Removal of the CWEMAP dict

There is a lookup dictionary defined that maps bandit check IDs to a CWE. This is mostly unnecessary as the check can specify the exact CWE that applies to it. And this would work better for 3rd party plugins that also wish to set a CWE for their check. Maintaining a map is just another bit of maintenance. Signed-off-by: Eric Brown <browne@vmware.com>
PyCQA · Feb 2, 2022 · aea480c · aea480c
1 parent 7d6ab4a
commit aea480c
Show file tree

Hide file tree

Showing 26 changed files with 332 additions and 113 deletions.
diff --git a/bandit/core/blacklisting.py b/bandit/core/blacklisting.py
@@ -13,8 +13,8 @@ def report_issue(check, name):
     return issue.Issue(
         severity=check.get("level", "MEDIUM"),
         confidence="HIGH",
-        text=check["message"].replace("{name}", name),
         cwe=cwemap.CWEMAP[check.get("id", "LEGACY")],
+        text=check["message"].replace("{name}", name),
         ident=name,
         test_id=check.get("id", "LEGACY"),
     )

diff --git a/bandit/core/cwemap.py b/bandit/core/cwemap.py
@@ -5,37 +5,6 @@
 CWEMAP = {
     "B000": issue.Cwe.NOTSET,
     "LEGACY": issue.Cwe.NOTSET,
-    # Plugins
-    "B101": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
-    "B102": issue.Cwe.OS_COMMAND_INJECTION,
-    "B103": issue.Cwe.INCORRECT_PERMISSION_ASSIGNMENT,
-    "B104": issue.Cwe.MULTIPLE_BINDS,
-    "B105": issue.Cwe.HARD_CODED_PASSWORD,
-    "B108": issue.Cwe.INSECURE_TEMP_FILE,
-    "B110": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
-    "B112": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
-    "B201": issue.Cwe.CODE_INJECTION,
-    "B324": issue.Cwe.BROKEN_CRYPTO,
-    "B501": issue.Cwe.IMPROPER_CERT_VALIDATION,
-    "B502": issue.Cwe.BROKEN_CRYPTO,
-    "B503": issue.Cwe.BROKEN_CRYPTO,
-    "B504": issue.Cwe.BROKEN_CRYPTO,
-    "B505": issue.Cwe.INADEQUATE_ENCRYPTION_STRENGTH,
-    "B506": issue.Cwe.IMPROPER_INPUT_VALIDATION,
-    "B507": issue.Cwe.IMPROPER_CERT_VALIDATION,
-    "B601": issue.Cwe.OS_COMMAND_INJECTION,
-    "B602": issue.Cwe.OS_COMMAND_INJECTION,
-    "B603": issue.Cwe.OS_COMMAND_INJECTION,
-    "B604": issue.Cwe.OS_COMMAND_INJECTION,
-    "B605": issue.Cwe.OS_COMMAND_INJECTION,
-    "B606": issue.Cwe.OS_COMMAND_INJECTION,
-    "B607": issue.Cwe.OS_COMMAND_INJECTION,
-    "B608": issue.Cwe.SQL_INJECTION,
-    "B609": issue.Cwe.IMPROPER_WILDCARD_NEUTRALIZATION,
-    "B611": issue.Cwe.SQL_INJECTION,
-    "B701": issue.Cwe.CODE_INJECTION,
-    "B702": issue.Cwe.BASIC_XSS,
-    "B703": issue.Cwe.BASIC_XSS,
     # Calls
     "B301": issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
     "B302": issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,

diff --git a/bandit/plugins/app_debug.py b/bandit/plugins/app_debug.py
@@ -22,22 +22,27 @@
     >> Issue: A Flask app appears to be run with debug=True, which exposes
     the Werkzeug debugger and allows the execution of arbitrary code.
        Severity: High   Confidence: High
-          Location: examples/flask_debug.py:10
-          9 #bad
-          10    app.run(debug=True)
-          11
+       CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html)
+       Location: examples/flask_debug.py:10
+    9 #bad
+    10    app.run(debug=True)
+    11
 
 .. seealso::
 
