Merge branch 'main' into b113-trojansource

.github/workflows/pythonpackage.yml

@@ -9,7 +9,8 @@ jobs:
       matrix:
         python-version: [3.7]
     steps:
-    - uses: actions/checkout@v1
+    - name: Checkout repository
+      uses: actions/checkout@v1
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v1
       with:
@@ -29,7 +30,8 @@ jobs:
       matrix:
         python-version: [3.7]
     steps:
-    - uses: actions/checkout@v1
+    - name: Checkout repository
+      uses: actions/checkout@v1
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v1
       with:
@@ -43,82 +45,27 @@ jobs:
     - name: Run tox
       run: tox -e pep8
 
-  py37:
-    runs-on: ubuntu-latest
+  tests:
     strategy:
       matrix:
-        python-version: [3.7]
+        python-version: [
+          ["3.7", "37"], ["3.8", "38"], ["3.9", "39"], ["3.10", "310"]
+        ]
+        os: [ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    name: ${{ matrix.os }} (${{ matrix.python-version[0] }})
     steps:
-    - uses: actions/checkout@v1
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v1
+    - name: Checkout repository
+      uses: actions/checkout@v2
+    - name: Set up Python ${{ matrix.python-version[0] }}
+      uses: actions/setup-python@v2
       with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install -r requirements.txt
-        pip install -r test-requirements.txt
-        pip install tox
-    - name: Run tox
-      run: tox -e py37
-
-  py38:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python-version: [3.8]
-    steps:
-    - uses: actions/checkout@v1
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v1
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install -r requirements.txt
-        pip install -r test-requirements.txt
-        pip install tox
-    - name: Run tox
-      run: tox -e py38
-
-  py39:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python-version: [3.9]
-    steps:
-    - uses: actions/checkout@v1
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v1
-      with:
-        python-version: ${{ matrix.python-version }}
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install -r requirements.txt
-        pip install -r test-requirements.txt
-        pip install tox
-    - name: Run tox
-      run: tox -e py39
-
-  py310:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python-version: ['3.10']
-    steps:
-    - uses: actions/checkout@v1
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v1
-      with:
-        python-version: ${{ matrix.python-version }}
+        python-version: ${{ matrix.python-version[0] }}
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip
         pip install -r requirements.txt
         pip install -r test-requirements.txt
         pip install tox
     - name: Run tox
-      run: tox -e py310
+      run: tox -e py${{ matrix.python-version[1] }}

CONTRIBUTING.md

@@ -18,7 +18,7 @@ Here are guidelines and rules that can be helpful if you plan to want to get inv
     * [Extending Bandit](#extending-bandit)
 
 ## Code of Conduct
-Everyone who participates in this project is governed by the PyCQA [Code of Conduct](https://github.com/PyCQA/bandit/blob/master/CODE_OF_CONDUCT.md#contributor-covenant-code-of-conduct).
+Everyone who participates in this project is governed by the PyCQA [Code of Conduct](https://github.com/PyCQA/bandit/blob/main/CODE_OF_CONDUCT.md#contributor-covenant-code-of-conduct).
 
 ## Reporting Bugs
 If you encounter a bug, please let us know about it. See the guide here [GitHub issues](https://guides.github.com/features/issues/).

README.rst

@@ -1,4 +1,4 @@
-.. image:: https://github.com/PyCQA/bandit/blob/master/logo/logotype-sm.png
+.. image:: https://github.com/PyCQA/bandit/blob/main/logo/logotype-sm.png
     :alt: Bandit
 
 ======
@@ -24,7 +24,7 @@
     :alt: Format
 
 .. image:: https://img.shields.io/badge/license-Apache%202-blue.svg
-    :target: https://github.com/PyCQA/bandit/blob/master/LICENSE
+    :target: https://github.com/PyCQA/bandit/blob/main/LICENSE
     :alt: License
 
 A security linter from PyCQA
@@ -33,7 +33,7 @@ A security linter from PyCQA
 * Documentation: https://bandit.readthedocs.io/en/latest/
 * Source: https://github.com/PyCQA/bandit
 * Bugs: https://github.com/PyCQA/bandit/issues
-* Contributing: https://github.com/PyCQA/bandit/blob/master/CONTRIBUTING.md
+* Contributing: https://github.com/PyCQA/bandit/blob/main/CONTRIBUTING.md
 
 Overview
 --------
@@ -46,32 +46,6 @@ it generates a report.
 Bandit was originally developed within the OpenStack Security Project and
 later rehomed to PyCQA.
 
