Removal of the CWEMAP dict (#789)
There is a lookup dictionary defined that maps bandit check IDs
to a CWE. This is mostly unnecessary as the check can specify
the exact CWE that applies to it. And this would work better for
3rd party plugins that also wish to set a CWE for their check.
Maintaining the map is just an extra maintenance burden.

Signed-off-by: Eric Brown <browne@vmware.com>
ericwb committed Feb 2, 2022
1 parent 7d6ab4a commit fafa822
Showing 30 changed files with 398 additions and 167 deletions.
24 changes: 24 additions & 0 deletions bandit/blacklists/calls.py
Expand Up @@ -314,6 +314,7 @@
"""
from bandit.blacklists import utils
from bandit.core import issue


def gen_blacklist():
Expand All @@ -332,6 +333,7 @@ def gen_blacklist():
utils.build_conf_dict(
"pickle",
"B301",
issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
[
"pickle.loads",
"pickle.load",
Expand All @@ -354,6 +356,7 @@ def gen_blacklist():
utils.build_conf_dict(
"marshal",
"B302",
issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
["marshal.load", "marshal.loads"],
"Deserialization with the marshal module is possibly dangerous.",
)
Expand All @@ -363,6 +366,7 @@ def gen_blacklist():
utils.build_conf_dict(
"md5",
"B303",
issue.Cwe.BROKEN_CRYPTO,
[
"hashlib.md5",
"hashlib.sha1",
Expand All @@ -385,6 +389,7 @@ def gen_blacklist():
utils.build_conf_dict(
"ciphers",
"B304",
issue.Cwe.BROKEN_CRYPTO,
[
"Crypto.Cipher.ARC2.new",
"Crypto.Cipher.ARC4.new",
Expand All @@ -410,6 +415,7 @@ def gen_blacklist():
utils.build_conf_dict(
"cipher_modes",
"B305",
issue.Cwe.BROKEN_CRYPTO,
["cryptography.hazmat.primitives.ciphers.modes.ECB"],
"Use of insecure cipher mode {name}.",
)
Expand All @@ -419,6 +425,7 @@ def gen_blacklist():
utils.build_conf_dict(
"mktemp_q",
"B306",
issue.Cwe.INSECURE_TEMP_FILE,
["tempfile.mktemp"],
"Use of insecure and deprecated function (mktemp).",
)
Expand All @@ -428,6 +435,7 @@ def gen_blacklist():
utils.build_conf_dict(
"eval",
"B307",
issue.Cwe.OS_COMMAND_INJECTION,
["eval"],
"Use of possibly insecure function - consider using safer "
"ast.literal_eval.",
Expand All @@ -438,6 +446,7 @@ def gen_blacklist():
utils.build_conf_dict(
"mark_safe",
"B308",
issue.Cwe.XSS,
["django.utils.safestring.mark_safe"],
"Use of mark_safe() may expose cross-site scripting "
"vulnerabilities and should be reviewed.",
Expand All @@ -448,6 +457,7 @@ def gen_blacklist():
utils.build_conf_dict(
"httpsconnection",
"B309",
issue.Cwe.CLEARTEXT_TRANSMISSION,
[
"httplib.HTTPSConnection",
"http.client.HTTPSConnection",
Expand All @@ -463,6 +473,7 @@ def gen_blacklist():
utils.build_conf_dict(
"urllib_urlopen",
"B310",
issue.Cwe.PATH_TRAVERSAL,
[
"urllib.urlopen",
"urllib.request.urlopen",
Expand All @@ -488,6 +499,7 @@ def gen_blacklist():
utils.build_conf_dict(
"random",
"B311",
issue.Cwe.INSUFFICIENT_RANDOM_VALUES,
[
"random.random",
"random.randrange",
Expand All @@ -507,6 +519,7 @@ def gen_blacklist():
utils.build_conf_dict(
"telnetlib",
"B312",
issue.Cwe.CLEARTEXT_TRANSMISSION,
["telnetlib.*"],
"Telnet-related functions are being called. Telnet is considered "
"insecure. Use SSH or some other encrypted protocol.",
Expand All @@ -528,6 +541,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_cElementTree",
"B313",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
[
"xml.etree.cElementTree.parse",
"xml.etree.cElementTree.iterparse",
Expand All @@ -542,6 +556,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_ElementTree",
"B314",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
[
"xml.etree.ElementTree.parse",
"xml.etree.ElementTree.iterparse",
Expand All @@ -556,6 +571,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_expatreader",
"B315",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.sax.expatreader.create_parser"],
xml_msg,
)
Expand All @@ -565,6 +581,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_expatbuilder",
"B316",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.expatbuilder.parse", "xml.dom.expatbuilder.parseString"],
xml_msg,
)
Expand All @@ -574,6 +591,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_sax",
"B317",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.sax.parse", "xml.sax.parseString", "xml.sax.make_parser"],
xml_msg,
)
Expand All @@ -583,6 +601,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_minidom",
"B318",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.minidom.parse", "xml.dom.minidom.parseString"],
xml_msg,
)
Expand All @@ -592,6 +611,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_pulldom",
"B319",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.pulldom.parse", "xml.dom.pulldom.parseString"],
xml_msg,
)
Expand All @@ -601,6 +621,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_etree",
"B320",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
[
"lxml.etree.parse",
"lxml.etree.fromstring",
Expand All @@ -623,6 +644,7 @@ def gen_blacklist():
utils.build_conf_dict(
"ftplib",
"B321",
issue.Cwe.CLEARTEXT_TRANSMISSION,
["ftplib.*"],
"FTP-related functions are being called. FTP is considered "
"insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
Expand All @@ -636,6 +658,7 @@ def gen_blacklist():
utils.build_conf_dict(
"unverified_context",
"B323",
issue.Cwe.IMPROPER_CERT_VALIDATION,
["ssl._create_unverified_context"],
"By default, Python will create a secure, verified ssl context for"
" use in such classes as HTTPSConnection. However, it still allows"
Expand All @@ -651,6 +674,7 @@ def gen_blacklist():
utils.build_conf_dict(
"tempnam",
"B325",
issue.Cwe.INSECURE_TEMP_FILE,
["os.tempnam", "os.tmpnam"],
"Use of os.tempnam() and os.tmpnam() is vulnerable to symlink "
"attacks. Consider using tmpfile() instead.",
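Review bot: B307 (`eval`) is tagged `issue.Cwe.OS_COMMAND_INJECTION` in the hunk at `-428,6 +435,7`, but `eval` executes Python source rather than a shell command; the matching weakness is code injection (CWE-94, or CWE-95 "Eval Injection"), so if the `Cwe` enum has a code-injection member it belongs here, and otherwise one should be added rather than reusing CWE-78. Every XML check (B313–B320 here, and B405–B411 in bandit/blacklists/imports.py) is mapped to the generic `IMPROPER_INPUT_VALIDATION` (CWE-20), although these checks, as far as their messages are visible, concern XML entity attacks, for which CWE-776 (entity expansion) and CWE-611 (external entity reference) are the specific entries; a generic CWE makes the JSON/SARIF output noticeably less useful for triage. B309 (`HTTPSConnection`) as `CLEARTEXT_TRANSMISSION` also looks off if, as I recall from the check's documentation, the concern is missing certificate validation on old interpreters, which would be `IMPROPER_CERT_VALIDATION` as already used for B323. Each of these hunks sits inside `gen_blacklist`, which starts and ends outside the shown context.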
40 changes: 36 additions & 4 deletions bandit/blacklists/imports.py
Expand Up @@ -214,6 +214,7 @@
"""
from bandit.blacklists import utils
from bandit.core import issue


def gen_blacklist():
Expand All @@ -232,6 +233,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_telnetlib",
"B401",
issue.Cwe.CLEARTEXT_TRANSMISSION,
["telnetlib"],
"A telnet-related module is being imported. Telnet is "
"considered insecure. Use SSH or some other encrypted protocol.",
Expand All @@ -243,6 +245,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_ftplib",
"B402",
issue.Cwe.CLEARTEXT_TRANSMISSION,
["ftplib"],
"A FTP-related module is being imported. FTP is considered "
"insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
Expand All @@ -254,6 +257,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_pickle",
"B403",
issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
["pickle", "cPickle", "dill", "shelve"],
"Consider possible security implications associated with "
"{name} module.",
Expand All @@ -265,6 +269,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_subprocess",
"B404",
issue.Cwe.OS_COMMAND_INJECTION,
["subprocess"],
"Consider possible security implications associated with the "
"subprocess module.",
Expand All @@ -291,6 +296,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_xml_etree",
"B405",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.etree.cElementTree", "xml.etree.ElementTree"],
xml_msg,
"LOW",
Expand All @@ -299,14 +305,20 @@ def gen_blacklist():

sets.append(
utils.build_conf_dict(
"import_xml_sax", "B406", ["xml.sax"], xml_msg, "LOW"
"import_xml_sax",
"B406",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.sax"],
xml_msg,
"LOW",
)
)

sets.append(
utils.build_conf_dict(
"import_xml_expat",
"B407",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.expatbuilder"],
xml_msg,
"LOW",
Expand All @@ -315,24 +327,42 @@ def gen_blacklist():

sets.append(
utils.build_conf_dict(
"import_xml_minidom", "B408", ["xml.dom.minidom"], xml_msg, "LOW"
"import_xml_minidom",
"B408",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.minidom"],
xml_msg,
"LOW",
)
)

sets.append(
utils.build_conf_dict(
"import_xml_pulldom", "B409", ["xml.dom.pulldom"], xml_msg, "LOW"
"import_xml_pulldom",
"B409",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.pulldom"],
xml_msg,
"LOW",
)
)

sets.append(
utils.build_conf_dict("import_lxml", "B410", ["lxml"], lxml_msg, "LOW")
utils.build_conf_dict(
"import_lxml",
"B410",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["lxml"],
lxml_msg,
"LOW",
)
)

sets.append(
utils.build_conf_dict(
"import_xmlrpclib",
"B411",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xmlrpclib"],
"Using {name} to parse untrusted XML data is known to be "
"vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() "
Expand All @@ -346,6 +376,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_httpoxy",
"B412",
issue.Cwe.IMPROPER_ACCESS_CONTROL,
[
"wsgiref.handlers.CGIHandler",
"twisted.web.twcgi.CGIScript",
Expand All @@ -361,6 +392,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_pycrypto",
"B413",
issue.Cwe.BROKEN_CRYPTO,
[
"Crypto.Cipher",
"Crypto.Hash",
3 changes: 2 additions & 1 deletion bandit/blacklists/utils.py
Expand Up @@ -5,11 +5,12 @@
r"""Utils module."""


def build_conf_dict(name, bid, qualnames, message, level="MEDIUM"):
def build_conf_dict(name, bid, cwe, qualnames, message, level="MEDIUM"):
"""Build and return a blacklist configuration dict."""
return {
"name": name,
"id": bid,
"cwe": cwe,
"message": message,
"qualnames": qualnames,
"level": level,
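Review bot: Inserting `cwe` as the third positional parameter means a third-party plugin that still calls `build_conf_dict(name, bid, qualnames, message)` does not fail but binds its qualname list to `cwe`, its message to `qualnames` and its level to `message`, yielding a silently misconfigured check; since the commit message explicitly targets plugin authors, a cheap guard such as `if not isinstance(qualnames, (list, tuple)): raise TypeError("qualnames must be a list of qualified names")` would turn that into an immediate error. The docstring should also state what `cwe` is expected to be, e.g. `"""Build and return a blacklist configuration dict; ``cwe`` is the issue.Cwe value reported for every match of this check."""`. The closing of the returned dict lies outside the hunk.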
3 changes: 1 addition & 2 deletions bandit/core/blacklisting.py
Expand Up @@ -5,16 +5,15 @@
import ast
import fnmatch

from bandit.core import cwemap
from bandit.core import issue


def report_issue(check, name):
return issue.Issue(
severity=check.get("level", "MEDIUM"),
confidence="HIGH",
cwe=check.get("cwe", issue.Cwe.NOTSET),
text=check["message"].replace("{name}", name),
cwe=cwemap.CWEMAP[check.get("id", "LEGACY")],
ident=name,
test_id=check.get("id", "LEGACY"),
)
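Review bot: `check.get("cwe", issue.Cwe.NOTSET)` only falls back when the key is absent, so a plugin conf dict that sets `"cwe": None` (or any non-`Cwe` value) is passed straight into `issue.Issue`, something the previous fixed `CWEMAP` lookup could not produce. If `Issue` does not validate its `cwe` argument (not visible here), a form such as `cwe=check.get("cwe") if check.get("cwe") is not None else issue.Cwe.NOTSET`, or validation inside `build_conf_dict`, keeps the reported CWE field consistent. `report_issue` also has no docstring; I would add `"""Build an Issue for a blacklisted name, taking severity, CWE and message text from the check's conf dict."""`.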

0 comments on commit fafa822

Please sign in to comment.