  .. [1] https://flask.palletsprojects.com/en/1.1.x/quickstart/#debug-mode
  .. [2] https://werkzeug.palletsprojects.com/en/1.0.x/debug/
  .. [3] https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/
+ .. [4] https://cwe.mitre.org/data/definitions/94.html
 
 .. versionadded:: 0.15.0
 
+.. versionchanged:: 1.7.3
+    CWE information added
+
 """  # noqa: E501
 import bandit
-from bandit.core import cwemap
+from bandit.core import issue
 from bandit.core import test_properties as test
 
 
@@ -49,8 +54,8 @@ def flask_debug_true(context):
             if context.check_call_arg_value("debug", "True"):
                 return bandit.Issue(
                     severity=bandit.HIGH,
-                    cwe=cwemap.CWEMAP["B201"],
                     confidence=bandit.MEDIUM,
+                    cwe=issue.Cwe.CODE_INJECTION,
                     text="A Flask app appears to be run with debug=True, "
                     "which exposes the Werkzeug debugger and allows "
                     "the execution of arbitrary code.",

diff --git a/bandit/plugins/asserts.py b/bandit/plugins/asserts.py
@@ -34,6 +34,7 @@
     >> Issue: Use of assert detected. The enclosed code will be removed when
        compiling to optimised byte code.
        Severity: Low   Confidence: High
+       CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
        Location: ./examples/assert.py:1
     1 assert logged_in
     2 display_assets()
@@ -43,14 +44,18 @@
  - https://bugs.launchpad.net/juniperopenstack/+bug/1456193
  - https://bugs.launchpad.net/heat/+bug/1397883
  - https://docs.python.org/3/reference/simple_stmts.html#the-assert-statement
+ - https://cwe.mitre.org/data/definitions/703.html
 
 .. versionadded:: 0.11.0
 
+.. versionchanged:: 1.7.3
+    CWE information added
+
 """
 import fnmatch
 
 import bandit
-from bandit.core import cwemap
+from bandit.core import issue
 from bandit.core import test_properties as test
 
 
@@ -69,8 +74,8 @@ def assert_used(context, config):
 
     return bandit.Issue(
         severity=bandit.LOW,
-        cwe=cwemap.CWEMAP["B101"],
         confidence=bandit.HIGH,
+        cwe=issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
         text=(
             "Use of assert detected. The enclosed code "
             "will be removed when compiling to optimised byte code."

diff --git a/bandit/plugins/crypto_request_no_cert_validation.py b/bandit/plugins/crypto_request_no_cert_validation.py
@@ -25,6 +25,7 @@
     >> Issue: [request_with_no_cert_validation] Requests call with verify=False
     disabling SSL certificate checks, security issue.
        Severity: High   Confidence: High
+       CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html)
        Location: examples/requests-ssl-verify-disabled.py:4
     3   requests.get('https://gmail.com', verify=True)
     4   requests.get('https://gmail.com', verify=False)
@@ -34,12 +35,16 @@
 
  - https://security.openstack.org/guidelines/dg_move-data-securely.html
  - https://security.openstack.org/guidelines/dg_validate-certificates.html
+ - https://cwe.mitre.org/data/definitions/295.html
 
 .. versionadded:: 0.9.0
 
+.. versionchanged:: 1.7.3
+    CWE information added
+
 """
 import bandit
-from bandit.core import cwemap
+from bandit.core import issue
 from bandit.core import test_properties as test
 
 
@@ -52,12 +57,11 @@ def request_with_no_cert_validation(context):
         and context.call_function_name in http_verbs
     ):
         if context.check_call_arg_value("verify", "False"):
-            issue = bandit.Issue(
+            return bandit.Issue(
                 severity=bandit.HIGH,
-                cwe=cwemap.CWEMAP["B501"],
                 confidence=bandit.HIGH,
+                cwe=issue.Cwe.IMPROPER_CERT_VALIDATION,
                 text="Requests call with verify=False disabling SSL "
                 "certificate checks, security issue.",
                 lineno=context.get_lineno_for_call_arg("verify"),
             )
-            return issue
diff --git a/bandit/plugins/django_sql_injection.py b/bandit/plugins/django_sql_injection.py
@@ -5,7 +5,7 @@
 import ast
 
 import bandit
-from bandit.core import cwemap
+from bandit.core import issue
 from bandit.core import test_properties as test
 