-References
-----------
-
-Bandit docs: https://bandit.readthedocs.io/en/latest/
-
-Python AST module documentation: https://docs.python.org/3/library/ast.html
-
-Green Tree Snakes - the missing Python AST docs:
-https://greentreesnakes.readthedocs.org/en/latest/
-
-Documentation of the various types of AST nodes that Bandit currently covers
-or could be extended to cover:
-https://greentreesnakes.readthedocs.org/en/latest/nodes.html
-
-Contributing
-------------
-
-Follow our Contributing file:
-https://github.com/PyCQA/bandit/blob/master/CONTRIBUTING.md
-
-Reporting Bugs
---------------
-
-Bugs should be reported on github. To file a bug against Bandit, visit:
-https://github.com/PyCQA/bandit/issues
-
 Show Your Style
 ---------------
 
@@ -90,3 +64,15 @@ using RST::
     .. image:: https://img.shields.io/badge/security-bandit-yellow.svg
         :target: https://github.com/PyCQA/bandit
         :alt: Security Status
+
+References
+----------
+
+Python AST module documentation: https://docs.python.org/3/library/ast.html
+
+Green Tree Snakes - the missing Python AST docs:
+https://greentreesnakes.readthedocs.org/en/latest/
+
+Documentation of the various types of AST nodes that Bandit currently covers
+or could be extended to cover:
+https://greentreesnakes.readthedocs.org/en/latest/nodes.html

bandit/blacklists/calls.py

@@ -313,6 +313,8 @@
 +------+---------------------+------------------------------------+-----------+
 
 """
+import sys
+
 from bandit.blacklists import utils
 from bandit.core import issue
 
@@ -362,28 +364,52 @@ def gen_blacklist():
         )
     )
 
-    sets.append(
-        utils.build_conf_dict(
-            "md5",
-            "B303",
-            issue.Cwe.BROKEN_CRYPTO,
-            [
-                "hashlib.md5",
-                "hashlib.sha1",
-                "Crypto.Hash.MD2.new",
-                "Crypto.Hash.MD4.new",
-                "Crypto.Hash.MD5.new",
-                "Crypto.Hash.SHA.new",
-                "Cryptodome.Hash.MD2.new",
-                "Cryptodome.Hash.MD4.new",
-                "Cryptodome.Hash.MD5.new",
-                "Cryptodome.Hash.SHA.new",
-                "cryptography.hazmat.primitives.hashes.MD5",
-                "cryptography.hazmat.primitives.hashes.SHA1",
-            ],
-            "Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
+    if sys.version_info >= (3, 9):
+        sets.append(
+            utils.build_conf_dict(
+                "md5",
+                "B303",
+                issue.Cwe.BROKEN_CRYPTO,
+                [
+                    "Crypto.Hash.MD2.new",
+                    "Crypto.Hash.MD4.new",
+                    "Crypto.Hash.MD5.new",
+                    "Crypto.Hash.SHA.new",
+                    "Cryptodome.Hash.MD2.new",
+                    "Cryptodome.Hash.MD4.new",
+                    "Cryptodome.Hash.MD5.new",
+                    "Cryptodome.Hash.SHA.new",
+                    "cryptography.hazmat.primitives.hashes.MD5",
+                    "cryptography.hazmat.primitives.hashes.SHA1",
+                ],
+                "Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
+            )
+        )
+    else:
+        sets.append(
+            utils.build_conf_dict(
+                "md5",
+                "B303",
+                issue.Cwe.BROKEN_CRYPTO,
+                [
+                    "hashlib.md4",
+                    "hashlib.md5",
+                    "hashlib.sha",
+                    "hashlib.sha1",
+                    "Crypto.Hash.MD2.new",
+                    "Crypto.Hash.MD4.new",
+                    "Crypto.Hash.MD5.new",
+                    "Crypto.Hash.SHA.new",
+                    "Cryptodome.Hash.MD2.new",
+                    "Cryptodome.Hash.MD4.new",
+                    "Cryptodome.Hash.MD5.new",
+                    "Cryptodome.Hash.SHA.new",
+                    "cryptography.hazmat.primitives.hashes.MD5",
+                    "cryptography.hazmat.primitives.hashes.SHA1",
+                ],
+                "Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
+            )
         )
-    )
 
