Running bandit using relative paths inside a subdirectory when the current
directory contains __init__.py causes bandit to be stuck in an infinite
loop.
Co-Authored-By: Calvin Li
Closes-Bug: #1743042
Change-Id: I247108c1365847134ee561073ea0eb43c57b54cc
Implements: custom formatter
Custom formatter can be used to output a machine-readable, easily
parsable and customizable format using set of predefined tags
to suit various needs.
Output string is formatted using python string.format() standards
and therefore provides familiar usage.
Usage: bandit --format custom [--msg-template MSG-TEMPLATE] targets
See bandit --help for additional information and list of available tags
modified: bandit/cli/main.py
modified: bandit/core/manager.py
modified: README.rst
modified: setup.cfg
new file: bandit/formatters/custom.py
Change-Id: I900c9689cddb048db58608c443305e05e7a4be14
Signed-off-by: Marek Cermak <macermak@redhat.com>
Currently, insecure hash function usage by calling hashlib.md5()
is flagged in B303. But these hash functions can also be obtained using
hashlib.new(), by passing 'md4' or 'md5' as an argument. This plugin
checks such usage.
Change-Id: I8d368aea287e1287e5f638b48c4297d355037839
Closes-Bug: #1708582
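As an added illustration (not part of the commit above and not Bandit's own plugin code), the following AST walker shows the two call shapes the commit distinguishes: the direct constructor `hashlib.md5()` and the indirect `hashlib.new('md5')` / `hashlib.new(name='md5')`. The weak-hash set and the sample module are constructed for this example; aliasing of the `hashlib` import is deliberately not resolved.

```python
import ast

# Hash names treated as weak for this example (constructed list; Bandit keeps
# its own blacklist in plugin data, which is not reproduced here).
WEAK_HASHES = {"md4", "md5"}

# Constructed sample module to scan; not taken from the Bandit test suite.
HASH_SAMPLE = """\
import hashlib
a = hashlib.md5(b"x")
b = hashlib.new('md5', b"x")
c = hashlib.new(name='MD4')
d = hashlib.sha256(b"x")
e = hashlib.new('sha256')
"""


def _dotted_name(call):
    """Return a 'hashlib.md5'-style name for a Call's callee, or None."""
    func = call.func
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    if isinstance(func, ast.Name):
        return func.id
    return None


def _str_const(node):
    """Return the value of a string literal node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def find_weak_hashes(source):
    """Return (lineno, message) for each weak hash construction in source.

    Covers the direct constructor (hashlib.md5()) and the indirect
    hashlib.new('md5') / hashlib.new(name='md5') forms. Import aliases such
    as 'import hashlib as h' are not resolved; that is a simplification of
    this example, not a property of Bandit.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node)
        if name is None:
            continue
        # Direct form: hashlib.md5(...), hashlib.md4(...)
        if name.startswith("hashlib.") and name.split(".", 1)[1] in WEAK_HASHES:
            findings.append((node.lineno, f"{name}() uses a weak hash"))
            continue
        # Indirect form: the algorithm is the first positional argument
        # or the 'name' keyword of hashlib.new()
        if name == "hashlib.new":
            algo = _str_const(node.args[0]) if node.args else None
            for kw in node.keywords:
                if kw.arg == "name":
                    algo = _str_const(kw.value)
            if algo is not None and algo.lower() in WEAK_HASHES:
                findings.append((node.lineno, f"hashlib.new({algo!r}) uses a weak hash"))
    return findings


if __name__ == "__main__":
    for lineno, msg in find_weak_hashes(HASH_SAMPLE):
        print(f"line {lineno}: {msg}")
```

Run against the constructed sample, lines 2, 3 and 4 are reported and the two SHA-256 constructions are not; a name passed to `hashlib.new()` through a variable rather than a literal is invisible to this check, which is the usual limit of a purely syntactic linter.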
* Consistently use single space after period, not double
* Keep line width at 80 where possible
* Replace Python 3.4 references with 3.5 since the gate no longer
tests 3.4.
Change-Id: Ia6a1b9a5582f37e359b069b4a97f7c180e32ab3a
Python 3.5 support was added to the gate jobs. Since Bandit fully
passes those tests, we can now claim Python 3.5 support in the
classifier.
Change-Id: Ia733ec36ce2350b5273031e4ab2491b344fd2bd2
Along with a 'try, except, pass' check, we should also check for the
similar existence of 'try, except, continue', which raises the same
type of security implications, given the similar type of functionality.
Using 'continue' in place of 'pass' (inside a loop) currently allows
code to bypass the 'try, except, pass' warning.
Change-Id: I3e7ce037518875c5f5e46e26e1d72ef878f78a2f
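An added example (not the commit's own code) of the check the message above describes: an except handler whose whole body is a lone `pass` or `continue` silently swallows the exception either way, so both forms are reported. The sample source is constructed for this illustration.

```python
import ast

# Constructed sample; the 'continue' case is the one the commit above adds.
EXCEPT_SAMPLE = """\
for item in items:
    try:
        work(item)
    except Exception:
        continue
try:
    risky()
except:
    pass
try:
    other()
except ValueError:
    log("bad")
"""


def find_silenced_exceptions(source):
    """Return sorted (lineno, 'pass' | 'continue') pairs, one per except
    handler whose entire body is a single pass or continue statement."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # On Python 3.3+ both try/except and try/finally parse to ast.Try
        if not isinstance(node, ast.Try):
            continue
        for handler in node.handlers:
            body = handler.body
            if len(body) == 1 and isinstance(body[0], (ast.Pass, ast.Continue)):
                kind = "pass" if isinstance(body[0], ast.Pass) else "continue"
                # handler.lineno is the line of the 'except' clause itself
                findings.append((handler.lineno, kind))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, kind in find_silenced_exceptions(EXCEPT_SAMPLE):
        print(f"line {lineno}: exception silenced with '{kind}'")
```

The third handler in the sample, which logs before moving on, is not flagged: the check is about an empty handler, not about catching broad exceptions.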
The docs for these tests were very out of date. This fixes them
and also removes the old wordlist, as it's not used by anything.
Change-Id: I28c047dfd0041824e08e28e1239ccbae8c7141a0
According to the wheel docs, [bdist_wheel] should be used. Apparently
[wheel] is the legacy, deprecated way.
https://goo.gl/B8tFgs
Change-Id: I7cf882175d724776f861fb82ffd7e0c8682b647e
This change removes the old blacklist plugins and replaces them
with new built in functionality that loads blacklist item data
from a new plugin entry point. The new test also improves on the
old functionality that was broken in the following way:
import xml.sax # issue found OK
from xml import sax # no issue found, wrong
Finally, this patch removes the use of filename style wild cards
such as * from the import blacklist matching, as this was not being
used. Both this test and the old ones will alert on any import from
within the blacklisted namespace.
Change-Id: I98af6daf3c54561c0e4b399605ea615b42b7b283
This work relates to efforts to remove the config file (see spec).
Here we are adding a new formatter plugin "screen" to produce the
VT100 colored output report that is dumped to a terminal. Before
this was done by some detection logic in the txt formatter. This
changes the txt formatter so it now always dumps simple text output.
Work has also been done to move logic relating to specific formats
out of the manager class. Formatters are plugins and as such
should be entirely opaque to the manager.
Change-Id: Ifc76eace1f84e8808480a352f403eff757641e8f
Rather than having separate rst documentation files, this patch auto
generates the docs from the docstrings in the modules. Should
make it easier to maintain.
Also renamed directory docs to doc to be consistent with all other
OpenStack projects.
Change-Id: Iaed77f8358ccb6edaf2627fbabdcc855272b4ea2
This commit adds a tool which will run Bandit against the parent
commit of a current branch, and then run Bandit in baseline mode
using the parent's results as the baseline. Any options that are
supplied to the script will be passed as options to Bandit (for
example severity filters, targets, etc).
By including this tool we can allow projects to run Bandit
baseline as part of their existing tox jobs.
Change-Id: Iaa1314aa348c7c5ca03c5c8b7dcfee456f279e56
This allows project developers to generate a valid configuration for their
project, that can easily be updated. Example of use:
$ cat oslo_messaging.yaml
profile_name: gate
exclude_checkers: [assert_used, try_except_pass]
$ bandit_config_generator.py \
--out /tmp/bandit.yaml \
bandit.yaml \
oslo_messaging.yaml
Change-Id: I0b678b26ffa7dbe6034bdc7b35862e15c61c3670
Blueprint: bandit-conf-generator
When executed with debug=True, Flask applications expose the Werkzeug
debugger which includes an arbitrary code execution function.
This check looks for a combination of the flask module being imported,
a .run() call, and a named argument debug=True.
Setting it up in plugins/app_debug.py so we can add checks for Django
and perhaps other frameworks in future.
Change-Id: If49e53d0807dfc2fccad6433edc5ef43f5464f22
Implements: blueprint detect-werkzeug-debug-enabled
This replaces the existing hardcoded password test with a number of
smarter tests. None of the new tests utilize a word dictionary, we
now trigger the warnings based on matching variable names and the
like against a list of candidate names:
- "password"
- "pass"
- "passwd"
- "pwd"
- "secret"
- "token"
hardcoded_password_string looks for:
candidate = "some_string_literal"
dict[candidate] = "some_string_literal"
candidate == "some_string_literal"
hardcoded_password_funcarg looks for:
func_call(candidate="some_string_literal")
hardcoded_password_default looks for:
def func_def(candidate="some_string_literal"):
All issues are reported as MEDIUM confidence, LOW severity
Closes-bug: #1502348
Closes-bug: #1502343
Closes-bug: #1432887
Change-Id: I36d97ee838a7f08234b759c352649721d07e8ab0
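An added example, not the commit's own implementation, of the three matchers the message above names (`hardcoded_password_string`, `hardcoded_password_funcarg`, `hardcoded_password_default`) driven by the listed candidate names. The sample module is constructed; the code assumes Python 3.9 or later for the subscript slice layout.

```python
import ast

# Candidate names from the commit message above
CANDIDATES = {"password", "pass", "passwd", "pwd", "secret", "token"}

# Constructed sample exercising each pattern (assignment, dict key, comparison,
# keyword argument, default argument) plus one benign assignment
PASSWORD_SAMPLE = """\
password = "hunter2"
config["secret"] = "abc"
if token == "xyz":
    pass
connect(host="db", passwd="p@ss")
def login(user, pwd="default"):
    pass
name = "alice"
"""


def _is_candidate(name):
    return name is not None and name.lower() in CANDIDATES


def _str_const(node):
    """Return the value of a string literal node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _target_name(node):
    """Name to match for an assignment target: x, obj.x, or d["x"]."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Subscript):
        return _str_const(node.slice)  # Python 3.9+: slice is the key expression
    return None


def find_hardcoded_passwords(source):
    """Return sorted (lineno, check_name) pairs for string literals bound
    to candidate names by assignment, comparison, call keyword or default."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # candidate = "literal"  and  dict["candidate"] = "literal"
        if isinstance(node, ast.Assign) and _str_const(node.value) is not None:
            if any(_is_candidate(_target_name(t)) for t in node.targets):
                findings.append((node.lineno, "hardcoded_password_string"))
        # candidate == "literal"
        elif isinstance(node, ast.Compare):
            if (isinstance(node.left, ast.Name) and _is_candidate(node.left.id)
                    and isinstance(node.ops[0], ast.Eq)
                    and _str_const(node.comparators[0]) is not None):
                findings.append((node.lineno, "hardcoded_password_string"))
        # func_call(candidate="literal")
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if _is_candidate(kw.arg) and _str_const(kw.value) is not None:
                    findings.append((node.lineno, "hardcoded_password_funcarg"))
        # def f(candidate="literal"): defaults align with the trailing positional args
        elif isinstance(node, ast.FunctionDef):
            positional = node.args.posonlyargs + node.args.args
            defaults = node.args.defaults
            pairs = list(zip(positional[len(positional) - len(defaults):], defaults))
            pairs += [(a, d) for a, d in zip(node.args.kwonlyargs, node.args.kw_defaults)
                      if d is not None]
            for arg, default in pairs:
                if _is_candidate(arg.arg) and _str_const(default) is not None:
                    findings.append((node.lineno, "hardcoded_password_default"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, check in find_hardcoded_passwords(PASSWORD_SAMPLE):
        print(f"line {lineno}: {check}")
```

Matching on names rather than on a word list means a literal such as `"default"` is still reported when it is bound to `pwd`, which is why the commit rates these findings MEDIUM confidence: the name is evidence of intent, not proof that the literal is a real credential.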
This patch adds the ability to output results in HTML format. It
currently doesn't support syntax highlighting due to fact that the Pygments
library is not in OpenStack's list of blessed requirements.
Change-Id: Ia9087a01856c1c743abba9fe4492130403b0f0d4
As we increase the number of formatters, it doesn't make sense to
cram each into a single module. This patch splits them up by
output format type.
Any new formatter should also be implemented as a separate module.
Change-Id: Ibbd0edb9af06a52bef28804a6619a07f323931e6
We don't need two separate checks:
weak_crypto_key_size_cryptography_io
weak_crypto_key_size_pycrypto
This patch combines them into a single check:
weak_cryptographic_key
Change-Id: I9626341a6f00a52fcc0eb11621c261fbc3f656e5
This patch adds a new check to bandit that scans for key sizes of
RSA and DSA algorithms when using the pycrypto or cryptography.io
modules.
Change-Id: I7d740eccc73a49f7ee133d90177d19d5ef7b02ba
Previously, we were claiming to default to
/etc/bandit/bandit.yaml for config location, but we were
neither installing a config there, nor trying to use it at
run time.
This makes use of appdirs for locations to use platform
declared config locations. This also tries to install
the bandit.yaml in /etc/bandit.yaml. (Or on a local
pip install: /usr/local/etc/bandit/bandit.yaml)
The searched paths are also added to the README to help
avoid ambiguity.
Change-Id: I29a9ff738ebb402a069b9750d26e4c94f85e861a
Closes-Bug: #1475510
Signed-off-by: Dave Walker (Daviey) <email@daviey.com>
The XML test plugins were all checking for a specific function call
or a specific module import. This functionality exists in a generic
form via blacklist_imports and blacklist_calls. This change removes
the specific XML tests and replaces the functionality using these
blacklist checks.
Closes-bug: 1477542
Change-Id: I7bcd5a9c2d9343e6306285afca59012579ab0a9a
This adds documentation framework for Bandit. To build the new
documentation you can use the new tox target:
tox -e docs
This will spit out various formatted output into the docs/build
folder.
Change-Id: I3497e26052021900ad55ecdd2517198b22e82f0e
Partial-Bug: 1474796
Previously, we tried to load the default plugins by using the path to
bandit to import them dynamically and load them. This is unreliable on
systems where the default path and the actual path are different
depending on how bandit is installed. By using entry-points, we can
completely side-step this problem.
 _______
< FIXED >
 -------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
Closes-Bug: #1475681
Co-Authored-By: Ian Cordasco <graffatcolmingov@gmail.com>
Signed-off-by: Dave Walker (Daviey) <email@daviey.com>
Change-Id: I19eed3b312c921e98bdabfb346cddd406186d963
Previously, the default bandit.yaml config file had an entry
for a relative word-list which is only really useful if
running bandit from git, as the path is both relative but
also the default word-list is not installed by the bandit
python package.
If the word-list from the config cannot be found, the
current behavior is to silently continue with an empty set,
meaning that this test does not function at all - giving a
false sense of assurance.
This change installs the default word_list to:
- /usr/local/share/bandit/wordlist/default-passwords
The config file now supports "(site_data_dir)" for
substitution, which is replaced by distro standard site_data
locations (including /usr/local and /usr).
The first substitution attempted is still relative to the
pwd, to allow the current working tree (and unit tests) to
function.
Crucially, this change now raises an exception if the
declared word-list cannot be found.
Closes-Bug: #1451575
Signed-off-by: Dave Walker (Daviey) <email@daviey.com>
Change-Id: Ia090ee6b16866d374191c03de55529fbd6a10c99
This allows Bandit to be extended by third-party packages with both
plugins and formatters. It also updates Bandit's existing in-tree
formatters to be loaded by the plugin manager. When running
$ bandit -h
The loaded plugins will be displayed to the user if any are installed.
Change-Id: I102277dcd9481f2573028a436e910eda10011d91
This includes a number of changes to make this happen:
- We handle the fact that in Python 3.3 and later, ast.TryExcept and
ast.TryFinally were replaced by ast.Try
- We handle the fact that ast.NameConstant is now the node type for
True/False
- We handle the cases where map and range need to return lists
- We remove a property from the result store to prevent errors assigning
to the underlying attribute
- We check for exec conditionally based on the version of Python
- We use proper octal notation, e.g., 0o755
Change-Id: I71c0bb61c9ee0bf1b751a719a4eb95bf7a0b4943
The readme file has been updated to:
- Be more concise up front about the purpose of Bandit
- Reflect new install methods (from PyPI)
- Update configuration section
- Convert to markdown format (we had this anyway, it was just
called .rst for some reason)
Change-Id: Ibb39e9fe64760323240c1180d4df8c8e21349ecb
This commit changes the location that the Bandit config file,
bandit.yaml, is stored and how it is packaged. Previously, the
config file was listed as a data_file which is supposed to be
outside of the Bandit installed package. This meant that
depending on the system it might be installed in different places
(/etc, or /usr/local/etc, for example). When Bandit was installed
in a virtual environment the installed location would change once
again. Another disadvantage to this approach is that installing
Bandit might require sudo, and Bandit might not clean up its
config properly.
This commit changes the packaging so that bandit.yaml is always
installed in bandit/config/bandit.yaml. If there is a bandit
config file in the current directory or the user's home directory,
these are still preferred.
Change-Id: I5f971aa208dd2599f852b5253b4401990201cc8f
This will now look for a 'bandit.yaml' file in the local folder
before falling back to ${HOME}/.config/bandit/bandit.yaml and
finally /etc/bandit/bandit.yaml. If -c is used to explicitly
specify a config file this will override all other behaviour.
If the specified file is not found then an error is reported.
Change-Id: Ie49a98f970ab31e9709e93ce06687f6457f03dce
This large change makes bandit into an installable package, needed
for tox testing. I have added the tox testing scaffolding but no
real tests, they will come in a later change. I have also disabled
all failing PEP8 test (lots) since I have changed enough stuff for
one patch. I'll start re-enabling and fixing PEP8 stuff soon.
Change-Id: I774ed9149f285e4e2bceacda0484a7e2a934a3aa