Add new plugin to check use of pyghmi (#803)

* Add new plugin to check use of pyghmi This patch set adds a new bandit plugin to check the use of pyghmi. Signed-off-by: Tin Lam <tin@irrational.io> * Fix example and polish te code. Signed-off-by: Tin Lam <tin@irrational.io> * Add new plug-in to check pyghmi This patch set adds a new bandit plugin to check the use of the pyghmi library, as the IPMI is known to be an insecured protocol. Closes: #356 Signed-off-by: Tin Lam <tin@irrational.io> Co-authored-by: Tin Lam <tin@irrational.io> Co-authored-by: Eric Brown <browne@vmware.com>
PyCQA · Feb 7, 2022 · d1622bf · d1622bf
1 parent 9131162
commit d1622bf
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/bandit/blacklists/imports.py b/bandit/blacklists/imports.py
@@ -212,6 +212,17 @@
 |      |                     | - Cryptodome.Util                  |           |
 +------+---------------------+------------------------------------+-----------+
 
+B415: import_pyghmi
+-------------------
+An IPMI-related module is being imported. IPMI is considered insecure. Use
+an encrypted protocol.
+
++------+---------------------+------------------------------------+-----------+
+| ID   |  Name               |  Imports                           |  Severity |
++======+=====================+====================================+===========+
+| B415 | import_pyghmi       | - pyghmi                           | high      |
++------+---------------------+------------------------------------+-----------+
+
 """
 from bandit.blacklists import utils
 from bandit.core import issue
@@ -410,4 +421,16 @@ def gen_blacklist():
         )
     )
 
+    sets.append(
+        utils.build_conf_dict(
+            "import_pyghmi",
+            "B415",
+            issue.Cwe.CLEARTEXT_TRANSMISSION,
+            ["pyghmi"],
+            "An IPMI-related module is being imported. IPMI is considered "
+            "insecure. Use an encrypted protocol.",
+            "HIGH",
+        )
+    )
+
     return {"Import": sets, "ImportFrom": sets, "Call": sets}
diff --git a/examples/pyghmi.py b/examples/pyghmi.py
@@ -0,0 +1,5 @@
+from pyghmi.ipmi import command
+
+cmd = command.Command(bmc="bmc",
+                      userid="userid",
+                      password="ZjE4ZjI0NTE4YmI2NGJjZDliOGY3ZmJiY2UyN2IzODQK")
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
@@ -831,6 +831,14 @@ def test_no_blacklist_pycryptodome(self):
         }
         self.check_example("pycryptodome.py", expect)
 
+    def test_blacklist_pyghmi(self):
+        """Test calling pyghmi methods"""
+        expect = {
+            "SEVERITY": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 0, "HIGH": 1},
+            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 1, "HIGH": 1},
+        }
+        self.check_example("pyghmi.py", expect)
+
     def test_snmp_security_check(self):
         """Test insecure and weak crypto usage of SNMP."""
         expect = {