     sets.append(
         utils.build_conf_dict(

bandit/blacklists/imports.py

@@ -212,6 +212,17 @@
 |      |                     | - Cryptodome.Util                  |           |
 +------+---------------------+------------------------------------+-----------+
 
+B415: import_pyghmi
+-------------------
+An IPMI-related module is being imported. IPMI is considered insecure. Use
+an encrypted protocol.
+
++------+---------------------+------------------------------------+-----------+
+| ID   |  Name               |  Imports                           |  Severity |
++======+=====================+====================================+===========+
+| B415 | import_pyghmi       | - pyghmi                           | high      |
++------+---------------------+------------------------------------+-----------+
+
 """
 from bandit.blacklists import utils
 from bandit.core import issue
@@ -410,4 +421,16 @@ def gen_blacklist():
         )
     )
 
+    sets.append(
+        utils.build_conf_dict(
+            "import_pyghmi",
+            "B415",
+            issue.Cwe.CLEARTEXT_TRANSMISSION,
+            ["pyghmi"],
+            "An IPMI-related module is being imported. IPMI is considered "
+            "insecure. Use an encrypted protocol.",
+            "HIGH",
+        )
+    )
+
     return {"Import": sets, "ImportFrom": sets, "Call": sets}

bandit/cli/main.py

@@ -265,7 +265,15 @@ def main():
         ' not be listed in "low".',
         choices=["all", "low", "medium", "high"],
     )
-    output_format = "screen" if sys.stdout.isatty() else "txt"
+    output_format = (
+        "screen"
+        if (
+            sys.stdout.isatty()
+            and os.getenv("NO_COLOR") is None
+            and os.getenv("TERM") != "dumb"
+        )
+        else "txt"
+    )
     parser.add_argument(
         "-f",
         "--format",
@@ -586,8 +594,9 @@ def main():
         )
 
     if not args.targets:
-        LOG.error("No targets found in CLI or ini files, exiting.")
+        parser.print_usage()
         sys.exit(2)
+
     # if the log format string was set in the options, reinitialize
     if b_conf.get_option("log_format"):
         log_format = b_conf.get_option("log_format")

bandit/core/context.py

@@ -315,3 +315,7 @@ def is_module_imported_like(self, module):
     @property
     def filename(self):
         return self._context.get("filename")
+
+    @property
+    def file_data(self):
+        return self._context.get("file_data")

bandit/core/docs_utils.py

@@ -2,11 +2,13 @@
 # Copyright 2016 Hewlett-Packard Development Company, L.P.
 #
 # SPDX-License-Identifier: Apache-2.0
-# where our docs are hosted
-BASE_URL = "https://bandit.readthedocs.io/en/latest/"
+import bandit
 
 
 def get_url(bid):
+    # where our docs are hosted
+    base_url = f"https://bandit.readthedocs.io/en/{bandit.__version__}/"
+
     # NOTE(tkelsey): for some reason this import can't be found when stevedore
     # loads up the formatter plugin that imports this file. It is available
     # later though.
@@ -15,7 +17,7 @@ def get_url(bid):
     info = extension_loader.MANAGER.plugins_by_id.get(bid)
     if info is not None:
         return "{}plugins/{}_{}.html".format(
-            BASE_URL,
+            base_url,
             bid.lower(),
             info.plugin.__name__,
         )
@@ -51,6 +53,6 @@ def get_url(bid):
                 kind="imports", id=info["id"], name=info["name"]
             )
 
-        return BASE_URL + ext.lower()
+        return base_url + ext.lower()
 
-    return BASE_URL  # no idea, give the docs main page
+    return base_url  # no idea, give the docs main page