Change up how CWE is formatted

Currently the CWE information is inserted by the various formatters
between severity and confidence. This change puts the CWE after the
confidence on a separate line for better clarity.

Signed-off-by: Eric Brown <browne@vmware.com>

bandit/formatters/csv.py

@@ -11,9 +11,10 @@
 
 .. code-block:: none
 
-    filename,test_name,test_id,issue_severity,issue_confidence,issue_text,
-    line_number,line_range,more_info
-    examples/yaml_load.py,blacklist_calls,B301,MEDIUM,HIGH,"Use of unsafe yaml
+    filename,test_name,test_id,issue_severity,issue_confidence,issue_cwe,
+    issue_text,line_number,line_range,more_info
+    examples/yaml_load.py,blacklist_calls,B301,MEDIUM,HIGH,
+    https://cwe.mitre.org/data/definitions/20.html,"Use of unsafe yaml
     load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
     ",5,[5],https://bandit.readthedocs.io/en/latest/
 
@@ -22,6 +23,9 @@
 .. versionchanged:: 1.5.0
     New field `more_info` added to output
 
+.. versionchanged:: 1.7.3
+    New field `CWE` added to output
+
 """
 # Necessary for this formatter to work when imported on Python 2. Importing
 # the standard library's csv module conflicts with the name of this module.
@@ -54,8 +58,8 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
             "test_name",
             "test_id",
             "issue_severity",
-            "issue_cwe",
             "issue_confidence",
+            "issue_cwe",
             "issue_text",
             "line_number",
             "col_offset",

bandit/formatters/custom.py

@@ -21,6 +21,9 @@
 
 .. versionadded:: 1.5.0
 
+.. versionchanged:: 1.7.3
+    New field `CWE` added to output
+
 """
 import logging
 import os
@@ -78,6 +81,7 @@ def report(manager, fileobj, sev_level, conf_level, template=None):
         "msg": lambda issue: issue.text,
         "confidence": lambda issue: issue.confidence,
         "range": lambda issue: issue.linerange,
+        "cwe": lambda issue: issue.cwe,
     }
 
     # Create dictionary with tag sets to speed up search for similar tags

bandit/formatters/html.py

@@ -112,6 +112,7 @@
         <b>Test ID:</b> B506<br>
         <b>Severity: </b>MEDIUM<br>
         <b>Confidence: </b>HIGH<br>
+        <b>CWE: </b>CWE-20 (https://cwe.mitre.org/data/definitions/20.html)<br>
         <b>File: </b><a href="examples/yaml_load.py"
         target="_blank">examples/yaml_load.py</a> <br>
         <b>More info: </b><a href="https://bandit.readthedocs.io/en/latest/
@@ -138,6 +139,12 @@
 
 .. versionadded:: 0.14.0
 
+.. versionchanged:: 1.5.0
+    New field `more_info` added to output
+
+.. versionchanged:: 1.7.3
+    New field `CWE` added to output
+
 """
 import logging
 import sys
@@ -258,8 +265,8 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
     <b>{test_name}: </b> {test_text}<br>
     <b>Test ID:</b> {test_id}<br>
     <b>Severity: </b>{severity}<br>
-    <b>CWE: </b>{cwe}<br>
     <b>Confidence: </b>{confidence}<br>
+    <b>CWE: </b>{cwe}<br>
     <b>File: </b><a href="{path}" target="_blank">{path}</a> <br>
     <b>Line number: </b>{line_number}<br>
     <b>More info: </b><a href="{url}" target="_blank">{url}</a><br>
@@ -358,8 +365,8 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
             test_id=issue.test_id,
             test_text=issue.text,
             severity=issue.severity,
-            cwe=issue.cwe,
             confidence=issue.confidence,
+            cwe=issue.cwe,
             path=issue.fname,
             code=code,
             candidates=candidates,

bandit/formatters/json.py

@@ -47,6 +47,10 @@
           "filename": "examples/yaml_load.py",
           "issue_confidence": "HIGH",
           "issue_severity": "MEDIUM",
+          "issue_cwe": {
+            "id": 20,
+            "link": "https://cwe.mitre.org/data/definitions/20.html"
+          },
           "issue_text": "Use of unsafe yaml load. Allows instantiation of
                          arbitrary objects. Consider yaml.safe_load().\n",
           "line_number": 5,
@@ -62,6 +66,12 @@
 
 .. versionadded:: 0.10.0
 
+.. versionchanged:: 1.5.0
+    New field `more_info` added to output
+
+.. versionchanged:: 1.7.3
+    New field `CWE` added to output
+
 """
 # Necessary so we can import the standard library json module while continuing
 # to name this file json.py. (Python 2 only)

bandit/formatters/screen.py

@@ -16,6 +16,7 @@
        instantiation of arbitrary objects. Consider yaml.safe_load().
 
