From d1622bf0432f0205e0035bcf87f3e22346ccd386 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 7 Feb 2022 09:34:40 -0800 Subject: [PATCH] Add new plugin to check use of pyghmi (#803) * Add new plugin to check use of pyghmi This patch set adds a new bandit plugin to check the use of pyghmi. Signed-off-by: Tin Lam * Fix example and polish te code. Signed-off-by: Tin Lam * Add new plug-in to check pyghmi This patch set adds a new bandit plugin to check the use of the pyghmi library, as the IPMI is known to be an insecured protocol. Closes: #356 Signed-off-by: Tin Lam Co-authored-by: Tin Lam Co-authored-by: Eric Brown
---
 bandit/blacklists/imports.py | 23 +++++++++++++++++++++++
 examples/pyghmi.py | 5 +++++
 tests/functional/test_functional.py | 8 ++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 examples/pyghmi.py
diff --git a/bandit/blacklists/imports.py b/bandit/blacklists/imports.py
index a123d2b6e..3363c7fa4 100644
--- a/bandit/blacklists/imports.py
+++ b/bandit/blacklists/imports.py
@@ -212,6 +212,17 @@
 | | | - Cryptodome.Util | |
 +------+---------------------+------------------------------------+-----------+
+B415: import_pyghmi
+-------------------
+An IPMI-related module is being imported. IPMI is considered insecure. Use
+an encrypted protocol.
+
++------+---------------------+------------------------------------+-----------+
+| ID | Name | Imports | Severity |
++======+=====================+====================================+===========+
+| B415 | import_pyghmi | - pyghmi | high |
++------+---------------------+------------------------------------+-----------+
+
 """
 from bandit.blacklists import utils
 from bandit.core import issue
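Review bot: The remedy sentence `Use an encrypted protocol.` in the new B415 docstring entry is too vague to act on, since IPMI 2.0 itself offers encrypted RMCP+ sessions and this finding cannot tell them apart from cleartext sessions, so a reader does not learn what would actually clear the finding. The entry should name the alternative and the compensating control, e.g. `An IPMI-related module is being imported. IPMI is considered insecure; prefer an authenticated, encrypted management API such as Redfish over HTTPS, and confine any unavoidable IPMI traffic to an isolated management network.` The same wording is repeated in the `build_conf_dict` message in the later hunk of this file, so both places should change together.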
@@ -410,4 +421,16 @@ def gen_blacklist():
 )
 )
+ sets.append(
+ utils.build_conf_dict(
+ "import_pyghmi",
+ "B415",
+ issue.Cwe.CLEARTEXT_TRANSMISSION,
+ ["pyghmi"],
+ "An IPMI-related module is being imported. IPMI is considered "
+ "insecure. Use an encrypted protocol.",
+ "HIGH",
+ )
+ )
+
 return {"Import": sets, "ImportFrom": sets, "Call": sets}
diff --git a/examples/pyghmi.py b/examples/pyghmi.py
new file mode 100644
index 000000000..44eb197ac
--- /dev/null
+++ b/examples/pyghmi.py
@@ -0,0 +1,5 @@
+from pyghmi.ipmi import command
+
+cmd = command.Command(bmc="bmc",
+ userid="userid",
+ password="ZjE4ZjI0NTE4YmI2NGJjZDliOGY3ZmJiY2UyN2IzODQK")
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index bc7f6cfe7..ecfe8780f 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -831,6 +831,14 @@ def test_no_blacklist_pycryptodome(self):
 }
 self.check_example("pycryptodome.py", expect)
+ def test_blacklist_pyghmi(self):
+ """Test calling pyghmi methods"""
+ expect = {
+ "SEVERITY": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 0, "HIGH": 1},
+ "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 1, "HIGH": 1},
+ }
+ self.check_example("pyghmi.py", expect)
+
 def test_snmp_security_check(self):
 """Test insecure and weak crypto usage of SNMP."""
 expect = {
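Review bot: The qualname list `["pyghmi"]` combined with an IPMI-specific message flags every import from the pyghmi package, and pyghmi also ships a Redfish client under `pyghmi.redfish` that talks HTTPS, so those users receive a HIGH cleartext-transmission finding whose text does not apply to their code. Either narrow the entry to the IPMI subpackage (`["pyghmi.ipmi"]`), after confirming that the blocklist matcher still reports the example's `from pyghmi.ipmi import command` form for a subpackage qualname, or reword the message so it says the pyghmi package is imported and its IPMI transport is the insecure part. gen_blacklist's body starts outside the hunk, so I cannot see whether other entries in this function follow a subpackage-level convention that this one should match.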
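Review bot: The fixture passes a string literal as `password=`, which produces a second finding unrelated to B415 (a hardcoded-password keyword argument, presumably the LOW/MEDIUM-confidence entry that test_blacklist_pyghmi expects), so the new test now also depends on that other plugin's behavior and will break when it changes. Keep the example to the import under test by taking the credential from the environment, e.g. `import os` at the top and `password=os.environ.get("BMC_PASSWORD")` in the call, and let the test expect only the HIGH finding.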
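Review bot: The docstring `"""Test calling pyghmi methods"""` misdescribes what test_blacklist_pyghmi checks: B415 is an import blocklist entry and is raised on the `from pyghmi.ipmi import command` line of the example, not on a method call, and the LOW/MEDIUM-confidence count in `expect` appears to come from the example's literal `password=` argument rather than from pyghmi at all. Proposed: `"""Test that importing pyghmi is reported (B415); the LOW finding is the example's hardcoded password kwarg."""`. The enclosing test class continues outside the hunk.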