From 4a40e04af070a3fb99228fd60e405a6c4ea0c7d8 Mon Sep 17 00:00:00 2001 From: Gram Date: Mon, 8 Oct 2018 18:08:05 +0300 Subject: [PATCH 01/13] parse config from toml --- bandit/core/config.py | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/bandit/core/config.py b/bandit/core/config.py index 7369f061b..bf328eb03 100644 --- a/bandit/core/config.py +++ b/bandit/core/config.py @@ -46,12 +46,21 @@ def __init__(self, config_file=None): raise utils.ConfigError("Could not read config file.", config_file) - try: - self._config = yaml.safe_load(f) - self.validate(config_file) - except yaml.YAMLError as err: - LOG.error(err) - raise utils.ConfigError("Error parsing file.", config_file) + if config_file.endswith('.toml'): + import toml + try: + self._config = toml.load(f)['tool']['bandit'] + except toml.TomlDecodeError as err: + LOG.error(err) + raise utils.ConfigError("Error parsing file.", config_file) + else: + try: + self._config = yaml.safe_load(f) + except yaml.YAMLError as err: + LOG.error(err) + raise utils.ConfigError("Error parsing file.", config_file) + + self.validate(config_file) # valid config must be a dict if not isinstance(self._config, dict): From 98ff64b3ce4435cd33c06147f09e2b33dd5694d1 Mon Sep 17 00:00:00 2001 From: Gram Date: Mon, 8 Oct 2018 18:08:19 +0300 Subject: [PATCH 02/13] test toml config parsing --- test-requirements.txt | 19 +++++++------- tests/unit/core/test_config.py | 48 +++++++++++++++++++++++++++++++--- 2 files changed, 54 insertions(+), 13 deletions(-) diff --git a/test-requirements.txt b/test-requirements.txt index 1812ef18b..753b70f74 100644 --- a/test-requirements.txt +++ b/test-requirements.txt 
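Review bot: A missing `toml` package or a pyproject.toml without a `[tool.bandit]` table escapes the new `.toml` branch as a bare ImportError or KeyError, while every other failure in this hunk ("Could not read config file.", "Error parsing file.") is reported as `utils.ConfigError`; the function-local `import toml` and the `['tool']['bandit']` lookup need the same wrapping. The series adds `toml` to test-requirements.txt and later as an extra, not to the base requirements, so the ImportError is the first thing a user without the extra will hit. `__init__` begins and ends outside the hunk; the yaml branch is unchanged apart from `validate` now running for both formats, which is fine.
```python
        if config_file.endswith('.toml'):
            try:
                import toml
            except ImportError:
                raise utils.ConfigError(
                    "TOML config requires the 'toml' package.", config_file)
            try:
                data = toml.load(f)
            except toml.TomlDecodeError as err:
                LOG.error(err)
                raise utils.ConfigError("Error parsing file.", config_file)
            try:
                self._config = data['tool']['bandit']
            except KeyError:
                raise utils.ConfigError(
                    "Missing [tool.bandit] section.", config_file)
        # … unchanged: yaml branch and self.validate(config_file) …
```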
@@ -1,15 +1,16 @@ # The order of packages is significant, because pip processes them in the order # of appearance. Changing the order has an impact on the overall integration # process, which may cause wedges in the gate later. -coverage!=4.4,>=4.0 # Apache-2.0 -fixtures>=3.0.0 # Apache-2.0/BSD -hacking>=1.0.0 # Apache-2.0 -mock>=2.0.0 # BSD -stestr>=1.0.0 # Apache-2.0 -testscenarios>=0.4 # Apache-2.0/BSD -testtools>=2.2.0 # MIT -oslotest>=3.2.0 # Apache-2.0 +coverage!=4.4,>=4.0 # Apache-2.0 +fixtures>=3.0.0 # Apache-2.0/BSD +hacking>=1.0.0 # Apache-2.0 +mock>=2.0.0 # BSD +stestr>=1.0.0 # Apache-2.0 +testscenarios>=0.4 # Apache-2.0/BSD +testtools>=2.2.0 # MIT +oslotest>=3.2.0 # Apache-2.0 +toml # MIT beautifulsoup4>=4.6.0 # MIT -pylint==1.4.5 # GPLv2 +pylint==1.4.5 # GPLv2 diff --git a/tests/unit/core/test_config.py b/tests/unit/core/test_config.py index afa4cda5f..f597de509 100644 --- a/tests/unit/core/test_config.py +++ b/tests/unit/core/test_config.py @@ -26,14 +26,15 @@ class TempFile(fixtures.Fixture): - def __init__(self, contents=None): + def __init__(self, contents=None, suffix='.yaml'): super(TempFile, self).__init__() self.contents = contents + self.suffix = suffix def setUp(self): super(TempFile, self).setUp() - with tempfile.NamedTemporaryFile(mode='wt', delete=False) as f: + with tempfile.NamedTemporaryFile(suffix=self.suffix, mode='wt', delete=False) as f: if self.contents: f.write(self.contents) @@ -122,7 +123,7 @@ def test_not_exist(self): class TestConfigCompat(testtools.TestCase): - sample_yaml = textwrap.dedent(""" + sample = textwrap.dedent(""" profiles: test_1: include: 
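Review bot: `toml # MIT` is the only entry in test-requirements.txt without a version floor, while every neighbouring line pins a minimum; without one, the `toml.TomlDecodeError` class the config code relies on is tied to whatever version pip happens to resolve. Give it a lower bound in the same form as the other lines, e.g. `toml>=<MIN_VERSION> # MIT` with the placeholder checked against the release that provides that exception class. The re-alignment of every other line in the hunk is whitespace-only churn that PATCH 05 reverts again, so both hunks could be reduced to the single added line.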
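Review bot: The rewritten `TempFile.setUp` keeps `delete=False` but still registers no cleanup, so every test in the module leaves a `.yaml` or `.toml` file behind in the temp directory. `fixtures.Fixture` provides `addCleanup`, so `self.addCleanup(os.unlink, f.name)` after the `with` block (adding `import os` if the module does not already have it) closes the gap; whatever the fixture does with `f.name` afterwards lives outside the hunk. The new `suffix` parameter itself is fine and is what lets the `.toml` detection in config.py be exercised.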
@@ -167,10 +168,11 @@ class TestConfigCompat(testtools.TestCase): level: HIGH message: "{module} is considered insecure." """) + suffix = '.yaml' def setUp(self): super(TestConfigCompat, self).setUp() - f = self.useFixture(TempFile(self.sample_yaml)) + f = self.useFixture(TempFile(self.sample, suffix=self.suffix)) self.config = config.BanditConfig(f.name) def test_converted_include(self): @@ -262,3 +264,41 @@ def test_bad_yaml(self): self.config = config.BanditConfig(f.name) except utils.ConfigError as e: self.assertIn("Error parsing file.", e.message) + + +class TestTomlConfig(TestConfigCompat): + sample = textwrap.dedent(""" + [tool.bandit.profiles.test_1] + include = [ + "any_other_function_with_shell_equals_true", + "assert_used", + ] + + [tool.bandit.profiles.test_2] + include = ["blacklist_calls"] + + [tool.bandit.profiles.test_3] + include = ["blacklist_imports"] + + [tool.bandit.profiles.test_4] + exclude = ["assert_used"] + + [tool.bandit.profiles.test_5] + exclude = ["blacklist_calls", "blacklist_imports"] + + [tool.bandit.profiles.test_6] + include = ["blacklist_calls"] + exclude = ["blacklist_imports"] + + [[tool.bandit.blacklist_calls.bad_name_sets]] + [tool.bandit.blacklist_calls.bad_name_sets.pickle] + qualnames = ["pickle.loads"] + message = "{func} library appears to be in use." + + [[tool.bandit.blacklist_imports.bad_import_sets]] + [tool.bandit.blacklist_imports.bad_import_sets.telnet] + imports = ["telnetlib"] + level = "HIGH" + message = "{module} is considered insecure." + """) + suffix = '.toml' From d49c4876451b6d81d88ae0072c60216dc54ac4de Mon Sep 17 00:00:00 2001 From: Gram Date: Mon, 8 Oct 2018 18:35:16 +0300 Subject: [PATCH 03/13] update docs --- doc/source/config.rst | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/doc/source/config.rst b/doc/source/config.rst index 1129f2043..79e082aa5 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst 
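Review bot: `TestTomlConfig` inherits `test_bad_yaml`, whose visible tail asserts on "Error parsing file." but whose fixture (set up above the hunk) appears to use `TempFile`'s default `.yaml` suffix, so the new `toml.TomlDecodeError` branch in config.py is never exercised by this class. Add a TOML counterpart, e.g. `def test_bad_toml(self):` / `f = self.useFixture(TempFile("[tool.bandit\n", suffix='.toml'))` / `self.assertRaises(utils.ConfigError, config.BanditConfig, f.name)`, plus a case with a well-formed document that lacks a `[tool.bandit]` table, which the parser currently surfaces as a KeyError rather than ConfigError. `assertRaises` is also stricter than the try/except shape in `test_bad_yaml`, which passes silently when no exception is raised at all.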
@@ -37,6 +37,44 @@ several config files and pick from them using `-c`. If you only wish to control the specific tests that are to be run (and not their parameters) then using `-s` or `-t` on the command line may be more appropriate. +Also you can configure bandit via +`pyproject.toml `_ file. In this +case you should explicitly specify path to configvia `-s` too.File example: + +.. code-block:: python + [tool.bandit.profiles.test_1] + include = [ + "any_other_function_with_shell_equals_true", + "assert_used", + ] + + [tool.bandit.profiles.test_2] + include = ["blacklist_calls"] + + [tool.bandit.profiles.test_3] + include = ["blacklist_imports"] + + [tool.bandit.profiles.test_4] + exclude = ["assert_used"] + + [tool.bandit.profiles.test_5] + exclude = ["blacklist_calls", "blacklist_imports"] + + [tool.bandit.profiles.test_6] + include = ["blacklist_calls"] + exclude = ["blacklist_imports"] + + [[tool.bandit.blacklist_calls.bad_name_sets]] + [tool.bandit.blacklist_calls.bad_name_sets.pickle] + qualnames = ["pickle.loads"] + message = "{func} library appears to be in use." + + [[tool.bandit.blacklist_imports.bad_import_sets]] + [tool.bandit.blacklist_imports.bad_import_sets.telnet] + imports = ["telnetlib"] + level = "HIGH" + message = "{module} is considered insecure." + Skipping Tests -------------- The bandit config may contain optional lists of test IDs to either include From 6154e9e5eed194290ecd307eb2cc5681fc3e8d67 Mon Sep 17 00:00:00 2001 From: Gram Date: Mon, 8 Oct 2018 18:49:14 +0300 Subject: [PATCH 04/13] FIX pep8 "line too long" in tests --- tests/unit/core/test_config.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/unit/core/test_config.py b/tests/unit/core/test_config.py index f597de509..ecedbfb55 100644 --- a/tests/unit/core/test_config.py +++ b/tests/unit/core/test_config.py 
@@ -34,7 +34,8 @@ def __init__(self, contents=None, suffix='.yaml'): def setUp(self): super(TempFile, self).setUp() - with tempfile.NamedTemporaryFile(suffix=self.suffix, mode='wt', delete=False) as f: + with tempfile.NamedTemporaryFile(suffix=self.suffix, mode='wt', + delete=False) as f: if self.contents: f.write(self.contents) From bfb4cba237d177b867fe25bab90cafb779a9b820 Mon Sep 17 00:00:00 2001 From: Gram Date: Tue, 9 Oct 2018 09:29:13 +0300 Subject: [PATCH 05/13] review --- doc/source/config.rst | 3 ++- test-requirements.txt | 20 ++++++++++---------- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/doc/source/config.rst b/doc/source/config.rst index 79e082aa5..27da3f48a 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -39,7 +39,8 @@ the specific tests that are to be run (and not their parameters) then using Also you can configure bandit via `pyproject.toml `_ file. In this -case you should explicitly specify path to configvia `-s` too.File example: +case you would explicitly specify the path to configuration via `-s` too. +For example: .. code-block:: python [tool.bandit.profiles.test_1] diff --git a/test-requirements.txt b/test-requirements.txt index 753b70f74..e24c1c778 100644 --- a/test-requirements.txt +++ b/test-requirements.txt 
@@ -1,16 +1,16 @@ # The order of packages is significant, because pip processes them in the order # of appearance. Changing the order has an impact on the overall integration # process, which may cause wedges in the gate later. -coverage!=4.4,>=4.0 # Apache-2.0 -fixtures>=3.0.0 # Apache-2.0/BSD -hacking>=1.0.0 # Apache-2.0 -mock>=2.0.0 # BSD -stestr>=1.0.0 # Apache-2.0 -testscenarios>=0.4 # Apache-2.0/BSD -testtools>=2.2.0 # MIT -oslotest>=3.2.0 # Apache-2.0 -toml # MIT +coverage!=4.4,>=4.0 # Apache-2.0 +fixtures>=3.0.0 # Apache-2.0/BSD +hacking>=1.0.0 # Apache-2.0 +mock>=2.0.0 # BSD +stestr>=1.0.0 # Apache-2.0 +testscenarios>=0.4 # Apache-2.0/BSD +testtools>=2.2.0 # MIT +toml # MIT +oslotest>=3.2.0 # Apache-2.0 beautifulsoup4>=4.6.0 # MIT -pylint==1.4.5 # GPLv2 +pylint==1.4.5 # GPLv2 From bdf6c1895fcd6d4bd0686bd5dc62209f31bf19bb Mon Sep 17 00:00:00 2001 From: Gram Date: Mon, 4 Mar 2019 21:21:25 +0300 Subject: [PATCH 06/13] +extras --- setup.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/setup.py b/setup.py index 566d84432..f30781e2d 100644 --- a/setup.py +++ b/setup.py @@ -26,4 +26,8 @@ setuptools.setup( setup_requires=['pbr>=2.0.0'], + extras_require={ + 'yaml': ['PyYAML'], + 'toml': ['toml'], + }, pbr=True) From fac79baffa480063dfef65ac6373af2961c3363b Mon Sep 17 00:00:00 2001 From: Gram Date: Tue, 5 Mar 2019 21:19:37 +0300 Subject: [PATCH 07/13] use setup.cfg for extras --- setup.cfg | 6 ++++++ setup.py | 4 ---- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/setup.cfg b/setup.cfg index 4dbd036f0..ec930b7a8 100644 --- a/setup.cfg +++ b/setup.cfg @@ -24,6 +24,12 @@ classifier = Programming Language :: Python :: 3.7 Topic :: Security +[extras] +yaml = + PyYAML +toml = + toml + [entry_points] console_scripts = bandit = bandit.cli.main:main diff --git a/setup.py b/setup.py index f30781e2d..566d84432 100644 --- a/setup.py +++ b/setup.py 
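Review bot: Listing PyYAML under `extras_require['yaml']` declares it optional, but the config.py hunk in PATCH 01 calls `yaml.safe_load` and catches `yaml.YAMLError` without a local import, so it appears to be a module-level hard dependency; an install without the `yaml` extra would then fail at import time rather than only for YAML configs. Keep PyYAML in the base requirements (or make the yaml import as lazy as the toml one, with the same ConfigError wrapping) and expose only `toml` as an extra. The same layout is carried into setup.cfg by PATCH 07 and renamed to `[options.extras_require]` in PATCH 08/09, so this comment applies to those hunks too.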
@@ -26,8 +26,4 @@ setuptools.setup( setup_requires=['pbr>=2.0.0'], - extras_require={ - 'yaml': ['PyYAML'], - 'toml': ['toml'], - }, pbr=True) From c6d7e381d6d534a0324d55582c012c9caafdb4ab Mon Sep 17 00:00:00 2001 From: Gram Date: Mon, 9 Mar 2020 12:52:21 +0100 Subject: [PATCH 08/13] fix setup.cfg --- setup.cfg | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup.cfg b/setup.cfg index c11a57d86..d9c4111b4 100644 --- a/setup.cfg +++ b/setup.cfg @@ -25,13 +25,14 @@ classifier = Programming Language :: Python :: 3.8 Topic :: Security +[options.extras_require] [extras] yaml = PyYAML toml = toml -[entry_points] +[options.entry_points] console_scripts = bandit = bandit.cli.main:main bandit-config-generator = bandit.cli.config_generator:main From 0b6e6369a458ea68dc98d0f649b1f7ae683c6dd5 Mon Sep 17 00:00:00 2001 From: Gram Date: Mon, 9 Mar 2020 12:53:32 +0100 Subject: [PATCH 09/13] fix --- setup.cfg | 1 - 1 file changed, 1 deletion(-) diff --git a/setup.cfg b/setup.cfg index d9c4111b4..19f2be624 100644 --- a/setup.cfg +++ b/setup.cfg @@ -26,7 +26,6 @@ classifier = Topic :: Security [options.extras_require] -[extras] yaml = PyYAML toml = From 41c8ba63edc8c6d7b06ee809e65f353b988f9ea7 Mon Sep 17 00:00:00 2001 From: Gram Date: Tue, 16 Feb 2021 11:33:32 +0100 Subject: [PATCH 10/13] Apply suggestions from code review Co-authored-by: Lionel Bersee --- doc/source/config.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/source/config.rst b/doc/source/config.rst index d8785a013..5c2078fe9 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -43,6 +43,7 @@ case you would explicitly specify the path to configuration via `-s` too. For example: .. code-block:: python + [tool.bandit.profiles.test_1] include = [ "any_other_function_with_shell_equals_true", From edef1b0d9af3d39a2b51ee52eaee4c214b47a9b8 Mon Sep 17 00:00:00 2001 
From: Gram Date: Tue, 16 Feb 2021 11:33:49 +0100 Subject: [PATCH 11/13] Update doc/source/config.rst Co-authored-by: Lionel Bersee --- doc/source/config.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/config.rst b/doc/source/config.rst index 5c2078fe9..0229332f5 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -42,7 +42,7 @@ Also you can configure bandit via case you would explicitly specify the path to configuration via `-s` too. For example: -.. code-block:: python +.. code-block:: TOML [tool.bandit.profiles.test_1] include = [ From 3e04a66f9d8a3a677451eec493618d2c07f337cf Mon Sep 17 00:00:00 2001 From: Gram Date: Sat, 14 Aug 2021 14:15:49 +0200 Subject: [PATCH 12/13] Update doc/source/config.rst Co-authored-by: Eric Brown --- doc/source/config.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/config.rst b/doc/source/config.rst index 0229332f5..78c829406 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst @@ -39,7 +39,7 @@ the specific tests that are to be run (and not their parameters) then using Also you can configure bandit via `pyproject.toml `_ file. In this -case you would explicitly specify the path to configuration via `-s` too. +case you would explicitly specify the path to configuration via `-c` too. For example: .. code-block:: TOML From 6600e527f07100027a452b51bfd9557060b58bab Mon Sep 17 00:00:00 2001 From: gram Date: Wed, 18 Aug 2021 09:05:01 +0200 Subject: [PATCH 13/13] actualize TOML config example in docs --- doc/source/config.rst | 77 +++++++++++++++++++++++++------------------ 1 file changed, 45 insertions(+), 32 deletions(-) diff --git a/doc/source/config.rst b/doc/source/config.rst index 78c829406..62177dfd9 100644 --- a/doc/source/config.rst +++ b/doc/source/config.rst 
@@ -44,38 +44,51 @@ For example: .. code-block:: TOML - [tool.bandit.profiles.test_1] - include = [ - "any_other_function_with_shell_equals_true", - "assert_used", - ] - - [tool.bandit.profiles.test_2] - include = ["blacklist_calls"] - - [tool.bandit.profiles.test_3] - include = ["blacklist_imports"] - - [tool.bandit.profiles.test_4] - exclude = ["assert_used"] - - [tool.bandit.profiles.test_5] - exclude = ["blacklist_calls", "blacklist_imports"] - - [tool.bandit.profiles.test_6] - include = ["blacklist_calls"] - exclude = ["blacklist_imports"] - - [[tool.bandit.blacklist_calls.bad_name_sets]] - [tool.bandit.blacklist_calls.bad_name_sets.pickle] - qualnames = ["pickle.loads"] - message = "{func} library appears to be in use." - - [[tool.bandit.blacklist_imports.bad_import_sets]] - [tool.bandit.blacklist_imports.bad_import_sets.telnet] - imports = ["telnetlib"] - level = "HIGH" - message = "{module} is considered insecure." + [tool.bandit] + tests = ["B201", "B301"] + skips = ["B101", "B601"] + + [tool.bandit.any_other_function_with_shell_equals_true] + no_shell = [ + "os.execl", + "os.execle", + "os.execlp", + "os.execlpe", + "os.execv", + "os.execve", + "os.execvp", + "os.execvpe", + "os.spawnl", + "os.spawnle", + "os.spawnlp", + "os.spawnlpe", + "os.spawnv", + "os.spawnve", + "os.spawnvp", + "os.spawnvpe", + "os.startfile" + ] + shell = [ + "os.system", + "os.popen", + "os.popen2", + "os.popen3", + "os.popen4", + "popen2.popen2", + "popen2.popen3", + "popen2.popen4", + "popen2.Popen3", + "popen2.Popen4", + "commands.getoutput", + "commands.getstatusoutput" + ] + subprocess = [ + "subprocess.Popen", + "subprocess.call", + "subprocess.check_call", + "subprocess.check_output" + ] + Skipping Tests --------------