In a recent commit [1], the names of the plugin doc files changed
to include the bandit ID as a prefix. Unfortunately, the doc_utils
wasn't updated at the time, so it still pointed to the previous
docs, thus resulting in 404 errors when browsing to the link.
This patch modifies doc_utils to properly prefix the bandit ID to
reference the doc for a particular plugin.
[1] https://review.openstack.org/#/c/540170/
Change-Id: Ia4b4c87e880ba39a677a84fc53943bc7a37849ef
Closes-Bug: #1761254
This patch set fixes an issue where modules whose names begin with
string ``Crypto`` are incorrectly flagged for pyCrypto imports. The
fix will now explicitly calls out pyCrypto module one sub-level to
avoid the false positives.
Change-Id: Iafd3fae2fc7a13a0a93800ee570c4e1354be1391
Closes-Bug: #1749603
Signed-off-by: Tin Lam <tin@irrational.io>
This patch set adds pyCrypto to bandit's blacklist, so bandit will
strongly advise against using pyCrypto. As mentioned in the bug,
this may cause false positives if people use pyCrytodome, but will be
tracked and addressed in follow up patch set.
Depends-On: I0b1a90c3a47ad6d3b18597e5315e9f017854a146
Change-Id: I81f695cd31dee393ab4530dbcdb20dd925bbece2
Closes-Bug: #1655973
Currently, outputting bandit findings as YAML does not put the
``more_info`` URL in the output as it would if the output format
is HTML or JSON. This patch set updates the YAML formatter to
include the ``more_info`` URL to be inline with the HTML and JSON
formatters.
Change-Id: Ice134e3bbf67c59feb7a88b299e60838b6ad80d5
Closes-Bug: #1746827
Running bandit using relative paths inside a subdirectory when the current
directory contains __init__.py causes bandit to be stuck in an infinite
loop.
Co-Authored-By: Calvin Li
Closes-Bug: #1743042
Change-Id: I247108c1365847134ee561073ea0eb43c57b54cc
The links for more_info were pointing to the old location for
bandit's documents, which would redirect to an index.html page.
This change updates the docs to the new location in order to
allow the "more info" link to point to the correct page.
Change-Id: I950ea4601248065dce68a5d21b144703817cf675
Closes-Bug: #1745006
Currently, outputting bandit findings as JSON does not put the ``more_info``
URL in the output as it would if the output format is HTML. This patch
set updates the JSON formatter to include the ``more_info`` URL to be inline
with the HTML display.
Change-Id: I58a8490b427fe146d517a8aff124f4443562f48b
Closes-Bug: #1695890
Signed-off-by: Tin Lam <tin@irrational.io>
Bandit only checks if imports is done using keyword ``import`` or
``__import__()`` and does not check for blacklisted module loaded
via importlib. This patch set adds additional check for blacklisted
modules loaded via importlib.
Change-Id: I97ed93af1066fa39dfc5be0868ab814c8eadd147
Closes-Bug: #1718516
Signed-off-by: Tin Lam <tin@irrational.io>
Implements: custom formatter
Custom formatter can be used to output a machine-readable, easily
parsable and customizable format using set of predefined tags
to suite various needs.
Output string is formatted using python string.format() standards
and therefore provides familiar usage.
Usage: bandit --format custom [--msg-template MSG-TEMPLATE] targets
See bandit --help for additional information and list of available tags
modified: bandit/cli/main.py
modified: bandit/core/manager.py
modified: README.rst
modified: setup.cfg
new file: bandit/formatters/custom.py
Change-Id: I900c9689cddb048db58608c443305e05e7a4be14
Signed-off-by: Marek Cermak <macermak@redhat.com>
this patch makes 'targets' args optional and allows to specify them
in the ini file.
This makes it possible to keep most of bandit configuration right in
the ini file.
OpenStack projects can now populate their tox.ini with [bandit] section
and do 'bandit --ini {toxinidir}/tox.ini -r' almost uniformly
accross all projects.
Change-Id: Ia0153e0aaa602171690ca8f66635fbea69b1cfab
Closes-Bug: #1730307
Currently, insecure hash function usage by calling hashlib.md5()
is flagged in B303. But these hash functions can also be obtained using
hashlib.new(), by passing 'md4' or 'md5' as an argument. This plugin
checks such usage.
Change-Id: I8d368aea287e1287e5f638b48c4297d355037839
Closes-Bug: #1708582
Since the default value is None when can't get a key from a dict,
So there is no need to use dict.get('key', None).
Change-Id: If22a4a6dbfd010a0b9574b42c23ba19a2c54dd6d
Change adds `as err` handler to provide line number, if config yaml
fails to parse.
Example output
[config] ERROR while scanning a simple key
in "config.yaml", line 5, column 1
could not find expected ':'
in "config.yaml", line 6, column 1
[main] ERROR config.yaml : Error parsing file.