 
@@ -22,14 +22,30 @@ def keywords2dict(keywords):
 def django_extra_used(context):
     """**B610: Potential SQL injection on extra function**
 
+    :Example:
+
+    .. code-block:: none
+
+        >> Issue: [B610:django_extra_used] Use of extra potential SQL attack vector.
+           Severity: Medium Confidence: Medium
+           CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
+           Location: examples/django_sql_injection_extra.py:29:0
+           More Info: https://bandit.readthedocs.io/en/latest/plugins/b610_django_extra_used.html
+        28  tables_str = 'django_content_type" WHERE "auth_user"."username"="admin'
+        29  User.objects.all().extra(tables=[tables_str]).distinct()
+
     .. seealso::
 
      - https://docs.djangoproject.com/en/dev/topics/security/\
 #sql-injection-protection
+     - https://cwe.mitre.org/data/definitions/89.html
 
     .. versionadded:: 1.5.0
 
-    """
+    .. versionchanged:: 1.7.3
+        CWE information added
+
+    """  # noqa: E501
     description = "Use of extra potential SQL attack vector."
     if context.call_function_name == "extra":
         kwargs = keywords2dict(context.node.keywords)
@@ -75,8 +91,8 @@ def django_extra_used(context):
         if insecure:
             return bandit.Issue(
                 severity=bandit.MEDIUM,
-                cwe=cwemap.CWEMAP["B611"],
                 confidence=bandit.MEDIUM,
+                cwe=issue.Cwe.SQL_INJECTION,
                 text=description,
             )
 
@@ -86,22 +102,38 @@ def django_extra_used(context):
 def django_rawsql_used(context):
     """**B611: Potential SQL injection on RawSQL function**
 
+    :Example:
+
+    .. code-block:: none
+
+        >> Issue: [B611:django_rawsql_used] Use of RawSQL potential SQL attack vector.
+           Severity: Medium Confidence: Medium
+           CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
+           Location: examples/django_sql_injection_raw.py:11:26
+           More Info: https://bandit.readthedocs.io/en/latest/plugins/b611_django_rawsql_used.html
+        10        ' WHERE "username"="admin" OR 1=%s --'
+        11  User.objects.annotate(val=RawSQL(raw, [0]))
+
     .. seealso::
 
      - https://docs.djangoproject.com/en/dev/topics/security/\
 #sql-injection-protection
+     - https://cwe.mitre.org/data/definitions/89.html
 
     .. versionadded:: 1.5.0
 
-    """
+    .. versionchanged:: 1.7.3
+        CWE information added
+
+    """  # noqa: E501
     description = "Use of RawSQL potential SQL attack vector."
     if context.is_module_imported_like("django.db.models"):
         if context.call_function_name == "RawSQL":
             sql = context.node.args[0]
             if not isinstance(sql, ast.Str):
                 return bandit.Issue(
                     severity=bandit.MEDIUM,
-                    cwe=cwemap.CWEMAP["B611"],
                     confidence=bandit.MEDIUM,
+                    cwe=issue.Cwe.SQL_INJECTION,
                     text=description,
                 )
diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py
@@ -5,7 +5,7 @@
 import ast
 
 import bandit
-from bandit.core import cwemap
+from bandit.core import issue
 from bandit.core import test_properties as test
 
 
@@ -221,8 +221,8 @@ def check_risk(node):
     if not secure:
         return bandit.Issue(
             severity=bandit.MEDIUM,
-            cwe=cwemap.CWEMAP["B703"],
             confidence=bandit.HIGH,
+            cwe=issue.Cwe.BASIC_XSS,
             text=description,
         )
 
@@ -232,6 +232,18 @@ def check_risk(node):
 def django_mark_safe(context):
     """**B703: Potential XSS on mark_safe function**
 
