From e812ae3e139a091a70254b6cc076852db80c97ab Mon Sep 17 00:00:00 2001 
From: Julian Thome Date: Wed, 13 May 2020 22:23:46 +0200 Subject: [PATCH 01/18] Add CWE mappings to bandit issues and update formatters accordingly. --- bandit/core/blacklisting.py | 2 +- bandit/core/issue.py | 21 ++++++++++++------- bandit/formatters/csv.py | 1 + bandit/formatters/html.py | 2 ++ bandit/formatters/screen.py | 10 +++++---- bandit/formatters/text.py | 7 ++++--- bandit/formatters/xml.py | 8 ++++--- bandit/plugins/app_debug.py | 1 + bandit/plugins/asserts.py | 1 + .../crypto_request_no_cert_validation.py | 1 + bandit/plugins/django_sql_injection.py | 2 ++ bandit/plugins/django_xss.py | 1 + bandit/plugins/exec.py | 1 + .../plugins/general_bad_file_permissions.py | 1 + bandit/plugins/general_bind_all_interfaces.py | 1 + bandit/plugins/general_hardcoded_password.py | 1 + bandit/plugins/general_hardcoded_tmp.py | 1 + .../plugins/hashlib_new_insecure_functions.py | 1 + bandit/plugins/injection_paramiko.py | 1 + bandit/plugins/injection_shell.py | 8 +++++++ bandit/plugins/injection_sql.py | 1 + bandit/plugins/injection_wildcard.py | 1 + bandit/plugins/insecure_ssl_tls.py | 5 +++++ bandit/plugins/jinja2_templates.py | 3 +++ bandit/plugins/mako_templates.py | 1 + .../plugins/ssh_no_host_key_verification.py | 1 + bandit/plugins/try_except_continue.py | 1 + bandit/plugins/try_except_pass.py | 1 + bandit/plugins/weak_cryptographic_key.py | 1 + bandit/plugins/yaml_load.py | 1 + tests/functional/test_functional.py | 1 + tests/unit/core/test_blacklisting.py | 2 ++ tests/unit/core/test_issue.py | 15 ++++++------- tests/unit/core/test_manager.py | 16 ++++++++------ tests/unit/formatters/test_csv.py | 2 +- tests/unit/formatters/test_html.py | 5 +++-- tests/unit/formatters/test_json.py | 10 ++++----- tests/unit/formatters/test_screen.py | 8 ++++--- tests/unit/formatters/test_text.py | 9 +++++--- tests/unit/formatters/test_xml.py | 2 +- tests/unit/formatters/test_yaml.py | 10 ++++----- 41 files changed, 116 insertions(+), 52 deletions(-) 
diff --git a/bandit/core/blacklisting.py b/bandit/core/blacklisting.py index aecf1512f..67b7680aa 100644 --- a/bandit/core/blacklisting.py +++ b/bandit/core/blacklisting.py @@ -12,7 +12,7 @@ def report_issue(check, name): return issue.Issue( - severity=check.get('level', 'MEDIUM'), confidence='HIGH', + severity=check.get('level', 'MEDIUM'), cwe=0, confidence='HIGH', text=check['message'].replace('{name}', name), ident=name, test_id=check.get("id", 'LEGACY')) diff --git a/bandit/core/issue.py b/bandit/core/issue.py index 61394dbbd..2e653cc82 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py @@ -15,9 +15,11 @@ class Issue(object): - def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT, + def __init__(self, severity, cwe, + confidence=constants.CONFIDENCE_DEFAULT, text="", ident=None, lineno=None, test_id=""): self.severity = severity + self.cwe = cwe self.confidence = confidence if isinstance(text, bytes): text = text.decode('utf-8') @@ -30,16 +32,17 @@ def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT, self.linerange = [] def __str__(self): - return ("Issue: '%s' from %s:%s: Severity: %s Confidence: " + return ("Issue: '%s' from %s:%s: CWE: %i, Severity: %s Confidence: " "%s at %s:%i") % (self.text, self.test_id, - (self.ident or self.test), self.severity, - self.confidence, self.fname, self.lineno) + (self.ident or self.test), self.cwe, + self.severity, self.confidence, self.fname, + self.lineno) def __eq__(self, other): # if the issue text, severity, confidence, and filename match, it's # the same issue from our perspective - match_types = ['text', 'severity', 'confidence', 'fname', 'test', - 'test_id'] + match_types = ['text', 'severity', 'cwe', 'confidence', 'fname', + 'test', 'test_id'] return all(getattr(self, field) == getattr(other, field) for field in match_types) 
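Review bot: Hard-coding `cwe=0` in `report_issue` leaves every blacklist finding (the B3xx call/import checks) without a CWE, even though the blacklist check definition is the natural place to carry one. Reading it from the check keeps the fallback while letting the data files supply a real id: `severity=check.get('level', 'MEDIUM'), cwe=check.get('cwe', 0), confidence='HIGH',`. Since 0 is not a valid CWE identifier, consumers of the CSV/JSON output have to treat it as "unmapped"; a comment on that line, `# 0 means no CWE mapping is known for this check`, would make the sentinel explicit.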
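Review bot: Inserting `cwe` as a required positional parameter between `severity` and `confidence` in `Issue.__init__` silently shifts every existing positional call of the form `Issue(severity, confidence, text)`: an external plugin written against the old signature would now pass its confidence as the CWE and its text as the confidence without any error, and the mis-ordered `issue.Issue(123, bandit.LOW, bandit.LOW, 'Candidate A', lineno=1)` in tests/unit/formatters/test_json.py in this same patch shows how easy that slip is. Appending the parameter with a default keeps old callers working: `def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT, text="", ident=None, lineno=None, test_id="", cwe=0):`. Because `__str__` formats it with `%i`, the docstring should state that `cwe` must be an int (the CWE number, 0 when unmapped).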
@@ -101,11 +104,12 @@ def as_dict(self, with_code=True): 'test_name': self.test, 'test_id': self.test_id, 'issue_severity': self.severity, + 'issue_cwe': self.cwe, 'issue_confidence': self.confidence, 'issue_text': self.text.encode('utf-8').decode('utf-8'), 'line_number': self.lineno, 'line_range': self.linerange, - } + } if with_code: out['code'] = self.get_code() @@ -115,6 +119,7 @@ def from_dict(self, data, with_code=True): self.code = data["code"] self.fname = data["filename"] self.severity = data["issue_severity"] + self.cwe = int(data["issue_cwe"]) self.confidence = data["issue_confidence"] self.text = data["issue_text"] self.test = data["test_name"] @@ -124,6 +129,6 @@ def from_dict(self, data, with_code=True): def issue_from_dict(data): - i = Issue(severity=data["issue_severity"]) + i = Issue(severity=data["issue_severity"], cwe=int(data["issue_cwe"])) i.from_dict(data) return i diff --git a/bandit/formatters/csv.py b/bandit/formatters/csv.py index 1fc5878e8..93135d6fd 100644 --- a/bandit/formatters/csv.py +++ b/bandit/formatters/csv.py @@ -56,6 +56,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): 'test_name', 'test_id', 'issue_severity', + 'issue_cwe', 'issue_confidence', 'issue_text', 'line_number', diff --git a/bandit/formatters/html.py b/bandit/formatters/html.py index 29c008b70..ed3bc2ea6 100644 --- a/bandit/formatters/html.py +++ b/bandit/formatters/html.py @@ -266,6 +266,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): {test_name}: {test_text}
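Review bot: `int(data["issue_cwe"])` in both `from_dict` and `issue_from_dict` raises KeyError for any results file written before this change, so loading a previously generated baseline (the path exercised by test_populate_baseline_success in test_manager.py) now aborts instead of degrading gracefully. A missing key should map to the same unmapped value the blacklist uses: `self.cwe = int(data.get("issue_cwe", 0))` and `cwe=int(data.get("issue_cwe", 0))`. A non-numeric value will still raise ValueError, which is reasonable for a corrupt file but deserves a one-line comment. Note also that adding `cwe` to `__eq__` means a baseline entry whose stored CWE differs from the current plugin mapping is no longer treated as the same issue, which is worth calling out in the changelog.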
Test ID: {test_id}
Severity: {severity}
+ CWE: {cwe}
Confidence: {confidence}
File: {path}
More info: {url}
@@ -360,6 +361,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): test_id=issue.test_id, test_text=issue.text, severity=issue.severity, + cwe=issue.cwe, confidence=issue.confidence, path=issue.fname, code=code, candidates=candidates, diff --git a/bandit/formatters/screen.py b/bandit/formatters/screen.py index 1641f1afa..8407b9320 100644 --- a/bandit/formatters/screen.py +++ b/bandit/formatters/screen.py @@ -97,10 +97,12 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True, # returns a list of lines that should be added to the existing lines list bits = [] bits.append("%s%s>> Issue: [%s:%s] %s" % ( - indent, COLOR[issue.severity], issue.test_id, issue.test, issue.text)) + indent, COLOR[issue.severity], issue.test_id, issue.test, + issue.text)) - bits.append("%s Severity: %s Confidence: %s" % ( - indent, issue.severity.capitalize(), issue.confidence.capitalize())) + bits.append("%s Severity: %s CWE: %i Confidence: %s" % ( + indent, issue.severity.capitalize(), issue.cwe, + issue.confidence.capitalize())) bits.append("%s Location: %s:%s" % ( indent, issue.fname, @@ -110,7 +112,7 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True, indent, docs_utils.get_url(issue.test_id), COLOR['DEFAULT'])) if show_code: - bits.extend([indent + l for l in + bits.extend([indent + x for x in issue.get_code(lines, True).split('\n')]) return '\n'.join([bit for bit in bits]) diff --git a/bandit/formatters/text.py b/bandit/formatters/text.py index 33fcba83f..5f47bbc00 100644 --- a/bandit/formatters/text.py +++ b/bandit/formatters/text.py 
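Review bot: `"CWE: %i" % issue.cwe` in the screen formatter's `_output_issue_str` (and the identical line in text.py) raises TypeError if any plugin ever supplies a non-integer such as `None` or a string id, which would abort report generation for the whole run rather than one finding; the XML formatter in this patch uses `%s`, and the two console formatters should match it: `bits.append("%s Severity: %s CWE: %s Confidence: %s" % (`. The blacklist's `0` also prints as `CWE: 0`, which reads like a real identifier; consider rendering it only when non-zero, or as a dash.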
@@ -73,8 +73,9 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True, bits.append("%s>> Issue: [%s:%s] %s" % ( indent, issue.test_id, issue.test, issue.text)) - bits.append("%s Severity: %s Confidence: %s" % ( - indent, issue.severity.capitalize(), issue.confidence.capitalize())) + bits.append("%s Severity: %s CWE: %i Confidence: %s" % ( + indent, issue.severity.capitalize(), issue.cwe, + issue.confidence.capitalize())) bits.append("%s Location: %s:%s" % ( indent, issue.fname, issue.lineno if show_lineno else "")) @@ -83,7 +84,7 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True, indent, docs_utils.get_url(issue.test_id))) if show_code: - bits.extend([indent + l for l in + bits.extend([indent + x for x in issue.get_code(lines, True).split('\n')]) return '\n'.join([bit for bit in bits]) diff --git a/bandit/formatters/xml.py b/bandit/formatters/xml.py index a21e80024..720ccbe82 100644 --- a/bandit/formatters/xml.py +++ b/bandit/formatters/xml.py @@ -60,9 +60,11 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): testcase = ET.SubElement(root, 'testcase', classname=issue.fname, name=test) - text = 'Test ID: %s Severity: %s Confidence: %s\n%s\nLocation %s:%s' - text = text % (issue.test_id, issue.severity, issue.confidence, - issue.text, issue.fname, issue.lineno) + text = 'Test ID: %s Severity: %s CWE: %s ' \ + 'Confidence: %s\n%s\nLocation %s:%s' + text = text % (issue.test_id, issue.severity, issue.cwe, + issue.confidence, issue.text, issue.fname, + issue.lineno) ET.SubElement(testcase, 'error', more_info=docs_utils.get_url(issue.test_id), type=issue.severity, diff --git a/bandit/plugins/app_debug.py b/bandit/plugins/app_debug.py index 76d2c60cb..0ef80e3b2 100644 --- a/bandit/plugins/app_debug.py +++ b/bandit/plugins/app_debug.py 
@@ -51,6 +51,7 @@ def flask_debug_true(context): if context.check_call_arg_value('debug', 'True'): return bandit.Issue( severity=bandit.HIGH, + cwe=94, confidence=bandit.MEDIUM, text="A Flask app appears to be run with debug=True, " "which exposes the Werkzeug debugger and allows " diff --git a/bandit/plugins/asserts.py b/bandit/plugins/asserts.py index b5356252b..60715c014 100644 --- a/bandit/plugins/asserts.py +++ b/bandit/plugins/asserts.py @@ -49,6 +49,7 @@ def assert_used(context): return bandit.Issue( severity=bandit.LOW, + cwe=703, confidence=bandit.HIGH, text=("Use of assert detected. The enclosed code " "will be removed when compiling to optimised byte code.") diff --git a/bandit/plugins/crypto_request_no_cert_validation.py b/bandit/plugins/crypto_request_no_cert_validation.py index f44cc7c9e..195ab8c7f 100644 --- a/bandit/plugins/crypto_request_no_cert_validation.py +++ b/bandit/plugins/crypto_request_no_cert_validation.py @@ -54,6 +54,7 @@ def request_with_no_cert_validation(context): if context.check_call_arg_value('verify', 'False'): issue = bandit.Issue( severity=bandit.HIGH, + cwe=295, confidence=bandit.HIGH, text="Requests call with verify=False disabling SSL " "certificate checks, security issue.", diff --git a/bandit/plugins/django_sql_injection.py b/bandit/plugins/django_sql_injection.py index 524a3ee87..c8469e665 100644 --- a/bandit/plugins/django_sql_injection.py +++ b/bandit/plugins/django_sql_injection.py @@ -77,6 +77,7 @@ def django_extra_used(context): if insecure: return bandit.Issue( severity=bandit.MEDIUM, + cwe=89, confidence=bandit.MEDIUM, text=description ) @@ -102,6 +103,7 @@ def django_rawsql_used(context): if not isinstance(sql, ast.Str): return bandit.Issue( severity=bandit.MEDIUM, + cwe=89, confidence=bandit.MEDIUM, text=description ) diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index 17e134607..89a3ce433 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py 
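Review bot: CWE-94 (Code Injection) describes the eventual consequence of the Werkzeug debugger being reachable, but the defect `flask_debug_true` actually detects is debug mode left enabled in an application, which is CWE-489 (Active Debug Code), the more specific and searchable mapping. Suggest `cwe=489,` here, keeping 94/95 for the plugins that flag code-evaluating calls. If the project prefers to map by impact rather than by root cause, that policy should be stated once in the plugin developer docs so the remaining mappings in this series follow the same rule.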
@@ -250,6 +250,7 @@ def check_risk(node): if not secure: return bandit.Issue( severity=bandit.MEDIUM, + cwe=80, confidence=bandit.HIGH, text=description ) diff --git a/bandit/plugins/exec.py b/bandit/plugins/exec.py index 3d7d8c2d7..e170a2b2e 100644 --- a/bandit/plugins/exec.py +++ b/bandit/plugins/exec.py @@ -41,6 +41,7 @@ def exec_issue(): return bandit.Issue( severity=bandit.MEDIUM, + cwe=78, confidence=bandit.HIGH, text="Use of exec detected." ) diff --git a/bandit/plugins/general_bad_file_permissions.py b/bandit/plugins/general_bad_file_permissions.py index f02a85219..c6344333b 100644 --- a/bandit/plugins/general_bad_file_permissions.py +++ b/bandit/plugins/general_bad_file_permissions.py @@ -73,6 +73,7 @@ def set_bad_file_permissions(context): filename = 'NOT PARSED' return bandit.Issue( severity=sev_level, + cwe=78, confidence=bandit.HIGH, text="Chmod setting a permissive mask %s on file (%s)." % (oct(mode), filename) diff --git a/bandit/plugins/general_bind_all_interfaces.py b/bandit/plugins/general_bind_all_interfaces.py index 1971aa540..77f2f24a2 100644 --- a/bandit/plugins/general_bind_all_interfaces.py +++ b/bandit/plugins/general_bind_all_interfaces.py @@ -43,6 +43,7 @@ def hardcoded_bind_all_interfaces(context): if context.string_val == '0.0.0.0': return bandit.Issue( severity=bandit.MEDIUM, + cwe=605, confidence=bandit.MEDIUM, text="Possible binding to all interfaces." ) diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py index 2a44c4cc1..1d832cf03 100644 --- a/bandit/plugins/general_hardcoded_password.py +++ b/bandit/plugins/general_hardcoded_password.py @@ -22,6 +22,7 @@ def _report(value): return bandit.Issue( severity=bandit.LOW, + cwe=259, confidence=bandit.MEDIUM, text=("Possible hardcoded password: '%s'" % value)) diff --git a/bandit/plugins/general_hardcoded_tmp.py b/bandit/plugins/general_hardcoded_tmp.py index 535cf1b3d..b99ad4037 100644 --- a/bandit/plugins/general_hardcoded_tmp.py 
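Review bot: CWE-78 is OS Command Injection, but the `exec` plugin flags evaluation of Python source, which is CWE-95 (Eval Injection, a child of CWE-94); mapping it to 78 will mislead anyone filtering results by CWE. Change to `cwe=95,` (or 94 if the project wants the parent), and apply the same id wherever the `eval` blacklist entry is mapped so the two agree.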
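Review bot: `set_bad_file_permissions` reports a chmod with a permissive mask, and CWE-78 (OS Command Injection) has nothing to do with that; the matching weakness is CWE-732 (Incorrect Permission Assignment for Critical Resource), with CWE-276 (Incorrect Default Permissions) as the alternative. Change to `cwe=732,`. A per-plugin assertion on the returned issue's `cwe` in the functional tests would have caught this copy-paste and would guard the other mappings in this series.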
+++ b/bandit/plugins/general_hardcoded_tmp.py @@ -71,6 +71,7 @@ def hardcoded_tmp_directory(context, config): if any(context.string_val.startswith(s) for s in tmp_dirs): return bandit.Issue( severity=bandit.MEDIUM, + cwe=377, confidence=bandit.MEDIUM, text="Probable insecure usage of temp file/directory." ) diff --git a/bandit/plugins/hashlib_new_insecure_functions.py b/bandit/plugins/hashlib_new_insecure_functions.py index f40fc6a41..07a9d0a04 100644 --- a/bandit/plugins/hashlib_new_insecure_functions.py +++ b/bandit/plugins/hashlib_new_insecure_functions.py @@ -48,6 +48,7 @@ def hashlib_new(context): name.lower() in ('md4', 'md5', 'sha', 'sha1')): return bandit.Issue( severity=bandit.MEDIUM, + cwe=327, confidence=bandit.HIGH, text="Use of insecure MD4 or MD5 hash function.", lineno=context.node.lineno, diff --git a/bandit/plugins/injection_paramiko.py b/bandit/plugins/injection_paramiko.py index 4d26804b9..9e7e19c90 100644 --- a/bandit/plugins/injection_paramiko.py +++ b/bandit/plugins/injection_paramiko.py @@ -51,5 +51,6 @@ def paramiko_calls(context): if context.is_module_imported_like(module): if context.call_function_name in ['exec_command']: return bandit.Issue(severity=bandit.MEDIUM, + cwe=78, confidence=bandit.MEDIUM, text=issue_text) diff --git a/bandit/plugins/injection_shell.py b/bandit/plugins/injection_shell.py index 210716643..1e0b5a708 100644 --- a/bandit/plugins/injection_shell.py +++ b/bandit/plugins/injection_shell.py @@ -199,6 +199,7 @@ def subprocess_popen_with_shell_equals_true(context, config): if sev == bandit.LOW: return bandit.Issue( severity=bandit.LOW, + cwe=78, confidence=bandit.HIGH, text='subprocess call with shell=True seems safe, but ' 'may be changed in the future, consider ' @@ -208,6 +209,7 @@ def subprocess_popen_with_shell_equals_true(context, config): else: return bandit.Issue( severity=bandit.HIGH, + cwe=78, confidence=bandit.HIGH, text='subprocess call with shell=True identified, ' 'security issue.', 
@@ -287,6 +289,7 @@ def subprocess_without_shell_equals_true(context, config): if not has_shell(context): return bandit.Issue( severity=bandit.LOW, + cwe=78, confidence=bandit.HIGH, text='subprocess call - check for execution of untrusted ' 'input.', @@ -365,6 +368,7 @@ def any_other_function_with_shell_equals_true(context, config): if has_shell(context): return bandit.Issue( severity=bandit.MEDIUM, + cwe=78, confidence=bandit.LOW, text='Function call with shell=True parameter identified, ' 'possible security issue.', @@ -451,6 +455,7 @@ def start_process_with_a_shell(context, config): if sev == bandit.LOW: return bandit.Issue( severity=bandit.LOW, + cwe=78, confidence=bandit.HIGH, text='Starting a process with a shell: ' 'Seems safe, but may be changed in the future, ' @@ -459,6 +464,7 @@ def start_process_with_a_shell(context, config): else: return bandit.Issue( severity=bandit.HIGH, + cwe=78, confidence=bandit.HIGH, text='Starting a process with a shell, possible injection' ' detected, security issue.' @@ -547,6 +553,7 @@ def start_process_with_no_shell(context, config): if config and context.call_function_name_qual in config['no_shell']: return bandit.Issue( severity=bandit.LOW, + cwe=78, confidence=bandit.MEDIUM, text='Starting a process without a shell.' ) @@ -642,6 +649,7 @@ def start_process_with_partial_path(context, config): if isinstance(node, ast.Str) and not full_path_match.match(node.s): return bandit.Issue( severity=bandit.LOW, + cwe=78, confidence=bandit.HIGH, text='Starting a process with a partial executable path' ) diff --git a/bandit/plugins/injection_sql.py b/bandit/plugins/injection_sql.py index 3b5074635..ed17e82f0 100644 --- a/bandit/plugins/injection_sql.py +++ b/bandit/plugins/injection_sql.py 
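Review bot: `start_process_with_partial_path` flags executables resolved through the search path, whose weakness is CWE-426 (Untrusted Search Path) or CWE-427 (Uncontrolled Search Path Element), not command injection; mapping it to CWE-78 conflates it with the `shell=True` findings above. Suggest `cwe=426,` for that return. `start_process_with_no_shell` likewise reports a call with no shell involved; 78 is defensible there as argument injection, but a short comment explaining why it shares the id with the shell findings would help a maintainer.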
@@ -104,6 +104,7 @@ def hardcoded_sql_expressions(context): if _check_string(val[1]): return bandit.Issue( severity=bandit.MEDIUM, + cwe=89, confidence=bandit.MEDIUM if val[0] else bandit.LOW, text="Possible SQL injection vector through string-based " "query construction." diff --git a/bandit/plugins/injection_wildcard.py b/bandit/plugins/injection_wildcard.py index 2c70e22bc..032e060b4 100644 --- a/bandit/plugins/injection_wildcard.py +++ b/bandit/plugins/injection_wildcard.py @@ -132,6 +132,7 @@ def linux_commands_wildcard_injection(context, config): ): return bandit.Issue( severity=bandit.HIGH, + cwe=155, confidence=bandit.MEDIUM, text="Possible wildcard injection in call: %s" % context.call_function_name_qual, diff --git a/bandit/plugins/insecure_ssl_tls.py b/bandit/plugins/insecure_ssl_tls.py index d10dbc3f2..b2f6f0f5b 100644 --- a/bandit/plugins/insecure_ssl_tls.py +++ b/bandit/plugins/insecure_ssl_tls.py @@ -105,6 +105,7 @@ def ssl_with_bad_version(context, config): if context.check_call_arg_value('ssl_version', bad_ssl_versions): return bandit.Issue( severity=bandit.HIGH, + cwe=326, confidence=bandit.HIGH, text="ssl.wrap_socket call with insecure SSL/TLS protocol " "version identified, security issue.", @@ -114,6 +115,7 @@ def ssl_with_bad_version(context, config): if context.check_call_arg_value('method', bad_ssl_versions): return bandit.Issue( severity=bandit.HIGH, + cwe=326, confidence=bandit.HIGH, text="SSL.Context call with insecure SSL/TLS protocol " "version identified, security issue.", @@ -128,6 +130,7 @@ def ssl_with_bad_version(context, config): context.get_lineno_for_call_arg('ssl_version')) return bandit.Issue( severity=bandit.MEDIUM, + cwe=326, confidence=bandit.MEDIUM, text="Function call with insecure SSL/TLS protocol " "identified, possible security issue.", 
@@ -186,6 +189,7 @@ def ssl_with_bad_defaults(context, config): if val in bad_ssl_versions: return bandit.Issue( severity=bandit.MEDIUM, + cwe=326, confidence=bandit.MEDIUM, text="Function definition identified with insecure SSL/TLS " "protocol version by default, possible security " @@ -245,6 +249,7 @@ def ssl_with_no_version(context): # tests for that (ssl_version is not specified). return bandit.Issue( severity=bandit.LOW, + cwe=326, confidence=bandit.MEDIUM, text="ssl.wrap_socket call with no SSL/TLS protocol version " "specified, the default SSLv23 could be insecure, " diff --git a/bandit/plugins/jinja2_templates.py b/bandit/plugins/jinja2_templates.py index 5f0cce492..a6dd254cf 100644 --- a/bandit/plugins/jinja2_templates.py +++ b/bandit/plugins/jinja2_templates.py @@ -83,6 +83,7 @@ def jinja2_autoescape_false(context): getattr(node.value, 'value', None) is False)): return bandit.Issue( severity=bandit.HIGH, + cwe=94, confidence=bandit.HIGH, text="Using jinja2 templates with autoescape=" "False is dangerous and can lead to XSS. " @@ -103,6 +104,7 @@ def jinja2_autoescape_false(context): else: return bandit.Issue( severity=bandit.HIGH, + cwe=94, confidence=bandit.MEDIUM, text="Using jinja2 templates with autoescape=" "False is dangerous and can lead to XSS. " @@ -114,6 +116,7 @@ def jinja2_autoescape_false(context): # behavior return bandit.Issue( severity=bandit.HIGH, + cwe=94, confidence=bandit.HIGH, text="By default, jinja2 sets autoescape to False. Consider " "using autoescape=True or use the select_autoescape " diff --git a/bandit/plugins/mako_templates.py b/bandit/plugins/mako_templates.py index 52bade79f..922d9bbc8 100644 --- a/bandit/plugins/mako_templates.py +++ b/bandit/plugins/mako_templates.py 
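Review bot: All three `jinja2_autoescape_false` issues describe XSS in their text but are mapped to CWE-94 (Code Injection); the canonical weakness for disabled output escaping is CWE-79 (Improper Neutralization of Input During Web Page Generation), which is also what the django_xss plugin in this patch targets with the related CWE-80. Use `cwe=79,` in all three returns so the XSS plugins agree; otherwise a report filtered on CWE-79 would miss every jinja2 finding.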
@@ -57,6 +57,7 @@ def use_of_mako_templates(context): # feature and thus each variable must be carefully sanitized. return bandit.Issue( severity=bandit.MEDIUM, + cwe=94, confidence=bandit.HIGH, text="Mako templates allow HTML/JS rendering by default and " "are inherently open to XSS attacks. Ensure variables " diff --git a/bandit/plugins/ssh_no_host_key_verification.py b/bandit/plugins/ssh_no_host_key_verification.py index c491c538b..3aed26276 100644 --- a/bandit/plugins/ssh_no_host_key_verification.py +++ b/bandit/plugins/ssh_no_host_key_verification.py @@ -46,6 +46,7 @@ def ssh_no_host_key_verification(context): context.call_args[0] in ['AutoAddPolicy', 'WarningPolicy']): issue = bandit.Issue( severity=bandit.HIGH, + cwe=295, confidence=bandit.MEDIUM, text='Paramiko call with policy set to automatically trust ' 'the unknown host key.', diff --git a/bandit/plugins/try_except_continue.py b/bandit/plugins/try_except_continue.py index 264a23338..19694762a 100644 --- a/bandit/plugins/try_except_continue.py +++ b/bandit/plugins/try_except_continue.py @@ -96,5 +96,6 @@ def try_except_continue(context, config): if isinstance(node.body[0], ast.Continue): return bandit.Issue( severity=bandit.LOW, + cwe=703, confidence=bandit.HIGH, text=("Try, Except, Continue detected.")) diff --git a/bandit/plugins/try_except_pass.py b/bandit/plugins/try_except_pass.py index ae107ca2d..c253f5b51 100644 --- a/bandit/plugins/try_except_pass.py +++ b/bandit/plugins/try_except_pass.py @@ -95,6 +95,7 @@ def try_except_pass(context, config): if isinstance(node.body[0], ast.Pass): return bandit.Issue( severity=bandit.LOW, + cwe=703, confidence=bandit.HIGH, text=("Try, Except, Pass detected.") ) diff --git a/bandit/plugins/weak_cryptographic_key.py b/bandit/plugins/weak_cryptographic_key.py index 22920626b..95bccce64 100644 --- a/bandit/plugins/weak_cryptographic_key.py +++ b/bandit/plugins/weak_cryptographic_key.py 
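Review bot: Same mismatch as jinja2: the mako issue text says the templates are "inherently open to XSS attacks", yet the mapping is CWE-94; the matching weakness is `cwe=79,`. Keeping the template plugins on one id makes the CWE column actually usable for triage.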
@@ -70,6 +70,7 @@ def _classify_key_size(config, key_type, key_size): if key_size < size: return bandit.Issue( severity=level, + cwe=326, confidence=bandit.HIGH, text='%s key sizes below %d bits are considered breakable. ' % (key_type, size)) diff --git a/bandit/plugins/yaml_load.py b/bandit/plugins/yaml_load.py index dd81a227d..c161d1af4 100644 --- a/bandit/plugins/yaml_load.py +++ b/bandit/plugins/yaml_load.py @@ -60,6 +60,7 @@ def yaml_load(context): ]): return bandit.Issue( severity=bandit.MEDIUM, + cwe=20, confidence=bandit.HIGH, text="Use of unsafe yaml load. Allows instantiation of" " arbitrary objects. Consider yaml.safe_load().", diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index e3b73702d..e6a57ec03 100644 --- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -737,6 +737,7 @@ def test_baseline_filter(self): "filename": "%s/examples/flask_debug.py", "issue_confidence": "MEDIUM", "issue_severity": "HIGH", + "issue_cwe": "94", "issue_text": "%s", "line_number": 10, "line_range": [ diff --git a/tests/unit/core/test_blacklisting.py b/tests/unit/core/test_blacklisting.py index 2889fd3ed..760b1a286 100644 --- a/tests/unit/core/test_blacklisting.py +++ b/tests/unit/core/test_blacklisting.py @@ -18,6 +18,7 @@ def test_report_issue(self): self.assertIsInstance(issue_dict, dict) self.assertEqual('B000', issue_dict['test_id']) self.assertEqual('HIGH', issue_dict['issue_severity']) + self.assertEqual(0, issue_dict['issue_cwe']) self.assertEqual('HIGH', issue_dict['issue_confidence']) self.assertEqual('test name', issue_dict['issue_text']) @@ -29,5 +30,6 @@ def test_report_issue_defaults(self): self.assertIsInstance(issue_dict, dict) self.assertEqual('LEGACY', issue_dict['test_id']) self.assertEqual('MEDIUM', issue_dict['issue_severity']) + self.assertEqual(0, issue_dict['issue_cwe']) self.assertEqual('HIGH', issue_dict['issue_confidence']) self.assertEqual('test name', issue_dict['issue_text']) 
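Review bot: `yaml.load` without a safe Loader instantiates arbitrary Python objects from the document, which is CWE-502 (Deserialization of Untrusted Data); CWE-20 is the generic parent "Improper Input Validation" and will not surface this finding in deserialization-focused filters. Suggest `cwe=502,`, and the same id for any pickle/marshal blacklist entries if they are mapped later in this series.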
diff --git a/tests/unit/core/test_issue.py b/tests/unit/core/test_issue.py index 4d4fab6b2..d3057001b 100644 --- a/tests/unit/core/test_issue.py +++ b/tests/unit/core/test_issue.py @@ -21,8 +21,8 @@ def test_issue_create(self): def test_issue_str(self): test_issue = _get_issue_instance() self.assertEqual( - ("Issue: 'Test issue' from B999:bandit_plugin: Severity: MEDIUM " - "Confidence: MEDIUM at code.py:1"), + ("Issue: 'Test issue' from B999:bandit_plugin: CWE: 123," + " Severity: MEDIUM Confidence: MEDIUM at code.py:1"), str(test_issue) ) @@ -41,7 +41,7 @@ def test_issue_as_dict(self): def test_issue_filter_severity(self): levels = [bandit.LOW, bandit.MEDIUM, bandit.HIGH] - issues = [_get_issue_instance(l, bandit.HIGH) for l in levels] + issues = [_get_issue_instance(x, bandit.HIGH) for x in levels] for level in levels: rank = constants.RANKING.index(level) @@ -52,7 +52,7 @@ def test_issue_filter_severity(self): def test_issue_filter_confidence(self): levels = [bandit.LOW, bandit.MEDIUM, bandit.HIGH] - issues = [_get_issue_instance(bandit.HIGH, l) for l in levels] + issues = [_get_issue_instance(bandit.HIGH, x) for x in levels] for level in levels: rank = constants.RANKING.index(level) @@ -108,7 +108,7 @@ def test_matches_issue(self): @mock.patch('linecache.getline') def test_get_code(self, getline): getline.return_value = b'\x08\x30' - new_issue = issue.Issue(bandit.MEDIUM, lineno=1) + new_issue = issue.Issue(bandit.MEDIUM, cwe=123, lineno=1) try: new_issue.get_code() @@ -116,8 +116,9 @@ def test_get_code(self, getline): self.fail('Bytes not properly decoded in issue.get_code()') -def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM): - new_issue = issue.Issue(severity, confidence, 'Test issue') +def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, + confidence=bandit.MEDIUM): + new_issue = issue.Issue(severity, cwe, confidence, 'Test issue') new_issue.fname = 'code.py' new_issue.test = 'bandit_plugin' new_issue.test_id = 'B999' 
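Review bot: `_get_issue_instance`'s second positional parameter is now `cwe`, but the two call sites in this patch still pass a confidence level there: `_get_issue_instance(x, bandit.HIGH)` sets cwe='HIGH' with confidence left at the MEDIUM default, and in test_issue_filter_confidence `_get_issue_instance(bandit.HIGH, x)` never varies confidence at all, so that test no longer exercises the confidence filter. Pass it by keyword, `issues = [_get_issue_instance(x, confidence=bandit.HIGH) for x in levels]` and `issues = [_get_issue_instance(bandit.HIGH, confidence=x) for x in levels]`, or move `cwe` to the end of the helper's signature. The same helper shape was copied into test_html.py, test_screen.py and test_text.py, whose callers are outside this patch and should be checked for the same shift.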
diff --git a/tests/unit/core/test_manager.py b/tests/unit/core/test_manager.py index a9cfd21cc..a098a316f 100644 --- a/tests/unit/core/test_manager.py +++ b/tests/unit/core/test_manager.py @@ -18,8 +18,9 @@ class ManagerTests(testtools.TestCase): - def _get_issue_instance(self, sev=constants.MEDIUM, conf=constants.MEDIUM): - new_issue = issue.Issue(sev, conf, 'Test issue') + def _get_issue_instance(self, sev=constants.MEDIUM, cwe=123, + conf=constants.MEDIUM): + new_issue = issue.Issue(sev, cwe, conf, 'Test issue') new_issue.fname = 'code.py' new_issue.test = 'bandit_plugin' new_issue.lineno = 1 @@ -111,6 +112,7 @@ def test_populate_baseline_success(self): "code": "test code", "filename": "example_file.py", "issue_severity": "low", + "issue_cwe": "123", "issue_confidence": "low", "issue_text": "test issue", "test_name": "some_test", @@ -122,7 +124,9 @@ def test_populate_baseline_success(self): } """ issue_dictionary = {"code": "test code", "filename": "example_file.py", - "issue_severity": "low", "issue_confidence": "low", + "issue_severity": "low", + "issue_cwe": "123", + "issue_confidence": "low", "issue_text": "test issue", "test_name": "some_test", "test_id": "x", "line_number": "n", "line_range": "n-m"} @@ -142,10 +146,10 @@ def test_populate_baseline_invalid_json(self, mock_logger_warning): def test_results_count(self): levels = [constants.LOW, constants.MEDIUM, constants.HIGH] self.manager.results = ( - [issue.Issue(severity=l, confidence=l) for l in levels]) + [issue.Issue(severity=x, cwe=123, confidence=x) for x in levels]) - r = [self.manager.results_count(sev_filter=l, conf_filter=l) - for l in levels] + r = [self.manager.results_count(sev_filter=x, conf_filter=x) + for x in levels] self.assertEqual([3, 2, 1], r) diff --git a/tests/unit/formatters/test_csv.py b/tests/unit/formatters/test_csv.py index 1d459711e..6e24f4619 100644 --- a/tests/unit/formatters/test_csv.py +++ b/tests/unit/formatters/test_csv.py 
@@ -26,7 +26,7 @@ def setUp(self): 'lineno': 4, 'linerange': [4]} self.check_name = 'hardcoded_bind_all_interfaces' - self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM, + self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM, 'Possible binding to all interfaces.') self.manager.out_file = self.tmp_fname diff --git a/tests/unit/formatters/test_html.py b/tests/unit/formatters/test_html.py index 30dd35484..c04793ae8 100644 --- a/tests/unit/formatters/test_html.py +++ b/tests/unit/formatters/test_html.py @@ -142,8 +142,9 @@ def test_escaping(self, get_issue_list, get_code): self.assertNotIn(marker, contents) -def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM): - new_issue = issue.Issue(severity, confidence, 'Test issue') +def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, + confidence=bandit.MEDIUM): + new_issue = issue.Issue(severity, cwe, confidence, 'Test issue') new_issue.fname = 'code.py' new_issue.test = 'bandit_plugin' new_issue.lineno = 1 diff --git a/tests/unit/formatters/test_json.py b/tests/unit/formatters/test_json.py index 37077e289..0f51d9e30 100644 --- a/tests/unit/formatters/test_json.py +++ b/tests/unit/formatters/test_json.py @@ -29,13 +29,13 @@ def setUp(self): 'lineno': 4, 'linerange': [4]} self.check_name = 'hardcoded_bind_all_interfaces' - self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM, + self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM, 'Possible binding to all interfaces.') - self.candidates = [issue.Issue(bandit.LOW, bandit.LOW, 'Candidate A', - lineno=1), - issue.Issue(bandit.HIGH, bandit.HIGH, 'Candiate B', - lineno=2)] + self.candidates = [issue.Issue(123, bandit.LOW, bandit.LOW, + 'Candidate A', lineno=1), + issue.Issue(bandit.HIGH, 123, bandit.HIGH, + 'Candiate B', lineno=2)] self.manager.out_file = self.tmp_fname diff --git a/tests/unit/formatters/test_screen.py b/tests/unit/formatters/test_screen.py index 12dca6881..37913b05a 100644 --- a/tests/unit/formatters/test_screen.py 
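Review bot: The first candidate in test_json.py's setUp is built as `issue.Issue(123, bandit.LOW, bandit.LOW, 'Candidate A', lineno=1)`, which binds severity=123 and cwe='LOW', the reverse of the second candidate and of the identical fixture in test_yaml.py in this patch; the fixture no longer tests what it did, and any severity-based ranking in the formatter would see a non-string severity. It should read `issue.Issue(bandit.LOW, 123, bandit.LOW, 'Candidate A', lineno=1),`. That this slipped through is a direct consequence of adding a required positional argument in the middle of the `Issue` signature.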
+++ b/tests/unit/formatters/test_screen.py @@ -32,8 +32,9 @@ def _template(_issue, _indent_val, _code, _color): return_val = ["{}{}>> Issue: [{}:{}] {}". format(_indent_val, _color, _issue.test_id, _issue.test, _issue.text), - "{} Severity: {} Confidence: {}". + "{} Severity: {} CWE: {} Confidence: {}". format(_indent_val, _issue.severity.capitalize(), + _issue.cwe, _issue.confidence.capitalize()), "{} Location: {}:{}". format(_indent_val, _issue.fname, _issue.lineno), @@ -198,8 +199,9 @@ def test_report_baseline(self, get_issue_list): output_str.assert_has_calls(calls, any_order=True) -def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM): - new_issue = issue.Issue(severity, confidence, 'Test issue') +def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, + confidence=bandit.MEDIUM): + new_issue = issue.Issue(severity, cwe, confidence, 'Test issue') new_issue.fname = 'code.py' new_issue.test = 'bandit_plugin' new_issue.lineno = 1 diff --git a/tests/unit/formatters/test_text.py b/tests/unit/formatters/test_text.py index 355ace979..585df1e1b 100644 --- a/tests/unit/formatters/test_text.py +++ b/tests/unit/formatters/test_text.py @@ -32,8 +32,9 @@ def _template(_issue, _indent_val, _code): return_val = ["{}>> Issue: [{}:{}] {}". format(_indent_val, _issue.test_id, _issue.test, _issue.text), - "{} Severity: {} Confidence: {}". + "{} Severity: {} CWE: {} Confidence: {}". format(_indent_val, _issue.severity.capitalize(), + _issue.cwe, _issue.confidence.capitalize()), "{} Location: {}:{}". format(_indent_val, _issue.fname, _issue.lineno), @@ -130,6 +131,7 @@ def test_report_nobaseline(self, get_issue_list): 'binding.py (score: ', "CONFIDENCE: 1", "SEVERITY: 1", + "CWE: 123", 'Files excluded (1):', 'def.py', 'Undefined: 1', 
@@ -186,8 +188,9 @@ def test_report_baseline(self, get_issue_list): output_str.assert_has_calls(calls, any_order=True) -def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM): - new_issue = issue.Issue(severity, confidence, 'Test issue') +def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, + confidence=bandit.MEDIUM): + new_issue = issue.Issue(severity, cwe, confidence, 'Test issue') new_issue.fname = 'code.py' new_issue.test = 'bandit_plugin' new_issue.lineno = 1 diff --git a/tests/unit/formatters/test_xml.py b/tests/unit/formatters/test_xml.py index dd5e16d4a..aba23581e 100644 --- a/tests/unit/formatters/test_xml.py +++ b/tests/unit/formatters/test_xml.py @@ -26,7 +26,7 @@ def setUp(self): 'lineno': 4, 'linerange': [4]} self.check_name = 'hardcoded_bind_all_interfaces' - self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM, + self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM, 'Possible binding to all interfaces.') self.manager.out_file = self.tmp_fname diff --git a/tests/unit/formatters/test_yaml.py b/tests/unit/formatters/test_yaml.py index de204ec1f..aeaceee85 100644 --- a/tests/unit/formatters/test_yaml.py +++ b/tests/unit/formatters/test_yaml.py @@ -29,13 +29,13 @@ def setUp(self): 'lineno': 4, 'linerange': [4]} self.check_name = 'hardcoded_bind_all_interfaces' - self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM, + self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM, 'Possible binding to all interfaces.') - self.candidates = [issue.Issue(bandit.LOW, bandit.LOW, 'Candidate A', - lineno=1), - issue.Issue(bandit.HIGH, bandit.HIGH, 'Candiate B', - lineno=2)] + self.candidates = [issue.Issue(bandit.LOW, 123, bandit.LOW, + 'Candidate A', lineno=1), + issue.Issue(bandit.HIGH, 123, bandit.HIGH, + 'Candiate B', lineno=2)] self.manager.out_file = self.tmp_fname From 555b912550121627a4fc80545536c2a38d3a2e58 Mon Sep 17 00:00:00 2001 
From: Julian Thome Date: Tue, 19 May 2020 13:40:33 +0200 Subject: [PATCH 02/18] Integrated Cwe class and url information. --- bandit/core/blacklisting.py | 2 +- bandit/core/issue.py | 79 +++++++++++++++++-- bandit/formatters/csv.py | 1 + bandit/formatters/screen.py | 4 +- bandit/formatters/text.py | 4 +- bandit/plugins/app_debug.py | 3 +- bandit/plugins/asserts.py | 3 +- .../crypto_request_no_cert_validation.py | 3 +- bandit/plugins/django_sql_injection.py | 5 +- bandit/plugins/django_xss.py | 3 +- bandit/plugins/exec.py | 3 +- .../plugins/general_bad_file_permissions.py | 3 +- bandit/plugins/general_bind_all_interfaces.py | 3 +- bandit/plugins/general_hardcoded_password.py | 3 +- bandit/plugins/general_hardcoded_tmp.py | 3 +- .../plugins/hashlib_new_insecure_functions.py | 3 +- bandit/plugins/injection_paramiko.py | 3 +- bandit/plugins/injection_shell.py | 16 ++-- bandit/plugins/injection_sql.py | 3 +- bandit/plugins/injection_wildcard.py | 4 +- bandit/plugins/insecure_ssl_tls.py | 11 +-- bandit/plugins/jinja2_templates.py | 7 +- bandit/plugins/mako_templates.py | 3 +- .../plugins/ssh_no_host_key_verification.py | 3 +- bandit/plugins/try_except_continue.py | 3 +- bandit/plugins/try_except_pass.py | 3 +- bandit/plugins/weak_cryptographic_key.py | 3 +- bandit/plugins/yaml_load.py | 3 +- tests/functional/test_functional.py | 5 +- tests/unit/core/test_blacklisting.py | 5 +- tests/unit/core/test_issue.py | 15 +++- tests/unit/core/test_manager.py | 20 +++-- tests/unit/formatters/test_json.py | 13 ++- tests/unit/formatters/test_text.py | 5 +- tests/unit/formatters/test_xml.py | 4 +- 35 files changed, 185 insertions(+), 69 deletions(-) diff --git a/bandit/core/blacklisting.py b/bandit/core/blacklisting.py index 67b7680aa..aecf1512f 100644 --- a/bandit/core/blacklisting.py +++ b/bandit/core/blacklisting.py 
@@ -12,7 +12,7 @@ def report_issue(check, name): return issue.Issue( - severity=check.get('level', 'MEDIUM'), cwe=0, confidence='HIGH', + severity=check.get('level', 'MEDIUM'), confidence='HIGH', text=check['message'].replace('{name}', name), ident=name, test_id=check.get("id", 'LEGACY')) diff --git a/bandit/core/issue.py b/bandit/core/issue.py index 2e653cc82..3c5f7b66c 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py 
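Review bot: Dropping `cwe=0` from the `issue.Issue(...)` call in `report_issue` means every blacklist finding now falls back to the `Cwe.UNDEF` default and serializes as an empty `issue_cwe`, so the whole blacklist-driven family of checks carries no CWE while the plugin-based checks do. If the blacklist definitions can hold a mapping, reading it here — `cwe=check.get('cwe', issue.Cwe.UNDEF),` — lets entries be annotated one by one without touching this function again; the blacklist data schema is not visible from this hunk, so that is a suggestion to confirm against it. The empty `{}` that `UNDEF` produces also has to be tolerated by every formatter that indexes into `issue_cwe`.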
@@ -14,12 +14,71 @@ from bandit.core import constants +class Cwe(object): + UNDEF = 0 + IMPROPER_INPUT_VALIDATION = 20 + OS_COMMAND_INJECTION = 78 + BASIC_XSS = 80 + SQL_INJECTION = 89 + CODE_INJECTION = 94 + IMPROPER_WILDCARD_NEUTRALIZATION = 155 + HARD_CODED_PASSWORD = 259 + IMPROPER_CERT_VALIDATION = 295 + INADEQUATE_ENCRYPTION_STRENGH = 326 + BROKEN_CRYPTO = 327 + INSECURE_TEMP_FILE = 377 + MULTIPLE_BINDS = 605 + IMPROPER_CHECK_OF_EXEPT_COND = 703 + INCORRECT_PERMISSION_ASSIGNMENT = 732 + + MITRE_URL_PATTERN = "https://cwe.mitre.org/data/definitions/%s.html" + + def __init__(self, id=UNDEF): + self.id = id + + def link(self): + if self.id == Cwe.UNDEF: + return "" + + return Cwe.MITRE_URL_PATTERN % str(self.id) + + def __str__(self): + if self.id == Cwe.UNDEF: + return "" + + return "CWE-%i (%s)" % (self.id, self.link()) + + def as_dict(self): + return { + "id": self.id, + "link": self.link() + } if self.id != Cwe.UNDEF else {} + + def as_jsons(self): + return str(self.as_dict()) + + def from_dict(self, data): + if 'id' in data: + self.id = int(data['id']) + else: + self.id = Cwe.UNDEF + + def __eq__(self, other): + return self.id == other.id + + def __ne__(self, other): + return self.id != other.id + + def __hash__(self): + return id(self) + + class Issue(object): - def __init__(self, severity, cwe, + def __init__(self, severity, cwe=0, confidence=constants.CONFIDENCE_DEFAULT, text="", ident=None, lineno=None, test_id=""): self.severity = severity - self.cwe = cwe + self.cwe = Cwe(cwe) self.confidence = confidence if isinstance(text, bytes): text = text.decode('utf-8') 
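Review bot: `Cwe.__hash__` returns `id(self)` while `__eq__` compares `self.id`, so two equal `Cwe` objects hash differently and misbehave as dict keys or set members; hash on the value instead, and guard `__eq__` against non-`Cwe` operands, which today raise `AttributeError` on `.id` (e.g. `Cwe(94) == None`). `as_jsons` returns `str(self.as_dict())`, which is a Python repr with single quotes rather than JSON — either drop the method or build it with `json.dumps(self.as_dict())`. The `id` parameter of `__init__` shadows the builtin that `__hash__` relies on a few lines later; `cwe_id` avoids the trap. Separately, `Issue.__init__` now takes `cwe` as the second positional parameter ahead of `confidence`, which silently mis-assigns any third-party plugin still calling `bandit.Issue(sev, conf, text)` positionally (the swapped `Candidate A` fixture in `tests/unit/formatters/test_json.py` later in this series shows how easy that is); appending it after `test_id`, or making it keyword-only if Python 2 no longer has to be supported, keeps the old call shape working.
```python
    def __init__(self, cwe_id=UNDEF):
        self.id = cwe_id

    # … unchanged: link, __str__, as_dict, as_jsons, from_dict …

    def __eq__(self, other):
        return isinstance(other, Cwe) and self.id == other.id

    def __ne__(self, other):
        return not self.__eq__(other)

    def __hash__(self):
        return hash(self.id)
```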
@@ -32,9 +91,9 @@ def __init__(self, severity, cwe, self.linerange = [] def __str__(self): - return ("Issue: '%s' from %s:%s: CWE: %i, Severity: %s Confidence: " + return ("Issue: '%s' from %s:%s: CWE: %s, Severity: %s Confidence: " "%s at %s:%i") % (self.text, self.test_id, - (self.ident or self.test), self.cwe, + (self.ident or self.test), str(self.cwe), self.severity, self.confidence, self.fname, self.lineno) @@ -104,7 +163,7 @@ def as_dict(self, with_code=True): 'test_name': self.test, 'test_id': self.test_id, 'issue_severity': self.severity, - 'issue_cwe': self.cwe, + 'issue_cwe': self.cwe.as_dict(), 'issue_confidence': self.confidence, 'issue_text': self.text.encode('utf-8').decode('utf-8'), 'line_number': self.lineno, @@ -119,7 +178,7 @@ def from_dict(self, data, with_code=True): self.code = data["code"] self.fname = data["filename"] self.severity = data["issue_severity"] - self.cwe = int(data["issue_cwe"]) + self.cwe = cwe_from_dict(data["issue_cwe"]) self.confidence = data["issue_confidence"] self.text = data["issue_text"] self.test = data["test_name"] @@ -128,7 +187,13 @@ def from_dict(self, data, with_code=True): self.linerange = data["line_range"] +def cwe_from_dict(data): + cwe = Cwe() + cwe.from_dict(data) + return cwe + + def issue_from_dict(data): - i = Issue(severity=data["issue_severity"], cwe=int(data["issue_cwe"])) + i = Issue(severity=data["issue_severity"]) i.from_dict(data) return i diff --git a/bandit/formatters/csv.py b/bandit/formatters/csv.py index 93135d6fd..c6538275c 100644 --- a/bandit/formatters/csv.py +++ b/bandit/formatters/csv.py @@ -68,6 +68,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): writer.writeheader() for result in results: r = result.as_dict(with_code=False) + r['issue_cwe'] = r['issue_cwe']['link'] r['more_info'] = docs_utils.get_url(r['test_id']) writer.writerow(r) diff --git a/bandit/formatters/screen.py b/bandit/formatters/screen.py index e19429a67..651d165bc 100644 
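Review bot: `self.cwe = cwe_from_dict(data["issue_cwe"])` in `Issue.from_dict` indexes a key that baseline files written before this series do not contain, so loading an existing baseline will now abort with `KeyError: 'issue_cwe'` instead of degrading gracefully; the other keys read in this hunk (`code`, `filename`, `issue_severity`, …) were already part of the format as far as the removed lines show, this one is new. Use `self.cwe = cwe_from_dict(data.get("issue_cwe", {}))` — `Cwe.from_dict` already maps a missing `id` to `UNDEF`, so an old baseline yields an unmapped CWE rather than an exception. The `from_dict` signature and its `with_code` handling begin outside the hunk.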
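Review bot: `r['issue_cwe'] = r['issue_cwe']['link']` in the CSV `report` loop raises `KeyError: 'link'` for any issue whose CWE is `Cwe.UNDEF`, because `Cwe.as_dict()` returns `{}` in that case — and after the `blacklisting.py` change in this same commit every blacklist finding (`report_issue` passes no `cwe`) is exactly that, so a CSV report containing a single blacklist hit crashes the formatter. Write `r['issue_cwe'] = r['issue_cwe'].get('link', '')`, or emit the numeric id, which is more useful in a spreadsheet than a URL. The `report` function itself starts above the hunk.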
--- a/bandit/formatters/screen.py +++ b/bandit/formatters/screen.py @@ -100,8 +100,8 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True, indent, COLOR[issue.severity], issue.test_id, issue.test, issue.text)) - bits.append("%s Severity: %s CWE: %i Confidence: %s" % ( - indent, issue.severity.capitalize(), issue.cwe, + bits.append("%s Severity: %s CWE: %s Confidence: %s" % ( + indent, issue.severity.capitalize(), str(issue.cwe), issue.confidence.capitalize())) bits.append("%s Location: %s:%s" % ( diff --git a/bandit/formatters/text.py b/bandit/formatters/text.py index 25034f044..3e8087fb9 100644 --- a/bandit/formatters/text.py +++ b/bandit/formatters/text.py @@ -73,8 +73,8 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True, bits.append("%s>> Issue: [%s:%s] %s" % ( indent, issue.test_id, issue.test, issue.text)) - bits.append("%s Severity: %s CWE: %i Confidence: %s" % ( - indent, issue.severity.capitalize(), issue.cwe, + bits.append("%s Severity: %s CWE: %s Confidence: %s" % ( + indent, issue.severity.capitalize(), str(issue.cwe), issue.confidence.capitalize())) bits.append("%s Location: %s:%s" % ( diff --git a/bandit/plugins/app_debug.py b/bandit/plugins/app_debug.py index 0ef80e3b2..d9547eed2 100644 --- a/bandit/plugins/app_debug.py +++ b/bandit/plugins/app_debug.py @@ -40,6 +40,7 @@ """ import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -51,7 +52,7 @@ def flask_debug_true(context): if context.check_call_arg_value('debug', 'True'): return bandit.Issue( severity=bandit.HIGH, - cwe=94, + cwe=Cwe.CODE_INJECTION, confidence=bandit.MEDIUM, text="A Flask app appears to be run with debug=True, " "which exposes the Werkzeug debugger and allows " diff --git a/bandit/plugins/asserts.py b/bandit/plugins/asserts.py index 60715c014..3deec5529 100644 --- a/bandit/plugins/asserts.py +++ b/bandit/plugins/asserts.py 
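Review bot: `from bandit.core.issue import Cwe as Cwe` is inserted between `import bandit` and `from bandit.core import test_properties as test`, which breaks the alphabetical ordering of the existing imports (`bandit.core` sorts before `bandit.core.issue`) and carries a no-op `as Cwe` alias; the identical two-line pattern is repeated in every plugin this commit touches. Write it as `from bandit.core.issue import Cwe` placed after the `test_properties` import, or, since plugins already reach `Issue` as `bandit.Issue`, re-export `Cwe` from the package too so a plugin can write `bandit.Cwe.CODE_INJECTION` with no new import at all.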
@@ -41,6 +41,7 @@ """ import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -49,7 +50,7 @@ def assert_used(context): return bandit.Issue( severity=bandit.LOW, - cwe=703, + cwe=Cwe.IMPROPER_CHECK_OF_EXEPT_COND, confidence=bandit.HIGH, text=("Use of assert detected. The enclosed code " "will be removed when compiling to optimised byte code.") diff --git a/bandit/plugins/crypto_request_no_cert_validation.py b/bandit/plugins/crypto_request_no_cert_validation.py index 195ab8c7f..6e1378064 100644 --- a/bandit/plugins/crypto_request_no_cert_validation.py +++ b/bandit/plugins/crypto_request_no_cert_validation.py @@ -42,6 +42,7 @@ """ import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -54,7 +55,7 @@ def request_with_no_cert_validation(context): if context.check_call_arg_value('verify', 'False'): issue = bandit.Issue( severity=bandit.HIGH, - cwe=295, + cwe=Cwe.IMPROPER_CERT_VALIDATION, confidence=bandit.HIGH, text="Requests call with verify=False disabling SSL " "certificate checks, security issue.", diff --git a/bandit/plugins/django_sql_injection.py b/bandit/plugins/django_sql_injection.py index c8469e665..5f4dabbf1 100644 --- a/bandit/plugins/django_sql_injection.py +++ b/bandit/plugins/django_sql_injection.py @@ -8,6 +8,7 @@ import ast import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -77,7 +78,7 @@ def django_extra_used(context): if insecure: return bandit.Issue( severity=bandit.MEDIUM, - cwe=89, + cwe=Cwe.SQL_INJECTION, confidence=bandit.MEDIUM, text=description ) @@ -103,7 +104,7 @@ def django_rawsql_used(context): if not isinstance(sql, ast.Str): return bandit.Issue( severity=bandit.MEDIUM, - cwe=89, + cwe=Cwe.SQL_INJECTION, confidence=bandit.MEDIUM, text=description ) diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index 89a3ce433..e836cb38c 100644 
--- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -9,6 +9,7 @@ import six import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -250,7 +251,7 @@ def check_risk(node): if not secure: return bandit.Issue( severity=bandit.MEDIUM, - cwe=80, + cwe=Cwe.BASIC_XSS, confidence=bandit.HIGH, text=description ) diff --git a/bandit/plugins/exec.py b/bandit/plugins/exec.py index e170a2b2e..88b71937b 100644 --- a/bandit/plugins/exec.py +++ b/bandit/plugins/exec.py @@ -35,13 +35,14 @@ import six import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test def exec_issue(): return bandit.Issue( severity=bandit.MEDIUM, - cwe=78, + cwe=Cwe.OS_COMMAND_INJECTION, confidence=bandit.HIGH, text="Use of exec detected." ) diff --git a/bandit/plugins/general_bad_file_permissions.py b/bandit/plugins/general_bad_file_permissions.py index c6344333b..29705a88f 100644 --- a/bandit/plugins/general_bad_file_permissions.py +++ b/bandit/plugins/general_bad_file_permissions.py @@ -50,6 +50,7 @@ import stat import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -73,7 +74,7 @@ def set_bad_file_permissions(context): filename = 'NOT PARSED' return bandit.Issue( severity=sev_level, - cwe=78, + cwe=Cwe.INCORRECT_PERMISSION_ASSIGNMENT, confidence=bandit.HIGH, text="Chmod setting a permissive mask %s on file (%s)." % (oct(mode), filename) diff --git a/bandit/plugins/general_bind_all_interfaces.py b/bandit/plugins/general_bind_all_interfaces.py index 77f2f24a2..67ffabe9d 100644 --- a/bandit/plugins/general_bind_all_interfaces.py +++ b/bandit/plugins/general_bind_all_interfaces.py @@ -34,6 +34,7 @@ """ import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test 
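Review bot: `cwe=Cwe.OS_COMMAND_INJECTION` (CWE-78) in `exec_issue` is the wrong class for this finding: the check reports Python's `exec`, which evaluates Python source rather than a shell command, so CWE-94 (Improper Control of Generation of Code) is the fitting entry — the same one `app_debug.py` and `jinja2_templates.py` already use via `Cwe.CODE_INJECTION`. Change the line to `cwe=Cwe.CODE_INJECTION,`. Keeping CWE-78 here lumps the `exec` finding together with the `subprocess`/shell checks in `injection_shell.py` for any downstream tooling that groups results by CWE.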
@@ -43,7 +44,7 @@ def hardcoded_bind_all_interfaces(context): if context.string_val == '0.0.0.0': return bandit.Issue( severity=bandit.MEDIUM, - cwe=605, + cwe=Cwe.MULTIPLE_BINDS, confidence=bandit.MEDIUM, text="Possible binding to all interfaces." ) diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py index 1d832cf03..86abb60bf 100644 --- a/bandit/plugins/general_hardcoded_password.py +++ b/bandit/plugins/general_hardcoded_password.py @@ -9,6 +9,7 @@ import sys import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -22,7 +23,7 @@ def _report(value): return bandit.Issue( severity=bandit.LOW, - cwe=259, + cwe=Cwe.HARD_CODED_PASSWORD, confidence=bandit.MEDIUM, text=("Possible hardcoded password: '%s'" % value)) diff --git a/bandit/plugins/general_hardcoded_tmp.py b/bandit/plugins/general_hardcoded_tmp.py index b99ad4037..6ac5b3645 100644 --- a/bandit/plugins/general_hardcoded_tmp.py +++ b/bandit/plugins/general_hardcoded_tmp.py @@ -51,6 +51,7 @@ """ import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -71,7 +72,7 @@ def hardcoded_tmp_directory(context, config): if any(context.string_val.startswith(s) for s in tmp_dirs): return bandit.Issue( severity=bandit.MEDIUM, - cwe=377, + cwe=Cwe.INSECURE_TEMP_FILE, confidence=bandit.MEDIUM, text="Probable insecure usage of temp file/directory." ) diff --git a/bandit/plugins/hashlib_new_insecure_functions.py b/bandit/plugins/hashlib_new_insecure_functions.py index 07a9d0a04..4e9b4198d 100644 --- a/bandit/plugins/hashlib_new_insecure_functions.py +++ b/bandit/plugins/hashlib_new_insecure_functions.py @@ -31,6 +31,7 @@ """ import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test 
@@ -48,7 +49,7 @@ def hashlib_new(context): name.lower() in ('md4', 'md5', 'sha', 'sha1')): return bandit.Issue( severity=bandit.MEDIUM, - cwe=327, + cwe=Cwe.BROKEN_CRYPTO, confidence=bandit.HIGH, text="Use of insecure MD4 or MD5 hash function.", lineno=context.node.lineno, diff --git a/bandit/plugins/injection_paramiko.py b/bandit/plugins/injection_paramiko.py index 9e7e19c90..67a28c240 100644 --- a/bandit/plugins/injection_paramiko.py +++ b/bandit/plugins/injection_paramiko.py @@ -39,6 +39,7 @@ """ import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -51,6 +52,6 @@ def paramiko_calls(context): if context.is_module_imported_like(module): if context.call_function_name in ['exec_command']: return bandit.Issue(severity=bandit.MEDIUM, - cwe=78, + cwe=Cwe.OS_COMMAND_INJECTION, confidence=bandit.MEDIUM, text=issue_text) diff --git a/bandit/plugins/injection_shell.py b/bandit/plugins/injection_shell.py index 1e0b5a708..61c34ae92 100644 --- a/bandit/plugins/injection_shell.py +++ b/bandit/plugins/injection_shell.py @@ -10,8 +10,10 @@ import six import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test + # yuck, regex: starts with a windows drive letter (eg C:) # or one of our path delimeter characters (/, \, .) full_path_match = re.compile(r'^(?:[A-Za-z](?=\:)|[\\\/\.])') @@ -199,7 +201,7 @@ def subprocess_popen_with_shell_equals_true(context, config): if sev == bandit.LOW: return bandit.Issue( severity=bandit.LOW, - cwe=78, + cwe=Cwe.OS_COMMAND_INJECTION, confidence=bandit.HIGH, text='subprocess call with shell=True seems safe, but ' 'may be changed in the future, consider ' @@ -209,7 +211,7 @@ def subprocess_popen_with_shell_equals_true(context, config): else: return bandit.Issue( severity=bandit.HIGH, - cwe=78, + cwe=Cwe.OS_COMMAND_INJECTION, confidence=bandit.HIGH, text='subprocess call with shell=True identified, ' 'security issue.', 
@@ -289,7 +291,7 @@ def subprocess_without_shell_equals_true(context, config): if not has_shell(context): return bandit.Issue( severity=bandit.LOW, - cwe=78, + cwe=Cwe.OS_COMMAND_INJECTION, confidence=bandit.HIGH, text='subprocess call - check for execution of untrusted ' 'input.', @@ -368,7 +370,7 @@ def any_other_function_with_shell_equals_true(context, config): if has_shell(context): return bandit.Issue( severity=bandit.MEDIUM, - cwe=78, + cwe=Cwe.OS_COMMAND_INJECTION, confidence=bandit.LOW, text='Function call with shell=True parameter identified, ' 'possible security issue.', @@ -455,7 +457,7 @@ def start_process_with_a_shell(context, config): if sev == bandit.LOW: return bandit.Issue( severity=bandit.LOW, - cwe=78, + cwe=Cwe.OS_COMMAND_INJECTION, confidence=bandit.HIGH, text='Starting a process with a shell: ' 'Seems safe, but may be changed in the future, ' @@ -553,7 +555,7 @@ def start_process_with_no_shell(context, config): if config and context.call_function_name_qual in config['no_shell']: return bandit.Issue( severity=bandit.LOW, - cwe=78, + cwe=Cwe.OS_COMMAND_INJECTION, confidence=bandit.MEDIUM, text='Starting a process without a shell.' ) @@ -649,7 +651,7 @@ def start_process_with_partial_path(context, config): if isinstance(node, ast.Str) and not full_path_match.match(node.s): return bandit.Issue( severity=bandit.LOW, - cwe=78, + cwe=Cwe.OS_COMMAND_INJECTION, confidence=bandit.HIGH, text='Starting a process with a partial executable path' ) diff --git a/bandit/plugins/injection_sql.py b/bandit/plugins/injection_sql.py index ed17e82f0..b03d65bb1 100644 --- a/bandit/plugins/injection_sql.py +++ b/bandit/plugins/injection_sql.py @@ -55,6 +55,7 @@ import re import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test from bandit.core import utils 
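Review bot: `cwe=Cwe.OS_COMMAND_INJECTION` under `start_process_with_partial_path` labels a PATH-lookup finding as command injection, but the issue text says the problem is starting a process with a partial executable path — that is what CWE-426 (Untrusted Search Path) describes, whereas CWE-78 is about attacker-controlled command strings, which this check does not examine. Adding `UNTRUSTED_SEARCH_PATH = 426` to `Cwe` and using `cwe=Cwe.UNTRUSTED_SEARCH_PATH,` here keeps the mapping distinct from the `shell=True` checks earlier in the file. The enclosing function begins outside the hunk.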
@@ -104,7 +105,7 @@ def hardcoded_sql_expressions(context): if _check_string(val[1]): return bandit.Issue( severity=bandit.MEDIUM, - cwe=89, + cwe=Cwe.SQL_INJECTION, confidence=bandit.MEDIUM if val[0] else bandit.LOW, text="Possible SQL injection vector through string-based " "query construction." diff --git a/bandit/plugins/injection_wildcard.py b/bandit/plugins/injection_wildcard.py index 032e060b4..14bfb9373 100644 --- a/bandit/plugins/injection_wildcard.py +++ b/bandit/plugins/injection_wildcard.py @@ -97,10 +97,10 @@ """ import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test from bandit.plugins import injection_shell # NOTE(tkelsey): shared config - gen_config = injection_shell.gen_config @@ -132,7 +132,7 @@ def linux_commands_wildcard_injection(context, config): ): return bandit.Issue( severity=bandit.HIGH, - cwe=155, + cwe=Cwe.IMPROPER_WILDCARD_NEUTRALIZATION, confidence=bandit.MEDIUM, text="Possible wildcard injection in call: %s" % context.call_function_name_qual, diff --git a/bandit/plugins/insecure_ssl_tls.py b/bandit/plugins/insecure_ssl_tls.py index b2f6f0f5b..bb1555099 100644 --- a/bandit/plugins/insecure_ssl_tls.py +++ b/bandit/plugins/insecure_ssl_tls.py @@ -5,6 +5,7 @@ # SPDX-License-Identifier: Apache-2.0 import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -105,7 +106,7 @@ def ssl_with_bad_version(context, config): if context.check_call_arg_value('ssl_version', bad_ssl_versions): return bandit.Issue( severity=bandit.HIGH, - cwe=326, + cwe=Cwe.BROKEN_CRYPTO, confidence=bandit.HIGH, text="ssl.wrap_socket call with insecure SSL/TLS protocol " "version identified, security issue.", 
@@ -115,7 +116,7 @@ def ssl_with_bad_version(context, config): if context.check_call_arg_value('method', bad_ssl_versions): return bandit.Issue( severity=bandit.HIGH, - cwe=326, + cwe=Cwe.BROKEN_CRYPTO, confidence=bandit.HIGH, text="SSL.Context call with insecure SSL/TLS protocol " "version identified, security issue.", @@ -130,7 +131,7 @@ def ssl_with_bad_version(context, config): context.get_lineno_for_call_arg('ssl_version')) return bandit.Issue( severity=bandit.MEDIUM, - cwe=326, + cwe=Cwe.BROKEN_CRYPTO, confidence=bandit.MEDIUM, text="Function call with insecure SSL/TLS protocol " "identified, possible security issue.", @@ -189,7 +190,7 @@ def ssl_with_bad_defaults(context, config): if val in bad_ssl_versions: return bandit.Issue( severity=bandit.MEDIUM, - cwe=326, + cwe=Cwe.BROKEN_CRYPTO, confidence=bandit.MEDIUM, text="Function definition identified with insecure SSL/TLS " "protocol version by default, possible security " @@ -249,7 +250,7 @@ def ssl_with_no_version(context): # tests for that (ssl_version is not specified). return bandit.Issue( severity=bandit.LOW, - cwe=326, + cwe=Cwe.BROKEN_CRYPTO, confidence=bandit.MEDIUM, text="ssl.wrap_socket call with no SSL/TLS protocol version " "specified, the default SSLv23 could be insecure, " diff --git a/bandit/plugins/jinja2_templates.py b/bandit/plugins/jinja2_templates.py index a6dd254cf..eba26ff59 100644 --- a/bandit/plugins/jinja2_templates.py +++ b/bandit/plugins/jinja2_templates.py @@ -64,6 +64,7 @@ import ast import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -83,7 +84,7 @@ def jinja2_autoescape_false(context): getattr(node.value, 'value', None) is False)): return bandit.Issue( severity=bandit.HIGH, - cwe=94, + cwe=Cwe.CODE_INJECTION, confidence=bandit.HIGH, text="Using jinja2 templates with autoescape=" "False is dangerous and can lead to XSS. " 
@@ -104,7 +105,7 @@ def jinja2_autoescape_false(context): else: return bandit.Issue( severity=bandit.HIGH, - cwe=94, + cwe=Cwe.CODE_INJECTION, confidence=bandit.MEDIUM, text="Using jinja2 templates with autoescape=" "False is dangerous and can lead to XSS. " @@ -116,7 +117,7 @@ def jinja2_autoescape_false(context): # behavior return bandit.Issue( severity=bandit.HIGH, - cwe=94, + cwe=Cwe.CODE_INJECTION, confidence=bandit.HIGH, text="By default, jinja2 sets autoescape to False. Consider " "using autoescape=True or use the select_autoescape " diff --git a/bandit/plugins/mako_templates.py b/bandit/plugins/mako_templates.py index 922d9bbc8..19fb641c9 100644 --- a/bandit/plugins/mako_templates.py +++ b/bandit/plugins/mako_templates.py @@ -42,6 +42,7 @@ """ import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -57,7 +58,7 @@ def use_of_mako_templates(context): # feature and thus each variable must be carefully sanitized. return bandit.Issue( severity=bandit.MEDIUM, - cwe=94, + cwe=Cwe.BASIC_XSS, confidence=bandit.HIGH, text="Mako templates allow HTML/JS rendering by default and " "are inherently open to XSS attacks. Ensure variables " diff --git a/bandit/plugins/ssh_no_host_key_verification.py b/bandit/plugins/ssh_no_host_key_verification.py index 3aed26276..c7c6ca744 100644 --- a/bandit/plugins/ssh_no_host_key_verification.py +++ b/bandit/plugins/ssh_no_host_key_verification.py @@ -34,6 +34,7 @@ """ import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -46,7 +47,7 @@ def ssh_no_host_key_verification(context): context.call_args[0] in ['AutoAddPolicy', 'WarningPolicy']): issue = bandit.Issue( severity=bandit.HIGH, - cwe=295, + cwe=Cwe.IMPROPER_CERT_VALIDATION, confidence=bandit.MEDIUM, text='Paramiko call with policy set to automatically trust ' 'the unknown host key.', 
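Review bot: `cwe=Cwe.BASIC_XSS` for the Mako finding and `cwe=Cwe.CODE_INJECTION` for the three jinja2 `autoescape=False` returns in the hunks just above describe the same weakness — both issue texts say the rendered output is open to XSS — yet they land on different CWEs (80 vs 94), so a report grouped by CWE splits one problem class in two. Pick one: CWE-80 (or its parent CWE-79) matches the "leads to XSS" wording, so changing the jinja2 returns to `cwe=Cwe.BASIC_XSS,` is the smaller edit; if CWE-94 is the intended reading, the Mako return should follow it instead.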
diff --git a/bandit/plugins/try_except_continue.py b/bandit/plugins/try_except_continue.py index 19694762a..e4220e399 100644 --- a/bandit/plugins/try_except_continue.py +++ b/bandit/plugins/try_except_continue.py @@ -74,6 +74,7 @@ class (or no type). To accommodate this, the test may be configured to ignore import ast import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -96,6 +97,6 @@ def try_except_continue(context, config): if isinstance(node.body[0], ast.Continue): return bandit.Issue( severity=bandit.LOW, - cwe=703, + cwe=Cwe.IMPROPER_CHECK_OF_EXEPT_COND, confidence=bandit.HIGH, text=("Try, Except, Continue detected.")) diff --git a/bandit/plugins/try_except_pass.py b/bandit/plugins/try_except_pass.py index c253f5b51..49b7c57de 100644 --- a/bandit/plugins/try_except_pass.py +++ b/bandit/plugins/try_except_pass.py @@ -73,6 +73,7 @@ class (or no type). To accommodate this, the test may be configured to ignore import ast import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -95,7 +96,7 @@ def try_except_pass(context, config): if isinstance(node.body[0], ast.Pass): return bandit.Issue( severity=bandit.LOW, - cwe=703, + cwe=Cwe.IMPROPER_CHECK_OF_EXEPT_COND, confidence=bandit.HIGH, text=("Try, Except, Pass detected.") ) diff --git a/bandit/plugins/weak_cryptographic_key.py b/bandit/plugins/weak_cryptographic_key.py index 95bccce64..b62a1f844 100644 --- a/bandit/plugins/weak_cryptographic_key.py +++ b/bandit/plugins/weak_cryptographic_key.py @@ -37,6 +37,7 @@ """ import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -70,7 +71,7 @@ def _classify_key_size(config, key_type, key_size): if key_size < size: return bandit.Issue( severity=level, - cwe=326, + cwe=Cwe.INADEQUATE_ENCRYPTION_STRENGH, confidence=bandit.HIGH, text='%s key sizes below %d bits are considered breakable. ' % (key_type, size)) 
diff --git a/bandit/plugins/yaml_load.py b/bandit/plugins/yaml_load.py index c161d1af4..4bc4dee42 100644 --- a/bandit/plugins/yaml_load.py +++ b/bandit/plugins/yaml_load.py @@ -39,6 +39,7 @@ """ import bandit +from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -60,7 +61,7 @@ def yaml_load(context): ]): return bandit.Issue( severity=bandit.MEDIUM, - cwe=20, + cwe=Cwe.IMPROPER_INPUT_VALIDATION, confidence=bandit.HIGH, text="Use of unsafe yaml load. Allows instantiation of" " arbitrary objects. Consider yaml.safe_load().", diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index e6a57ec03..baec64792 100644 --- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -737,7 +737,10 @@ def test_baseline_filter(self): "filename": "%s/examples/flask_debug.py", "issue_confidence": "MEDIUM", "issue_severity": "HIGH", - "issue_cwe": "94", + "issue_cwe": { + "id": 94, + "link": "https://cwe.mitre.org/data/definitions/94.html" + }, "issue_text": "%s", "line_number": 10, "line_range": [ diff --git a/tests/unit/core/test_blacklisting.py b/tests/unit/core/test_blacklisting.py index 760b1a286..03cd8a096 100644 --- a/tests/unit/core/test_blacklisting.py +++ b/tests/unit/core/test_blacklisting.py @@ -5,7 +5,6 @@ # SPDX-License-Identifier: Apache-2.0 from bandit.core import blacklisting - import testtools @@ -18,7 +17,7 @@ def test_report_issue(self): self.assertIsInstance(issue_dict, dict) self.assertEqual('B000', issue_dict['test_id']) self.assertEqual('HIGH', issue_dict['issue_severity']) - self.assertEqual(0, issue_dict['issue_cwe']) + self.assertEqual({}, issue_dict['issue_cwe']) self.assertEqual('HIGH', issue_dict['issue_confidence']) self.assertEqual('test name', issue_dict['issue_text']) 
@@ -30,6 +29,6 @@ def test_report_issue_defaults(self): self.assertIsInstance(issue_dict, dict) self.assertEqual('LEGACY', issue_dict['test_id']) self.assertEqual('MEDIUM', issue_dict['issue_severity']) - self.assertEqual(0, issue_dict['issue_cwe']) + self.assertEqual({}, issue_dict['issue_cwe']) self.assertEqual('HIGH', issue_dict['issue_confidence']) self.assertEqual('test name', issue_dict['issue_text']) diff --git a/tests/unit/core/test_issue.py b/tests/unit/core/test_issue.py index ef5fa03cb..b05d89927 100644 --- a/tests/unit/core/test_issue.py +++ b/tests/unit/core/test_issue.py @@ -10,6 +10,7 @@ import bandit from bandit.core import constants from bandit.core import issue +from bandit.core.issue import Cwe as Cwe class IssueTests(testtools.TestCase): @@ -20,9 +21,13 @@ def test_issue_create(self): def test_issue_str(self): test_issue = _get_issue_instance() + expect = ("Issue: 'Test issue' from B999:bandit_plugin:" + ' CWE: %s,' + " Severity: MEDIUM " + "Confidence: MEDIUM at code.py:1") + self.assertEqual( - ("Issue: 'Test issue' from B999:bandit_plugin: CWE: 123," - " Severity: MEDIUM Confidence: MEDIUM at code.py:1"), + expect % str(Cwe(Cwe.MULTIPLE_BINDS)), str(test_issue) ) @@ -108,7 +113,9 @@ def test_matches_issue(self): @mock.patch('linecache.getline') def test_get_code(self, getline): getline.return_value = b'\x08\x30' - new_issue = issue.Issue(bandit.MEDIUM, cwe=123, lineno=1) + new_issue = issue.Issue(bandit.MEDIUM, + cwe=Cwe.MULTIPLE_BINDS, + lineno=1) try: new_issue.get_code() @@ -116,7 +123,7 @@ def test_get_code(self, getline): self.fail('Bytes not properly decoded in issue.get_code()') -def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, +def _get_issue_instance(severity=bandit.MEDIUM, cwe=Cwe.MULTIPLE_BINDS, confidence=bandit.MEDIUM): new_issue = issue.Issue(severity, cwe, confidence, 'Test issue') new_issue.fname = 'code.py' diff --git a/tests/unit/core/test_manager.py b/tests/unit/core/test_manager.py index c06211b30..85cea7874 100644 
--- a/tests/unit/core/test_manager.py +++ b/tests/unit/core/test_manager.py @@ -13,12 +13,13 @@ from bandit.core import config from bandit.core import constants from bandit.core import issue +from bandit.core.issue import Cwe as Cwe from bandit.core import manager class ManagerTests(testtools.TestCase): - def _get_issue_instance(self, sev=constants.MEDIUM, cwe=123, + def _get_issue_instance(self, sev=constants.MEDIUM, cwe=Cwe.MULTIPLE_BINDS, conf=constants.MEDIUM): new_issue = issue.Issue(sev, cwe, conf, 'Test issue') new_issue.fname = 'code.py' @@ -112,7 +113,10 @@ def test_populate_baseline_success(self): "code": "test code", "filename": "example_file.py", "issue_severity": "low", - "issue_cwe": "123", + "issue_cwe": { + "id": 605, + "link": "%s" + }, "issue_confidence": "low", "issue_text": "test issue", "test_name": "some_test", @@ -122,14 +126,16 @@ def test_populate_baseline_success(self): } ] } - """ + """ % ('https://cwe.mitre.org/data/definitions/605.html') issue_dictionary = {"code": "test code", "filename": "example_file.py", "issue_severity": "low", - "issue_cwe": "123", + "issue_cwe": + Cwe(Cwe.MULTIPLE_BINDS).as_dict(), "issue_confidence": "low", "issue_text": "test issue", "test_name": "some_test", "test_id": "x", "line_number": "n", "line_range": "n-m"} + baseline_items = [issue.issue_from_dict(issue_dictionary)] self.manager.populate_baseline(baseline_data) self.assertEqual(baseline_items, self.manager.baseline) @@ -146,12 +152,14 @@ def test_populate_baseline_invalid_json(self, mock_logger_warning): def test_results_count(self): levels = [constants.LOW, constants.MEDIUM, constants.HIGH] self.manager.results = ( - [issue.Issue(severity=level, confidence=level) + [issue.Issue(severity=level, + cwe=Cwe.MULTIPLE_BINDS, + confidence=level) for level in levels]) r = [self.manager.results_count(sev_filter=level, conf_filter=level) for level in levels] - + self.assertEqual([3, 2, 1], r) def test_output_results_invalid_format(self): 
diff --git a/tests/unit/formatters/test_json.py b/tests/unit/formatters/test_json.py index 0f51d9e30..b4338758a 100644 --- a/tests/unit/formatters/test_json.py +++ b/tests/unit/formatters/test_json.py @@ -13,6 +13,7 @@ from bandit.core import config from bandit.core import constants from bandit.core import issue +from bandit.core.issue import Cwe as Cwe from bandit.core import manager from bandit.core import metrics from bandit.formatters import json as b_json @@ -29,12 +30,18 @@ def setUp(self): 'lineno': 4, 'linerange': [4]} self.check_name = 'hardcoded_bind_all_interfaces' - self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM, + self.issue = issue.Issue(bandit.MEDIUM, + Cwe.MULTIPLE_BINDS, + bandit.MEDIUM, 'Possible binding to all interfaces.') - self.candidates = [issue.Issue(123, bandit.LOW, bandit.LOW, + self.candidates = [issue.Issue(Cwe.MULTIPLE_BINDS, + bandit.LOW, + bandit.LOW, 'Candidate A', lineno=1), - issue.Issue(bandit.HIGH, 123, bandit.HIGH, + issue.Issue(bandit.HIGH, + Cwe.MULTIPLE_BINDS, + bandit.HIGH, 'Candiate B', lineno=2)] self.manager.out_file = self.tmp_fname diff --git a/tests/unit/formatters/test_text.py b/tests/unit/formatters/test_text.py index 585df1e1b..99039a5f8 100644 --- a/tests/unit/formatters/test_text.py +++ b/tests/unit/formatters/test_text.py @@ -13,6 +13,7 @@ from bandit.core import config from bandit.core import docs_utils from bandit.core import issue +from bandit.core.issue import Cwe as Cwe from bandit.core import manager from bandit.formatters import text as b_text @@ -131,7 +132,7 @@ def test_report_nobaseline(self, get_issue_list): 'binding.py (score: ', "CONFIDENCE: 1", "SEVERITY: 1", - "CWE: 123", + "CWE: %s" % str(Cwe(Cwe.MULTIPLE_BINDS)), 'Files excluded (1):', 'def.py', 'Undefined: 1', 
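Review bot: The first candidate built in `setUp` passes its arguments in the wrong order — `issue.Issue(Cwe.MULTIPLE_BINDS, bandit.LOW, bandit.LOW, 'Candidate A', lineno=1)` binds `severity=605`, `cwe='LOW'` and `confidence='LOW'` against the `Issue(severity, cwe, confidence, text, ...)` signature, leaving the fixture with a numeric severity and a `Cwe` whose id is a string (which `Cwe.__str__` would reject with a `TypeError` on `%i` if anything formatted it). The same swap is already present in PATCH 01's version of this file, while `test_yaml.py` in this series has the correct order; it should read `issue.Issue(bandit.LOW, Cwe.MULTIPLE_BINDS, bandit.LOW, 'Candidate A', lineno=1)`, matching `Candidate B` two lines below. That this survived two commits is also a sign that the new positional `cwe` slot in `Issue.__init__` is easy to misuse.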
@@ -188,7 +189,7 @@ def test_report_baseline(self, get_issue_list): output_str.assert_has_calls(calls, any_order=True) -def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, +def _get_issue_instance(severity=bandit.MEDIUM, cwe=Cwe.MULTIPLE_BINDS, confidence=bandit.MEDIUM): new_issue = issue.Issue(severity, cwe, confidence, 'Test issue') new_issue.fname = 'code.py' diff --git a/tests/unit/formatters/test_xml.py b/tests/unit/formatters/test_xml.py index aba23581e..bf5b161fe 100644 --- a/tests/unit/formatters/test_xml.py +++ b/tests/unit/formatters/test_xml.py @@ -11,6 +11,7 @@ import bandit from bandit.core import config from bandit.core import issue +from bandit.core.issue import Cwe as Cwe from bandit.core import manager from bandit.formatters import xml as b_xml @@ -26,7 +27,8 @@ def setUp(self): 'lineno': 4, 'linerange': [4]} self.check_name = 'hardcoded_bind_all_interfaces' - self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM, + self.issue = issue.Issue(bandit.MEDIUM, Cwe.MULTIPLE_BINDS, + bandit.MEDIUM, 'Possible binding to all interfaces.') self.manager.out_file = self.tmp_fname From 463a5aeae85222aa13e5b5e4efa5691f3624bfdc Mon Sep 17 00:00:00 2001 From: Julian Thome Date: Tue, 7 Jul 2020 09:48:06 +0200 Subject: [PATCH 03/18] typos --- bandit/core/issue.py | 5 +++-- bandit/plugins/asserts.py | 2 +- bandit/plugins/try_except_continue.py | 2 +- bandit/plugins/try_except_pass.py | 2 +- bandit/plugins/weak_cryptographic_key.py | 2 +- 5 files changed, 7 insertions(+), 6 deletions(-) diff --git a/bandit/core/issue.py b/bandit/core/issue.py index 3c5f7b66c..292c400a8 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py 
@@ -24,11 +24,12 @@ class Cwe(object): IMPROPER_WILDCARD_NEUTRALIZATION = 155 HARD_CODED_PASSWORD = 259 IMPROPER_CERT_VALIDATION = 295 - INADEQUATE_ENCRYPTION_STRENGH = 326 + DESERIALIZATION_OF_UNTRUSTED_DATA = 502 + INADEQUATE_ENCRYPTION_STRENGTH = 326 BROKEN_CRYPTO = 327 INSECURE_TEMP_FILE = 377 MULTIPLE_BINDS = 605 - IMPROPER_CHECK_OF_EXEPT_COND = 703 + IMPROPER_CHECK_OF_EXCEPT_COND = 703 INCORRECT_PERMISSION_ASSIGNMENT = 732 MITRE_URL_PATTERN = "https://cwe.mitre.org/data/definitions/%s.html" diff --git a/bandit/plugins/asserts.py b/bandit/plugins/asserts.py index 3deec5529..fd6e5f4de 100644 --- a/bandit/plugins/asserts.py +++ b/bandit/plugins/asserts.py @@ -50,7 +50,7 @@ def assert_used(context): return bandit.Issue( severity=bandit.LOW, - cwe=Cwe.IMPROPER_CHECK_OF_EXEPT_COND, + cwe=Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, confidence=bandit.HIGH, text=("Use of assert detected. The enclosed code " "will be removed when compiling to optimised byte code.") diff --git a/bandit/plugins/try_except_continue.py b/bandit/plugins/try_except_continue.py index e4220e399..67b968c4f 100644 --- a/bandit/plugins/try_except_continue.py +++ b/bandit/plugins/try_except_continue.py @@ -97,6 +97,6 @@ def try_except_continue(context, config): if isinstance(node.body[0], ast.Continue): return bandit.Issue( severity=bandit.LOW, - cwe=Cwe.IMPROPER_CHECK_OF_EXEPT_COND, + cwe=Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, confidence=bandit.HIGH, text=("Try, Except, Continue detected.")) diff --git a/bandit/plugins/try_except_pass.py b/bandit/plugins/try_except_pass.py index 49b7c57de..1d73b5403 100644 --- a/bandit/plugins/try_except_pass.py +++ b/bandit/plugins/try_except_pass.py @@ -96,7 +96,7 @@ def try_except_pass(context, config): if isinstance(node.body[0], ast.Pass): return bandit.Issue( severity=bandit.LOW, - cwe=Cwe.IMPROPER_CHECK_OF_EXEPT_COND, + cwe=Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, confidence=bandit.HIGH, text=("Try, Except, Pass detected.") ) 
diff --git a/bandit/plugins/weak_cryptographic_key.py b/bandit/plugins/weak_cryptographic_key.py index b62a1f844..0b5835e35 100644 --- a/bandit/plugins/weak_cryptographic_key.py +++ b/bandit/plugins/weak_cryptographic_key.py @@ -71,7 +71,7 @@ def _classify_key_size(config, key_type, key_size): if key_size < size: return bandit.Issue( severity=level, - cwe=Cwe.INADEQUATE_ENCRYPTION_STRENGH, + cwe=Cwe.INADEQUATE_ENCRYPTION_STRENGTH, confidence=bandit.HIGH, text='%s key sizes below %d bits are considered breakable. ' % (key_type, size)) From 68a1d14d0f9b910837964bbfb6abd4897f4d1a0d Mon Sep 17 00:00:00 2001 From: Julian Thome Date: Tue, 7 Jul 2020 11:47:32 +0200 Subject: [PATCH 04/18] cwemap --- bandit/core/cwemap.py | 87 +++++++++++++++++++ bandit/core/issue.py | 7 +- bandit/plugins/app_debug.py | 4 +- bandit/plugins/asserts.py | 3 +- .../crypto_request_no_cert_validation.py | 3 +- bandit/plugins/django_sql_injection.py | 6 +- bandit/plugins/django_xss.py | 4 +- bandit/plugins/exec.py | 4 +- .../plugins/general_bad_file_permissions.py | 4 +- bandit/plugins/general_bind_all_interfaces.py | 4 +- bandit/plugins/general_hardcoded_password.py | 4 +- bandit/plugins/general_hardcoded_tmp.py | 4 +- .../plugins/hashlib_new_insecure_functions.py | 4 +- bandit/plugins/injection_paramiko.py | 4 +- bandit/plugins/injection_shell.py | 18 ++-- bandit/plugins/injection_sql.py | 4 +- bandit/plugins/injection_wildcard.py | 4 +- bandit/plugins/insecure_ssl_tls.py | 12 +-- bandit/plugins/jinja2_templates.py | 8 +- bandit/plugins/mako_templates.py | 4 +- .../plugins/ssh_no_host_key_verification.py | 4 +- bandit/plugins/try_except_continue.py | 4 +- bandit/plugins/try_except_pass.py | 4 +- bandit/plugins/weak_cryptographic_key.py | 4 +- bandit/plugins/yaml_load.py | 4 +- 25 files changed, 153 insertions(+), 59 deletions(-) create mode 100644 bandit/core/cwemap.py diff --git a/bandit/core/cwemap.py b/bandit/core/cwemap.py new file mode 100644 index 000000000..b186b5170 --- /dev/null 
+++ b/bandit/core/cwemap.py 
@@ -0,0 +1,87 @@
+from bandit.core.issue import Cwe as Cwe
+
+# We can broadly classify all calls and imports from the denylist as
+# being covered by CWE-829 https://cwe.mitre.org/data/definitions/829.html.
+# However, as we have more contextual information, we use the most detailed and suitable
+# CWE for every call/import.
+
+CWEMAP = {
+ # Plugins
+ "B101": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
+ "B102": Cwe.OS_COMMAND_INJECTION,
+ "B103": Cwe.INCORRECT_PERMISSION_ASSIGNMENT,
+ "B104": Cwe.MULTIPLE_BINDS,
+ "B105": Cwe.HARD_CODED_PASSWORD,
+ "B108": Cwe.INSECURE_TEMP_FILE,
+ "B110": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
+ "B112": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
+
+ "B201": Cwe.CODE_INJECTION,
+
+ "B324": Cwe.BROKEN_CRYPTO,
+
+ "B501": Cwe.IMPROPER_CERT_VALIDATION,
+ "B502": Cwe.BROKEN_CRYPTO,
+ "B503": Cwe.BROKEN_CRYPTO,
+ "B504": Cwe.BROKEN_CRYPTO,
+ "B505": Cwe.INADEQUATE_ENCRYPTION_STRENGTH,
+ "B506": Cwe.IMPROPER_INPUT_VALIDATION,
+ "B507": Cwe.IMPROPER_CERT_VALIDATION,
+
+ "B601": Cwe.OS_COMMAND_INJECTION,
+ "B602": Cwe.OS_COMMAND_INJECTION,
+ "B603": Cwe.OS_COMMAND_INJECTION,
+ "B604": Cwe.OS_COMMAND_INJECTION,
+ "B605": Cwe.OS_COMMAND_INJECTION,
+ "B606": Cwe.OS_COMMAND_INJECTION,
+ "B607": Cwe.OS_COMMAND_INJECTION,
+ "B608": Cwe.SQL_INJECTION,
+ "B609": Cwe.IMPROPER_WILDCARD_NEUTRALIZATION,
+ "B611": Cwe.SQL_INJECTION,
+
+ "B701": Cwe.CODE_INJECTION,
+ "B702": Cwe.BASIC_XSS,
+ "B703": Cwe.BASIC_XSS,
+
+ # Calls
+ "B301": Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
+ "B302": Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
+ "B303": Cwe.BROKEN_CRYPTO,
+ "B304": Cwe.BROKEN_CRYPTO,
+ "B305": Cwe.BROKEN_CRYPTO,
+ "B306": Cwe.INSECURE_TEMP_FILE,
+ "B307": Cwe.OS_COMMAND_INJECTION,
+ "B308": Cwe.XSS,
+ "B309": Cwe.CLEARTEXT_TRANSMISSION,
+ "B310": Cwe.PATH_TRAVERSAL,
+ "B311": Cwe.INSUFFICIENT_RANDOM_VALUES,
+ "B312": Cwe.CLEARTEXT_TRANSMISSION,
+ "B313": Cwe.IMPROPER_INPUT_VALIDATION,
+ "B314": Cwe.IMPROPER_INPUT_VALIDATION,
+ "B315": Cwe.IMPROPER_INPUT_VALIDATION,
+ "B316": 
Cwe.IMPROPER_INPUT_VALIDATION, + "B317": Cwe.IMPROPER_INPUT_VALIDATION, + "B318": Cwe.IMPROPER_INPUT_VALIDATION, + "B319": Cwe.IMPROPER_INPUT_VALIDATION, + "B320": Cwe.IMPROPER_INPUT_VALIDATION, + "B321": Cwe.CLEARTEXT_TRANSMISSION, + "B322": Cwe.OS_COMMAND_INJECTION, + "B323": Cwe.IMPROPER_CERT_VALIDATION, + "B325": Cwe.INSECURE_TEMP_FILE, + + # Imports + "B401": Cwe.CLEARTEXT_TRANSMISSION, + "B402": Cwe.CLEARTEXT_TRANSMISSION, + "B403": Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, + "B404": Cwe.OS_COMMAND_INJECTION, + "B405": Cwe.IMPROPER_INPUT_VALIDATION, + "B406": Cwe.IMPROPER_INPUT_VALIDATION, + "B407": Cwe.IMPROPER_INPUT_VALIDATION, + "B408": Cwe.IMPROPER_INPUT_VALIDATION, + "B409": Cwe.IMPROPER_INPUT_VALIDATION, + "B410": Cwe.IMPROPER_INPUT_VALIDATION, + "B411": Cwe.IMPROPER_INPUT_VALIDATION, + "B412": Cwe.IMPROPER_ACCESS_CONTROL, + "B413": Cwe.BROKEN_CRYPTO, + "B414": Cwe.BROKEN_CRYPTO, +} \ No newline at end of file diff --git a/bandit/core/issue.py b/bandit/core/issue.py index 292c400a8..114f30852 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py @@ -17,17 +17,22 @@ class Cwe(object): UNDEF = 0 IMPROPER_INPUT_VALIDATION = 20 + PATH_TRAVERSAL = 22 OS_COMMAND_INJECTION = 78 + XSS = 79 BASIC_XSS = 80 SQL_INJECTION = 89 CODE_INJECTION = 94 IMPROPER_WILDCARD_NEUTRALIZATION = 155 HARD_CODED_PASSWORD = 259 + IMPROPER_ACCESS_CONTROL = 284 IMPROPER_CERT_VALIDATION = 295 - DESERIALIZATION_OF_UNTRUSTED_DATA = 502 + CLEARTEXT_TRANSMISSION = 319 INADEQUATE_ENCRYPTION_STRENGTH = 326 BROKEN_CRYPTO = 327 + INSUFFICIENT_RANDOM_VALUES = 330 INSECURE_TEMP_FILE = 377 + DESERIALIZATION_OF_UNTRUSTED_DATA = 502 MULTIPLE_BINDS = 605 IMPROPER_CHECK_OF_EXCEPT_COND = 703 INCORRECT_PERMISSION_ASSIGNMENT = 732 diff --git a/bandit/plugins/app_debug.py b/bandit/plugins/app_debug.py index d9547eed2..fe4fb9568 100644 --- a/bandit/plugins/app_debug.py +++ b/bandit/plugins/app_debug.py 
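Review bot: Several CWEMAP entries disagree with their siblings and the new file carries no note on how a CWE was chosen for an entry. "B701" (jinja2 autoescape=False, whose issue text in this series says it 'can lead to XSS') maps to CODE_INJECTION while the other template checks "B702"/"B703" map to BASIC_XSS; "B506" (yaml.load, 'Allows instantiation of arbitrary objects') maps to IMPROPER_INPUT_VALIDATION while the comparable "B301"/"B302"/"B403" (pickle/marshal) map to DESERIALIZATION_OF_UNTRUSTED_DATA; and "B102"/"B307" (exec/eval) map to OS_COMMAND_INJECTION rather than CODE_INJECTION. If these are deliberate, a one-line comment on each entry saying why the broader CWE was picked would stop the next reader from "fixing" them; otherwise aligning each with its siblings looks like the safer default. Since callers index the dict directly, the header comment should also state that a test id missing from the map raises KeyError at lookup time.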
@@ -40,8 +40,8 @@ """ import bandit -from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test +from bandit.core.cwemap import CWEMAP @test.test_id('B201') @@ -52,7 +52,7 @@ def flask_debug_true(context): if context.check_call_arg_value('debug', 'True'): return bandit.Issue( severity=bandit.HIGH, - cwe=Cwe.CODE_INJECTION, + cwe=CWEMAP["B201"], confidence=bandit.MEDIUM, text="A Flask app appears to be run with debug=True, " "which exposes the Werkzeug debugger and allows " diff --git a/bandit/plugins/asserts.py b/bandit/plugins/asserts.py index fd6e5f4de..dbaf00dd2 100644 --- a/bandit/plugins/asserts.py +++ b/bandit/plugins/asserts.py @@ -41,6 +41,7 @@ """ import bandit +from bandit.core.cwemap import CWEMAP from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -50,7 +51,7 @@ def assert_used(context): return bandit.Issue( severity=bandit.LOW, - cwe=Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, + cwe=CWEMAP["B101"], confidence=bandit.HIGH, text=("Use of assert detected. The enclosed code " "will be removed when compiling to optimised byte code.") diff --git a/bandit/plugins/crypto_request_no_cert_validation.py b/bandit/plugins/crypto_request_no_cert_validation.py index 6e1378064..01ef20042 100644 --- a/bandit/plugins/crypto_request_no_cert_validation.py +++ b/bandit/plugins/crypto_request_no_cert_validation.py @@ -42,6 +42,7 @@ """ import bandit +from bandit.core.cwemap import CWEMAP from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test @@ -55,7 +56,7 @@ def request_with_no_cert_validation(context): if context.check_call_arg_value('verify', 'False'): issue = bandit.Issue( severity=bandit.HIGH, - cwe=Cwe.IMPROPER_CERT_VALIDATION, + cwe=CWEMAP["B501"], confidence=bandit.HIGH, text="Requests call with verify=False disabling SSL " "certificate checks, security issue.", 
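Review bot: `cwe=CWEMAP["B201"]` repeats the test id that `@test.test_id('B201')` already declares a few lines above, with nothing tying the two together, so a literal that drifts from the decorator silently tags findings with another test's CWE; the same pattern is applied in every plugin hunk that follows (django_sql_injection, django_xss, exec, general_*, hashlib_new_insecure_functions, injection_*, insecure_ssl_tls, jinja2_templates, mako_templates, ssh_no_host_key_verification, try_except_*, weak_cryptographic_key, yaml_load). Two spots already show the hazard: django_extra_used looks up "B611" (see the note on that hunk), and `_report` in general_hardcoded_password.py tags with "B105" although, if it also serves the other hardcoded-password checks in that file, their ids have no map entry. Resolving the CWE once from the registered test id where the Issue is attached to its test would remove the duplicated literals. Where plugins keep the lookup, a comment such as `# key must match the @test.test_id above` at each use is the minimum.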
diff --git a/bandit/plugins/django_sql_injection.py b/bandit/plugins/django_sql_injection.py index 5f4dabbf1..9af9ddcb1 100644 --- a/bandit/plugins/django_sql_injection.py +++ b/bandit/plugins/django_sql_injection.py @@ -8,7 +8,7 @@ import ast import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -78,7 +78,7 @@ def django_extra_used(context): if insecure: return bandit.Issue( severity=bandit.MEDIUM, - cwe=Cwe.SQL_INJECTION, + cwe=CWEMAP["B611"], confidence=bandit.MEDIUM, text=description ) @@ -104,7 +104,7 @@ def django_rawsql_used(context): if not isinstance(sql, ast.Str): return bandit.Issue( severity=bandit.MEDIUM, - cwe=Cwe.SQL_INJECTION, + cwe=CWEMAP["B611"], confidence=bandit.MEDIUM, text=description ) diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index e836cb38c..1f9ed8572 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -9,8 +9,8 @@ import six import bandit -from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test +from bandit.core.cwemap import CWEMAP class DeepAssignation(object): @@ -251,7 +251,7 @@ def check_risk(node): if not secure: return bandit.Issue( severity=bandit.MEDIUM, - cwe=Cwe.BASIC_XSS, + cwe=CWEMAP["B703"], confidence=bandit.HIGH, text=description ) diff --git a/bandit/plugins/exec.py b/bandit/plugins/exec.py index 88b71937b..110af5c82 100644 --- a/bandit/plugins/exec.py +++ b/bandit/plugins/exec.py @@ -35,14 +35,14 @@ import six import bandit -from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test +from bandit.core.cwemap import CWEMAP def exec_issue(): return bandit.Issue( severity=bandit.MEDIUM, - cwe=Cwe.OS_COMMAND_INJECTION, + cwe=CWEMAP["B102"], confidence=bandit.HIGH, text="Use of exec detected." ) 
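Review bot: django_extra_used now reports `cwe=CWEMAP["B611"]`, the same key django_rawsql_used uses in the next hunk, although the two are separate tests; if django_extra_used is registered under its own id (upstream it is B610), that id is absent from CWEMAP (the map jumps from "B609" to "B611"), so this lookup borrows another test's key. Add a `"B610": Cwe.SQL_INJECTION,` row to CWEMAP and change this line to `cwe=CWEMAP["B610"],`. The bodies of both functions start outside their hunks, so the decorators are not visible here.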
diff --git a/bandit/plugins/general_bad_file_permissions.py b/bandit/plugins/general_bad_file_permissions.py index 29705a88f..3f56b8e1d 100644 --- a/bandit/plugins/general_bad_file_permissions.py +++ b/bandit/plugins/general_bad_file_permissions.py @@ -50,7 +50,7 @@ import stat import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -74,7 +74,7 @@ def set_bad_file_permissions(context): filename = 'NOT PARSED' return bandit.Issue( severity=sev_level, - cwe=Cwe.INCORRECT_PERMISSION_ASSIGNMENT, + cwe=CWEMAP["B103"], confidence=bandit.HIGH, text="Chmod setting a permissive mask %s on file (%s)." % (oct(mode), filename) diff --git a/bandit/plugins/general_bind_all_interfaces.py b/bandit/plugins/general_bind_all_interfaces.py index 67ffabe9d..b5f996231 100644 --- a/bandit/plugins/general_bind_all_interfaces.py +++ b/bandit/plugins/general_bind_all_interfaces.py @@ -34,7 +34,7 @@ """ import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -44,7 +44,7 @@ def hardcoded_bind_all_interfaces(context): if context.string_val == '0.0.0.0': return bandit.Issue( severity=bandit.MEDIUM, - cwe=Cwe.MULTIPLE_BINDS, + cwe=CWEMAP["B104"], confidence=bandit.MEDIUM, text="Possible binding to all interfaces." ) diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py index 86abb60bf..d6d43763f 100644 --- a/bandit/plugins/general_hardcoded_password.py +++ b/bandit/plugins/general_hardcoded_password.py @@ -9,7 +9,7 @@ import sys import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test 
@@ -23,7 +23,7 @@ def _report(value): return bandit.Issue( severity=bandit.LOW, - cwe=Cwe.HARD_CODED_PASSWORD, + cwe=CWEMAP["B105"], confidence=bandit.MEDIUM, text=("Possible hardcoded password: '%s'" % value)) diff --git a/bandit/plugins/general_hardcoded_tmp.py b/bandit/plugins/general_hardcoded_tmp.py index 6ac5b3645..27549ea82 100644 --- a/bandit/plugins/general_hardcoded_tmp.py +++ b/bandit/plugins/general_hardcoded_tmp.py @@ -51,7 +51,7 @@ """ import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -72,7 +72,7 @@ def hardcoded_tmp_directory(context, config): if any(context.string_val.startswith(s) for s in tmp_dirs): return bandit.Issue( severity=bandit.MEDIUM, - cwe=Cwe.INSECURE_TEMP_FILE, + cwe=CWEMAP["B108"], confidence=bandit.MEDIUM, text="Probable insecure usage of temp file/directory." ) diff --git a/bandit/plugins/hashlib_new_insecure_functions.py b/bandit/plugins/hashlib_new_insecure_functions.py index 4e9b4198d..62771b4cb 100644 --- a/bandit/plugins/hashlib_new_insecure_functions.py +++ b/bandit/plugins/hashlib_new_insecure_functions.py @@ -31,7 +31,7 @@ """ import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -49,7 +49,7 @@ def hashlib_new(context): name.lower() in ('md4', 'md5', 'sha', 'sha1')): return bandit.Issue( severity=bandit.MEDIUM, - cwe=Cwe.BROKEN_CRYPTO, + cwe=CWEMAP["B324"], confidence=bandit.HIGH, text="Use of insecure MD4 or MD5 hash function.", lineno=context.node.lineno, diff --git a/bandit/plugins/injection_paramiko.py b/bandit/plugins/injection_paramiko.py index 67a28c240..c3ba33ef6 100644 --- a/bandit/plugins/injection_paramiko.py +++ b/bandit/plugins/injection_paramiko.py @@ -39,7 +39,7 @@ """ import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test 
@@ -52,6 +52,6 @@ def paramiko_calls(context): if context.is_module_imported_like(module): if context.call_function_name in ['exec_command']: return bandit.Issue(severity=bandit.MEDIUM, - cwe=Cwe.OS_COMMAND_INJECTION, + cwe=CWEMAP["B601"], confidence=bandit.MEDIUM, text=issue_text) diff --git a/bandit/plugins/injection_shell.py b/bandit/plugins/injection_shell.py index 61c34ae92..98c1fbac8 100644 --- a/bandit/plugins/injection_shell.py +++ b/bandit/plugins/injection_shell.py @@ -10,7 +10,7 @@ import six import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -201,7 +201,7 @@ def subprocess_popen_with_shell_equals_true(context, config): if sev == bandit.LOW: return bandit.Issue( severity=bandit.LOW, - cwe=Cwe.OS_COMMAND_INJECTION, + cwe=CWEMAP["B602"], confidence=bandit.HIGH, text='subprocess call with shell=True seems safe, but ' 'may be changed in the future, consider ' @@ -211,7 +211,7 @@ def subprocess_popen_with_shell_equals_true(context, config): else: return bandit.Issue( severity=bandit.HIGH, - cwe=Cwe.OS_COMMAND_INJECTION, + cwe=CWEMAP["B602"], confidence=bandit.HIGH, text='subprocess call with shell=True identified, ' 'security issue.', @@ -291,7 +291,7 @@ def subprocess_without_shell_equals_true(context, config): if not has_shell(context): return bandit.Issue( severity=bandit.LOW, - cwe=Cwe.OS_COMMAND_INJECTION, + cwe=CWEMAP["B603"], confidence=bandit.HIGH, text='subprocess call - check for execution of untrusted ' 'input.', @@ -370,7 +370,7 @@ def any_other_function_with_shell_equals_true(context, config): if has_shell(context): return bandit.Issue( severity=bandit.MEDIUM, - cwe=Cwe.OS_COMMAND_INJECTION, + cwe=CWEMAP["B604"], confidence=bandit.LOW, text='Function call with shell=True parameter identified, ' 'possible security issue.', 
@@ -457,7 +457,7 @@ def start_process_with_a_shell(context, config): if sev == bandit.LOW: return bandit.Issue( severity=bandit.LOW, - cwe=Cwe.OS_COMMAND_INJECTION, + cwe=CWEMAP["B605"], confidence=bandit.HIGH, text='Starting a process with a shell: ' 'Seems safe, but may be changed in the future, ' @@ -466,7 +466,7 @@ def start_process_with_a_shell(context, config): else: return bandit.Issue( severity=bandit.HIGH, - cwe=78, + cwe=CWEMAP["B605"], confidence=bandit.HIGH, text='Starting a process with a shell, possible injection' ' detected, security issue.' @@ -555,7 +555,7 @@ def start_process_with_no_shell(context, config): if config and context.call_function_name_qual in config['no_shell']: return bandit.Issue( severity=bandit.LOW, - cwe=Cwe.OS_COMMAND_INJECTION, + cwe=CWEMAP["B606"], confidence=bandit.MEDIUM, text='Starting a process without a shell.' ) @@ -651,7 +651,7 @@ def start_process_with_partial_path(context, config): if isinstance(node, ast.Str) and not full_path_match.match(node.s): return bandit.Issue( severity=bandit.LOW, - cwe=Cwe.OS_COMMAND_INJECTION, + cwe=CWEMAP["B607"], confidence=bandit.HIGH, text='Starting a process with a partial executable path' ) diff --git a/bandit/plugins/injection_sql.py b/bandit/plugins/injection_sql.py index b03d65bb1..3b742d1d3 100644 --- a/bandit/plugins/injection_sql.py +++ b/bandit/plugins/injection_sql.py @@ -55,7 +55,7 @@ import re import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test from bandit.core import utils @@ -105,7 +105,7 @@ def hardcoded_sql_expressions(context): if _check_string(val[1]): return bandit.Issue( severity=bandit.MEDIUM, - cwe=Cwe.SQL_INJECTION, + cwe=CWEMAP["B608"], confidence=bandit.MEDIUM if val[0] else bandit.LOW, text="Possible SQL injection vector through string-based " "query construction." 
diff --git a/bandit/plugins/injection_wildcard.py b/bandit/plugins/injection_wildcard.py index 14bfb9373..0ead3c3b6 100644 --- a/bandit/plugins/injection_wildcard.py +++ b/bandit/plugins/injection_wildcard.py @@ -97,7 +97,7 @@ """ import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test from bandit.plugins import injection_shell # NOTE(tkelsey): shared config @@ -132,7 +132,7 @@ def linux_commands_wildcard_injection(context, config): ): return bandit.Issue( severity=bandit.HIGH, - cwe=Cwe.IMPROPER_WILDCARD_NEUTRALIZATION, + cwe=CWEMAP["B609"], confidence=bandit.MEDIUM, text="Possible wildcard injection in call: %s" % context.call_function_name_qual, diff --git a/bandit/plugins/insecure_ssl_tls.py b/bandit/plugins/insecure_ssl_tls.py index bb1555099..87b59614c 100644 --- a/bandit/plugins/insecure_ssl_tls.py +++ b/bandit/plugins/insecure_ssl_tls.py @@ -5,7 +5,7 @@ # SPDX-License-Identifier: Apache-2.0 import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -106,7 +106,7 @@ def ssl_with_bad_version(context, config): if context.check_call_arg_value('ssl_version', bad_ssl_versions): return bandit.Issue( severity=bandit.HIGH, - cwe=Cwe.BROKEN_CRYPTO, + cwe=CWEMAP["B502"], confidence=bandit.HIGH, text="ssl.wrap_socket call with insecure SSL/TLS protocol " "version identified, security issue.", @@ -116,7 +116,7 @@ def ssl_with_bad_version(context, config): if context.check_call_arg_value('method', bad_ssl_versions): return bandit.Issue( severity=bandit.HIGH, - cwe=Cwe.BROKEN_CRYPTO, + cwe=CWEMAP["B502"], confidence=bandit.HIGH, text="SSL.Context call with insecure SSL/TLS protocol " "version identified, security issue.", 
@@ -131,7 +131,7 @@ def ssl_with_bad_version(context, config): context.get_lineno_for_call_arg('ssl_version')) return bandit.Issue( severity=bandit.MEDIUM, - cwe=Cwe.BROKEN_CRYPTO, + cwe=CWEMAP["B502"], confidence=bandit.MEDIUM, text="Function call with insecure SSL/TLS protocol " "identified, possible security issue.", @@ -190,7 +190,7 @@ def ssl_with_bad_defaults(context, config): if val in bad_ssl_versions: return bandit.Issue( severity=bandit.MEDIUM, - cwe=Cwe.BROKEN_CRYPTO, + cwe=CWEMAP["B503"], confidence=bandit.MEDIUM, text="Function definition identified with insecure SSL/TLS " "protocol version by default, possible security " @@ -250,7 +250,7 @@ def ssl_with_no_version(context): # tests for that (ssl_version is not specified). return bandit.Issue( severity=bandit.LOW, - cwe=Cwe.BROKEN_CRYPTO, + cwe=CWEMAP["B504"], confidence=bandit.MEDIUM, text="ssl.wrap_socket call with no SSL/TLS protocol version " "specified, the default SSLv23 could be insecure, " diff --git a/bandit/plugins/jinja2_templates.py b/bandit/plugins/jinja2_templates.py index eba26ff59..ff6baaf54 100644 --- a/bandit/plugins/jinja2_templates.py +++ b/bandit/plugins/jinja2_templates.py @@ -64,7 +64,7 @@ import ast import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -84,7 +84,7 @@ def jinja2_autoescape_false(context): getattr(node.value, 'value', None) is False)): return bandit.Issue( severity=bandit.HIGH, - cwe=Cwe.CODE_INJECTION, + cwe=CWEMAP["B701"], confidence=bandit.HIGH, text="Using jinja2 templates with autoescape=" "False is dangerous and can lead to XSS. " @@ -105,7 +105,7 @@ def jinja2_autoescape_false(context): else: return bandit.Issue( severity=bandit.HIGH, - cwe=Cwe.CODE_INJECTION, + cwe=CWEMAP["B701"], confidence=bandit.MEDIUM, text="Using jinja2 templates with autoescape=" "False is dangerous and can lead to XSS. " 
@@ -117,7 +117,7 @@ def jinja2_autoescape_false(context): # behavior return bandit.Issue( severity=bandit.HIGH, - cwe=Cwe.CODE_INJECTION, + cwe=CWEMAP["B701"], confidence=bandit.HIGH, text="By default, jinja2 sets autoescape to False. Consider " "using autoescape=True or use the select_autoescape " diff --git a/bandit/plugins/mako_templates.py b/bandit/plugins/mako_templates.py index 19fb641c9..d5f6bf120 100644 --- a/bandit/plugins/mako_templates.py +++ b/bandit/plugins/mako_templates.py @@ -42,7 +42,7 @@ """ import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -58,7 +58,7 @@ def use_of_mako_templates(context): # feature and thus each variable must be carefully sanitized. return bandit.Issue( severity=bandit.MEDIUM, - cwe=Cwe.BASIC_XSS, + cwe=CWEMAP["B702"], confidence=bandit.HIGH, text="Mako templates allow HTML/JS rendering by default and " "are inherently open to XSS attacks. Ensure variables " diff --git a/bandit/plugins/ssh_no_host_key_verification.py b/bandit/plugins/ssh_no_host_key_verification.py index c7c6ca744..5d5bca6e6 100644 --- a/bandit/plugins/ssh_no_host_key_verification.py +++ b/bandit/plugins/ssh_no_host_key_verification.py @@ -34,7 +34,7 @@ """ import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -47,7 +47,7 @@ def ssh_no_host_key_verification(context): context.call_args[0] in ['AutoAddPolicy', 'WarningPolicy']): issue = bandit.Issue( severity=bandit.HIGH, - cwe=Cwe.IMPROPER_CERT_VALIDATION, + cwe=CWEMAP["B507"], confidence=bandit.MEDIUM, text='Paramiko call with policy set to automatically trust ' 'the unknown host key.', diff --git a/bandit/plugins/try_except_continue.py b/bandit/plugins/try_except_continue.py index 67b968c4f..81c57177d 100644 --- a/bandit/plugins/try_except_continue.py +++ b/bandit/plugins/try_except_continue.py 
@@ -74,7 +74,7 @@ class (or no type). To accommodate this, the test may be configured to ignore import ast import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -97,6 +97,6 @@ def try_except_continue(context, config): if isinstance(node.body[0], ast.Continue): return bandit.Issue( severity=bandit.LOW, - cwe=Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, + cwe=CWEMAP["B112"], confidence=bandit.HIGH, text=("Try, Except, Continue detected.")) diff --git a/bandit/plugins/try_except_pass.py b/bandit/plugins/try_except_pass.py index 1d73b5403..0cf616785 100644 --- a/bandit/plugins/try_except_pass.py +++ b/bandit/plugins/try_except_pass.py @@ -73,7 +73,7 @@ class (or no type). To accommodate this, the test may be configured to ignore import ast import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -96,7 +96,7 @@ def try_except_pass(context, config): if isinstance(node.body[0], ast.Pass): return bandit.Issue( severity=bandit.LOW, - cwe=Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, + cwe=CWEMAP["B110"], confidence=bandit.HIGH, text=("Try, Except, Pass detected.") ) diff --git a/bandit/plugins/weak_cryptographic_key.py b/bandit/plugins/weak_cryptographic_key.py index 0b5835e35..0022ecc45 100644 --- a/bandit/plugins/weak_cryptographic_key.py +++ b/bandit/plugins/weak_cryptographic_key.py @@ -37,7 +37,7 @@ """ import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -71,7 +71,7 @@ def _classify_key_size(config, key_type, key_size): if key_size < size: return bandit.Issue( severity=level, - cwe=Cwe.INADEQUATE_ENCRYPTION_STRENGTH, + cwe=CWEMAP["B505"], confidence=bandit.HIGH, text='%s key sizes below %d bits are considered breakable. ' % (key_type, size)) 
diff --git a/bandit/plugins/yaml_load.py b/bandit/plugins/yaml_load.py index 4bc4dee42..0138803cf 100644 --- a/bandit/plugins/yaml_load.py +++ b/bandit/plugins/yaml_load.py @@ -39,7 +39,7 @@ """ import bandit -from bandit.core.issue import Cwe as Cwe +from bandit.core.cwemap import CWEMAP from bandit.core import test_properties as test @@ -61,7 +61,7 @@ def yaml_load(context): ]): return bandit.Issue( severity=bandit.MEDIUM, - cwe=Cwe.IMPROPER_INPUT_VALIDATION, + cwe=CWEMAP["B506"], confidence=bandit.HIGH, text="Use of unsafe yaml load. Allows instantiation of" " arbitrary objects. Consider yaml.safe_load().", From 0268604a36c037a666ebddd33d9f04f4b17f3971 Mon Sep 17 00:00:00 2001 From: Julian Thome Date: Tue, 7 Jul 2020 11:54:10 +0200 Subject: [PATCH 05/18] linting issues --- bandit/core/cwemap.py | 11 +++++------ bandit/plugins/app_debug.py | 2 +- bandit/plugins/asserts.py | 1 - bandit/plugins/crypto_request_no_cert_validation.py | 1 - bandit/plugins/django_xss.py | 2 +- bandit/plugins/exec.py | 2 +- 6 files changed, 8 insertions(+), 11 deletions(-) diff --git a/bandit/core/cwemap.py b/bandit/core/cwemap.py index b186b5170..cbb10632c 100644 --- a/bandit/core/cwemap.py +++ b/bandit/core/cwemap.py @@ -1,9 +1,8 @@ -from bandit.core.issue import Cwe as Cwe +# -*- coding:utf-8 -*- +# +# SPDX-License-Identifier: Apache-2.0 -# We can broadly classify all calls and imports from the denylist as -# being covered by CWE-829 https://cwe.mitre.org/data/definitions/829.html. -# However, as we have more contextual information, we use the most detailed and suitable -# CWE for every call/import. +from bandit.core.issue import Cwe as Cwe CWEMAP = { # Plugins @@ -84,4 +83,4 @@ "B412": Cwe.IMPROPER_ACCESS_CONTROL, "B413": Cwe.BROKEN_CRYPTO, "B414": Cwe.BROKEN_CRYPTO, -} \ No newline at end of file +} diff --git a/bandit/plugins/app_debug.py b/bandit/plugins/app_debug.py index fe4fb9568..5ba564709 100644 --- a/bandit/plugins/app_debug.py +++ b/bandit/plugins/app_debug.py 
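Review bot: The lint fix in cwemap.py deletes the only rationale the map had, the four-line comment explaining that denylist calls and imports broadly fall under CWE-829 but that the most specific suitable CWE is used per entry, instead of rewrapping it under the new license header; that sentence is what tells a maintainer why, for example, "B301" carries CWE-502 rather than CWE-829. Keep it, wrapped to the project's line length, as the module docstring or as a comment directly above `CWEMAP = {`.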
@@ -40,8 +40,8 @@ """ import bandit -from bandit.core import test_properties as test from bandit.core.cwemap import CWEMAP +from bandit.core import test_properties as test @test.test_id('B201') diff --git a/bandit/plugins/asserts.py b/bandit/plugins/asserts.py index dbaf00dd2..31e0c1d28 100644 --- a/bandit/plugins/asserts.py +++ b/bandit/plugins/asserts.py @@ -42,7 +42,6 @@ import bandit from bandit.core.cwemap import CWEMAP -from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test diff --git a/bandit/plugins/crypto_request_no_cert_validation.py b/bandit/plugins/crypto_request_no_cert_validation.py index 01ef20042..99809085a 100644 --- a/bandit/plugins/crypto_request_no_cert_validation.py +++ b/bandit/plugins/crypto_request_no_cert_validation.py @@ -43,7 +43,6 @@ import bandit from bandit.core.cwemap import CWEMAP -from bandit.core.issue import Cwe as Cwe from bandit.core import test_properties as test diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index 1f9ed8572..a2ef78da4 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -9,8 +9,8 @@ import six import bandit -from bandit.core import test_properties as test from bandit.core.cwemap import CWEMAP +from bandit.core import test_properties as test class DeepAssignation(object): diff --git a/bandit/plugins/exec.py b/bandit/plugins/exec.py index 110af5c82..af873d966 100644 --- a/bandit/plugins/exec.py +++ b/bandit/plugins/exec.py @@ -35,8 +35,8 @@ import six import bandit -from bandit.core import test_properties as test from bandit.core.cwemap import CWEMAP +from bandit.core import test_properties as test def exec_issue(): From a373ef5356816c2e10e445235d1c4570583e8be6 Mon Sep 17 00:00:00 2001 From: Julian Thome Date: Tue, 7 Jul 2020 12:04:58 +0200 Subject: [PATCH 06/18] add cwe to denylist --- bandit/core/blacklisting.py | 2 ++ bandit/core/cwemap.py | 3 +++ 2 files changed, 5 insertions(+) 
diff --git a/bandit/core/blacklisting.py b/bandit/core/blacklisting.py index aecf1512f..d06fc4f89 100644 --- a/bandit/core/blacklisting.py +++ b/bandit/core/blacklisting.py @@ -8,12 +8,14 @@ import fnmatch from bandit.core import issue +from bandit.core.cwemap import CWEMAP def report_issue(check, name): return issue.Issue( severity=check.get('level', 'MEDIUM'), confidence='HIGH', text=check['message'].replace('{name}', name), + cwe=CWEMAP[check.get("id", 'LEGACY')], ident=name, test_id=check.get("id", 'LEGACY')) diff --git a/bandit/core/cwemap.py b/bandit/core/cwemap.py index cbb10632c..625581fee 100644 --- a/bandit/core/cwemap.py +++ b/bandit/core/cwemap.py @@ -5,6 +5,9 @@ from bandit.core.issue import Cwe as Cwe CWEMAP = { + "B000": Cwe.UNDEF, + "LEGACY": Cwe.UNDEF, + # Plugins "B101": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, "B102": Cwe.OS_COMMAND_INJECTION, From e651e64482323bddbd5015c551f0ce805f2935a2 Mon Sep 17 00:00:00 2001 From: Julian Thome Date: Tue, 7 Jul 2020 12:07:09 +0200 Subject: [PATCH 07/18] make linter happy --- bandit/core/blacklisting.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/core/blacklisting.py b/bandit/core/blacklisting.py index d06fc4f89..52aed51ef 100644 --- a/bandit/core/blacklisting.py +++ b/bandit/core/blacklisting.py @@ -7,8 +7,8 @@ import ast import fnmatch -from bandit.core import issue from bandit.core.cwemap import CWEMAP +from bandit.core import issue def report_issue(check, name): From c34ae533095bbac2af74dc00ac9ce44a76943be3 Mon Sep 17 00:00:00 2001 From: Julian Thome Date: Tue, 7 Jul 2020 12:35:25 +0200 Subject: [PATCH 08/18] UNDEF -> NOTSET --- bandit/core/cwemap.py | 4 ++-- bandit/core/issue.py | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/bandit/core/cwemap.py b/bandit/core/cwemap.py index 625581fee..526a555e6 100644 --- a/bandit/core/cwemap.py +++ b/bandit/core/cwemap.py 
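Review bot: `cwe=CWEMAP[check.get("id", 'LEGACY')]` in report_issue raises KeyError for any denylist check whose id has no entry in CWEMAP, so a missing mapping for a new or externally supplied check becomes a scan-time crash, whereas the neighbouring `test_id=` line degrades to `'LEGACY'` gracefully. The id expression is also evaluated twice on adjacent lines. Bind it once and fall back to the `LEGACY` entry this same patch adds to the map: `test_id = check.get("id", 'LEGACY')` / `cwe=CWEMAP.get(test_id, CWEMAP['LEGACY'])` / `test_id=test_id`. The blacklisting hunk of PATCH 11 carries the same indexing as `cwemap.CWEMAP[...]` and needs the same treatment.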
@@ -5,8 +5,8 @@ from bandit.core.issue import Cwe as Cwe CWEMAP = { - "B000": Cwe.UNDEF, - "LEGACY": Cwe.UNDEF, + "B000": Cwe.NOTSET, + "LEGACY": Cwe.NOTSET, # Plugins "B101": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, diff --git a/bandit/core/issue.py b/bandit/core/issue.py index 114f30852..6c860efee 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py @@ -15,7 +15,7 @@ class Cwe(object): - UNDEF = 0 + NOTSET = 0 IMPROPER_INPUT_VALIDATION = 20 PATH_TRAVERSAL = 22 OS_COMMAND_INJECTION = 78 @@ -39,17 +39,17 @@ class Cwe(object): MITRE_URL_PATTERN = "https://cwe.mitre.org/data/definitions/%s.html" - def __init__(self, id=UNDEF): + def __init__(self, id=NOTSET): self.id = id def link(self): - if self.id == Cwe.UNDEF: + if self.id == Cwe.NOTSET: return "" return Cwe.MITRE_URL_PATTERN % str(self.id) def __str__(self): - if self.id == Cwe.UNDEF: + if self.id == Cwe.NOTSET: return "" return "CWE-%i (%s)" % (self.id, self.link()) @@ -58,7 +58,7 @@ def as_dict(self): return { "id": self.id, "link": self.link() - } if self.id != Cwe.UNDEF else {} + } if self.id != Cwe.NOTSET else {} def as_jsons(self): return str(self.as_dict()) @@ -67,7 +67,7 @@ def from_dict(self, data): if 'id' in data: self.id = int(data['id']) else: - self.id = Cwe.UNDEF + self.id = Cwe.NOTSET def __eq__(self, other): return self.id == other.id From 1b5296025359ff9b0d11d350b1a654082cc82e72 Mon Sep 17 00:00:00 2001 From: Julian T Date: Tue, 12 Jan 2021 14:57:45 +0100 Subject: [PATCH 09/18] Update issue.py --- bandit/core/issue.py | 1 - 1 file changed, 1 deletion(-) diff --git a/bandit/core/issue.py b/bandit/core/issue.py index 28f1036d9..71238ae8f 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py @@ -175,7 +175,6 @@ def as_dict(self, with_code=True): 'line_range': self.linerange, 'col_offset': self.col_offset } - if with_code: out['code'] = self.get_code() return out From 981df3f617d2f05c746ba06e520412c503ecbf80 Mon Sep 17 00:00:00 2001 
From: julian Date: Tue, 12 Jan 2021 15:55:07 +0100 Subject: [PATCH 10/18] test --- tests/unit/formatters/test_custom.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/unit/formatters/test_custom.py b/tests/unit/formatters/test_custom.py index 3a903ac97..8ac5b4a74 100644 --- a/tests/unit/formatters/test_custom.py +++ b/tests/unit/formatters/test_custom.py @@ -25,7 +25,7 @@ def setUp(self): 'col_offset': 30} self.check_name = 'hardcoded_bind_all_interfaces' self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM, - 'Possible binding to all interfaces.') + text='Possible binding to all interfaces.') self.manager.out_file = self.tmp_fname self.issue.fname = self.context['filename'] From a917d1d5bf29772d59d3d5aa787eebafddf2e673 Mon Sep 17 00:00:00 2001 
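Review bot: Switching only the third argument to `text=` leaves the second `bandit.MEDIUM` positional, which in the (severity, cwe, confidence, text) order the test_xml and test_manager hunks of PATCH 11 use now binds to `cwe` rather than `confidence`, so this fixture gets the string 'MEDIUM' as its CWE and a defaulted confidence. Issue's signature is outside this view, so confirm the order there, but every other test in the series passes a Cwe value in that slot. Pass the confidence by keyword as well: `self.issue = issue.Issue(bandit.MEDIUM, confidence=bandit.MEDIUM,` / `text='Possible binding to all interfaces.')`. setUp continues outside the hunk.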
From: Eric Brown Date: Sat, 29 Jan 2022 20:09:51 -0800 Subject: [PATCH 11/18] Apply suggestions from code review --- bandit/core/blacklisting.py | 4 ++-- bandit/core/cwemap.py | 2 +- bandit/plugins/app_debug.py | 2 +- bandit/plugins/asserts.py | 4 ++-- .../crypto_request_no_cert_validation.py | 4 ++-- bandit/plugins/django_sql_injection.py | 6 +++--- bandit/plugins/django_xss.py | 4 ++-- bandit/plugins/exec.py | 4 ++-- bandit/plugins/general_bad_file_permissions.py | 4 ++-- bandit/plugins/general_bind_all_interfaces.py | 4 ++-- bandit/plugins/general_hardcoded_password.py | 4 ++-- bandit/plugins/general_hardcoded_tmp.py | 4 ++-- .../plugins/hashlib_new_insecure_functions.py | 4 ++-- bandit/plugins/injection_paramiko.py | 4 ++-- bandit/plugins/injection_shell.py | 18 +++++++++--------- bandit/plugins/injection_sql.py | 4 ++-- bandit/plugins/injection_wildcard.py | 4 ++-- bandit/plugins/insecure_ssl_tls.py | 12 ++++++------ bandit/plugins/jinja2_templates.py | 8 ++++---- bandit/plugins/mako_templates.py | 4 ++-- bandit/plugins/ssh_no_host_key_verification.py | 4 ++-- bandit/plugins/try_except_continue.py | 4 ++-- bandit/plugins/try_except_pass.py | 4 ++-- bandit/plugins/weak_cryptographic_key.py | 4 ++-- bandit/plugins/yaml_load.py | 4 ++-- tests/unit/core/test_issue.py | 5 ++--- tests/unit/core/test_manager.py | 3 +-- tests/unit/formatters/test_text.py | 5 ++--- tests/unit/formatters/test_xml.py | 3 +-- 29 files changed, 68 insertions(+), 72 deletions(-) diff --git a/bandit/core/blacklisting.py b/bandit/core/blacklisting.py index 52aed51ef..dda484f19 100644 --- a/bandit/core/blacklisting.py +++ b/bandit/core/blacklisting.py @@ -7,7 +7,7 @@ import ast import fnmatch -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import issue 
@@ -15,7 +15,7 @@ def report_issue(check, name): return issue.Issue( severity=check.get('level', 'MEDIUM'), confidence='HIGH', text=check['message'].replace('{name}', name), - cwe=CWEMAP[check.get("id", 'LEGACY')], + cwe=cwemap.CWEMAP[check.get("id", 'LEGACY')], ident=name, test_id=check.get("id", 'LEGACY')) diff --git a/bandit/core/cwemap.py b/bandit/core/cwemap.py index 526a555e6..9aab80dc7 100644 --- a/bandit/core/cwemap.py +++ b/bandit/core/cwemap.py @@ -2,7 +2,7 @@ # # SPDX-License-Identifier: Apache-2.0 -from bandit.core.issue import Cwe as Cwe +from bandit.core import issue CWEMAP = { "B000": Cwe.NOTSET, diff --git a/bandit/plugins/app_debug.py b/bandit/plugins/app_debug.py index de5f8ebb0..03cd058e8 100644 --- a/bandit/plugins/app_debug.py +++ b/bandit/plugins/app_debug.py @@ -40,7 +40,7 @@ """ # noqa: E501 import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test diff --git a/bandit/plugins/asserts.py b/bandit/plugins/asserts.py index 6e9fa8a2d..29466243b 100644 --- a/bandit/plugins/asserts.py +++ b/bandit/plugins/asserts.py @@ -52,7 +52,7 @@ import fnmatch import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -71,7 +71,7 @@ def assert_used(context, config): return bandit.Issue( severity=bandit.LOW, - cwe=CWEMAP["B101"], + cwe=cwemap.CWEMAP["B101"], confidence=bandit.HIGH, text=("Use of assert detected. The enclosed code " "will be removed when compiling to optimised byte code.") diff --git a/bandit/plugins/crypto_request_no_cert_validation.py b/bandit/plugins/crypto_request_no_cert_validation.py index 99809085a..87c813e41 100644 --- a/bandit/plugins/crypto_request_no_cert_validation.py +++ b/bandit/plugins/crypto_request_no_cert_validation.py @@ -42,7 +42,7 @@ """ import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test 
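Review bot: The cwemap.py hunk swaps `from bandit.core.issue import Cwe as Cwe` for `from bandit.core import issue` but leaves the context line `"B000": Cwe.NOTSET,` referring to the bare name `Cwe`, which no longer exists in the module, so importing `bandit.core.cwemap` — which every plugin in this patch now does — would raise NameError at module load. The PATCH 12 hunk at the end of this page qualifies B101 onward as `issue.Cwe.…` but its context still shows `"LEGACY": Cwe.NOTSET,` unqualified, so the problem survives that patch too. Change both entries to `"B000": issue.Cwe.NOTSET,` and `"LEGACY": issue.Cwe.NOTSET,`. The dict literal continues outside the hunk.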
@@ -55,7 +55,7 @@ def request_with_no_cert_validation(context): if context.check_call_arg_value('verify', 'False'): issue = bandit.Issue( severity=bandit.HIGH, - cwe=CWEMAP["B501"], + cwe=cwemap.CWEMAP["B501"], confidence=bandit.HIGH, text="Requests call with verify=False disabling SSL " "certificate checks, security issue.", diff --git a/bandit/plugins/django_sql_injection.py b/bandit/plugins/django_sql_injection.py index 9af9ddcb1..ee9c3feac 100644 --- a/bandit/plugins/django_sql_injection.py +++ b/bandit/plugins/django_sql_injection.py @@ -8,7 +8,7 @@ import ast import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -78,7 +78,7 @@ def django_extra_used(context): if insecure: return bandit.Issue( severity=bandit.MEDIUM, - cwe=CWEMAP["B611"], + cwe=cwemap.CWEMAP["B611"], confidence=bandit.MEDIUM, text=description ) @@ -104,7 +104,7 @@ def django_rawsql_used(context): if not isinstance(sql, ast.Str): return bandit.Issue( severity=bandit.MEDIUM, - cwe=CWEMAP["B611"], + cwe=cwemap.CWEMAP["B611"], confidence=bandit.MEDIUM, text=description ) diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index 6ffbe5200..38f921c83 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -7,7 +7,7 @@ import ast import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -222,7 +222,7 @@ def check_risk(node): if not secure: return bandit.Issue( severity=bandit.MEDIUM, - cwe=CWEMAP["B703"], + cwe=cwemap.CWEMAP["B703"], confidence=bandit.HIGH, text=description ) diff --git a/bandit/plugins/exec.py b/bandit/plugins/exec.py index c0e8c8c45..47a23c19a 100644 --- a/bandit/plugins/exec.py +++ b/bandit/plugins/exec.py 
@@ -33,14 +33,14 @@ """ import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test def exec_issue(): return bandit.Issue( severity=bandit.MEDIUM, - cwe=CWEMAP["B102"], + cwe=cwemap.CWEMAP["B102"], confidence=bandit.HIGH, text="Use of exec detected." ) diff --git a/bandit/plugins/general_bad_file_permissions.py b/bandit/plugins/general_bad_file_permissions.py index 137b74f9e..d8740e450 100644 --- a/bandit/plugins/general_bad_file_permissions.py +++ b/bandit/plugins/general_bad_file_permissions.py @@ -50,7 +50,7 @@ import stat import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -74,7 +74,7 @@ def set_bad_file_permissions(context): filename = 'NOT PARSED' return bandit.Issue( severity=sev_level, - cwe=CWEMAP["B103"], + cwe=cwemap.CWEMAP["B103"], confidence=bandit.HIGH, text="Chmod setting a permissive mask %s on file (%s)." % (oct(mode), filename) diff --git a/bandit/plugins/general_bind_all_interfaces.py b/bandit/plugins/general_bind_all_interfaces.py index b5f996231..0cde3cce9 100644 --- a/bandit/plugins/general_bind_all_interfaces.py +++ b/bandit/plugins/general_bind_all_interfaces.py @@ -34,7 +34,7 @@ """ import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -44,7 +44,7 @@ def hardcoded_bind_all_interfaces(context): if context.string_val == '0.0.0.0': return bandit.Issue( severity=bandit.MEDIUM, - cwe=CWEMAP["B104"], + cwe=cwemap.CWEMAP["B104"], confidence=bandit.MEDIUM, text="Possible binding to all interfaces." ) diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py index c3075dbec..0dd93834c 100644 --- a/bandit/plugins/general_hardcoded_password.py +++ b/bandit/plugins/general_hardcoded_password.py 
@@ -8,7 +8,7 @@ import re import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -22,7 +22,7 @@ def _report(value): return bandit.Issue( severity=bandit.LOW, - cwe=CWEMAP["B105"], + cwe=cwemap.CWEMAP["B105"], confidence=bandit.MEDIUM, text=("Possible hardcoded password: '%s'" % value)) diff --git a/bandit/plugins/general_hardcoded_tmp.py b/bandit/plugins/general_hardcoded_tmp.py index 3bc650197..5e831c252 100644 --- a/bandit/plugins/general_hardcoded_tmp.py +++ b/bandit/plugins/general_hardcoded_tmp.py @@ -51,7 +51,7 @@ """ # noqa: E501 import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -72,7 +72,7 @@ def hardcoded_tmp_directory(context, config): if any(context.string_val.startswith(s) for s in tmp_dirs): return bandit.Issue( severity=bandit.MEDIUM, - cwe=CWEMAP["B108"], + cwe=cwemap.CWEMAP["B108"], confidence=bandit.MEDIUM, text="Probable insecure usage of temp file/directory." ) diff --git a/bandit/plugins/hashlib_new_insecure_functions.py b/bandit/plugins/hashlib_new_insecure_functions.py index 62771b4cb..29d58c2ad 100644 --- a/bandit/plugins/hashlib_new_insecure_functions.py +++ b/bandit/plugins/hashlib_new_insecure_functions.py @@ -31,7 +31,7 @@ """ import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -49,7 +49,7 @@ def hashlib_new(context): name.lower() in ('md4', 'md5', 'sha', 'sha1')): return bandit.Issue( severity=bandit.MEDIUM, - cwe=CWEMAP["B324"], + cwe=cwemap.CWEMAP["B324"], confidence=bandit.HIGH, text="Use of insecure MD4 or MD5 hash function.", lineno=context.node.lineno, diff --git a/bandit/plugins/injection_paramiko.py b/bandit/plugins/injection_paramiko.py index c3ba33ef6..1a32950e7 100644 --- a/bandit/plugins/injection_paramiko.py +++ b/bandit/plugins/injection_paramiko.py 
@@ -39,7 +39,7 @@ """ import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -52,6 +52,6 @@ def paramiko_calls(context): if context.is_module_imported_like(module): if context.call_function_name in ['exec_command']: return bandit.Issue(severity=bandit.MEDIUM, - cwe=CWEMAP["B601"], + cwe=cwemap.CWEMAP["B601"], confidence=bandit.MEDIUM, text=issue_text) diff --git a/bandit/plugins/injection_shell.py b/bandit/plugins/injection_shell.py index 4771b9792..208e39f03 100644 --- a/bandit/plugins/injection_shell.py +++ b/bandit/plugins/injection_shell.py @@ -8,7 +8,7 @@ import re import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -199,7 +199,7 @@ def subprocess_popen_with_shell_equals_true(context, config): if sev == bandit.LOW: return bandit.Issue( severity=bandit.LOW, - cwe=CWEMAP["B602"], + cwe=cwemap.CWEMAP["B602"], confidence=bandit.HIGH, text='subprocess call with shell=True seems safe, but ' 'may be changed in the future, consider ' @@ -209,7 +209,7 @@ def subprocess_popen_with_shell_equals_true(context, config): else: return bandit.Issue( severity=bandit.HIGH, - cwe=CWEMAP["B602"], + cwe=cwemap.CWEMAP["B602"], confidence=bandit.HIGH, text='subprocess call with shell=True identified, ' 'security issue.', @@ -289,7 +289,7 @@ def subprocess_without_shell_equals_true(context, config): if not has_shell(context): return bandit.Issue( severity=bandit.LOW, - cwe=CWEMAP["B603"], + cwe=cwemap.CWEMAP["B603"], confidence=bandit.HIGH, text='subprocess call - check for execution of untrusted ' 'input.', @@ -368,7 +368,7 @@ def any_other_function_with_shell_equals_true(context, config): if has_shell(context): return bandit.Issue( severity=bandit.MEDIUM, - cwe=CWEMAP["B604"], + cwe=cwemap.CWEMAP["B604"], confidence=bandit.LOW, text='Function call with shell=True parameter identified, ' 'possible security issue.', 
@@ -455,7 +455,7 @@ def start_process_with_a_shell(context, config): if sev == bandit.LOW: return bandit.Issue( severity=bandit.LOW, - cwe=CWEMAP["B605"], + cwe=cwemap.CWEMAP["B605"], confidence=bandit.HIGH, text='Starting a process with a shell: ' 'Seems safe, but may be changed in the future, ' @@ -464,7 +464,7 @@ def start_process_with_a_shell(context, config): else: return bandit.Issue( severity=bandit.HIGH, - cwe=CWEMAP["B605"], + cwe=cwemap.CWEMAP["B605"], confidence=bandit.HIGH, text='Starting a process with a shell, possible injection' ' detected, security issue.' @@ -553,7 +553,7 @@ def start_process_with_no_shell(context, config): if config and context.call_function_name_qual in config['no_shell']: return bandit.Issue( severity=bandit.LOW, - cwe=CWEMAP["B606"], + cwe=cwemap.CWEMAP["B606"], confidence=bandit.MEDIUM, text='Starting a process without a shell.' ) @@ -649,7 +649,7 @@ def start_process_with_partial_path(context, config): if isinstance(node, ast.Str) and not full_path_match.match(node.s): return bandit.Issue( severity=bandit.LOW, - cwe=CWEMAP["B607"], + cwe=cwemap.CWEMAP["B607"], confidence=bandit.HIGH, text='Starting a process with a partial executable path' ) diff --git a/bandit/plugins/injection_sql.py b/bandit/plugins/injection_sql.py index ba8f6961e..313225212 100644 --- a/bandit/plugins/injection_sql.py +++ b/bandit/plugins/injection_sql.py @@ -55,7 +55,7 @@ import re import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test from bandit.core import utils @@ -105,7 +105,7 @@ def hardcoded_sql_expressions(context): if _check_string(val[1]): return bandit.Issue( severity=bandit.MEDIUM, - cwe=CWEMAP["B608"], + cwe=cwemap.CWEMAP["B608"], confidence=bandit.MEDIUM if val[0] else bandit.LOW, text="Possible SQL injection vector through string-based " "query construction." 
diff --git a/bandit/plugins/injection_wildcard.py b/bandit/plugins/injection_wildcard.py index ab505cec0..56428f99d 100644 --- a/bandit/plugins/injection_wildcard.py +++ b/bandit/plugins/injection_wildcard.py @@ -97,7 +97,7 @@ """ import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test from bandit.plugins import injection_shell # NOTE(tkelsey): shared config @@ -132,7 +132,7 @@ def linux_commands_wildcard_injection(context, config): ): return bandit.Issue( severity=bandit.HIGH, - cwe=CWEMAP["B609"], + cwe=cwemap.CWEMAP["B609"], confidence=bandit.MEDIUM, text="Possible wildcard injection in call: %s" % context.call_function_name_qual, diff --git a/bandit/plugins/insecure_ssl_tls.py b/bandit/plugins/insecure_ssl_tls.py index bb95a525a..7d417e5ba 100644 --- a/bandit/plugins/insecure_ssl_tls.py +++ b/bandit/plugins/insecure_ssl_tls.py @@ -5,7 +5,7 @@ # SPDX-License-Identifier: Apache-2.0 import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -105,7 +105,7 @@ def ssl_with_bad_version(context, config): if context.check_call_arg_value('ssl_version', bad_ssl_versions): return bandit.Issue( severity=bandit.HIGH, - cwe=CWEMAP["B502"], + cwe=cwemap.CWEMAP["B502"], confidence=bandit.HIGH, text="ssl.wrap_socket call with insecure SSL/TLS protocol " "version identified, security issue.", @@ -115,7 +115,7 @@ def ssl_with_bad_version(context, config): if context.check_call_arg_value('method', bad_ssl_versions): return bandit.Issue( severity=bandit.HIGH, - cwe=CWEMAP["B502"], + cwe=cwemap.CWEMAP["B502"], confidence=bandit.HIGH, text="SSL.Context call with insecure SSL/TLS protocol " "version identified, security issue.", 
@@ -130,7 +130,7 @@ def ssl_with_bad_version(context, config): context.get_lineno_for_call_arg('ssl_version')) return bandit.Issue( severity=bandit.MEDIUM, - cwe=CWEMAP["B502"], + cwe=cwemap.CWEMAP["B502"], confidence=bandit.MEDIUM, text="Function call with insecure SSL/TLS protocol " "identified, possible security issue.", @@ -188,7 +188,7 @@ def ssl_with_bad_defaults(context, config): if val in bad_ssl_versions: return bandit.Issue( severity=bandit.MEDIUM, - cwe=CWEMAP["B503"], + cwe=cwemap.CWEMAP["B503"], confidence=bandit.MEDIUM, text="Function definition identified with insecure SSL/TLS " "protocol version by default, possible security " @@ -247,7 +247,7 @@ def ssl_with_no_version(context): # tests for that (ssl_version is not specified). return bandit.Issue( severity=bandit.LOW, - cwe=CWEMAP["B504"], + cwe=cwemap.CWEMAP["B504"], confidence=bandit.MEDIUM, text="ssl.wrap_socket call with no SSL/TLS protocol version " "specified, the default SSLv23 could be insecure, " diff --git a/bandit/plugins/jinja2_templates.py b/bandit/plugins/jinja2_templates.py index bf5a6e666..921f9e3d1 100644 --- a/bandit/plugins/jinja2_templates.py +++ b/bandit/plugins/jinja2_templates.py @@ -63,7 +63,7 @@ import ast import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -83,7 +83,7 @@ def jinja2_autoescape_false(context): getattr(node.value, 'value', None) is False)): return bandit.Issue( severity=bandit.HIGH, - cwe=CWEMAP["B701"], + cwe=cwemap.CWEMAP["B701"], confidence=bandit.HIGH, text="Using jinja2 templates with autoescape=" "False is dangerous and can lead to XSS. " @@ -104,7 +104,7 @@ def jinja2_autoescape_false(context): else: return bandit.Issue( severity=bandit.HIGH, - cwe=CWEMAP["B701"], + cwe=cwemap.CWEMAP["B701"], confidence=bandit.MEDIUM, text="Using jinja2 templates with autoescape=" "False is dangerous and can lead to XSS. " 
@@ -116,7 +116,7 @@ def jinja2_autoescape_false(context): # behavior return bandit.Issue( severity=bandit.HIGH, - cwe=CWEMAP["B701"], + cwe=cwemap.CWEMAP["B701"], confidence=bandit.HIGH, text="By default, jinja2 sets autoescape to False. Consider " "using autoescape=True or use the select_autoescape " diff --git a/bandit/plugins/mako_templates.py b/bandit/plugins/mako_templates.py index 96f94252d..8ac16da53 100644 --- a/bandit/plugins/mako_templates.py +++ b/bandit/plugins/mako_templates.py @@ -41,7 +41,7 @@ """ import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -57,7 +57,7 @@ def use_of_mako_templates(context): # feature and thus each variable must be carefully sanitized. return bandit.Issue( severity=bandit.MEDIUM, - cwe=CWEMAP["B702"], + cwe=cwemap.CWEMAP["B702"], confidence=bandit.HIGH, text="Mako templates allow HTML/JS rendering by default and " "are inherently open to XSS attacks. Ensure variables " diff --git a/bandit/plugins/ssh_no_host_key_verification.py b/bandit/plugins/ssh_no_host_key_verification.py index 5d5bca6e6..c34ca31b0 100644 --- a/bandit/plugins/ssh_no_host_key_verification.py +++ b/bandit/plugins/ssh_no_host_key_verification.py @@ -34,7 +34,7 @@ """ import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -47,7 +47,7 @@ def ssh_no_host_key_verification(context): context.call_args[0] in ['AutoAddPolicy', 'WarningPolicy']): issue = bandit.Issue( severity=bandit.HIGH, - cwe=CWEMAP["B507"], + cwe=cwemap.CWEMAP["B507"], confidence=bandit.MEDIUM, text='Paramiko call with policy set to automatically trust ' 'the unknown host key.', diff --git a/bandit/plugins/try_except_continue.py b/bandit/plugins/try_except_continue.py index 81c57177d..392a5afa8 100644 --- a/bandit/plugins/try_except_continue.py +++ b/bandit/plugins/try_except_continue.py 
@@ -74,7 +74,7 @@ class (or no type). To accommodate this, the test may be configured to ignore import ast import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -97,6 +97,6 @@ def try_except_continue(context, config): if isinstance(node.body[0], ast.Continue): return bandit.Issue( severity=bandit.LOW, - cwe=CWEMAP["B112"], + cwe=cwemap.CWEMAP["B112"], confidence=bandit.HIGH, text=("Try, Except, Continue detected.")) diff --git a/bandit/plugins/try_except_pass.py b/bandit/plugins/try_except_pass.py index 0cf616785..1b3eedaa4 100644 --- a/bandit/plugins/try_except_pass.py +++ b/bandit/plugins/try_except_pass.py @@ -73,7 +73,7 @@ class (or no type). To accommodate this, the test may be configured to ignore import ast import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -96,7 +96,7 @@ def try_except_pass(context, config): if isinstance(node.body[0], ast.Pass): return bandit.Issue( severity=bandit.LOW, - cwe=CWEMAP["B110"], + cwe=cwemap.CWEMAP["B110"], confidence=bandit.HIGH, text=("Try, Except, Pass detected.") ) diff --git a/bandit/plugins/weak_cryptographic_key.py b/bandit/plugins/weak_cryptographic_key.py index ac8e81279..487f9fdd2 100644 --- a/bandit/plugins/weak_cryptographic_key.py +++ b/bandit/plugins/weak_cryptographic_key.py @@ -37,7 +37,7 @@ """ import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -71,7 +71,7 @@ def _classify_key_size(config, key_type, key_size): if key_size < size: return bandit.Issue( severity=level, - cwe=CWEMAP["B505"], + cwe=cwemap.CWEMAP["B505"], confidence=bandit.HIGH, text='%s key sizes below %d bits are considered breakable. ' % (key_type, size)) diff --git a/bandit/plugins/yaml_load.py b/bandit/plugins/yaml_load.py index 45cb66753..bf7e78486 100644 --- a/bandit/plugins/yaml_load.py 
+++ b/bandit/plugins/yaml_load.py @@ -39,7 +39,7 @@ """ import bandit -from bandit.core.cwemap import CWEMAP +from bandit.core import cwemap from bandit.core import test_properties as test @@ -61,7 +61,7 @@ def yaml_load(context): ]): return bandit.Issue( severity=bandit.MEDIUM, - cwe=CWEMAP["B506"], + cwe=cwemap.CWEMAP["B506"], confidence=bandit.HIGH, text="Use of unsafe yaml load. Allows instantiation of" " arbitrary objects. Consider yaml.safe_load().", diff --git a/tests/unit/core/test_issue.py b/tests/unit/core/test_issue.py index b05d89927..29e4cb3d6 100644 --- a/tests/unit/core/test_issue.py +++ b/tests/unit/core/test_issue.py @@ -10,7 +10,6 @@ import bandit from bandit.core import constants from bandit.core import issue -from bandit.core.issue import Cwe as Cwe class IssueTests(testtools.TestCase): @@ -27,7 +26,7 @@ def test_issue_str(self): "Confidence: MEDIUM at code.py:1") self.assertEqual( - expect % str(Cwe(Cwe.MULTIPLE_BINDS)), + expect % str(issue.Cwe(issue.Cwe.MULTIPLE_BINDS)), str(test_issue) ) @@ -114,7 +113,7 @@ def test_matches_issue(self): def test_get_code(self, getline): getline.return_value = b'\x08\x30' new_issue = issue.Issue(bandit.MEDIUM, - cwe=Cwe.MULTIPLE_BINDS, + cwe=issue.Cwe.MULTIPLE_BINDS, lineno=1) try: diff --git a/tests/unit/core/test_manager.py b/tests/unit/core/test_manager.py index 85cea7874..8ecf67aa6 100644 --- a/tests/unit/core/test_manager.py +++ b/tests/unit/core/test_manager.py @@ -13,13 +13,12 @@ from bandit.core import config from bandit.core import constants from bandit.core import issue -from bandit.core.issue import Cwe as Cwe from bandit.core import manager class ManagerTests(testtools.TestCase): - def _get_issue_instance(self, sev=constants.MEDIUM, cwe=Cwe.MULTIPLE_BINDS, + def _get_issue_instance(self, sev=constants.MEDIUM, cwe=issue.Cwe.MULTIPLE_BINDS, conf=constants.MEDIUM): new_issue = issue.Issue(sev, cwe, conf, 'Test issue') new_issue.fname = 'code.py' 
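Review bot: The rewritten `_get_issue_instance` signature in the test_manager hunk runs to about 85 columns once `cwe=issue.Cwe.MULTIPLE_BINDS,` is inlined, which exceeds the 79-column limit this series is otherwise lint-fixing (PATCH 05 and PATCH 07 exist for that, and app_debug carries a `# noqa: E501`), assuming the default flake8 limit applies. Wrap the parameters instead: `def _get_issue_instance(self, sev=constants.MEDIUM,` / `cwe=issue.Cwe.MULTIPLE_BINDS,` / `conf=constants.MEDIUM):`. The method body continues outside the hunk.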
diff --git a/tests/unit/formatters/test_text.py b/tests/unit/formatters/test_text.py index 619ca69cd..932366097 100644 --- a/tests/unit/formatters/test_text.py +++ b/tests/unit/formatters/test_text.py @@ -13,7 +13,6 @@ from bandit.core import config from bandit.core import docs_utils from bandit.core import issue -from bandit.core.issue import Cwe as Cwe from bandit.core import manager from bandit.formatters import text as b_text @@ -134,7 +133,7 @@ def test_report_nobaseline(self, get_issue_list): 'binding.py (score: ', "CONFIDENCE: 1", "SEVERITY: 1", - "CWE: %s" % str(Cwe(Cwe.MULTIPLE_BINDS)), + "CWE: %s" % str(issue.Cwe(issue.Cwe.MULTIPLE_BINDS)), 'Files excluded (1):', 'def.py', 'Undefined: 1', @@ -191,7 +190,7 @@ def test_report_baseline(self, get_issue_list): output_str.assert_has_calls(calls, any_order=True) -def _get_issue_instance(severity=bandit.MEDIUM, cwe=Cwe.MULTIPLE_BINDS, +def _get_issue_instance(severity=bandit.MEDIUM, cwe=issue.Cwe.MULTIPLE_BINDS, confidence=bandit.MEDIUM): new_issue = issue.Issue(severity, cwe, confidence, 'Test issue') new_issue.fname = 'code.py' diff --git a/tests/unit/formatters/test_xml.py b/tests/unit/formatters/test_xml.py index bf5b161fe..7005f90fa 100644 --- a/tests/unit/formatters/test_xml.py +++ b/tests/unit/formatters/test_xml.py @@ -11,7 +11,6 @@ import bandit from bandit.core import config from bandit.core import issue -from bandit.core.issue import Cwe as Cwe from bandit.core import manager from bandit.formatters import xml as b_xml @@ -27,7 +26,7 @@ def setUp(self): 'lineno': 4, 'linerange': [4]} self.check_name = 'hardcoded_bind_all_interfaces' - self.issue = issue.Issue(bandit.MEDIUM, Cwe.MULTIPLE_BINDS, + self.issue = issue.Issue(bandit.MEDIUM, issue.Cwe.MULTIPLE_BINDS, bandit.MEDIUM, 'Possible binding to all interfaces.') self.manager.out_file = self.tmp_fname From bf48b1a06159008df82c63cebf19e9c76eb02dd7 Mon Sep 17 00:00:00 2001 
From: Eric Brown
Date: Sat, 29 Jan 2022 20:15:33 -0800
Subject: [PATCH 12/18] Apply suggestions from code review
---
 bandit/core/cwemap.py | 136 ++++++++++++++++++------------------
 bandit/plugins/app_debug.py | 2 +-
 2 files changed, 69 insertions(+), 69 deletions(-)
diff --git a/bandit/core/cwemap.py b/bandit/core/cwemap.py
index 9aab80dc7..7766a5c43 100644
--- a/bandit/core/cwemap.py
+++ b/bandit/core/cwemap.py
@@ -9,81 +9,81 @@
 "LEGACY": Cwe.NOTSET,
 # Plugins
- "B101": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
- "B102": Cwe.OS_COMMAND_INJECTION,
- "B103": Cwe.INCORRECT_PERMISSION_ASSIGNMENT,
- "B104": Cwe.MULTIPLE_BINDS,
- "B105": Cwe.HARD_CODED_PASSWORD,
- "B108": Cwe.INSECURE_TEMP_FILE,
- "B110": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
- "B112": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
+ "B101": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
+ "B102": issue.Cwe.OS_COMMAND_INJECTION,
+ "B103": issue.Cwe.INCORRECT_PERMISSION_ASSIGNMENT,
+ "B104": issue.Cwe.MULTIPLE_BINDS,
+ "B105": issue.Cwe.HARD_CODED_PASSWORD,
+ "B108": issue.Cwe.INSECURE_TEMP_FILE,
+ "B110": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
+ "B112": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
- "B201": Cwe.CODE_INJECTION,
+ "B201": issue.Cwe.CODE_INJECTION,
- "B324": Cwe.BROKEN_CRYPTO,
+ "B324": issue.Cwe.BROKEN_CRYPTO,
- "B501": Cwe.IMPROPER_CERT_VALIDATION,
- "B502": Cwe.BROKEN_CRYPTO,
- "B503": Cwe.BROKEN_CRYPTO,
- "B504": Cwe.BROKEN_CRYPTO,
- "B505": Cwe.INADEQUATE_ENCRYPTION_STRENGTH,
- "B506": Cwe.IMPROPER_INPUT_VALIDATION,
- "B507": Cwe.IMPROPER_CERT_VALIDATION,
+ "B501": issue.Cwe.IMPROPER_CERT_VALIDATION,
+ "B502": issue.Cwe.BROKEN_CRYPTO,
+ "B503": issue.Cwe.BROKEN_CRYPTO,
+ "B504": issue.Cwe.BROKEN_CRYPTO,
+ "B505": issue.Cwe.INADEQUATE_ENCRYPTION_STRENGTH,
+ "B506": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B507": issue.Cwe.IMPROPER_CERT_VALIDATION,
- "B601": Cwe.OS_COMMAND_INJECTION,
- "B602": Cwe.OS_COMMAND_INJECTION,
- "B603": Cwe.OS_COMMAND_INJECTION,
- "B604": Cwe.OS_COMMAND_INJECTION,
- "B605": Cwe.OS_COMMAND_INJECTION,
- "B606": Cwe.OS_COMMAND_INJECTION,
- "B607": Cwe.OS_COMMAND_INJECTION,
- "B608": Cwe.SQL_INJECTION,
- "B609": Cwe.IMPROPER_WILDCARD_NEUTRALIZATION,
- "B611": Cwe.SQL_INJECTION,
+ "B601": issue.Cwe.OS_COMMAND_INJECTION,
+ "B602": issue.Cwe.OS_COMMAND_INJECTION,
+ "B603": issue.Cwe.OS_COMMAND_INJECTION,
+ "B604": issue.Cwe.OS_COMMAND_INJECTION,
+ "B605": issue.Cwe.OS_COMMAND_INJECTION,
+ "B606": issue.Cwe.OS_COMMAND_INJECTION,
+ "B607": issue.Cwe.OS_COMMAND_INJECTION,
+ "B608": issue.Cwe.SQL_INJECTION,
+ "B609": issue.Cwe.IMPROPER_WILDCARD_NEUTRALIZATION,
+ "B611": issue.Cwe.SQL_INJECTION,
- "B701": Cwe.CODE_INJECTION,
- "B702": Cwe.BASIC_XSS,
- "B703": Cwe.BASIC_XSS,
+ "B701": issue.Cwe.CODE_INJECTION,
+ "B702": issue.Cwe.BASIC_XSS,
+ "B703": issue.Cwe.BASIC_XSS,
 # Calls
- "B301": Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
- "B302": Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
- "B303": Cwe.BROKEN_CRYPTO,
- "B304": Cwe.BROKEN_CRYPTO,
- "B305": Cwe.BROKEN_CRYPTO,
- "B306": Cwe.INSECURE_TEMP_FILE,
- "B307": Cwe.OS_COMMAND_INJECTION,
- "B308": Cwe.XSS,
- "B309": Cwe.CLEARTEXT_TRANSMISSION,
- "B310": Cwe.PATH_TRAVERSAL,
- "B311": Cwe.INSUFFICIENT_RANDOM_VALUES,
- "B312": Cwe.CLEARTEXT_TRANSMISSION,
- "B313": Cwe.IMPROPER_INPUT_VALIDATION,
- "B314": Cwe.IMPROPER_INPUT_VALIDATION,
- "B315": Cwe.IMPROPER_INPUT_VALIDATION,
- "B316": Cwe.IMPROPER_INPUT_VALIDATION,
- "B317": Cwe.IMPROPER_INPUT_VALIDATION,
- "B318": Cwe.IMPROPER_INPUT_VALIDATION,
- "B319": Cwe.IMPROPER_INPUT_VALIDATION,
- "B320": Cwe.IMPROPER_INPUT_VALIDATION,
- "B321": Cwe.CLEARTEXT_TRANSMISSION,
- "B322": Cwe.OS_COMMAND_INJECTION,
- "B323": Cwe.IMPROPER_CERT_VALIDATION,
- "B325": Cwe.INSECURE_TEMP_FILE,
+ "B301": issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
+ "B302": issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
+ "B303": issue.Cwe.BROKEN_CRYPTO,
+ "B304": issue.Cwe.BROKEN_CRYPTO,
+ "B305": issue.Cwe.BROKEN_CRYPTO,
+ "B306": issue.Cwe.INSECURE_TEMP_FILE,
+ "B307": issue.Cwe.OS_COMMAND_INJECTION,
+ "B308": issue.Cwe.XSS,
+ "B309": issue.Cwe.CLEARTEXT_TRANSMISSION,
+ "B310": issue.Cwe.PATH_TRAVERSAL,
+ "B311": issue.Cwe.INSUFFICIENT_RANDOM_VALUES,
+ "B312": issue.Cwe.CLEARTEXT_TRANSMISSION,
+ "B313": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B314": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B315": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B316": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B317": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B318": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B319": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B320": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B321": issue.Cwe.CLEARTEXT_TRANSMISSION,
+ "B322": issue.Cwe.OS_COMMAND_INJECTION,
+ "B323": issue.Cwe.IMPROPER_CERT_VALIDATION,
+ "B325": issue.Cwe.INSECURE_TEMP_FILE,
 # Imports
- "B401": Cwe.CLEARTEXT_TRANSMISSION,
- "B402": Cwe.CLEARTEXT_TRANSMISSION,
- "B403": Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
- "B404": Cwe.OS_COMMAND_INJECTION,
- "B405": Cwe.IMPROPER_INPUT_VALIDATION,
- "B406": Cwe.IMPROPER_INPUT_VALIDATION,
- "B407": Cwe.IMPROPER_INPUT_VALIDATION,
- "B408": Cwe.IMPROPER_INPUT_VALIDATION,
- "B409": Cwe.IMPROPER_INPUT_VALIDATION,
- "B410": Cwe.IMPROPER_INPUT_VALIDATION,
- "B411": Cwe.IMPROPER_INPUT_VALIDATION,
- "B412": Cwe.IMPROPER_ACCESS_CONTROL,
- "B413": Cwe.BROKEN_CRYPTO,
- "B414": Cwe.BROKEN_CRYPTO,
+ "B401": issue.Cwe.CLEARTEXT_TRANSMISSION,
+ "B402": issue.Cwe.CLEARTEXT_TRANSMISSION,
+ "B403": issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
+ "B404": issue.Cwe.OS_COMMAND_INJECTION,
+ "B405": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B406": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B407": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B408": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B409": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B410": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B411": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+ "B412": issue.Cwe.IMPROPER_ACCESS_CONTROL,
+ "B413": issue.Cwe.BROKEN_CRYPTO,
+ "B414": issue.Cwe.BROKEN_CRYPTO,
 }
diff --git a/bandit/plugins/app_debug.py b/bandit/plugins/app_debug.py
index 03cd058e8..01d2b6fbf 100644
--- a/bandit/plugins/app_debug.py
+++ b/bandit/plugins/app_debug.py
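Review bot: The XSS-related ids are split across two different constants with nothing explaining why — `"B308": issue.Cwe.XSS` under Calls versus `"B702"`/`"B703": issue.Cwe.BASIC_XSS` under Plugins — so a reader cannot tell whether the CWE-79/CWE-80 distinction is deliberate or a copy-paste slip, and the same question applies to `"B102"` and `"B307"` landing on `OS_COMMAND_INJECTION` while `"B201"` and `"B701"` use `CODE_INJECTION`, if B102/B307 are the exec/eval checks their numbering suggests. Either settle on one CWE per finding class or leave a comment at the first entry of each group naming the rule, e.g. `# XSS: B308 reports CWE-79, B702/B703 report CWE-80 — keep in sync with the plugin docs`. The module also has no docstring; something like `"""Map of bandit test ids to the issue.Cwe each finding is reported under; any id looked up via cwemap.CWEMAP[...] must have an entry here."""` would tell plugin authors what they have to maintain. The `issue.Cwe` constants themselves are defined outside this hunk.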
@@ -52,7 +52,7 @@ def flask_debug_true(context): if context.check_call_arg_value('debug', 'True'): return bandit.Issue( severity=bandit.HIGH, - cwe=CWEMAP["B201"], + cwe=cwemap.CWEMAP["B201"], confidence=bandit.MEDIUM, text="A Flask app appears to be run with debug=True, " "which exposes the Werkzeug debugger and allows " From 01b50d15845a4e7d078de659edc062845826ce8f Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Sat, 29 Jan 2022 21:51:49 -0800 Subject: [PATCH 13/18] Apply suggestions from code review --- bandit/core/cwemap.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bandit/core/cwemap.py b/bandit/core/cwemap.py index 7766a5c43..2bdaedd7e 100644 --- a/bandit/core/cwemap.py +++ b/bandit/core/cwemap.py @@ -5,8 +5,8 @@ from bandit.core import issue CWEMAP = { - "B000": Cwe.NOTSET, - "LEGACY": Cwe.NOTSET, + "B000": issue.Cwe.NOTSET, + "LEGACY": issue.Cwe.NOTSET, # Plugins "B101": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, From 8284b59d24155ee96a4f97c4dd4f8beda9d51260 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Sat, 29 Jan 2022 21:58:39 -0800 Subject: [PATCH 14/18] Apply suggestions from code review --- tests/unit/core/test_issue.py | 2 +- tests/unit/core/test_manager.py | 2 +- tests/unit/formatters/test_json.py | 7 +++---- 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/tests/unit/core/test_issue.py b/tests/unit/core/test_issue.py index ebc66f573..1d524a9f4 100644 --- a/tests/unit/core/test_issue.py +++ b/tests/unit/core/test_issue.py @@ -118,7 +118,7 @@ def test_get_code(self, getline): self.fail("Bytes not properly decoded in issue.get_code()") -def _get_issue_instance(severity=bandit.MEDIUM, cwe=Cwe.MULTIPLE_BINDS, confidence=bandit.MEDIUM): +def _get_issue_instance(severity=bandit.MEDIUM, cwe=issue.Cwe.MULTIPLE_BINDS, confidence=bandit.MEDIUM): new_issue = issue.Issue(severity, cwe, confidence, "Test issue") new_issue.fname = "code.py" new_issue.test = "bandit_plugin" 
diff --git a/tests/unit/core/test_manager.py b/tests/unit/core/test_manager.py index 1095c39aa..42d889c35 100644 --- a/tests/unit/core/test_manager.py +++ b/tests/unit/core/test_manager.py @@ -172,7 +172,7 @@ def test_populate_baseline_invalid_json(self, mock_logger_warning): def test_results_count(self): levels = [constants.LOW, constants.MEDIUM, constants.HIGH] self.manager.results = [ - issue.Issue(severity=level, cwe=Cwe.MULTIPLE_BINDS, confidence=level) for level in levels + issue.Issue(severity=level, cwe=issue.Cwe.MULTIPLE_BINDS, confidence=level) for level in levels ] r = [ diff --git a/tests/unit/formatters/test_json.py b/tests/unit/formatters/test_json.py index d4730cf8d..55afa9164 100644 --- a/tests/unit/formatters/test_json.py +++ b/tests/unit/formatters/test_json.py @@ -12,7 +12,6 @@ from bandit.core import config from bandit.core import constants from bandit.core import issue -from bandit.core.issue import Cwe as Cwe from bandit.core import manager from bandit.core import metrics from bandit.formatters import json as b_json @@ -31,12 +30,12 @@ def setUp(self): } self.check_name = "hardcoded_bind_all_interfaces" self.issue = issue.Issue( - bandit.MEDIUM, Cwe.MULTIPLE_BINDS, bandit.MEDIUM, "Possible binding to all interfaces." + bandit.MEDIUM, issue.Cwe.MULTIPLE_BINDS, bandit.MEDIUM, "Possible binding to all interfaces." ) self.candidates = [ - issue.Issue(Cwe.MULTIPLE_BINDS, bandit.LOW, bandit.LOW, "Candidate A", lineno=1), - issue.Issue(bandit.HIGH, Cwe.MULTIPLE_BINDS, bandit.HIGH, "Candiate B", lineno=2), + issue.Issue(issue.Cwe.MULTIPLE_BINDS, bandit.LOW, bandit.LOW, "Candidate A", lineno=1), + issue.Issue(bandit.HIGH, issue.Cwe.MULTIPLE_BINDS, bandit.HIGH, "Candiate B", lineno=2), ] self.manager.out_file = self.tmp_fname From c3d29c00f2e240c4fb9b5e449cb1a8c97f271e13 Mon Sep 17 00:00:00 2001 
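Review bot: In the test_json.py hunk the first candidate still has its positional arguments in the wrong order: `issue.Issue(issue.Cwe.MULTIPLE_BINDS, bandit.LOW, bandit.LOW, "Candidate A", lineno=1)` passes the CWE as severity and `bandit.LOW` as the CWE, while `self.issue` and "Candiate B" in the same hunk use the (severity, cwe, confidence, text) order; it should read `issue.Issue(bandit.LOW, issue.Cwe.MULTIPLE_BINDS, bandit.LOW, "Candidate A", lineno=1)`. With severity holding 605 instead of a level string, any assertion that filters candidates by severity exercises an unintended value. The same line is re-wrapped but not corrected in the test_json.py hunks of patches 16 and 17. The `"Candiate B"` text is also misspelled; harmless to the test, but worth fixing while here.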
From: Eric Brown Date: Sat, 29 Jan 2022 22:45:34 -0800 Subject: [PATCH 15/18] Update tests/functional/test_functional.py --- tests/functional/test_functional.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index 5aa0132e2..ab2ada95e 100644 --- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -765,10 +765,10 @@ def test_baseline_filter(self): "filename": "{}/examples/flask_debug.py", "issue_confidence": "MEDIUM", "issue_severity": "HIGH", - "issue_cwe": { + "issue_cwe": {{ "id": 94, "link": "https://cwe.mitre.org/data/definitions/94.html" - }, + }}, "issue_text": "{}", "line_number": 10, "col_offset": 0, From 56fc63b0f9ebb60badf211b671a174fcde213d93 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Sat, 29 Jan 2022 23:28:30 -0800 Subject: [PATCH 16/18] Apply suggestions from code review --- bandit/core/issue.py | 3 ++- bandit/formatters/screen.py | 3 ++- bandit/formatters/text.py | 3 ++- bandit/formatters/xml.py | 5 ++++- bandit/plugins/django_xss.py | 4 +++- bandit/plugins/injection_paramiko.py | 2 +- tests/unit/core/test_issue.py | 11 +++++++++-- tests/unit/core/test_manager.py | 11 +++++++++-- tests/unit/formatters/test_csv.py | 5 ++++- tests/unit/formatters/test_custom.py | 4 +++- tests/unit/formatters/test_html.py | 5 ++++- tests/unit/formatters/test_json.py | 21 ++++++++++++++++++--- tests/unit/formatters/test_screen.py | 5 ++++- tests/unit/formatters/test_text.py | 5 ++++- tests/unit/formatters/test_xml.py | 5 ++++- tests/unit/formatters/test_yaml.py | 5 ++++- 16 files changed, 77 insertions(+), 20 deletions(-) diff --git a/bandit/core/issue.py b/bandit/core/issue.py index f0f558957..8b6d62c92 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py 
@@ -100,7 +100,8 @@ def __init__( def __str__(self): return ( - "Issue: '%s' from %s:%s: CWE: %s, Severity: %s Confidence: " "%s at %s:%i" + "Issue: '%s' from %s:%s: CWE: %s, Severity: %s Confidence: " + "%s at %s:%i" ) % ( self.text, self.test_id, diff --git a/bandit/formatters/screen.py b/bandit/formatters/screen.py index 80d506472..a3c692fd5 100644 --- a/bandit/formatters/screen.py +++ b/bandit/formatters/screen.py @@ -112,7 +112,8 @@ def _output_issue_str( bits.append( "%s Severity: %s CWE: %s Confidence: %s" - % (indent, issue.severity.capitalize(), str(issue.cwe), issue.confidence.capitalize()) + % (indent, issue.severity.capitalize(), str(issue.cwe), + issue.confidence.capitalize()) ) bits.append( diff --git a/bandit/formatters/text.py b/bandit/formatters/text.py index 52a9e6f00..80421c513 100644 --- a/bandit/formatters/text.py +++ b/bandit/formatters/text.py @@ -80,7 +80,8 @@ def _output_issue_str( bits.append( "%s Severity: %s CWE: %s Confidence: %s" - % (indent, issue.severity.capitalize(), str(issue.cwe), issue.confidence.capitalize()) + % (indent, issue.severity.capitalize(), str(issue.cwe), + issue.confidence.capitalize()) ) bits.append( diff --git a/bandit/formatters/xml.py b/bandit/formatters/xml.py index 14bb87de5..f3f9421bb 100644 --- a/bandit/formatters/xml.py +++ b/bandit/formatters/xml.py @@ -55,7 +55,10 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): root, "testcase", classname=issue.fname, name=test ) - text = "Test ID: %s Severity: %s CWE: %s Confidence: %s\n%s\nLocation %s:%s" + text = ( + "Test ID: %s Severity: %s CWE: %s Confidence: %s\n%s\n" + "Location %s:%s" + ) text = text % ( issue.test_id, issue.severity, diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index 1c819b809..c25609374 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py 
@@ -220,7 +220,9 @@ def check_risk(node): if not secure: return bandit.Issue( - severity=bandit.MEDIUM, cwe=cwemap.CWEMAP["B703"], confidence=bandit.HIGH, text=description + severity=bandit.MEDIUM, + cwe=cwemap.CWEMAP["B703"], + confidence=bandit.HIGH, text=description ) diff --git a/bandit/plugins/injection_paramiko.py b/bandit/plugins/injection_paramiko.py index c8e524238..e92b3049d 100644 --- a/bandit/plugins/injection_paramiko.py +++ b/bandit/plugins/injection_paramiko.py @@ -52,7 +52,7 @@ def paramiko_calls(context): if context.call_function_name in ["exec_command"]: return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B601"], + cwe=cwemap.CWEMAP["B601"], confidence=bandit.MEDIUM, text=issue_text, ) diff --git a/tests/unit/core/test_issue.py b/tests/unit/core/test_issue.py index 1d524a9f4..9ea45e536 100644 --- a/tests/unit/core/test_issue.py +++ b/tests/unit/core/test_issue.py @@ -110,7 +110,11 @@ def test_matches_issue(self): @mock.patch("linecache.getline") def test_get_code(self, getline): getline.return_value = b"\x08\x30" - new_issue = issue.Issue(bandit.MEDIUM, cwe=issue.Cwe.MULTIPLE_BINDS, lineno=1) + new_issue = issue.Issue( + bandit.MEDIUM, + cwe=issue.Cwe.MULTIPLE_BINDS, + lineno=1 + ) try: new_issue.get_code() @@ -118,7 +122,10 @@ def test_get_code(self, getline): self.fail("Bytes not properly decoded in issue.get_code()") -def _get_issue_instance(severity=bandit.MEDIUM, cwe=issue.Cwe.MULTIPLE_BINDS, confidence=bandit.MEDIUM): +def _get_issue_instance( + severity=bandit.MEDIUM, + cwe=issue.Cwe.MULTIPLE_BINDS, + confidence=bandit.MEDIUM): new_issue = issue.Issue(severity, cwe, confidence, "Test issue") new_issue.fname = "code.py" new_issue.test = "bandit_plugin" diff --git a/tests/unit/core/test_manager.py b/tests/unit/core/test_manager.py index 42d889c35..1fa39d4a4 100644 --- a/tests/unit/core/test_manager.py +++ b/tests/unit/core/test_manager.py 
@@ -15,7 +15,11 @@ class ManagerTests(testtools.TestCase): - def _get_issue_instance(self, sev=constants.MEDIUM, cwe=issue.Cwe.MULTIPLE_BINDS, conf=constants.MEDIUM): + def _get_issue_instance( + self, + sev=constants.MEDIUM, + cwe=issue.Cwe.MULTIPLE_BINDS, + conf=constants.MEDIUM): new_issue = issue.Issue(sev, cwe, conf, "Test issue") new_issue.fname = "code.py" new_issue.test = "bandit_plugin" @@ -172,7 +176,10 @@ def test_populate_baseline_invalid_json(self, mock_logger_warning): def test_results_count(self): levels = [constants.LOW, constants.MEDIUM, constants.HIGH] self.manager.results = [ - issue.Issue(severity=level, cwe=issue.Cwe.MULTIPLE_BINDS, confidence=level) for level in levels + issue.Issue( + severity=level, + cwe=issue.Cwe.MULTIPLE_BINDS, + confidence=level) for level in levels ] r = [ diff --git a/tests/unit/formatters/test_csv.py b/tests/unit/formatters/test_csv.py index 1906fc8d1..2a9c871ef 100644 --- a/tests/unit/formatters/test_csv.py +++ b/tests/unit/formatters/test_csv.py @@ -26,7 +26,10 @@ def setUp(self): } self.check_name = "hardcoded_bind_all_interfaces" self.issue = issue.Issue( - bandit.MEDIUM, 123, bandit.MEDIUM, "Possible binding to all interfaces." + bandit.MEDIUM, + 123, + bandit.MEDIUM, + "Possible binding to all interfaces." ) self.manager.out_file = self.tmp_fname diff --git a/tests/unit/formatters/test_custom.py b/tests/unit/formatters/test_custom.py index 5a25106b6..447d27319 100644 --- a/tests/unit/formatters/test_custom.py +++ b/tests/unit/formatters/test_custom.py @@ -25,7 +25,9 @@ def setUp(self): } self.check_name = "hardcoded_bind_all_interfaces" self.issue = issue.Issue( - bandit.MEDIUM, bandit.MEDIUM, text="Possible binding to all interfaces." + bandit.MEDIUM, + bandit.MEDIUM, + text="Possible binding to all interfaces." ) self.manager.out_file = self.tmp_fname diff --git a/tests/unit/formatters/test_html.py b/tests/unit/formatters/test_html.py index 3d2fd0637..148ba7e73 100644 --- a/tests/unit/formatters/test_html.py 
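Review bot: In the test_custom.py hunk, `issue.Issue(bandit.MEDIUM, bandit.MEDIUM, text="Possible binding to all interfaces.")` now passes `bandit.MEDIUM` as the CWE, because the second positional parameter became `cwe` in this series (the sibling fixtures call `issue.Issue(severity, cwe, confidence, "Test issue")`), and confidence silently falls back to its default. Unless the custom-formatter test deliberately exercises a bogus CWE, it should read `issue.Issue(bandit.MEDIUM, issue.Cwe.MULTIPLE_BINDS, bandit.MEDIUM, text="Possible binding to all interfaces.")`, matching the test_xml.py and test_json.py fixtures. The same call is re-wrapped but not corrected in patch 17. Whether `Issue.__init__` coerces a non-integer `cwe` is not visible here, so I cannot tell from the hunk whether this fails loudly or just produces a nonsense CWE entry.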
+++ b/tests/unit/formatters/test_html.py @@ -149,7 +149,10 @@ def test_escaping(self, get_issue_list, get_code): self.assertNotIn(marker, contents) -def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, confidence=bandit.MEDIUM): +def _get_issue_instance( + severity=bandit.MEDIUM, + cwe=123, + confidence=bandit.MEDIUM): new_issue = issue.Issue(severity, cwe, confidence, "Test issue") new_issue.fname = "code.py" new_issue.test = "bandit_plugin" diff --git a/tests/unit/formatters/test_json.py b/tests/unit/formatters/test_json.py index 55afa9164..7e25ff026 100644 --- a/tests/unit/formatters/test_json.py +++ b/tests/unit/formatters/test_json.py @@ -30,12 +30,27 @@ def setUp(self): } self.check_name = "hardcoded_bind_all_interfaces" self.issue = issue.Issue( - bandit.MEDIUM, issue.Cwe.MULTIPLE_BINDS, bandit.MEDIUM, "Possible binding to all interfaces." + bandit.MEDIUM, + issue.Cwe.MULTIPLE_BINDS, + bandit.MEDIUM, + "Possible binding to all interfaces." ) self.candidates = [ - issue.Issue(issue.Cwe.MULTIPLE_BINDS, bandit.LOW, bandit.LOW, "Candidate A", lineno=1), - issue.Issue(bandit.HIGH, issue.Cwe.MULTIPLE_BINDS, bandit.HIGH, "Candiate B", lineno=2), + issue.Issue( + issue.Cwe.MULTIPLE_BINDS, + bandit.LOW, + bandit.LOW, + "Candidate A", + lineno=1 + ), + issue.Issue( + bandit.HIGH, + issue.Cwe.MULTIPLE_BINDS, + bandit.HIGH, + "Candiate B", + lineno=2 + ), ] self.manager.out_file = self.tmp_fname diff --git a/tests/unit/formatters/test_screen.py b/tests/unit/formatters/test_screen.py index efee617d5..a12ceda17 100644 --- a/tests/unit/formatters/test_screen.py +++ b/tests/unit/formatters/test_screen.py 
@@ -233,7 +233,10 @@ def test_report_baseline(self, get_issue_list): output_str.assert_has_calls(calls, any_order=True) -def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, confidence=bandit.MEDIUM): +def _get_issue_instance( + severity=bandit.MEDIUM, + cwe=123, + confidence=bandit.MEDIUM): new_issue = issue.Issue(severity, cwe, confidence, "Test issue") new_issue.fname = "code.py" new_issue.test = "bandit_plugin" diff --git a/tests/unit/formatters/test_text.py b/tests/unit/formatters/test_text.py index 67a391aaa..e96e6ef14 100644 --- a/tests/unit/formatters/test_text.py +++ b/tests/unit/formatters/test_text.py @@ -204,7 +204,10 @@ def test_report_baseline(self, get_issue_list): output_str.assert_has_calls(calls, any_order=True) -def _get_issue_instance(severity=bandit.MEDIUM, cwe=issue.Cwe.MULTIPLE_BINDS, confidence=bandit.MEDIUM): +def _get_issue_instance( + severity=bandit.MEDIUM, + cwe=issue.Cwe.MULTIPLE_BINDS, + confidence=bandit.MEDIUM): new_issue = issue.Issue(severity, cwe, confidence, "Test issue") new_issue.fname = "code.py" new_issue.test = "bandit_plugin" diff --git a/tests/unit/formatters/test_xml.py b/tests/unit/formatters/test_xml.py index 18c1ee50b..64f1d705c 100644 --- a/tests/unit/formatters/test_xml.py +++ b/tests/unit/formatters/test_xml.py @@ -27,7 +27,10 @@ def setUp(self): } self.check_name = "hardcoded_bind_all_interfaces" self.issue = issue.Issue( - bandit.MEDIUM, issue.Cwe.MULTIPLE_BINDS, bandit.MEDIUM, "Possible binding to all interfaces." + bandit.MEDIUM, + issue.Cwe.MULTIPLE_BINDS, + bandit.MEDIUM, + "Possible binding to all interfaces." ) self.manager.out_file = self.tmp_fname diff --git a/tests/unit/formatters/test_yaml.py b/tests/unit/formatters/test_yaml.py index 1ac4145fe..5674abc93 100644 --- a/tests/unit/formatters/test_yaml.py +++ b/tests/unit/formatters/test_yaml.py 
@@ -30,7 +30,10 @@ def setUp(self): } self.check_name = "hardcoded_bind_all_interfaces" self.issue = issue.Issue( - bandit.MEDIUM, 123, bandit.MEDIUM, "Possible binding to all interfaces." + bandit.MEDIUM, + 123, + bandit.MEDIUM, + "Possible binding to all interfaces." ) self.candidates = [ From cbc3deb52b4866900a5dae2f71e6f74c8fb8b27f Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Sat, 29 Jan 2022 23:54:07 -0800 Subject: [PATCH 17/18] Apply suggestions from code review --- bandit/core/cwemap.py | 8 -------- bandit/core/issue.py | 15 ++++++++------- bandit/formatters/screen.py | 8 ++++++-- bandit/formatters/text.py | 8 ++++++-- bandit/plugins/django_xss.py | 3 ++- tests/unit/core/test_issue.py | 24 ++++++++++++------------ tests/unit/core/test_manager.py | 19 +++++++++++-------- tests/unit/formatters/test_csv.py | 2 +- tests/unit/formatters/test_custom.py | 2 +- tests/unit/formatters/test_html.py | 5 ++--- tests/unit/formatters/test_json.py | 6 +++--- tests/unit/formatters/test_screen.py | 5 ++--- tests/unit/formatters/test_text.py | 7 ++++--- tests/unit/formatters/test_xml.py | 2 +- tests/unit/formatters/test_yaml.py | 2 +- 15 files changed, 60 insertions(+), 56 deletions(-) diff --git a/bandit/core/cwemap.py b/bandit/core/cwemap.py index 2bdaedd7e..8210d9daf 100644 --- a/bandit/core/cwemap.py +++ b/bandit/core/cwemap.py @@ -1,13 +1,10 @@ -# -*- coding:utf-8 -*- # # SPDX-License-Identifier: Apache-2.0 - from bandit.core import issue CWEMAP = { "B000": issue.Cwe.NOTSET, "LEGACY": issue.Cwe.NOTSET, - # Plugins "B101": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, "B102": issue.Cwe.OS_COMMAND_INJECTION, @@ -17,11 +14,8 @@ "B108": issue.Cwe.INSECURE_TEMP_FILE, "B110": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, "B112": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, - "B201": issue.Cwe.CODE_INJECTION, - "B324": issue.Cwe.BROKEN_CRYPTO, - "B501": issue.Cwe.IMPROPER_CERT_VALIDATION, "B502": issue.Cwe.BROKEN_CRYPTO, "B503": issue.Cwe.BROKEN_CRYPTO, 
@@ -29,7 +23,6 @@ "B505": issue.Cwe.INADEQUATE_ENCRYPTION_STRENGTH, "B506": issue.Cwe.IMPROPER_INPUT_VALIDATION, "B507": issue.Cwe.IMPROPER_CERT_VALIDATION, - "B601": issue.Cwe.OS_COMMAND_INJECTION, "B602": issue.Cwe.OS_COMMAND_INJECTION, "B603": issue.Cwe.OS_COMMAND_INJECTION, @@ -40,7 +33,6 @@ "B608": issue.Cwe.SQL_INJECTION, "B609": issue.Cwe.IMPROPER_WILDCARD_NEUTRALIZATION, "B611": issue.Cwe.SQL_INJECTION, - "B701": issue.Cwe.CODE_INJECTION, "B702": issue.Cwe.BASIC_XSS, "B703": issue.Cwe.BASIC_XSS, diff --git a/bandit/core/issue.py b/bandit/core/issue.py index 8b6d62c92..47ac1f15e 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py @@ -7,7 +7,7 @@ from bandit.core import constants -class Cwe(object): +class Cwe(): NOTSET = 0 IMPROPER_INPUT_VALIDATION = 20 PATH_TRAVERSAL = 22 @@ -48,17 +48,18 @@ def __str__(self): return "CWE-%i (%s)" % (self.id, self.link()) def as_dict(self): - return { - "id": self.id, - "link": self.link() - } if self.id != Cwe.NOTSET else {} + return ( + {"id": self.id, "link": self.link()} + if self.id != Cwe.NOTSET + else {} + ) def as_jsons(self): return str(self.as_dict()) def from_dict(self, data): - if 'id' in data: - self.id = int(data['id']) + if "id" in data: + self.id = int(data["id"]) else: self.id = Cwe.NOTSET diff --git a/bandit/formatters/screen.py b/bandit/formatters/screen.py index a3c692fd5..c1e204382 100644 --- a/bandit/formatters/screen.py +++ b/bandit/formatters/screen.py @@ -112,8 +112,12 @@ def _output_issue_str( bits.append( "%s Severity: %s CWE: %s Confidence: %s" - % (indent, issue.severity.capitalize(), str(issue.cwe), - issue.confidence.capitalize()) + % ( + indent, + issue.severity.capitalize(), + str(issue.cwe), + issue.confidence.capitalize(), + ) ) bits.append( diff --git a/bandit/formatters/text.py b/bandit/formatters/text.py index 80421c513..3e821d1d6 100644 --- a/bandit/formatters/text.py +++ b/bandit/formatters/text.py 
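Review bot: The rewritten `as_dict` has no docstring, and its `NOTSET` → `{}` special case is the contract that `from_dict` mirrors (it maps a missing `"id"` back to `Cwe.NOTSET`), so it deserves one: `"""Serialize as {"id", "link"}; an unset CWE serializes to an empty dict so it can be omitted from reports."""`. The context line directly below, `def as_jsons(self): return str(self.as_dict())`, returns the Python repr (single-quoted keys), not JSON; if any caller hands that to a JSON consumer it should be `json.dumps(self.as_dict())`, assuming the module imports `json`. `from_dict` reads `data["id"]` from a parsed baseline file and `int()` raises `ValueError` on a non-numeric id, which is acceptable for a trusted baseline but worth a one-line comment since the value comes from an external file. The enclosing class `Cwe` starts above this hunk.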
@@ -80,8 +80,12 @@ def _output_issue_str( bits.append( "%s Severity: %s CWE: %s Confidence: %s" - % (indent, issue.severity.capitalize(), str(issue.cwe), - issue.confidence.capitalize()) + % ( + indent, + issue.severity.capitalize(), + str(issue.cwe), + issue.confidence.capitalize(), + ) ) bits.append( diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index c25609374..13adc7ec1 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -222,7 +222,8 @@ def check_risk(node): return bandit.Issue( severity=bandit.MEDIUM, cwe=cwemap.CWEMAP["B703"], - confidence=bandit.HIGH, text=description + confidence=bandit.HIGH, + text=description ) diff --git a/tests/unit/core/test_issue.py b/tests/unit/core/test_issue.py index 9ea45e536..b69223944 100644 --- a/tests/unit/core/test_issue.py +++ b/tests/unit/core/test_issue.py @@ -18,14 +18,15 @@ def test_issue_create(self): def test_issue_str(self): test_issue = _get_issue_instance() - expect = ("Issue: 'Test issue' from B999:bandit_plugin:" - ' CWE: %s,' - " Severity: MEDIUM " - "Confidence: MEDIUM at code.py:1") + expect = ( + "Issue: 'Test issue' from B999:bandit_plugin:" + " CWE: %s," + " Severity: MEDIUM " + "Confidence: MEDIUM at code.py:1" + ) self.assertEqual( - expect % str(issue.Cwe(issue.Cwe.MULTIPLE_BINDS)), - str(test_issue) + expect % str(issue.Cwe(issue.Cwe.MULTIPLE_BINDS)), str(test_issue) ) def test_issue_as_dict(self): @@ -111,9 +112,7 @@ def test_matches_issue(self): def test_get_code(self, getline): getline.return_value = b"\x08\x30" new_issue = issue.Issue( - bandit.MEDIUM, - cwe=issue.Cwe.MULTIPLE_BINDS, - lineno=1 + bandit.MEDIUM, cwe=issue.Cwe.MULTIPLE_BINDS, lineno=1 ) try: 
@@ -123,9 +122,10 @@ def test_get_code(self, getline): def _get_issue_instance( - severity=bandit.MEDIUM, - cwe=issue.Cwe.MULTIPLE_BINDS, - confidence=bandit.MEDIUM): + severity=bandit.MEDIUM, + cwe=issue.Cwe.MULTIPLE_BINDS, + confidence=bandit.MEDIUM +): new_issue = issue.Issue(severity, cwe, confidence, "Test issue") new_issue.fname = "code.py" new_issue.test = "bandit_plugin" diff --git a/tests/unit/core/test_manager.py b/tests/unit/core/test_manager.py index 1fa39d4a4..5f9afdab1 100644 --- a/tests/unit/core/test_manager.py +++ b/tests/unit/core/test_manager.py @@ -16,10 +16,11 @@ class ManagerTests(testtools.TestCase): def _get_issue_instance( - self, - sev=constants.MEDIUM, - cwe=issue.Cwe.MULTIPLE_BINDS, - conf=constants.MEDIUM): + self, + sev=constants.MEDIUM, + cwe=issue.Cwe.MULTIPLE_BINDS, + conf=constants.MEDIUM + ): new_issue = issue.Issue(sev, cwe, conf, "Test issue") new_issue.fname = "code.py" new_issue.test = "bandit_plugin" @@ -147,7 +148,9 @@ def test_populate_baseline_success(self): } ] } - """ % ('https://cwe.mitre.org/data/definitions/605.html') + """ % ( + "https://cwe.mitre.org/data/definitions/605.html" + ) issue_dictionary = { "code": "test code", "filename": "example_file.py", @@ -177,9 +180,9 @@ def test_results_count(self): levels = [constants.LOW, constants.MEDIUM, constants.HIGH] self.manager.results = [ issue.Issue( - severity=level, - cwe=issue.Cwe.MULTIPLE_BINDS, - confidence=level) for level in levels + severity=level, cwe=issue.Cwe.MULTIPLE_BINDS, confidence=level + ) + for level in levels ] r = [ diff --git a/tests/unit/formatters/test_csv.py b/tests/unit/formatters/test_csv.py index 2a9c871ef..fd9166e30 100644 --- a/tests/unit/formatters/test_csv.py +++ b/tests/unit/formatters/test_csv.py @@ -29,7 +29,7 @@ def setUp(self): bandit.MEDIUM, 123, bandit.MEDIUM, - "Possible binding to all interfaces." + "Possible binding to all interfaces.", ) self.manager.out_file = self.tmp_fname 
diff --git a/tests/unit/formatters/test_custom.py b/tests/unit/formatters/test_custom.py index 447d27319..908ddb3e7 100644 --- a/tests/unit/formatters/test_custom.py +++ b/tests/unit/formatters/test_custom.py @@ -27,7 +27,7 @@ def setUp(self): self.issue = issue.Issue( bandit.MEDIUM, bandit.MEDIUM, - text="Possible binding to all interfaces." + text="Possible binding to all interfaces.", ) self.manager.out_file = self.tmp_fname diff --git a/tests/unit/formatters/test_html.py b/tests/unit/formatters/test_html.py index 148ba7e73..07e6bd0b4 100644 --- a/tests/unit/formatters/test_html.py +++ b/tests/unit/formatters/test_html.py @@ -150,9 +150,8 @@ def test_escaping(self, get_issue_list, get_code): def _get_issue_instance( - severity=bandit.MEDIUM, - cwe=123, - confidence=bandit.MEDIUM): + severity=bandit.MEDIUM, cwe=123, confidence=bandit.MEDIUM +): new_issue = issue.Issue(severity, cwe, confidence, "Test issue") new_issue.fname = "code.py" new_issue.test = "bandit_plugin" diff --git a/tests/unit/formatters/test_json.py b/tests/unit/formatters/test_json.py index 7e25ff026..ddc1cde51 100644 --- a/tests/unit/formatters/test_json.py +++ b/tests/unit/formatters/test_json.py @@ -33,7 +33,7 @@ def setUp(self): bandit.MEDIUM, issue.Cwe.MULTIPLE_BINDS, bandit.MEDIUM, - "Possible binding to all interfaces." + "Possible binding to all interfaces.", ) self.candidates = [ @@ -42,14 +42,14 @@ def setUp(self): bandit.LOW, bandit.LOW, "Candidate A", - lineno=1 + lineno=1, ), issue.Issue( bandit.HIGH, issue.Cwe.MULTIPLE_BINDS, bandit.HIGH, "Candiate B", - lineno=2 + lineno=2, ), ] diff --git a/tests/unit/formatters/test_screen.py b/tests/unit/formatters/test_screen.py index a12ceda17..e2d420aed 100644 --- a/tests/unit/formatters/test_screen.py +++ b/tests/unit/formatters/test_screen.py 
@@ -234,9 +234,8 @@ def test_report_baseline(self, get_issue_list): def _get_issue_instance( - severity=bandit.MEDIUM, - cwe=123, - confidence=bandit.MEDIUM): + severity=bandit.MEDIUM, cwe=123, confidence=bandit.MEDIUM +): new_issue = issue.Issue(severity, cwe, confidence, "Test issue") new_issue.fname = "code.py" new_issue.test = "bandit_plugin" diff --git a/tests/unit/formatters/test_text.py b/tests/unit/formatters/test_text.py index e96e6ef14..db1f921f1 100644 --- a/tests/unit/formatters/test_text.py +++ b/tests/unit/formatters/test_text.py @@ -205,9 +205,10 @@ def test_report_baseline(self, get_issue_list): def _get_issue_instance( - severity=bandit.MEDIUM, - cwe=issue.Cwe.MULTIPLE_BINDS, - confidence=bandit.MEDIUM): + severity=bandit.MEDIUM, + cwe=issue.Cwe.MULTIPLE_BINDS, + confidence=bandit.MEDIUM +): new_issue = issue.Issue(severity, cwe, confidence, "Test issue") new_issue.fname = "code.py" new_issue.test = "bandit_plugin" diff --git a/tests/unit/formatters/test_xml.py b/tests/unit/formatters/test_xml.py index 64f1d705c..64e271882 100644 --- a/tests/unit/formatters/test_xml.py +++ b/tests/unit/formatters/test_xml.py @@ -30,7 +30,7 @@ def setUp(self): bandit.MEDIUM, issue.Cwe.MULTIPLE_BINDS, bandit.MEDIUM, - "Possible binding to all interfaces." + "Possible binding to all interfaces.", ) self.manager.out_file = self.tmp_fname diff --git a/tests/unit/formatters/test_yaml.py b/tests/unit/formatters/test_yaml.py index 5674abc93..30df3851d 100644 --- a/tests/unit/formatters/test_yaml.py +++ b/tests/unit/formatters/test_yaml.py @@ -33,7 +33,7 @@ def setUp(self): bandit.MEDIUM, 123, bandit.MEDIUM, - "Possible binding to all interfaces." + "Possible binding to all interfaces.", ) self.candidates = [ From 282ad3d77ed3b5282fe52b017ba11e03b84be25e Mon Sep 17 00:00:00 2001 
From: Eric Brown Date: Sun, 30 Jan 2022 00:00:23 -0800 Subject: [PATCH 18/18] Apply suggestions from code review --- bandit/core/cwemap.py | 2 -- bandit/core/issue.py | 2 +- bandit/plugins/django_xss.py | 2 +- tests/unit/core/test_issue.py | 2 +- tests/unit/core/test_manager.py | 2 +- tests/unit/formatters/test_text.py | 2 +- 6 files changed, 5 insertions(+), 7 deletions(-) diff --git a/bandit/core/cwemap.py b/bandit/core/cwemap.py index 8210d9daf..77144c9bb 100644 --- a/bandit/core/cwemap.py +++ b/bandit/core/cwemap.py @@ -36,7 +36,6 @@ "B701": issue.Cwe.CODE_INJECTION, "B702": issue.Cwe.BASIC_XSS, "B703": issue.Cwe.BASIC_XSS, - # Calls "B301": issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, "B302": issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, @@ -62,7 +61,6 @@ "B322": issue.Cwe.OS_COMMAND_INJECTION, "B323": issue.Cwe.IMPROPER_CERT_VALIDATION, "B325": issue.Cwe.INSECURE_TEMP_FILE, - # Imports "B401": issue.Cwe.CLEARTEXT_TRANSMISSION, "B402": issue.Cwe.CLEARTEXT_TRANSMISSION, diff --git a/bandit/core/issue.py b/bandit/core/issue.py index 47ac1f15e..e9727a001 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py @@ -7,7 +7,7 @@ from bandit.core import constants -class Cwe(): +class Cwe: NOTSET = 0 IMPROPER_INPUT_VALIDATION = 20 PATH_TRAVERSAL = 22 diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index 13adc7ec1..c46ef4074 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -223,7 +223,7 @@ def check_risk(node): severity=bandit.MEDIUM, cwe=cwemap.CWEMAP["B703"], confidence=bandit.HIGH, - text=description + text=description, ) diff --git a/tests/unit/core/test_issue.py b/tests/unit/core/test_issue.py index b69223944..dd1c72b9c 100644 --- a/tests/unit/core/test_issue.py +++ b/tests/unit/core/test_issue.py 
@@ -124,7 +124,7 @@ def test_get_code(self, getline): def _get_issue_instance( severity=bandit.MEDIUM, cwe=issue.Cwe.MULTIPLE_BINDS, - confidence=bandit.MEDIUM + confidence=bandit.MEDIUM, ): new_issue = issue.Issue(severity, cwe, confidence, "Test issue") new_issue.fname = "code.py" diff --git a/tests/unit/core/test_manager.py b/tests/unit/core/test_manager.py index 5f9afdab1..b507d104c 100644 --- a/tests/unit/core/test_manager.py +++ b/tests/unit/core/test_manager.py @@ -19,7 +19,7 @@ def _get_issue_instance( self, sev=constants.MEDIUM, cwe=issue.Cwe.MULTIPLE_BINDS, - conf=constants.MEDIUM + conf=constants.MEDIUM, ): new_issue = issue.Issue(sev, cwe, conf, "Test issue") new_issue.fname = "code.py" diff --git a/tests/unit/formatters/test_text.py b/tests/unit/formatters/test_text.py index db1f921f1..2ce80d499 100644 --- a/tests/unit/formatters/test_text.py +++ b/tests/unit/formatters/test_text.py @@ -207,7 +207,7 @@ def test_report_baseline(self, get_issue_list): def _get_issue_instance( severity=bandit.MEDIUM, cwe=issue.Cwe.MULTIPLE_BINDS, - confidence=bandit.MEDIUM + confidence=bandit.MEDIUM, ): new_issue = issue.Issue(severity, cwe, confidence, "Test issue") new_issue.fname = "code.py"