Change-Id: If764a123c0dd8871dcd98f58be48c6bf0034f1d4
Closes-Bug: #1621552
Makes escaping using select_autoescape function valid by checking
for ast.Call instance and if func id == select_autoescape.
Example:
from jinja2 import Environment, select_autoescape
env = Environment(autoescape=select_autoescape(['html', 'htm', 'xml']),
loader=PackageLoader('mypackage'))
Change-Id: I47c6b346332a6d9f7c4c57dd45ab7636c78996a1
Closes-Bug: #1684249
1.As mentioned in [1], we should avoid using six.iteritems to achieve
iterators. We can use dict.items instead, as it will return iterators
in PY3 as well. And dict.items/keys will more readable.
2.In py2, the performance about list should be negligible, see the
link [2].
[1] https://wiki.openstack.org/wiki/Python3
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html
Change-Id: I5340fa3d71b6fba76e8fcf75f9f30432329023d2
The ssl._create_unverified_context creates a context for use with
such classes as HTTPSConnection which will do no certificate or
hostname verification. This should be flagged.
Change-Id: I326316e20ee11034c0a794f41c1bd8ae75720142
The blacklist calls has some of documentation anchors combined [1].
As a result, the links don't correct point to the proper anchor in
the html. Therefore we need some exception cases for checks that
have doc combined. Namely B304-B305 and B313-B320.
This patch also fixes links where there is an underscore in the
plugin name and replaces it with a dash. Apparently sphinx will
substitute _ for - when building the doc anchors.
[1]: https://docs.openstack.org/developer/bandit/blacklists/blacklist_calls.html#b304-b305-ciphers-and-modes
Change-Id: I4dfa905425f2631fa488a9a066c427d4145f4aac
With the news of a first collison implemented [1], bandit should
now start blacklisting the use of sha-1.
The sha-1 hash was added to the existing blacklist check B303 which
currently checks for MD5 and variants.
[1]: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Change-Id: I411d8d4aeb4d740635c60b559ecda72ab951b629
Currently the check_example in test_functional computes sums and
on error tells the developer the difference in sums, which is
confusing and error prone.
It also leads to false positives where sums may be correct, but
the exact number of MEDIUM, HIGH, etc is different. This was the
case for two tests: test_xml and test_secret_config_option.
The general_hardcoded_password test was also broken for py35
because it was assuming function args are ast.Name not ast.arg.
But surprisingly the tests passed because of a syntax error in
the example.
Change-Id: Icd06fb7ca27a8a01d6442f199775d474d436371b
Currently when using the bandit-config-generator to dump out a
config file, it looks rather messy because config option values
that are lists are dumped onto one long line.
So rather than dumping on one line, use the vertical yaml list
format by specifying default_flow_style=False.
Change-Id: Ic0dc97f19d067471b507421dcb98ac749874e49c
The severity level of various key sizes of RSA, DSA, and EC are
currently hard-coded in the weak_cryptographic_key.py itself. This
patch allows the values to be overriden via the config file mechanism.
Change-Id: I38ad5384e0e6012818bbac10f449840de6fb14ed
In Python 2.7.9 [1] and 3.4.3 [2], the HTTPSConnection class has
been fixed to perform all the necessary certificate and hostname
checks by default.
Therefore, Bandit's warning is only applicable if the module is
using older versions of Python. Even though Bandit could detect
the version of Python used for its scan, it cannot ensure that is
the same version used for running the said scanned module.
This patch modifies the warning message to make this clearer.
[1]: https://docs.python.org/2/library/httplib.html#httplib.HTTPSConnection
[2]: https://docs.python.org/3.4/library/http.client.html#http.client.HTTPSConnection
Change-Id: I8105137d2cbbf0eb000729a18f43c3db443644d7
The openstack.org pages now support https and our references to
the site should by default be one signed by the organization.
Change-Id: I83d2df500e2e30047494c201a2ab39820ffd1502
As stated in the bug, the PyCryptodomex package reintroduces
PyCrypto, but with a different namespace. Therefore Bandit should
also include Cryptodome in its checks.
Change-Id: I6a02f97747420cedfb4523917ea0083ed5792d7a
Closes-Bug: #1655975
The previous version assumed the SQL query would start with `select`,
`insert into`, `update` or `delete from` which rules out queries that
are not so simple, for example queries using `with` such as:
WITH cte AS (query)
SELECT something FROM cte;
This version losens the criteria and considers any string with simple
SQL grammar (e.g. `select` followed by `from` anywhere within) as SQL.
Change-Id: I4c95842474e71aed61abc4bc878f3565a907f7c7
The names of skipped files were not being encoded properly in
output reports.
Change-Id: I38055512d71b3268b5241d50f1aa01a4b28ed332
Closes-Bug: #1647925