From 362f25bf369671263477f51e5bcc7d7593aeda8d Mon Sep 17 00:00:00 2001
From: Julian Thome
Date: Wed, 13 May 2020 22:46:44 +0200
Subject: [PATCH] Add CWE mappings to bandit vulnerabilities
---
 bandit/formatters/csv.py | 1 +
 bandit/formatters/html.py | 2 ++
 bandit/formatters/screen.py | 10 ++++++----
 bandit/formatters/text.py | 7 ++++---
 bandit/formatters/xml.py | 8 +++++---
 tests/unit/core/test_issue.py | 11 ++++++-----
 tests/unit/core/test_manager.py | 9 +++++----
 tests/unit/formatters/test_html.py | 3 ++-
 tests/unit/formatters/test_json.py | 10 ++++++----
 tests/unit/formatters/test_screen.py | 6 ++++--
 tests/unit/formatters/test_text.py | 7 +++++--
 tests/unit/formatters/test_yaml.py | 8 ++++----
 12 files changed, 50 insertions(+), 32 deletions(-)
diff --git a/bandit/formatters/csv.py b/bandit/formatters/csv.py
index 1fc5878e8..93135d6fd 100644
--- a/bandit/formatters/csv.py
+++ b/bandit/formatters/csv.py
@@ -56,6 +56,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
 'test_name',
 'test_id',
 'issue_severity',
+ 'issue_cwe',
 'issue_confidence',
 'issue_text',
 'line_number',
diff --git a/bandit/formatters/html.py b/bandit/formatters/html.py
index 29c008b70..ed3bc2ea6 100644
--- a/bandit/formatters/html.py
+++ b/bandit/formatters/html.py
@@ -266,6 +266,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
 {test_name}: {test_text}
Test ID: {test_id}
Severity: {severity}
+ CWE: {cwe}
Confidence: {confidence}
File: {path}
More info: {url}
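Review bot: The new `CWE: {cwe}` template line renders the identifier as a bare number, while the neighbouring `More info: {url}` line gives the reader somewhere to go; a CWE id is only actionable for someone who can reach its definition. Consider rendering it as a link to the MITRE definition page, e.g. `CWE: <a href="https://cwe.mitre.org/data/definitions/{cwe}.html">{cwe}</a>`, or emitting the URL next to the number. `{cwe}` is interpolated into the HTML without escaping, which is fine only if `Issue.cwe` is guaranteed numeric (the screen formatter in this patch formats it with `%i`); if the value can come from plugin metadata it should be validated where the issue is constructed rather than trusted in each formatter. The enclosing `report` function and its template literal begin before the hunk.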
@@ -360,6 +361,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
 test_id=issue.test_id,
 test_text=issue.text,
 severity=issue.severity,
+ cwe=issue.cwe,
 confidence=issue.confidence,
 path=issue.fname, code=code, candidates=candidates,
diff --git a/bandit/formatters/screen.py b/bandit/formatters/screen.py
index 1641f1afa..8407b9320 100644
--- a/bandit/formatters/screen.py
+++ b/bandit/formatters/screen.py
@@ -97,10 +97,12 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
 # returns a list of lines that should be added to the existing lines list
 bits = []
 bits.append("%s%s>> Issue: [%s:%s] %s" % (
- indent, COLOR[issue.severity], issue.test_id, issue.test, issue.text))
+ indent, COLOR[issue.severity], issue.test_id, issue.test,
+ issue.text))
- bits.append("%s Severity: %s Confidence: %s" % (
- indent, issue.severity.capitalize(), issue.confidence.capitalize()))
+ bits.append("%s Severity: %s CWE: %i Confidence: %s" % (
+ indent, issue.severity.capitalize(), issue.cwe,
+ issue.confidence.capitalize()))
 bits.append("%s Location: %s:%s" % (
 indent, issue.fname,
@@ -110,7 +112,7 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
 indent, docs_utils.get_url(issue.test_id), COLOR['DEFAULT']))
 if show_code:
- bits.extend([indent + l for l in
+ bits.extend([indent + x for x in
 issue.get_code(lines, True).split('\n')])
 return '\n'.join([bit for bit in bits])
diff --git a/bandit/formatters/text.py b/bandit/formatters/text.py
index 33fcba83f..5f47bbc00 100644
--- a/bandit/formatters/text.py
+++ b/bandit/formatters/text.py
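Review bot: `%i` in the new `"%s Severity: %s CWE: %i Confidence: %s"` format raises `TypeError` if `issue.cwe` is ever `None` or a non-numeric value, so a single issue whose plugin has no CWE mapping would abort the whole screen report instead of printing a blank field; `Issue`'s default for `cwe` is not visible here, so treat this as something to confirm. The xml formatter in the same patch formats the same attribute with `%s`, so the formatters currently disagree on the contract. Either use `%s` here too — `bits.append("%s Severity: %s CWE: %s Confidence: %s" % (` — or make `Issue` guarantee an int and say so in its docstring. The `text.py` hunk at `@@ -73,8 +73,9 @@` has the identical construct and should change together with this one. `_output_issue_str` begins and ends outside this hunk.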
@@ -73,8 +73,9 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
 bits.append("%s>> Issue: [%s:%s] %s" % (
 indent, issue.test_id, issue.test, issue.text))
- bits.append("%s Severity: %s Confidence: %s" % (
- indent, issue.severity.capitalize(), issue.confidence.capitalize()))
+ bits.append("%s Severity: %s CWE: %i Confidence: %s" % (
+ indent, issue.severity.capitalize(), issue.cwe,
+ issue.confidence.capitalize()))
 bits.append("%s Location: %s:%s" % (
 indent, issue.fname,
 issue.lineno if show_lineno else ""))
@@ -83,7 +84,7 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
 indent, docs_utils.get_url(issue.test_id)))
 if show_code:
- bits.extend([indent + l for l in
+ bits.extend([indent + x for x in
 issue.get_code(lines, True).split('\n')])
 return '\n'.join([bit for bit in bits])
diff --git a/bandit/formatters/xml.py b/bandit/formatters/xml.py
index a21e80024..720ccbe82 100644
--- a/bandit/formatters/xml.py
+++ b/bandit/formatters/xml.py
@@ -60,9 +60,11 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
 testcase = ET.SubElement(root, 'testcase',
 classname=issue.fname, name=test)
- text = 'Test ID: %s Severity: %s Confidence: %s\n%s\nLocation %s:%s'
- text = text % (issue.test_id, issue.severity, issue.confidence,
- issue.text, issue.fname, issue.lineno)
+ text = 'Test ID: %s Severity: %s CWE: %s ' \
+ 'Confidence: %s\n%s\nLocation %s:%s'
+ text = text % (issue.test_id, issue.severity, issue.cwe,
+ issue.confidence, issue.text, issue.fname,
+ issue.lineno)
 ET.SubElement(testcase, 'error',
 more_info=docs_utils.get_url(issue.test_id),
 type=issue.severity,
diff --git a/tests/unit/core/test_issue.py b/tests/unit/core/test_issue.py
index bfe431451..d3057001b 100644
--- a/tests/unit/core/test_issue.py
+++ b/tests/unit/core/test_issue.py
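Review bot: The new `text = 'Test ID: %s Severity: %s CWE: %s ' \` in the xml hunk joins two literals with a backslash continuation, which PEP 8 discourages in favour of implicit concatenation inside parentheses and which silently breaks if trailing whitespace ever follows the backslash; `text = ('Test ID: %s Severity: %s CWE: %s '` followed by `'Confidence: %s\n%s\nLocation %s:%s')` is the conventional form. The CWE also only lands in the free-text body of the JUnit `error` element, so a consumer wanting to group or filter findings by weakness has to parse that string; if the consuming schema tolerates extra attributes, recording it as its own attribute next to `type=issue.severity` would be more useful. The enclosing `report` loop starts before the hunk.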
@@ -21,8 +21,8 @@ def test_issue_create(self):
 def test_issue_str(self):
 test_issue = _get_issue_instance()
 self.assertEqual(
- ("Issue: 'Test issue' from B999:bandit_plugin: CWE: 123, Severity: MEDIUM "
- "Confidence: MEDIUM at code.py:1"),
+ ("Issue: 'Test issue' from B999:bandit_plugin: CWE: 123,"
+ " Severity: MEDIUM Confidence: MEDIUM at code.py:1"),
 str(test_issue)
 )
@@ -41,7 +41,7 @@ def test_issue_as_dict(self):
 def test_issue_filter_severity(self):
 levels = [bandit.LOW, bandit.MEDIUM, bandit.HIGH]
- issues = [_get_issue_instance(l, bandit.HIGH) for l in levels]
+ issues = [_get_issue_instance(x, bandit.HIGH) for x in levels]
 for level in levels:
 rank = constants.RANKING.index(level)
@@ -52,7 +52,7 @@ def test_issue_filter_severity(self):
 def test_issue_filter_confidence(self):
 levels = [bandit.LOW, bandit.MEDIUM, bandit.HIGH]
- issues = [_get_issue_instance(bandit.HIGH, l) for l in levels]
+ issues = [_get_issue_instance(bandit.HIGH, x) for x in levels]
 for level in levels:
 rank = constants.RANKING.index(level)
@@ -116,7 +116,8 @@ def test_get_code(self, getline):
 self.fail('Bytes not properly decoded in issue.get_code()')
-def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, confidence=bandit.MEDIUM):
+def _get_issue_instance(severity=bandit.MEDIUM, cwe=123,
+ confidence=bandit.MEDIUM):
 new_issue = issue.Issue(severity, cwe, confidence, 'Test issue')
 new_issue.fname = 'code.py'
 new_issue.test = 'bandit_plugin'
diff --git a/tests/unit/core/test_manager.py b/tests/unit/core/test_manager.py
index 6a8d879da..a098a316f 100644
--- a/tests/unit/core/test_manager.py
+++ b/tests/unit/core/test_manager.py
@@ -18,7 +18,8 @@ class ManagerTests(testtools.TestCase):
- def _get_issue_instance(self, sev=constants.MEDIUM, cwe=123, conf=constants.MEDIUM):
+ def _get_issue_instance(self, sev=constants.MEDIUM, cwe=123,
+ conf=constants.MEDIUM):
 new_issue = issue.Issue(sev, cwe, conf, 'Test issue')
 new_issue.fname = 'code.py'
 new_issue.test = 'bandit_plugin'
@@ -145,10 +146,10 @@ def test_populate_baseline_invalid_json(self, mock_logger_warning):
 def test_results_count(self):
 levels = [constants.LOW, constants.MEDIUM, constants.HIGH]
 self.manager.results = (
- [issue.Issue(severity=l, cwe=123, confidence=l) for l in levels])
+ [issue.Issue(severity=x, cwe=123, confidence=x) for x in levels])
- r = [self.manager.results_count(sev_filter=l, conf_filter=l)
- for l in levels]
+ r = [self.manager.results_count(sev_filter=x, conf_filter=x)
+ for x in levels]
 self.assertEqual([3, 2, 1], r)
diff --git a/tests/unit/formatters/test_html.py b/tests/unit/formatters/test_html.py
index aef64e340..c04793ae8 100644
--- a/tests/unit/formatters/test_html.py
+++ b/tests/unit/formatters/test_html.py
@@ -142,7 +142,8 @@ def test_escaping(self, get_issue_list, get_code):
 self.assertNotIn(marker, contents)
-def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, confidence=bandit.MEDIUM):
+def _get_issue_instance(severity=bandit.MEDIUM, cwe=123,
+ confidence=bandit.MEDIUM):
 new_issue = issue.Issue(severity, cwe, confidence, 'Test issue')
 new_issue.fname = 'code.py'
 new_issue.test = 'bandit_plugin'
diff --git a/tests/unit/formatters/test_json.py b/tests/unit/formatters/test_json.py
index aeb68cba8..0f51d9e30 100644
--- a/tests/unit/formatters/test_json.py
+++ b/tests/unit/formatters/test_json.py
@@ -29,11 +29,13 @@ def setUp(self):
 'lineno': 4,
 'linerange': [4]}
 self.check_name = 'hardcoded_bind_all_interfaces'
- self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM, 'Possible binding to all interfaces.')
+ self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM,
+ 'Possible binding to all interfaces.')
- self.candidates = [issue.Issue(123, bandit.LOW, bandit.LOW, 'Candidate A', lineno=1),
- issue.Issue(bandit.HIGH, 123, bandit.HIGH, 'Candiate B',
- lineno=2)]
+ self.candidates = [issue.Issue(123, bandit.LOW, bandit.LOW,
+ 'Candidate A', lineno=1),
+ issue.Issue(bandit.HIGH, 123, bandit.HIGH,
+ 'Candiate B', lineno=2)]
 self.manager.out_file = self.tmp_fname
diff --git a/tests/unit/formatters/test_screen.py b/tests/unit/formatters/test_screen.py
index 8adef01aa..37913b05a 100644
--- a/tests/unit/formatters/test_screen.py
+++ b/tests/unit/formatters/test_screen.py
@@ -32,8 +32,9 @@ def _template(_issue, _indent_val, _code, _color):
 return_val = ["{}{}>> Issue: [{}:{}] {}".
 format(_indent_val, _color, _issue.test_id, _issue.test, _issue.text),
- "{} Severity: {} Confidence: {}".
+ "{} Severity: {} CWE: {} Confidence: {}".
 format(_indent_val, _issue.severity.capitalize(),
+ _issue.cwe,
 _issue.confidence.capitalize()),
 "{} Location: {}:{}".
 format(_indent_val, _issue.fname, _issue.lineno),
@@ -198,7 +199,8 @@ def test_report_baseline(self, get_issue_list):
 output_str.assert_has_calls(calls, any_order=True)
-def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, confidence=bandit.MEDIUM):
+def _get_issue_instance(severity=bandit.MEDIUM, cwe=123,
+ confidence=bandit.MEDIUM):
 new_issue = issue.Issue(severity, cwe, confidence, 'Test issue')
 new_issue.fname = 'code.py'
 new_issue.test = 'bandit_plugin'
diff --git a/tests/unit/formatters/test_text.py b/tests/unit/formatters/test_text.py
index bdac7a11b..585df1e1b 100644
--- a/tests/unit/formatters/test_text.py
+++ b/tests/unit/formatters/test_text.py
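Review bot: The rewrapped fixture `self.candidates = [issue.Issue(123, bandit.LOW, bandit.LOW,` passes `123` as `severity` and `bandit.LOW` as `cwe`, the reverse of the `Issue(severity, cwe, confidence, text)` order used by every other call in this patch, including the `test_yaml.py` fixture for the same candidate; the commit only re-wraps the line and so carries the swap forward. With a severity of `123` the candidate no longer represents the LOW-ranked finding its name suggests, so any JSON assertion that depends on candidate ordering or filtering is exercising the wrong input. Change it to `self.candidates = [issue.Issue(bandit.LOW, 123, bandit.LOW,`. The `'Candiate B'` fixture text is also misspelled here and in `test_yaml.py`; harmless, but worth correcting while the lines are being touched. `setUp` continues outside the hunk.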
@@ -32,8 +32,9 @@ def _template(_issue, _indent_val, _code):
 return_val = ["{}>> Issue: [{}:{}] {}".
 format(_indent_val, _issue.test_id, _issue.test, _issue.text),
- "{} Severity: {} Confidence: {}".
+ "{} Severity: {} CWE: {} Confidence: {}".
 format(_indent_val, _issue.severity.capitalize(),
+ _issue.cwe,
 _issue.confidence.capitalize()),
 "{} Location: {}:{}".
 format(_indent_val, _issue.fname, _issue.lineno),
@@ -130,6 +131,7 @@ def test_report_nobaseline(self, get_issue_list):
 'binding.py (score: ',
 "CONFIDENCE: 1",
 "SEVERITY: 1",
+ "CWE: 123",
 'Files excluded (1):',
 'def.py',
 'Undefined: 1',
@@ -186,7 +188,8 @@ def test_report_baseline(self, get_issue_list):
 output_str.assert_has_calls(calls, any_order=True)
-def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, confidence=bandit.MEDIUM):
+def _get_issue_instance(severity=bandit.MEDIUM, cwe=123,
+ confidence=bandit.MEDIUM):
 new_issue = issue.Issue(severity, cwe, confidence, 'Test issue')
 new_issue.fname = 'code.py'
 new_issue.test = 'bandit_plugin'
diff --git a/tests/unit/formatters/test_yaml.py b/tests/unit/formatters/test_yaml.py
index f4d4057d9..aeaceee85 100644
--- a/tests/unit/formatters/test_yaml.py
+++ b/tests/unit/formatters/test_yaml.py
@@ -32,10 +32,10 @@ def setUp(self):
 self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM,
 'Possible binding to all interfaces.')
- self.candidates = [issue.Issue(bandit.LOW, 123, bandit.LOW, 'Candidate A',
- lineno=1),
- issue.Issue(bandit.HIGH, 123, bandit.HIGH, 'Candiate B',
- lineno=2)]
+ self.candidates = [issue.Issue(bandit.LOW, 123, bandit.LOW,
+ 'Candidate A', lineno=1),
+ issue.Issue(bandit.HIGH, 123, bandit.HIGH,
+ 'Candiate B', lineno=2)]
 self.manager.out_file = self.tmp_fname