        Severity: Medium   Confidence: High
+       CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
        Location: examples/yaml_load.py:5
        More Info: https://bandit.readthedocs.io/en/latest/
     4       ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3})
@@ -24,6 +25,12 @@
 
 .. versionadded:: 0.9.0
 
+.. versionchanged:: 1.5.0
+    New field `more_info` added to output
+
+.. versionchanged:: 1.7.3
+    New field `CWE` added to output
+
 """
 import datetime
 import logging
@@ -111,15 +118,16 @@ def _output_issue_str(
     )
 
     bits.append(
-        "%s   Severity: %s CWE: %s Confidence: %s"
+        "%s   Severity: %s   Confidence: %s"
         % (
             indent,
             issue.severity.capitalize(),
-            str(issue.cwe),
             issue.confidence.capitalize(),
         )
     )
 
+    bits.append(f"{indent}   CWE: {str(issue.cwe)}")
+
     bits.append(
         "%s   Location: %s:%s:%s"
         % (

bandit/formatters/text.py

@@ -24,6 +24,12 @@
 
 .. versionadded:: 0.9.0
 
+.. versionchanged:: 1.5.0
+    New field `more_info` added to output
+
+.. versionchanged:: 1.7.3
+    New field `CWE` added to output
+
 """
 import datetime
 import logging
@@ -79,15 +85,16 @@ def _output_issue_str(
     )
 
     bits.append(
-        "%s   Severity: %s CWE: %s Confidence: %s"
+        "%s   Severity: %s   Confidence: %s"
         % (
             indent,
             issue.severity.capitalize(),
-            str(issue.cwe),
             issue.confidence.capitalize(),
         )
     )
 
+    bits.append(f"{indent}   CWE: {str(issue.cwe)}")
+
     bits.append(
         "%s   Location: %s:%s:%s"
         % (

bandit/formatters/xml.py

@@ -17,13 +17,21 @@
     message="Use of unsafe yaml load. Allows instantiation of arbitrary
     objects. Consider yaml.safe_load().
" type="MEDIUM"
     more_info="https://bandit.readthedocs.io/en/latest/">Test ID: B301
-    Severity: MEDIUM Confidence: HIGH Use of unsafe yaml load. Allows
-    instantiation of arbitrary objects. Consider yaml.safe_load().
+    Severity: MEDIUM Confidence: HIGH
+    CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) Use of unsafe
+    yaml load.
+    Allows instantiation of arbitrary objects. Consider yaml.safe_load().
 
     Location examples/yaml_load.py:5</error></testcase></testsuite>
 
 .. versionadded:: 0.12.0
 
+.. versionchanged:: 1.5.0
+    New field `more_info` added to output
+
+.. versionchanged:: 1.7.3
+    New field `CWE` added to output
+
 """
 # This future import is necessary here due to the xml import below on Python
 # 2.7
@@ -56,14 +64,14 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
         )
 
         text = (
-            "Test ID: %s Severity: %s CWE: %s Confidence: %s\n%s\n"
+            "Test ID: %s Severity: %s Confidence: %s\nCWE: %s\n%s\n"
             "Location %s:%s"
         )
         text = text % (
             issue.test_id,
             issue.severity,
-            issue.cwe,
             issue.confidence,
+            issue.cwe,
             issue.text,
             issue.fname,
             issue.lineno,

bandit/formatters/yaml.py

@@ -55,6 +55,9 @@
 
 .. versionadded:: 1.5.0
 
+.. versionchanged:: 1.7.3
+    New field `CWE` added to output
+
 """
 # Necessary for this formatter to work when imported on Python 2. Importing
 # the standard library's yaml module conflicts with the name of this module.

tests/unit/formatters/test_screen.py

@@ -35,12 +35,15 @@ def _template(_issue, _indent_val, _code, _color):
                     _issue.test,
                     _issue.text,
                 ),
-                "{}   Severity: {} CWE: {} Confidence: {}".format(
+                "{}   Severity: {}   Confidence: {}".format(
                     _indent_val,
                     _issue.severity.capitalize(),
-                    _issue.cwe,
                     _issue.confidence.capitalize(),
                 ),
+                "{}   CWE: {}".format(
+                    _indent_val,
+                    _issue.cwe,
+                ),
                 "{}   Location: {}:{}:{}".format(
                     _indent_val, _issue.fname, _issue.lineno, _issue.col_offset
                 ),

tests/unit/formatters/test_text.py

@@ -31,12 +31,12 @@ def _template(_issue, _indent_val, _code):
                 "{}>> Issue: [{}:{}] {}".format(
                     _indent_val, _issue.test_id, _issue.test, _issue.text
                 ),
-                "{}   Severity: {} CWE: {} Confidence: {}".format(
+                "{}   Severity: {}   Confidence: {}".format(
                     _indent_val,
                     _issue.severity.capitalize(),
-                    _issue.cwe,
                     _issue.confidence.capitalize(),
                 ),
+                f"{_indent_val}   CWE: {_issue.cwe}",
                 "{}   Location: {}:{}:{}".format(
                     _indent_val, _issue.fname, _issue.lineno, _issue.col_offset
                 ),