This patch set adds pyCrypto to bandit's blacklist, so bandit will
strongly advise against using pyCrypto. As mentioned in the bug,
this may cause false positives if people use pyCryptodome, but this will be
tracked and addressed in a follow-up patch set.
Depends-On: I0b1a90c3a47ad6d3b18597e5315e9f017854a146
Change-Id: I81f695cd31dee393ab4530dbcdb20dd925bbece2
Closes-Bug: #1655973
Currently, outputting bandit findings as YAML does not put the
``more_info`` URL in the output as it would if the output format
is HTML or JSON. This patch set updates the YAML formatter to
include the ``more_info`` URL to be inline with the HTML and JSON
formatters.
Change-Id: Ice134e3bbf67c59feb7a88b299e60838b6ad80d5
Closes-Bug: #1746827
Running bandit using relative paths inside a subdirectory when the current
directory contains __init__.py causes bandit to be stuck in an infinite
loop.
Co-Authored-By: Calvin Li
Closes-Bug: #1743042
Change-Id: I247108c1365847134ee561073ea0eb43c57b54cc
Currently, outputting bandit findings as JSON does not put the ``more_info``
URL in the output as it would if the output format is HTML. This patch
set updates the JSON formatter to include the ``more_info`` URL to be inline
with the HTML display.
Change-Id: I58a8490b427fe146d517a8aff124f4443562f48b
Closes-Bug: #1695890
Signed-off-by: Tin Lam <tin@irrational.io>
Bandit only checks if imports are done using the keyword ``import`` or
``__import__()`` and does not check for blacklisted modules loaded
via importlib. This patch set adds an additional check for blacklisted
modules loaded via importlib.
Change-Id: I97ed93af1066fa39dfc5be0868ab814c8eadd147
Closes-Bug: #1718516
Signed-off-by: Tin Lam <tin@irrational.io>
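An added illustration of the importlib gap this commit describes, written for this page rather than taken from Bandit's plugin code. The blacklist below is a constructed three-entry stand-in, the helper names are this example's own, and the check deliberately reports a non-literal module name as undecidable rather than silently skipping it.

```python
import ast

# Constructed blacklist for this example; Bandit's real list is longer.
BLACKLISTED_MODULES = {"pickle", "telnetlib", "Crypto"}


def _string_arg(node):
    """Literal string held by an AST node, or None for anything non-literal."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _root(module_name):
    return module_name.split(".", 1)[0]


def _is_dynamic_import(func):
    """True for __import__(...), import_module(...) and importlib.import_module(...).

    Aliasing (e.g. `im = importlib.import_module`) is not tracked; that is a
    known blind spot of any purely name-based check like this one.
    """
    if isinstance(func, ast.Name):
        return func.id in ("__import__", "import_module")
    return (isinstance(func, ast.Attribute) and func.attr == "import_module"
            and isinstance(func.value, ast.Name) and func.value.id == "importlib")


def find_blacklisted_imports(source):
    """Return sorted (lineno, module) pairs for every blacklisted module load."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _root(alias.name) in BLACKLISTED_MODULES:
                    hits.append((node.lineno, alias.name))
        elif isinstance(node, ast.ImportFrom):
            if node.module and _root(node.module) in BLACKLISTED_MODULES:
                hits.append((node.lineno, node.module))
        elif isinstance(node, ast.Call) and _is_dynamic_import(node.func):
            name = _string_arg(node.args[0]) if node.args else None
            if name is None:
                # importlib.import_module(variable): cannot be decided statically
                hits.append((node.lineno, "<non-literal module name>"))
            elif _root(name) in BLACKLISTED_MODULES:
                hits.append((node.lineno, name))
    return sorted(hits)


# Constructed input covering all three import spellings plus a dynamic name.
SAMPLE = '''\
import json
import pickle
from Crypto.Cipher import AES
mod = __import__("telnetlib")
import importlib
p = importlib.import_module("pickle")
from importlib import import_module
t = import_module("telnetlib")
dyn = importlib.import_module(mod_name)
'''

if __name__ == "__main__":
    for lineno, module in find_blacklisted_imports(SAMPLE):
        print("line %d: blacklisted module %s" % (lineno, module))
```

The `<non-literal module name>` entry is the honest answer for `import_module(mod_name)`: a static scanner can only flag it for manual review, which is why a real plugin would report it at lower confidence rather than not at all.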
Implements: custom formatter
The custom formatter can be used to output a machine-readable, easily
parsable and customizable format using a set of predefined tags
to suit various needs.
The output string is formatted using Python's string.format() conventions
and therefore provides familiar usage.
Usage: bandit --format custom [--msg-template MSG-TEMPLATE] targets
See bandit --help for additional information and list of available tags
modified: bandit/cli/main.py
modified: bandit/core/manager.py
modified: README.rst
modified: setup.cfg
new file: bandit/formatters/custom.py
Change-Id: I900c9689cddb048db58608c443305e05e7a4be14
Signed-off-by: Marek Cermak <macermak@redhat.com>
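An added example of the template mechanism this commit describes, not Bandit's own formatter. The tag names are stand-ins chosen to match the commit's description (the real list is whatever `bandit --help` prints), the findings are constructed sample data, and the one design point worth copying is validating the template with `string.Formatter().parse()` before any finding is rendered, so a typo in `--msg-template` fails fast instead of raising `KeyError` mid-report.

```python
import string

# Tag names this example accepts; stand-ins, not necessarily Bandit's list.
KNOWN_TAGS = {"abspath", "relpath", "line", "test_id", "severity", "confidence", "msg"}

DEFAULT_TEMPLATE = "{abspath}:{line}: {test_id}: {severity}: {msg}"


def unknown_tags(template):
    """Names used in `template` that are not known tags (empty set if all valid)."""
    bad = set()
    for _literal, field, _spec, _conv in string.Formatter().parse(template):
        if field is None:
            continue                      # trailing literal text, no placeholder
        if field == "":
            bad.add("{}")                 # positional placeholder; tags are named
            continue
        root = field.split(".", 1)[0].split("[", 1)[0]   # {msg.upper} / {x[0]} -> root name
        if root not in KNOWN_TAGS:
            bad.add(root)
    return bad


def format_findings(findings, template=DEFAULT_TEMPLATE):
    """Render one line per finding with str.format(); raises on unknown tags."""
    bad = unknown_tags(template)
    if bad:
        raise ValueError("unknown template tag(s): " + ", ".join(sorted(bad)))
    return [template.format(**finding) for finding in findings]


# Constructed sample findings shaped like scan results; not real scan output.
FINDINGS = [
    {"abspath": "/src/app/crypto.py", "relpath": "app/crypto.py", "line": 12,
     "test_id": "B303", "severity": "MEDIUM", "confidence": "HIGH",
     "msg": "Use of insecure MD4, MD5 or SHA1 hash function."},
    {"abspath": "/src/app/net.py", "relpath": "app/net.py", "line": 40,
     "test_id": "B999", "severity": "HIGH", "confidence": "MEDIUM",
     "msg": "Placeholder finding for the example."},
]

if __name__ == "__main__":
    print("\n".join(format_findings(FINDINGS)))
    # Tab-separated variant with a padded line number, e.g. for sort/awk pipelines.
    print("\n".join(format_findings(FINDINGS, "{relpath}\t{line:>4}\t{severity}\t{test_id}")))
```

Because the rendering is plain `str.format()`, format specs (`{line:>4}`) and conversions (`{msg!r}`) work without any extra code in the formatter; only the tag names need validating.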
This patch makes the 'targets' args optional and allows specifying them
in the ini file.
This makes it possible to keep most of bandit configuration right in
the ini file.
OpenStack projects can now populate their tox.ini with a [bandit] section
and run 'bandit --ini {toxinidir}/tox.ini -r' almost uniformly
across all projects.
Change-Id: Ia0153e0aaa602171690ca8f66635fbea69b1cfab
Closes-Bug: #1730307
Currently, insecure hash function usage by calling hashlib.md5()
is flagged in B303. But these hash functions can also be obtained using
hashlib.new(), by passing 'md4' or 'md5' as an argument. This plugin
checks such usage.
Change-Id: I8d368aea287e1287e5f638b48c4297d355037839
Closes-Bug: #1708582
Since the default value is None when a key can't be found in a dict,
there is no need to use dict.get('key', None).
Change-Id: If22a4a6dbfd010a0b9574b42c23ba19a2c54dd6d
Makes escaping using the select_autoescape function valid by checking
for an ast.Call instance and whether func id == select_autoescape.
Example:
from jinja2 import Environment, select_autoescape
env = Environment(autoescape=select_autoescape(['html', 'htm', 'xml']),
loader=PackageLoader('mypackage'))
Change-Id: I47c6b346332a6d9f7c4c57dd45ab7636c78996a1
Closes-Bug: #1684249
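An added example, not Bandit's jinja2 plugin, showing the AST decision this commit describes: an `Environment(...)` call is safe when `autoescape` is literally `True` or is a call to `select_autoescape`, and unsafe when the keyword is absent (jinja2 defaults it to `False`) or literally `False`. Anything else is a non-literal policy the scanner cannot judge, so it is reported for manual review. Function names and the sample source are this example's own.

```python
import ast


def _is_select_autoescape(node):
    """True for select_autoescape(...) or jinja2.select_autoescape(...)."""
    if not isinstance(node, ast.Call):
        return False
    func = node.func
    if isinstance(func, ast.Name):
        return func.id == "select_autoescape"
    return isinstance(func, ast.Attribute) and func.attr == "select_autoescape"


def check_jinja2_autoescape(source):
    """Return sorted (lineno, reason) for every Environment(...) with unsafe autoescaping."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name != "Environment":
            continue
        kwargs = {k.arg: k.value for k in node.keywords if k.arg}
        if "autoescape" not in kwargs:
            findings.append((node.lineno, "autoescape not set (defaults to False)"))
            continue
        value = kwargs["autoescape"]
        if isinstance(value, ast.Constant) and value.value is True:
            continue
        if _is_select_autoescape(value):
            continue          # the case this commit fixes: a valid escaping policy
        if isinstance(value, ast.Constant) and value.value is False:
            findings.append((node.lineno, "autoescape=False"))
        else:
            findings.append((node.lineno, "autoescape is a non-literal; verify manually"))
    return sorted(findings)


# Constructed sample: one of each case the check distinguishes.
SAMPLE = '''\
from jinja2 import Environment, PackageLoader, select_autoescape
e1 = Environment(loader=PackageLoader('mypackage'))
e2 = Environment(autoescape=False, loader=PackageLoader('mypackage'))
e3 = Environment(autoescape=True, loader=PackageLoader('mypackage'))
e4 = Environment(autoescape=select_autoescape(['html', 'htm', 'xml']),
                 loader=PackageLoader('mypackage'))
e5 = Environment(autoescape=my_policy, loader=PackageLoader('mypackage'))
'''

if __name__ == "__main__":
    for lineno, reason in check_jinja2_autoescape(SAMPLE):
        print("line %d: %s" % (lineno, reason))
```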
Some tests used an incorrect order of arguments in
assertEqual(observed, expected). The correct order expected
by testtools is assertEqual(expected, observed).
Change-Id: I64138c2b08c44a970e7fdd96a634e8a0acd2bfa4
1. As mentioned in [1], we should avoid using six.iteritems to achieve
iterators. We can use dict.items instead, as it will return iterators
in PY3 as well, and dict.items/keys will be more readable.
2. In py2, the performance impact of lists should be negligible, see the
link [2].
[1] https://wiki.openstack.org/wiki/Python3
[2] http://lists.openstack.org/pipermail/openstack-dev/2015-June/066391.html
Change-Id: I5340fa3d71b6fba76e8fcf75f9f30432329023d2
The ssl._create_unverified_context creates a context for use with
such classes as HTTPSConnection which will do no certificate or
hostname verification. This should be flagged.
Change-Id: I326316e20ee11034c0a794f41c1bd8ae75720142
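An added example (this page's, not Bandit's) that makes the commit's claim observable at runtime rather than by name: a context from `ssl._create_unverified_context()` carries `CERT_NONE` and `check_hostname=False`, which is exactly what makes an `HTTPSConnection` accept any certificate. The same state can be reached by weakening `ssl.create_default_context()` after the fact, which a name-only scan does not catch, so the check below inspects the context's properties instead.

```python
import ssl


def context_verifies_peer(ctx):
    """True only if `ctx` both validates the certificate chain and checks the hostname."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def unverified_context():
    """The call this commit flags: CERT_NONE and no hostname check, by construction."""
    return ssl._create_unverified_context()


def weakened_context():
    """Same outcome reached without the flagged name; a grep for the name misses it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context():
    """The replacement: system trust store, CERT_REQUIRED, hostname checking on."""
    return ssl.create_default_context()


if __name__ == "__main__":
    for label, ctx in (("unverified", unverified_context()),
                       ("weakened", weakened_context()),
                       ("default", verified_context())):
        print("%-10s verify_mode=%-13s check_hostname=%-5s verifies peer: %s"
              % (label, ctx.verify_mode.name, ctx.check_hostname, context_verifies_peer(ctx)))
```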
With the news of a first collision implemented [1], bandit should
now start blacklisting the use of sha-1.
The sha-1 hash was added to the existing blacklist check B303 which
currently checks for MD5 and variants.
[1]: https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
Change-Id: I411d8d4aeb4d740635c60b559ecda72ab951b629
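An added example covering both this commit and the earlier `hashlib.new()` one (Closes-Bug #1708582): one AST check that flags `hashlib.md5()`-style constructors and `hashlib.new()` with a weak algorithm name given positionally or as `name=`. The weak set is constructed from what the two messages say B303 covers (MD4/MD5 and now SHA-1); the code is this page's illustration, not Bandit's plugin. Because `hashlib` accepts names case-insensitively, the comparison lowercases, and a non-literal algorithm name is reported at LOW confidence rather than dropped.

```python
import ast

# Weak algorithms per the two commits: the MD5 family plus the newly added SHA-1.
WEAK_HASHES = {"md4", "md5", "sha1"}


def _literal_str(node):
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _dotted_name(func):
    """'hashlib.md5' for attribute chains, 'md5' for a bare name, None otherwise."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def find_weak_hashes(source):
    """Return sorted (lineno, call, confidence) for weak hash constructions."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None or not name.startswith("hashlib."):
            continue
        attr = name[len("hashlib."):]
        if attr in WEAK_HASHES:                       # hashlib.md5(...), hashlib.sha1(...)
            hits.append((node.lineno, name, "HIGH"))
        elif attr == "new":                           # hashlib.new("md5"), hashlib.new(name="SHA1")
            alg = _literal_str(node.args[0]) if node.args else None
            for kw in node.keywords:
                if kw.arg == "name":
                    alg = _literal_str(kw.value)
            if alg is None:
                hits.append((node.lineno, "hashlib.new(<non-literal>)", "LOW"))
            elif alg.lower() in WEAK_HASHES:
                hits.append((node.lineno, "hashlib.new(%r)" % alg, "HIGH"))
    return sorted(hits)


# Constructed sample: direct constructors, hashlib.new() spellings, one variable name.
SAMPLE = '''\
import hashlib
h1 = hashlib.md5(b"data")
h2 = hashlib.sha256(b"data")
h3 = hashlib.new("md4")
h4 = hashlib.new(name="SHA1", data=b"data")
h5 = hashlib.new("sha256")
alg = "md5"
h6 = hashlib.new(alg)
'''

if __name__ == "__main__":
    for lineno, call, confidence in find_weak_hashes(SAMPLE):
        print("line %d: %s [%s]" % (lineno, call, confidence))
```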
Currently the check_example in test_functional computes sums and
on error tells the developer the difference in sums, which is
confusing and error prone.
It also leads to false positives where sums may be correct, but
the exact number of MEDIUM, HIGH, etc is different. This was the
case for two tests: test_xml and test_secret_config_option.
The general_hardcoded_password test was also broken for py35
because it was assuming function args are ast.Name not ast.arg.
But surprisingly the tests passed because of a syntax error in
the example.
Change-Id: Icd06fb7ca27a8a01d6442f199775d474d436371b
Currently when using the bandit-config-generator to dump out a
config file, it looks rather messy because config option values
that are lists are dumped onto one long line.
So rather than dumping on one line, use the vertical yaml list
format by specifying default_flow_style=False.
Change-Id: Ic0dc97f19d067471b507421dcb98ac749874e49c
As stated in the bug, the PyCryptodomex package reintroduces
PyCrypto, but with a different namespace. Therefore Bandit should
also include Cryptodome in its checks.
Change-Id: I6a02f97747420cedfb4523917ea0083ed5792d7a
Closes-Bug: #1655975
The previous version assumed the SQL query would start with `select`,
`insert into`, `update` or `delete from` which rules out queries that
are not so simple, for example queries using `with` such as:
WITH cte AS (query)
SELECT something FROM cte;
This version loosens the criteria and considers any string with simple
SQL grammar (e.g. `select` followed by `from` anywhere within) as SQL.
Change-Id: I4c95842474e71aed61abc4bc878f3565a907f7c7
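An added example, not Bandit's plugin, putting the old and new criteria side by side and then using the loosened one the way the plugin does: only strings that are *assembled* with `%`, `+`, `.format()` or an f-string are reported, since a plain literal passed to a parameterised `execute()` is the safe pattern. Both regexes are this example's own, modelled on the commit's description; the sample source is constructed.

```python
import ast
import re

# Old criterion: the string must start with one of four keywords.
_STRICT_SQL = re.compile(r"^\s*(select|insert\s+into|update|delete\s+from)\b", re.I)

# Loosened criterion: a simple SQL grammar anywhere in the string (so a
# leading WITH ... AS (...) no longer hides the query).
_LOOSE_SQL = re.compile(
    r"\bselect\b.+?\bfrom\b"
    r"|\bdelete\s+from\b"
    r"|\binsert\s+into\b.+?\b(?:values|select)\b"
    r"|\bupdate\b.+?\bset\b",
    re.I | re.S,
)


def looks_like_sql_strict(text):
    return bool(_STRICT_SQL.search(text))


def looks_like_sql(text):
    return bool(_LOOSE_SQL.search(text))


def _is_string_building(node):
    return (isinstance(node, ast.JoinedStr)
            or (isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)))
            or (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "format"))


def _literal_text(node):
    """Literal parts of a string-building expression, or None if there are none."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.JoinedStr):           # f-string: keep the constant pieces
        return "".join(v.value for v in node.values if isinstance(v, ast.Constant))
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        left, right = _literal_text(node.left), _literal_text(node.right)
        return None if left is None and right is None else (left or "") + (right or "")
    if _is_string_building(node) and isinstance(node, ast.Call):
        return _literal_text(node.func.value)     # "...".format(...)
    return None


def find_sql_string_building(source):
    """Sorted (lineno, literal text) for each SQL-looking string built at runtime."""
    seen, hits = set(), []
    for node in ast.walk(ast.parse(source)):
        if not _is_string_building(node) or node.lineno in seen:
            continue
        text = _literal_text(node)
        if text and looks_like_sql(text):
            seen.add(node.lineno)                 # nested BinOps: report a line once
            hits.append((node.lineno, " ".join(text.split())))
    return sorted(hits)


# Constructed sample: three built queries (one with a CTE), one non-SQL format
# call, and one parameterised query that must not be reported.
SAMPLE = '''\
q1 = "SELECT name FROM users WHERE id = %s" % user_id
q2 = ("WITH cte AS (SELECT id FROM users WHERE active = 1) "
      "SELECT id FROM cte WHERE id = {}").format(user_id)
q3 = f"DELETE FROM sessions WHERE token = '{token}'"
q4 = "Hello, {}".format(name)
q5 = cur.execute("UPDATE users SET email = ? WHERE id = ?", (email, uid))
'''

if __name__ == "__main__":
    for lineno, text in find_sql_string_building(SAMPLE):
        print("line %d: %s" % (lineno, text))
```

The trade-off of the loosened grammar is visible in `looks_like_sql`: any prose containing "select ... from" now counts as SQL, so the plugin's real signal is the combination of SQL-looking text *and* string building, not the grammar match alone.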
This commit removes 'stats' from the JSON output formatter. The
same information is available in the metrics section and
duplicating the data is pointless.
Closes-Bug: #1643723
Change-Id: Ia80a177fdc03c9769c35c824d8d907c93da2ebf7
This commit updates the check for a partial path in the shell
plugin to recognize Windows paths (c:\something\) as complete
paths.
Change-Id: I0e6e3b83f5464e2fe4b06bc72632bb950b5e3d7e
Closes-Bug: #1650392
Bandit's HTML report previously generated invalid markup, according to
https://validator.w3.org/. Changes:
- Add a character set
- Fix duplicate IDs
- Avoid <div>s inside of <span>s
- Remove excess slashes from <br> tags
- Use double quotes for attributes (stylistic)
Change-Id: Ie811299b05bc5229d4e76511e06db6d8c89110d6
Closes-Bug: #1650391
This commit removes our logic that checks for special characters
in shell injection tests. Really, all we care about is whether
format string characters are being used - if so we're probably
taking some kind of user input. If not, it doesn't matter
whether we're calling something with special characters.
Change-Id: I7e6a8c45a25608e3a8ab8a7eca8d8f2de5dd9837
Closes-Bug: #1650393
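An added example serving this commit and the Windows-path one above (Closes-Bug #1650392): the two heuristics the shell plugin is left with, a complete-versus-partial path test that accepts `c:\...` as complete, and a test for Python format markers as the signal that data is being spliced into the command. The regexes, severity scale and function names are this example's own, not Bandit's.

```python
import re

# A complete path starts with /, ./, ../, ~ (POSIX) or a drive letter and
# colon followed by a separator (Windows). Regex is this example's own.
_FULL_PATH = re.compile(r"^(?:/|\.\.?/|~|[A-Za-z]:[\\/])")

# Python string-formatting markers: %s-style, %(name)s-style and {}-style.
# Note: {a,b} shell brace expansion also matches; accepted as a false positive.
_FORMAT_MARKERS = re.compile(r"%[sdifr]|%\(|\{[^{}]*\}")


def is_partial_path(command):
    """True when the program named in `command` is not given by a complete path."""
    words = command.strip().split()
    program = words[0] if words else ""
    return not _FULL_PATH.match(program)


def has_format_markers(text):
    return bool(_FORMAT_MARKERS.search(text))


def rate_shell_call(command):
    """(severity, reason) for a literal string handed to subprocess with shell=True."""
    if has_format_markers(command):
        return ("HIGH", "format markers in shell command; input is likely spliced in")
    if is_partial_path(command):
        return ("MEDIUM", "program given by partial path; resolved via PATH")
    return ("LOW", "static command with complete path")


if __name__ == "__main__":
    # Constructed commands covering each branch, including a Windows path.
    for cmd in ("/bin/echo {}", "tar xf backup.tgz %s", "tar xf backup.tgz",
                r"C:\Program Files\tool.exe /x", "/usr/bin/ls -l"):
        print("%-32r -> %s: %s" % (cmd, *rate_shell_call(cmd)))
```

Special characters such as `|`, `;` or `&` are deliberately not consulted: a fixed command with a pipe in it is what the developer wrote, whereas a format marker is where somebody else's data enters.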
Several checks lack any functional test as described in the bug.
This patch adds mark_safe and ftplib tests.
There was also a typo in the calls doc where mark_safe was listed
under httpsconnection.
Also, the mark_safe check wasn't working because the full import
path for the call was not specified. That was also corrected.
Change-Id: I6f35fb65cb8c25a474175de99fcac04ea2b7d81e
Closes-Bug: #1648257
The weak_cryptographic_key check was missing the handling of a
curve keyword argument.
Change-Id: I716e4cde550866fe4a99011b7dc945c5f8357eae
Closes-Bug: #1650387
"logging.warn", which is functionally identical to "logging.warning",
is deprecated in Python 3 as per the guideline [1].
We'd better use "logging.warning" instead.
[1]https://docs.python.org/3/library/logging.html#logging.warning
Change-Id: I3567e04b3d2c358a3e5b520b8c21598e2f0be70d
Allows someone to feed a file/text into bandit from a pipe rather
than just the 'targets' argument.
Usage example:
cat examples/imports.py | bandit -
Change-Id: I1566684c0ae5476374960095816cb1720ff465a2
* Constants should be in caps
* Redundant ( ) in if statements
* Use isinstance instead of type ==
* Indentation
Change-Id: I79fda14112a9dd02fe867f6d850762216e0ca9a1
This patch fixes the two problems introduced with the latest version
of GitPython (namely 2.0.9).
The GitCommandNotFound exception now requires two new arguments,
'command' and 'cause'. And the 'command' parameter requires a
non-empty string.
Change-Id: Icf95ac057cc4df3c56da81c7d0a1ec2fd2104bf1
Closes-Bug: #1637143