version, # of downloads, docs, CI, code coverage, etc.

Change-Id: I2686e98fb8e047af4a587ebc0eeb7a09a3a0fe3d
2016-02-01 20:16:37 -08:00
Travis McPeak 0a28e1e885 Allow certain command line arguments to be passed from file
This commit allows the use of a .bandit file, which will be in
the ini format and used to pass command line arguments.  This is
useful for multiple projects which are running in the same gate,
want to be able to exclude different files per-project, and
aren't using tox.

Change-Id: I4256bdb7df2416f3cc01798882fb7e2e229790a3
2016-01-22 14:20:33 -08:00
Eric Brown f69066087a Update readme with latest changes
* screen formatter added
* test IDs added

Change-Id: I6ec66d8dbe931954632279444ee07735c8f49a2c
2016-01-14 14:31:21 -08:00
Eric Brown 9fe19996fe Update README with recent changes
Some outdated output of bandit -h was corrected.

Change-Id: Icedb6db9f19bad0d91e5f620d8246bb394f92ecb
2015-12-04 14:21:43 -08:00
Travis McPeak aa66e18d95 Adding command line option to exclude paths
This commit adds a command line option '--exclude' where comma
separated paths to exclude can be provided.  These will be
excluded in addition to whatever exclusions are defined in the
exclude section of the Bandit config.

Change-Id: I0ab992fea5b4683feb7af12fb80022012e417395
2015-10-14 06:57:45 +00:00
Jamie Finnigan 981ef46a46 Tweaks to #nosec (+ ignore flag, - dead constant)
Adds a flag '--ignore-nosec' to address the situation where a user is
auditing a code base and wants to see all identified issues, not just
those that haven't been nosec'd.

Also removes SKIP_FLAGS from core/constants.py, as that is no longer
used within the Bandit code base.

Change-Id: I1cef004660ff4abedb7128844cc0f26b9fdcda42
Closes-Bug: #1499467
2015-10-13 14:27:04 -04:00
xiabing.yao 6beab795a5 Update git clone repo
Change-Id: Idbc75546dd274288d7b3268dad934abf689ec8e8
2015-08-19 14:58:47 +08:00
Eric Brown 8cecf88564 Find bandit.yaml when in virtualenv
When running bandit without the '-c' parameter, it has the inability
to find bandit.yaml within a virtualenv.

This patch detects if running in a virtualenv and prepends that path
to an appropriate location of bandit.yaml (depending on platform).

Change-Id: I6b7faa8f4eefd91c9fff9da47dc1074075ad9494
Closes-Bug: #1484757
2015-08-14 11:01:56 -07:00
Dave Walker (Daviey) 2aba6b58f4 Add info: License, Source, Bugs and Docs to README
Release tooling expects Source and Bug information to be in
a certain format.  This adds it to the README.rst so this
can be processed.

In addition, this also adds a section to README.rst making
Bug reporting clearer.

Change-Id: I738d45e5a5c68066957f1fc2eae526fda0a055e5
Closes-Bug: #1480062
Signed-off-by: Dave Walker (Daviey) <email@daviey.com>
2015-08-05 22:21:44 +01:00
Dave Walker (Daviey) 80c7798e51 Actually default to /etc/ rather than just claim
Previously, we were claiming to default to
/etc/bandit/bandit.yaml for config location, but we were
neither installing a config there, nor trying to use it at
run time.

This makes use of appdirs for locations to use platform
declared config locations.  This also tries to install
the bandit.yaml in /etc/bandit.yaml. (Or on a local
pip install: /usr/local/etc/bandit/bandit.yaml)

The searched paths are also added to the README to help
avoid ambiguity.

Change-Id: I29a9ff738ebb402a069b9750d26e4c94f85e861a
Closes-Bug: #1475510
Signed-off-by: Dave Walker (Daviey) <email@daviey.com>
2015-08-05 18:54:56 +01:00
Eric Brown 1a419b4118 Update README with latest changes
The usage help for the bandit CLI has changed and needs updating.

* The help for --level had been updated and was not reflected in
  the README.
* The new option --confidence was missing

Change-Id: I3990ddd8548dc7903f6b0524fb2debdd3d0dc385
2015-08-05 07:05:46 -07:00
Brant Knudson 0052cd7476 Convert README to rst
PyPI showed the README.md without any formatting so it didn't
look good. Convert it to rst.

Change-Id: If5829f90059751146be85d3ed980df38fe865e0f
2015-08-04 09:34:55 -05:00
Travis McPeak f11e9b8ace Update the README file
The readme file has been updated to:
 - Be more concise up front about the purpose of Bandit
 - Reflect new install methods (from PyPI)
 - Update configuration section
 - Convert to markdown format (we had this anyway, it was just
   called .rst for some reason)

Change-Id: Ibb39e9fe64760323240c1180d4df8c8e21349ecb
2015-05-06 16:45:15 -04:00
Travis McPeak e92174269b Update README.rst
The README doc was out of date in a couple of regards.  It still
showed the old way of calling bandit with 'find', rather than the
new way of just specifying a directory.  It also showed the old
style of decorators, rather than the new style which are just
marked with the AST node type that they check.

Change-Id: If32a7135c4ff4eb91506b5203f3f2af4f9b7935e
2015-03-31 09:15:54 -04:00
Rob Fletcher 0123f82d5c Adds JSON output functionality
Adds --format to support JSON format output

Change-Id: Ib35e9788e9076d3dd6158a8dfbd87a50c981ba56
2015-02-20 10:27:26 -08:00
Eric Brown 592174db8b Rename README.md to README.rst
PyPi expects README.rst.

Change-Id: I6c20a260499640e04b6d96506e1c223111955e12
2015-02-17 12:51:35 -08:00