+    :Example:
+
+    .. code-block:: none
+
+        >> Issue: [B703:django_mark_safe] Potential XSS on mark_safe function.
+           Severity: Medium Confidence: High
+           CWE: CWE-80 (https://cwe.mitre.org/data/definitions/80.html)
+           Location: examples/mark_safe_insecure.py:159:4
+           More Info: https://bandit.readthedocs.io/en/latest/plugins/b703_django_mark_safe.html
+        158         str_arg = 'could be insecure'
+        159     safestring.mark_safe(str_arg)
+
     .. seealso::
 
      - https://docs.djangoproject.com/en/dev/topics/security/\
@@ -240,10 +252,14 @@ def django_mark_safe(context):
 #module-django.utils.safestring
      - https://docs.djangoproject.com/en/dev/ref/utils/\
 #django.utils.html.format_html
+     - https://cwe.mitre.org/data/definitions/80.html
 
     .. versionadded:: 1.5.0
 
-    """
+    .. versionchanged:: 1.7.3
+        CWE information added
+
+    """  # noqa: E501
     if context.is_module_imported_like("django.utils.safestring"):
         affected_functions = [
             "mark_safe",

diff --git a/bandit/plugins/exec.py b/bandit/plugins/exec.py
@@ -16,6 +16,7 @@
 
     >> Issue: Use of exec detected.
        Severity: Medium   Confidence: High
+       CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
        Location: ./examples/exec.py:2
     1 exec("do evil")
     2 exec "do evil"
@@ -26,19 +27,24 @@
  - https://docs.python.org/3/library/functions.html#exec
  - https://www.python.org/dev/peps/pep-0551/#background
  - https://www.python.org/dev/peps/pep-0578/#suggested-audit-hook-locations
+ - https://cwe.mitre.org/data/definitions/78.html
 
 .. versionadded:: 0.9.0
+
+.. versionchanged:: 1.7.3
+    CWE information added
+
 """
 import bandit
-from bandit.core import cwemap
+from bandit.core import issue
 from bandit.core import test_properties as test
 
 
 def exec_issue():
     return bandit.Issue(
         severity=bandit.MEDIUM,
-        cwe=cwemap.CWEMAP["B102"],
         confidence=bandit.HIGH,
+        cwe=issue.Cwe.OS_COMMAND_INJECTION,
         text="Use of exec detected.",
     )
 

diff --git a/bandit/plugins/general_bad_file_permissions.py b/bandit/plugins/general_bad_file_permissions.py
@@ -23,13 +23,15 @@
 
     >> Issue: Probable insecure usage of temp file/directory.
        Severity: Medium   Confidence: Medium
+       CWE: CWE-732 (https://cwe.mitre.org/data/definitions/732.html)
        Location: ./examples/os-chmod.py:15
     14  os.chmod('/etc/hosts', 0o777)
     15  os.chmod('/tmp/oh_hai', 0x1ff)
     16  os.chmod('/etc/passwd', stat.S_IRWXU)
 
     >> Issue: Chmod setting a permissive mask 0777 on file (key_file).
        Severity: High   Confidence: High
+       CWE: CWE-732 (https://cwe.mitre.org/data/definitions/732.html)
        Location: ./examples/os-chmod.py:17
     16  os.chmod('/etc/passwd', stat.S_IRWXU)
     17  os.chmod(key_file, 0o777)
@@ -40,14 +42,18 @@
  - https://security.openstack.org/guidelines/dg_apply-restrictive-file-permissions.html
  - https://en.wikipedia.org/wiki/File_system_permissions
  - https://security.openstack.org
+ - https://cwe.mitre.org/data/definitions/732.html
 
 .. versionadded:: 0.9.0
 
+.. versionchanged:: 1.7.3
+    CWE information added
+
 """  # noqa: E501
 import stat
 
 import bandit
-from bandit.core import cwemap
+from bandit.core import issue
 from bandit.core import test_properties as test
 
 
@@ -74,8 +80,8 @@ def set_bad_file_permissions(context):
                     filename = "NOT PARSED"
                 return bandit.Issue(
                     severity=sev_level,
-                    cwe=cwemap.CWEMAP["B103"],
                     confidence=bandit.HIGH,
+                    cwe=issue.Cwe.INCORRECT_PERMISSION_ASSIGNMENT,
                     text="Chmod setting a permissive mask %s on file (%s)."
                     % (oct(mode), filename),
                 )