From 7b7c9df9083a23c5786d967d08d489bfed604248 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Tue, 1 Feb 2022 16:11:55 -0800 Subject: [PATCH] Removal of the CWEMAP dict There is a lookup dictionary defined that maps bandit check IDs to a CWE. This is mostly unnecessary as the check can specify the exact CWE that applies to it. And this would work better for 3rd party plugins that also wish to set a CWE for their check. Maintaining a map is just another bit of maintenance. Signed-off-by: Eric Brown --- bandit/blacklists/calls.py | 24 ++++++ bandit/blacklists/imports.py | 40 +++++++++- bandit/blacklists/utils.py | 3 +- bandit/core/blacklisting.py | 3 +- bandit/core/cwemap.py | 79 ------------------- bandit/plugins/app_debug.py | 17 ++-- bandit/plugins/asserts.py | 9 ++- .../crypto_request_no_cert_validation.py | 12 ++- bandit/plugins/django_sql_injection.py | 42 ++++++++-- bandit/plugins/django_xss.py | 22 +++++- bandit/plugins/exec.py | 10 ++- .../plugins/general_bad_file_permissions.py | 10 ++- bandit/plugins/general_bind_all_interfaces.py | 9 ++- bandit/plugins/general_hardcoded_password.py | 19 ++++- bandit/plugins/general_hardcoded_tmp.py | 9 ++- .../plugins/hashlib_new_insecure_functions.py | 11 ++- bandit/plugins/injection_paramiko.py | 9 ++- bandit/plugins/injection_shell.py | 56 ++++++++++--- bandit/plugins/injection_sql.py | 9 ++- bandit/plugins/injection_wildcard.py | 10 ++- bandit/plugins/insecure_ssl_tls.py | 28 +++++-- bandit/plugins/jinja2_templates.py | 14 +++- bandit/plugins/mako_templates.py | 9 ++- bandit/plugins/snmp_security_check.py | 60 +++++++++++--- .../plugins/ssh_no_host_key_verification.py | 11 ++- bandit/plugins/try_except_continue.py | 9 ++- bandit/plugins/try_except_pass.py | 9 ++- bandit/plugins/weak_cryptographic_key.py | 9 ++- bandit/plugins/yaml_load.py | 9 ++- tests/unit/core/test_test_set.py | 4 + 30 files changed, 398 insertions(+), 167 deletions(-) delete mode 100644 bandit/core/cwemap.py 
diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py index 0b82d1b99..480f79bb8 100644 --- a/bandit/blacklists/calls.py +++ b/bandit/blacklists/calls.py @@ -314,6 +314,7 @@ """ from bandit.blacklists import utils +from bandit.core import issue def gen_blacklist(): @@ -332,6 +333,7 @@ def gen_blacklist(): utils.build_conf_dict( "pickle", "B301", + issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, [ "pickle.loads", "pickle.load", @@ -354,6 +356,7 @@ def gen_blacklist(): utils.build_conf_dict( "marshal", "B302", + issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, ["marshal.load", "marshal.loads"], "Deserialization with the marshal module is possibly dangerous.", ) @@ -363,6 +366,7 @@ def gen_blacklist(): utils.build_conf_dict( "md5", "B303", + issue.Cwe.BROKEN_CRYPTO, [ "hashlib.md5", "hashlib.sha1", @@ -385,6 +389,7 @@ def gen_blacklist(): utils.build_conf_dict( "ciphers", "B304", + issue.Cwe.BROKEN_CRYPTO, [ "Crypto.Cipher.ARC2.new", "Crypto.Cipher.ARC4.new", @@ -410,6 +415,7 @@ def gen_blacklist(): utils.build_conf_dict( "cipher_modes", "B305", + issue.Cwe.BROKEN_CRYPTO, ["cryptography.hazmat.primitives.ciphers.modes.ECB"], "Use of insecure cipher mode {name}.", ) @@ -419,6 +425,7 @@ def gen_blacklist(): utils.build_conf_dict( "mktemp_q", "B306", + issue.Cwe.INSECURE_TEMP_FILE, ["tempfile.mktemp"], "Use of insecure and deprecated function (mktemp).", ) @@ -428,6 +435,7 @@ def gen_blacklist(): utils.build_conf_dict( "eval", "B307", + issue.Cwe.OS_COMMAND_INJECTION, ["eval"], "Use of possibly insecure function - consider using safer " "ast.literal_eval.", @@ -438,6 +446,7 @@ def gen_blacklist(): utils.build_conf_dict( "mark_safe", "B308", + issue.Cwe.XSS, ["django.utils.safestring.mark_safe"], "Use of mark_safe() may expose cross-site scripting " "vulnerabilities and should be reviewed.", 
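Review bot: The `B307` entry in the `@@ -428,6 +435,7 @@` hunk tags `eval` with `issue.Cwe.OS_COMMAND_INJECTION` (CWE-78), but `eval` executes Python expressions, not OS commands; the same value is given to `exec` (B102) in the `exec.py` hunk of this patch, whose new docstring now advertises `CWE: CWE-78`. Both values are carried over unchanged from the deleted `cwemap.py` (`"B307"` and `"B102"` there), so this is not a regression, but now that each check owns its CWE the more accurate tag is the one `app_debug.py` already uses for arbitrary code execution, `issue.Cwe.CODE_INJECTION` (CWE-94): `issue.Cwe.CODE_INJECTION,` for B307 and `cwe=issue.Cwe.CODE_INJECTION,` in `exec_issue()`. If that is changed, the `CWE: CWE-78 (...)` example line and the seealso link added to the exec.py docstring should be updated to match.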
@@ -448,6 +457,7 @@ def gen_blacklist(): utils.build_conf_dict( "httpsconnection", "B309", + issue.Cwe.CLEARTEXT_TRANSMISSION, [ "httplib.HTTPSConnection", "http.client.HTTPSConnection", @@ -463,6 +473,7 @@ def gen_blacklist(): utils.build_conf_dict( "urllib_urlopen", "B310", + issue.Cwe.PATH_TRAVERSAL, [ "urllib.urlopen", "urllib.request.urlopen", @@ -488,6 +499,7 @@ def gen_blacklist(): utils.build_conf_dict( "random", "B311", + issue.Cwe.INSUFFICIENT_RANDOM_VALUES, [ "random.random", "random.randrange", @@ -507,6 +519,7 @@ def gen_blacklist(): utils.build_conf_dict( "telnetlib", "B312", + issue.Cwe.CLEARTEXT_TRANSMISSION, ["telnetlib.*"], "Telnet-related functions are being called. Telnet is considered " "insecure. Use SSH or some other encrypted protocol.", @@ -528,6 +541,7 @@ def gen_blacklist(): utils.build_conf_dict( "xml_bad_cElementTree", "B313", + issue.Cwe.IMPROPER_INPUT_VALIDATION, [ "xml.etree.cElementTree.parse", "xml.etree.cElementTree.iterparse", @@ -542,6 +556,7 @@ def gen_blacklist(): utils.build_conf_dict( "xml_bad_ElementTree", "B314", + issue.Cwe.IMPROPER_INPUT_VALIDATION, [ "xml.etree.ElementTree.parse", "xml.etree.ElementTree.iterparse", @@ -556,6 +571,7 @@ def gen_blacklist(): utils.build_conf_dict( "xml_bad_expatreader", "B315", + issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xml.sax.expatreader.create_parser"], xml_msg, ) @@ -565,6 +581,7 @@ def gen_blacklist(): utils.build_conf_dict( "xml_bad_expatbuilder", "B316", + issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xml.dom.expatbuilder.parse", "xml.dom.expatbuilder.parseString"], xml_msg, ) @@ -574,6 +591,7 @@ def gen_blacklist(): utils.build_conf_dict( "xml_bad_sax", "B317", + issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xml.sax.parse", "xml.sax.parseString", "xml.sax.make_parser"], xml_msg, ) @@ -583,6 +601,7 @@ def gen_blacklist(): utils.build_conf_dict( "xml_bad_minidom", "B318", + issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xml.dom.minidom.parse", "xml.dom.minidom.parseString"], xml_msg, ) 
@@ -592,6 +611,7 @@ def gen_blacklist(): utils.build_conf_dict( "xml_bad_pulldom", "B319", + issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xml.dom.pulldom.parse", "xml.dom.pulldom.parseString"], xml_msg, ) @@ -601,6 +621,7 @@ def gen_blacklist(): utils.build_conf_dict( "xml_bad_etree", "B320", + issue.Cwe.IMPROPER_INPUT_VALIDATION, [ "lxml.etree.parse", "lxml.etree.fromstring", @@ -623,6 +644,7 @@ def gen_blacklist(): utils.build_conf_dict( "ftplib", "B321", + issue.Cwe.CLEARTEXT_TRANSMISSION, ["ftplib.*"], "FTP-related functions are being called. FTP is considered " "insecure. Use SSH/SFTP/SCP or some other encrypted protocol.", @@ -636,6 +658,7 @@ def gen_blacklist(): utils.build_conf_dict( "unverified_context", "B323", + issue.Cwe.IMPROPER_CERT_VALIDATION, ["ssl._create_unverified_context"], "By default, Python will create a secure, verified ssl context for" " use in such classes as HTTPSConnection. However, it still allows" @@ -651,6 +674,7 @@ def gen_blacklist(): utils.build_conf_dict( "tempnam", "B325", + issue.Cwe.INSECURE_TEMP_FILE, ["os.tempnam", "os.tmpnam"], "Use of os.tempnam() and os.tmpnam() is vulnerable to symlink " "attacks. Consider using tmpfile() instead.", diff --git a/bandit/blacklists/imports.py b/bandit/blacklists/imports.py index c8bac64a0..a123d2b6e 100644 --- a/bandit/blacklists/imports.py +++ b/bandit/blacklists/imports.py @@ -214,6 +214,7 @@ """ from bandit.blacklists import utils +from bandit.core import issue def gen_blacklist(): @@ -232,6 +233,7 @@ def gen_blacklist(): utils.build_conf_dict( "import_telnetlib", "B401", + issue.Cwe.CLEARTEXT_TRANSMISSION, ["telnetlib"], "A telnet-related module is being imported. Telnet is " "considered insecure. Use SSH or some other encrypted protocol.", 
@@ -243,6 +245,7 @@ def gen_blacklist(): utils.build_conf_dict( "import_ftplib", "B402", + issue.Cwe.CLEARTEXT_TRANSMISSION, ["ftplib"], "A FTP-related module is being imported. FTP is considered " "insecure. Use SSH/SFTP/SCP or some other encrypted protocol.", @@ -254,6 +257,7 @@ def gen_blacklist(): utils.build_conf_dict( "import_pickle", "B403", + issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, ["pickle", "cPickle", "dill", "shelve"], "Consider possible security implications associated with " "{name} module.", @@ -265,6 +269,7 @@ def gen_blacklist(): utils.build_conf_dict( "import_subprocess", "B404", + issue.Cwe.OS_COMMAND_INJECTION, ["subprocess"], "Consider possible security implications associated with the " "subprocess module.", @@ -291,6 +296,7 @@ def gen_blacklist(): utils.build_conf_dict( "import_xml_etree", "B405", + issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xml.etree.cElementTree", "xml.etree.ElementTree"], xml_msg, "LOW", @@ -299,7 +305,12 @@ def gen_blacklist(): sets.append( utils.build_conf_dict( - "import_xml_sax", "B406", ["xml.sax"], xml_msg, "LOW" + "import_xml_sax", + "B406", + issue.Cwe.IMPROPER_INPUT_VALIDATION, + ["xml.sax"], + xml_msg, + "LOW", ) ) @@ -307,6 +318,7 @@ def gen_blacklist(): utils.build_conf_dict( "import_xml_expat", "B407", + issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xml.dom.expatbuilder"], xml_msg, "LOW", 
@@ -315,24 +327,42 @@ def gen_blacklist(): sets.append( utils.build_conf_dict( - "import_xml_minidom", "B408", ["xml.dom.minidom"], xml_msg, "LOW" + "import_xml_minidom", + "B408", + issue.Cwe.IMPROPER_INPUT_VALIDATION, + ["xml.dom.minidom"], + xml_msg, + "LOW", ) ) sets.append( utils.build_conf_dict( - "import_xml_pulldom", "B409", ["xml.dom.pulldom"], xml_msg, "LOW" + "import_xml_pulldom", + "B409", + issue.Cwe.IMPROPER_INPUT_VALIDATION, + ["xml.dom.pulldom"], + xml_msg, + "LOW", ) ) sets.append( - utils.build_conf_dict("import_lxml", "B410", ["lxml"], lxml_msg, "LOW") + utils.build_conf_dict( + "import_lxml", + "B410", + issue.Cwe.IMPROPER_INPUT_VALIDATION, + ["lxml"], + lxml_msg, + "LOW", + ) ) sets.append( utils.build_conf_dict( "import_xmlrpclib", "B411", + issue.Cwe.IMPROPER_INPUT_VALIDATION, ["xmlrpclib"], "Using {name} to parse untrusted XML data is known to be " "vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() " @@ -346,6 +376,7 @@ def gen_blacklist(): utils.build_conf_dict( "import_httpoxy", "B412", + issue.Cwe.IMPROPER_ACCESS_CONTROL, [ "wsgiref.handlers.CGIHandler", "twisted.web.twcgi.CGIScript", @@ -361,6 +392,7 @@ def gen_blacklist(): utils.build_conf_dict( "import_pycrypto", "B413", + issue.Cwe.BROKEN_CRYPTO, [ "Crypto.Cipher", "Crypto.Hash", diff --git a/bandit/blacklists/utils.py b/bandit/blacklists/utils.py index 8832b49c3..fa4a5c9a5 100644 --- a/bandit/blacklists/utils.py +++ b/bandit/blacklists/utils.py @@ -5,11 +5,12 @@ r"""Utils module.""" -def build_conf_dict(name, bid, qualnames, message, level="MEDIUM"): +def build_conf_dict(name, bid, cwe, qualnames, message, level="MEDIUM"): """Build and return a blacklist configuration dict.""" return { "name": name, "id": bid, + "cwe": cwe, "message": message, "qualnames": qualnames, "level": level, diff --git a/bandit/core/blacklisting.py b/bandit/core/blacklisting.py index a79b7274f..2f84ae023 100644 --- a/bandit/core/blacklisting.py +++ b/bandit/core/blacklisting.py 
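Review bot: Inserting `cwe` as the third positional parameter of `build_conf_dict` in the `@@ -5,11 +5,12 @@` hunk breaks every existing caller that passes arguments positionally, which is exactly the third-party plugin case the commit message wants to support: a constructed call such as `build_conf_dict("name", "B9xx", ["mod.func"], "msg")` would now bind the qualnames list to `cwe` and fail with a missing `message`. Appending it with a default keeps old callers working and matches the `issue.Cwe.NOTSET` fallback that `report_issue` uses in the `blacklisting.py` hunk: `def build_conf_dict(name, bid, qualnames, message, level="MEDIUM", cwe=issue.Cwe.NOTSET):` with `from bandit.core import issue` added at the top of utils.py; the in-tree callers in calls.py and imports.py would then pass `cwe=` by keyword. The one-line docstring should also name the new key, e.g. `"""Build and return a blacklist configuration dict; ``cwe`` is the issue.Cwe value reported for matches."""`.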
@@ -5,7 +5,6 @@ import ast import fnmatch -from bandit.core import cwemap from bandit.core import issue @@ -13,8 +12,8 @@ def report_issue(check, name): return issue.Issue( severity=check.get("level", "MEDIUM"), confidence="HIGH", + cwe=check.get("cwe", issue.Cwe.NOTSET), text=check["message"].replace("{name}", name), - cwe=cwemap.CWEMAP[check.get("id", "LEGACY")], ident=name, test_id=check.get("id", "LEGACY"), ) diff --git a/bandit/core/cwemap.py b/bandit/core/cwemap.py deleted file mode 100644 index 77144c9bb..000000000 --- a/bandit/core/cwemap.py +++ /dev/null 
@@ -1,79 +0,0 @@ -# -# SPDX-License-Identifier: Apache-2.0 -from bandit.core import issue - -CWEMAP = { - "B000": issue.Cwe.NOTSET, - "LEGACY": issue.Cwe.NOTSET, - # Plugins - "B101": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, - "B102": issue.Cwe.OS_COMMAND_INJECTION, - "B103": issue.Cwe.INCORRECT_PERMISSION_ASSIGNMENT, - "B104": issue.Cwe.MULTIPLE_BINDS, - "B105": issue.Cwe.HARD_CODED_PASSWORD, - "B108": issue.Cwe.INSECURE_TEMP_FILE, - "B110": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, - "B112": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, - "B201": issue.Cwe.CODE_INJECTION, - "B324": issue.Cwe.BROKEN_CRYPTO, - "B501": issue.Cwe.IMPROPER_CERT_VALIDATION, - "B502": issue.Cwe.BROKEN_CRYPTO, - "B503": issue.Cwe.BROKEN_CRYPTO, - "B504": issue.Cwe.BROKEN_CRYPTO, - "B505": issue.Cwe.INADEQUATE_ENCRYPTION_STRENGTH, - "B506": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B507": issue.Cwe.IMPROPER_CERT_VALIDATION, - "B601": issue.Cwe.OS_COMMAND_INJECTION, - "B602": issue.Cwe.OS_COMMAND_INJECTION, - "B603": issue.Cwe.OS_COMMAND_INJECTION, - "B604": issue.Cwe.OS_COMMAND_INJECTION, - "B605": issue.Cwe.OS_COMMAND_INJECTION, - "B606": issue.Cwe.OS_COMMAND_INJECTION, - "B607": issue.Cwe.OS_COMMAND_INJECTION, - "B608": issue.Cwe.SQL_INJECTION, - "B609": issue.Cwe.IMPROPER_WILDCARD_NEUTRALIZATION, - "B611": issue.Cwe.SQL_INJECTION, - "B701": issue.Cwe.CODE_INJECTION, - "B702": issue.Cwe.BASIC_XSS, - "B703": issue.Cwe.BASIC_XSS, - # Calls - "B301": issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, - "B302": issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, - "B303": issue.Cwe.BROKEN_CRYPTO, - "B304": issue.Cwe.BROKEN_CRYPTO, - "B305": issue.Cwe.BROKEN_CRYPTO, - "B306": issue.Cwe.INSECURE_TEMP_FILE, - "B307": issue.Cwe.OS_COMMAND_INJECTION, - "B308": issue.Cwe.XSS, - "B309": issue.Cwe.CLEARTEXT_TRANSMISSION, - "B310": issue.Cwe.PATH_TRAVERSAL, - "B311": issue.Cwe.INSUFFICIENT_RANDOM_VALUES, - "B312": issue.Cwe.CLEARTEXT_TRANSMISSION, - "B313": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B314": 
issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B315": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B316": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B317": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B318": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B319": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B320": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B321": issue.Cwe.CLEARTEXT_TRANSMISSION, - "B322": issue.Cwe.OS_COMMAND_INJECTION, - "B323": issue.Cwe.IMPROPER_CERT_VALIDATION, - "B325": issue.Cwe.INSECURE_TEMP_FILE, - # Imports - "B401": issue.Cwe.CLEARTEXT_TRANSMISSION, - "B402": issue.Cwe.CLEARTEXT_TRANSMISSION, - "B403": issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, - "B404": issue.Cwe.OS_COMMAND_INJECTION, - "B405": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B406": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B407": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B408": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B409": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B410": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B411": issue.Cwe.IMPROPER_INPUT_VALIDATION, - "B412": issue.Cwe.IMPROPER_ACCESS_CONTROL, - "B413": issue.Cwe.BROKEN_CRYPTO, - "B414": issue.Cwe.BROKEN_CRYPTO, -} diff --git a/bandit/plugins/app_debug.py b/bandit/plugins/app_debug.py index 3fbfd7db0..fba17052b 100644 --- a/bandit/plugins/app_debug.py +++ b/bandit/plugins/app_debug.py 
@@ -22,22 +22,27 @@ >> Issue: A Flask app appears to be run with debug=True, which exposes the Werkzeug debugger and allows the execution of arbitrary code. Severity: High Confidence: High - Location: examples/flask_debug.py:10 - 9 #bad - 10 app.run(debug=True) - 11 + CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html) + Location: examples/flask_debug.py:10 + 9 #bad + 10 app.run(debug=True) + 11 .. seealso:: .. [1] https://flask.palletsprojects.com/en/1.1.x/quickstart/#debug-mode .. [2] https://werkzeug.palletsprojects.com/en/1.0.x/debug/ .. [3] https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/ + .. [4] https://cwe.mitre.org/data/definitions/94.html .. versionadded:: 0.15.0 +.. versionchanged:: 1.7.3 + CWE information added + """ # noqa: E501 import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -49,8 +54,8 @@ def flask_debug_true(context): if context.check_call_arg_value("debug", "True"): return bandit.Issue( severity=bandit.HIGH, - cwe=cwemap.CWEMAP["B201"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.CODE_INJECTION, text="A Flask app appears to be run with debug=True, " "which exposes the Werkzeug debugger and allows " "the execution of arbitrary code.", diff --git a/bandit/plugins/asserts.py b/bandit/plugins/asserts.py index 4d401c9c5..e0c16cb0f 100644 --- a/bandit/plugins/asserts.py +++ b/bandit/plugins/asserts.py @@ -34,6 +34,7 @@ >> Issue: Use of assert detected. The enclosed code will be removed when compiling to optimised byte code. Severity: Low Confidence: High + CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html) Location: ./examples/assert.py:1 1 assert logged_in 2 display_assets() 
@@ -43,14 +44,18 @@ - https://bugs.launchpad.net/juniperopenstack/+bug/1456193 - https://bugs.launchpad.net/heat/+bug/1397883 - https://docs.python.org/3/reference/simple_stmts.html#the-assert-statement + - https://cwe.mitre.org/data/definitions/703.html .. versionadded:: 0.11.0 +.. versionchanged:: 1.7.3 + CWE information added + """ import fnmatch import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -69,8 +74,8 @@ def assert_used(context, config): return bandit.Issue( severity=bandit.LOW, - cwe=cwemap.CWEMAP["B101"], confidence=bandit.HIGH, + cwe=issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, text=( "Use of assert detected. The enclosed code " "will be removed when compiling to optimised byte code." diff --git a/bandit/plugins/crypto_request_no_cert_validation.py b/bandit/plugins/crypto_request_no_cert_validation.py index fc8da08d1..5121d74fa 100644 --- a/bandit/plugins/crypto_request_no_cert_validation.py +++ b/bandit/plugins/crypto_request_no_cert_validation.py @@ -25,6 +25,7 @@ >> Issue: [request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue. Severity: High Confidence: High + CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html) Location: examples/requests-ssl-verify-disabled.py:4 3 requests.get('https://gmail.com', verify=True) 4 requests.get('https://gmail.com', verify=False) @@ -34,12 +35,16 @@ - https://security.openstack.org/guidelines/dg_move-data-securely.html - https://security.openstack.org/guidelines/dg_validate-certificates.html + - https://cwe.mitre.org/data/definitions/295.html .. versionadded:: 0.9.0 +.. versionchanged:: 1.7.3 + CWE information added + """ import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test 
@@ -52,12 +57,11 @@ def request_with_no_cert_validation(context): and context.call_function_name in http_verbs ): if context.check_call_arg_value("verify", "False"): - issue = bandit.Issue( + return bandit.Issue( severity=bandit.HIGH, - cwe=cwemap.CWEMAP["B501"], confidence=bandit.HIGH, + cwe=issue.Cwe.IMPROPER_CERT_VALIDATION, text="Requests call with verify=False disabling SSL " "certificate checks, security issue.", lineno=context.get_lineno_for_call_arg("verify"), ) - return issue diff --git a/bandit/plugins/django_sql_injection.py b/bandit/plugins/django_sql_injection.py index 217accf4a..4d5df1aaa 100644 --- a/bandit/plugins/django_sql_injection.py +++ b/bandit/plugins/django_sql_injection.py @@ -5,7 +5,7 @@ import ast import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -22,14 +22,30 @@ def keywords2dict(keywords): def django_extra_used(context): """**B610: Potential SQL injection on extra function** + :Example: + + .. code-block:: none + + >> Issue: [B610:django_extra_used] Use of extra potential SQL attack vector. + Severity: Medium Confidence: Medium + CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html) + Location: examples/django_sql_injection_extra.py:29:0 + More Info: https://bandit.readthedocs.io/en/latest/plugins/b610_django_extra_used.html + 28 tables_str = 'django_content_type" WHERE "auth_user"."username"="admin' + 29 User.objects.all().extra(tables=[tables_str]).distinct() + .. seealso:: - https://docs.djangoproject.com/en/dev/topics/security/\ #sql-injection-protection + - https://cwe.mitre.org/data/definitions/89.html .. versionadded:: 1.5.0 - """ + .. versionchanged:: 1.7.3 + CWE information added + + """ # noqa: E501 description = "Use of extra potential SQL attack vector." if context.call_function_name == "extra": kwargs = keywords2dict(context.node.keywords) 
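Review bot: The switch from a local `issue` variable to a direct `return` in the `@@ -52,12 +57,11 @@` hunk is more than cosmetic: once `from bandit.core import issue` is the module import, any function that assigns a local named `issue` makes `issue.Cwe.IMPROPER_CERT_VALIDATION` raise `UnboundLocalError`, because the assignment makes the name local for the whole body. The same import is introduced in every plugin hunk of this patch and `issue` is a natural local name in this codebase, so the trap is likely to recur; importing the enum directly, `from bandit.core.issue import Cwe` with `cwe=Cwe.IMPROPER_CERT_VALIDATION,`, or aliasing the module (`from bandit.core import issue as bandit_issue`) removes it. If the module import is kept, a short comment on it would help, e.g. `# do not assign a local named "issue" in this module; it shadows the Cwe lookups`. Plugins whose function bodies fall outside these hunks (injection_shell.py, django_xss.py) cannot be checked from here.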
@@ -75,8 +91,8 @@ def django_extra_used(context): if insecure: return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B611"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.SQL_INJECTION, text=description, ) @@ -86,14 +102,30 @@ def django_extra_used(context): def django_rawsql_used(context): """**B611: Potential SQL injection on RawSQL function** + :Example: + + .. code-block:: none + + >> Issue: [B611:django_rawsql_used] Use of RawSQL potential SQL attack vector. + Severity: Medium Confidence: Medium + CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html) + Location: examples/django_sql_injection_raw.py:11:26 + More Info: https://bandit.readthedocs.io/en/latest/plugins/b611_django_rawsql_used.html + 10 ' WHERE "username"="admin" OR 1=%s --' + 11 User.objects.annotate(val=RawSQL(raw, [0])) + .. seealso:: - https://docs.djangoproject.com/en/dev/topics/security/\ #sql-injection-protection + - https://cwe.mitre.org/data/definitions/89.html .. versionadded:: 1.5.0 - """ + .. versionchanged:: 1.7.3 + CWE information added + + """ # noqa: E501 description = "Use of RawSQL potential SQL attack vector." if context.is_module_imported_like("django.db.models"): if context.call_function_name == "RawSQL": @@ -101,7 +133,7 @@ def django_rawsql_used(context): if not isinstance(sql, ast.Str): return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B611"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.SQL_INJECTION, text=description, ) diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index c46ef4074..63a8782b7 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py @@ -5,7 +5,7 @@ import ast import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -221,8 +221,8 @@ def check_risk(node): if not secure: return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B703"], confidence=bandit.HIGH, + cwe=issue.Cwe.BASIC_XSS, text=description, ) 
@@ -232,6 +232,18 @@ def check_risk(node): def django_mark_safe(context): """**B703: Potential XSS on mark_safe function** + :Example: + + .. code-block:: none + + >> Issue: [B703:django_mark_safe] Potential XSS on mark_safe function. + Severity: Medium Confidence: High + CWE: CWE-80 (https://cwe.mitre.org/data/definitions/80.html) + Location: examples/mark_safe_insecure.py:159:4 + More Info: https://bandit.readthedocs.io/en/latest/plugins/b703_django_mark_safe.html + 158 str_arg = 'could be insecure' + 159 safestring.mark_safe(str_arg) + .. seealso:: - https://docs.djangoproject.com/en/dev/topics/security/\ @@ -240,10 +252,14 @@ def django_mark_safe(context): #module-django.utils.safestring - https://docs.djangoproject.com/en/dev/ref/utils/\ #django.utils.html.format_html + - https://cwe.mitre.org/data/definitions/80.html .. versionadded:: 1.5.0 - """ + .. versionchanged:: 1.7.3 + CWE information added + + """ # noqa: E501 if context.is_module_imported_like("django.utils.safestring"): affected_functions = [ "mark_safe", diff --git a/bandit/plugins/exec.py b/bandit/plugins/exec.py index 3f89e035c..3c309d569 100644 --- a/bandit/plugins/exec.py +++ b/bandit/plugins/exec.py @@ -16,6 +16,7 @@ >> Issue: Use of exec detected. Severity: Medium Confidence: High + CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) Location: ./examples/exec.py:2 1 exec("do evil") 2 exec "do evil" 
@@ -26,19 +27,24 @@ - https://docs.python.org/3/library/functions.html#exec - https://www.python.org/dev/peps/pep-0551/#background - https://www.python.org/dev/peps/pep-0578/#suggested-audit-hook-locations + - https://cwe.mitre.org/data/definitions/78.html .. versionadded:: 0.9.0 + +.. versionchanged:: 1.7.3 + CWE information added + """ import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test def exec_issue(): return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B102"], confidence=bandit.HIGH, + cwe=issue.Cwe.OS_COMMAND_INJECTION, text="Use of exec detected.", ) diff --git a/bandit/plugins/general_bad_file_permissions.py b/bandit/plugins/general_bad_file_permissions.py index f8b0ac421..68e091b2f 100644 --- a/bandit/plugins/general_bad_file_permissions.py +++ b/bandit/plugins/general_bad_file_permissions.py @@ -23,6 +23,7 @@ >> Issue: Probable insecure usage of temp file/directory. Severity: Medium Confidence: Medium + CWE: CWE-732 (https://cwe.mitre.org/data/definitions/732.html) Location: ./examples/os-chmod.py:15 14 os.chmod('/etc/hosts', 0o777) 15 os.chmod('/tmp/oh_hai', 0x1ff) @@ -30,6 +31,7 @@ >> Issue: Chmod setting a permissive mask 0777 on file (key_file). Severity: High Confidence: High + CWE: CWE-732 (https://cwe.mitre.org/data/definitions/732.html) Location: ./examples/os-chmod.py:17 16 os.chmod('/etc/passwd', stat.S_IRWXU) 17 os.chmod(key_file, 0o777) @@ -40,14 +42,18 @@ - https://security.openstack.org/guidelines/dg_apply-restrictive-file-permissions.html - https://en.wikipedia.org/wiki/File_system_permissions - https://security.openstack.org + - https://cwe.mitre.org/data/definitions/732.html .. versionadded:: 0.9.0 +.. versionchanged:: 1.7.3 + CWE information added + """ # noqa: E501 import stat import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test 
@@ -74,8 +80,8 @@ def set_bad_file_permissions(context): filename = "NOT PARSED" return bandit.Issue( severity=sev_level, - cwe=cwemap.CWEMAP["B103"], confidence=bandit.HIGH, + cwe=issue.Cwe.INCORRECT_PERMISSION_ASSIGNMENT, text="Chmod setting a permissive mask %s on file (%s)." % (oct(mode), filename), ) diff --git a/bandit/plugins/general_bind_all_interfaces.py b/bandit/plugins/general_bind_all_interfaces.py index 3b53b8e5a..4659167af 100644 --- a/bandit/plugins/general_bind_all_interfaces.py +++ b/bandit/plugins/general_bind_all_interfaces.py @@ -18,6 +18,7 @@ >> Issue: Possible binding to all interfaces. Severity: Medium Confidence: Medium + CWE: CWE-605 (https://cwe.mitre.org/data/definitions/605.html) Location: ./examples/binding.py:4 3 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 4 s.bind(('0.0.0.0', 31137)) @@ -26,12 +27,16 @@ .. seealso:: - https://nvd.nist.gov/vuln/detail/CVE-2018-1281 + - https://cwe.mitre.org/data/definitions/605.html .. versionadded:: 0.9.0 +.. versionchanged:: 1.7.3 + CWE information added + """ import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -41,7 +46,7 @@ def hardcoded_bind_all_interfaces(context): if context.string_val == "0.0.0.0": return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B104"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.MULTIPLE_BINDS, text="Possible binding to all interfaces.", ) diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py index 930e8017d..dbff53ce1 100644 --- a/bandit/plugins/general_hardcoded_password.py +++ b/bandit/plugins/general_hardcoded_password.py @@ -6,7 +6,7 @@ import re import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test 
@@ -19,8 +19,8 @@ def _report(value): return bandit.Issue( severity=bandit.LOW, - cwe=cwemap.CWEMAP["B105"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.HARD_CODED_PASSWORD, text=("Possible hardcoded password: '%s'" % value), ) @@ -61,6 +61,7 @@ def hardcoded_password_string(context): >> Issue: Possible hardcoded password '(root)' Severity: Low Confidence: Low + CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html) Location: ./examples/hardcoded-passwords.py:5 4 def someFunction2(password): 5 if password == "root": @@ -69,9 +70,13 @@ def hardcoded_password_string(context): .. seealso:: - https://www.owasp.org/index.php/Use_of_hard-coded_password + - https://cwe.mitre.org/data/definitions/259.html .. versionadded:: 0.9.0 + .. versionchanged:: 1.7.3 + CWE information added + """ node = context.node if isinstance(node._bandit_parent, ast.Assign): @@ -145,6 +150,7 @@ def hardcoded_password_funcarg(context): >> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'blerg' Severity: Low Confidence: Medium + CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html) Location: ./examples/hardcoded-passwords.py:16 15 16 doLogin(password="blerg") @@ -152,9 +158,13 @@ def hardcoded_password_funcarg(context): .. seealso:: - https://www.owasp.org/index.php/Use_of_hard-coded_password + - https://cwe.mitre.org/data/definitions/259.html .. versionadded:: 0.9.0 + .. versionchanged:: 1.7.3 + CWE information added + """ # looks for "function(candidate='some_string')" for kw in context.node.keywords: @@ -196,6 +206,7 @@ def hardcoded_password_default(context): >> Issue: [B107:hardcoded_password_default] Possible hardcoded password: 'Admin' Severity: Low Confidence: Medium + CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html) Location: ./examples/hardcoded-passwords.py:1 1 def someFunction(user, password="Admin"): 
@@ -204,9 +215,13 @@ def hardcoded_password_default(context): .. seealso:: - https://www.owasp.org/index.php/Use_of_hard-coded_password + - https://cwe.mitre.org/data/definitions/259.html .. versionadded:: 0.9.0 + .. versionchanged:: 1.7.3 + CWE information added + """ # looks for "def function(candidate='some_string')" diff --git a/bandit/plugins/general_hardcoded_tmp.py b/bandit/plugins/general_hardcoded_tmp.py index c12762e8c..53f8cd137 100644 --- a/bandit/plugins/general_hardcoded_tmp.py +++ b/bandit/plugins/general_hardcoded_tmp.py @@ -36,6 +36,7 @@ >> Issue: Probable insecure usage of temp file/directory. Severity: Medium Confidence: Medium + CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html) Location: ./examples/hardcoded-tmp.py:1 1 f = open('/tmp/abc', 'w') 2 f.write('def') @@ -43,12 +44,16 @@ .. seealso:: - https://security.openstack.org/guidelines/dg_using-temporary-files-securely.html + - https://cwe.mitre.org/data/definitions/377.html .. versionadded:: 0.9.0 +.. versionchanged:: 1.7.3 + CWE information added + """ # noqa: E501 import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -69,7 +74,7 @@ def hardcoded_tmp_directory(context, config): if any(context.string_val.startswith(s) for s in tmp_dirs): return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B108"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.INSECURE_TEMP_FILE, text="Probable insecure usage of temp file/directory.", ) diff --git a/bandit/plugins/hashlib_new_insecure_functions.py b/bandit/plugins/hashlib_new_insecure_functions.py index 35b5d7338..36e54b467 100644 --- a/bandit/plugins/hashlib_new_insecure_functions.py +++ b/bandit/plugins/hashlib_new_insecure_functions.py 
@@ -18,17 +18,24 @@ >> Issue: [B324:hashlib_new] Use of insecure MD4 or MD5 hash function. Severity: Medium Confidence: High + CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) Location: examples/hashlib_new_insecure_funcs.py:3 2 3 md5_hash = hashlib.new('md5', string='test') 4 print(md5_hash) +.. seealso:: + + - https://cwe.mitre.org/data/definitions/327.html .. versionadded:: 1.5.0 +.. versionchanged:: 1.7.3 + CWE information added + """ import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -50,8 +57,8 @@ def hashlib_new(context): ): return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B324"], confidence=bandit.HIGH, + cwe=issue.Cwe.BROKEN_CRYPTO, text="Use of insecure MD4 or MD5 hash function.", lineno=context.node.lineno, ) diff --git a/bandit/plugins/injection_paramiko.py b/bandit/plugins/injection_paramiko.py index e92b3049d..674fe0b9b 100644 --- a/bandit/plugins/injection_paramiko.py +++ b/bandit/plugins/injection_paramiko.py @@ -21,6 +21,7 @@ >> Issue: Possible shell injection via Paramiko call, check inputs are properly sanitized. Severity: Medium Confidence: Medium + CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) Location: ./examples/paramiko_injection.py:4 3 # this is not safe 4 paramiko.exec_command('something; really; unsafe') @@ -31,12 +32,16 @@ - https://security.openstack.org - https://github.com/paramiko/paramiko - https://www.owasp.org/index.php/Command_Injection + - https://cwe.mitre.org/data/definitions/78.html .. versionadded:: 0.12.0 +.. versionchanged:: 1.7.3 + CWE information added + """ import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test 
@@ -52,7 +57,7 @@ def paramiko_calls(context): if context.call_function_name in ["exec_command"]: return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B601"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.OS_COMMAND_INJECTION, text=issue_text, ) diff --git a/bandit/plugins/injection_shell.py b/bandit/plugins/injection_shell.py index 8a6fb1591..19c31d209 100644 --- a/bandit/plugins/injection_shell.py +++ b/bandit/plugins/injection_shell.py @@ -6,7 +6,7 @@ import re import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -162,6 +162,7 @@ def subprocess_popen_with_shell_equals_true(context, config): >> Issue: subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell Severity: Low Confidence: High + CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) Location: ./examples/subprocess_shell.py:21 20 subprocess.check_call(['/bin/ls', '-l'], shell=False) 21 subprocess.check_call('/bin/ls -l', shell=True) @@ -170,6 +171,7 @@ def subprocess_popen_with_shell_equals_true(context, config): >> Issue: call with shell=True contains special shell characters, consider moving extra logic into Python code Severity: Medium Confidence: High + CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) Location: ./examples/subprocess_shell.py:26 25 26 subprocess.Popen('/bin/ls *', shell=True) @@ -177,6 +179,7 @@ def subprocess_popen_with_shell_equals_true(context, config): >> Issue: subprocess call with shell=True identified, security issue. Severity: High Confidence: High + CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) Location: ./examples/subprocess_shell.py:27 26 subprocess.Popen('/bin/ls *', shell=True) 27 subprocess.Popen('/bin/ls %s' % ('something',), shell=True) 
@@ -188,8 +191,13 @@ def subprocess_popen_with_shell_equals_true(context, config): - https://docs.python.org/3/library/subprocess.html#frequently-used-arguments - https://security.openstack.org/guidelines/dg_use-subprocess-securely.html - https://security.openstack.org/guidelines/dg_avoid-shell-true.html + - https://cwe.mitre.org/data/definitions/78.html .. versionadded:: 0.9.0 + + .. versionchanged:: 1.7.3 + CWE information added + """ # noqa: E501 if config and context.call_function_name_qual in config["subprocess"]: if has_shell(context): @@ -198,8 +206,8 @@ def subprocess_popen_with_shell_equals_true(context, config): if sev == bandit.LOW: return bandit.Issue( severity=bandit.LOW, - cwe=cwemap.CWEMAP["B602"], confidence=bandit.HIGH, + cwe=issue.Cwe.OS_COMMAND_INJECTION, text="subprocess call with shell=True seems safe, but " "may be changed in the future, consider " "rewriting without shell", @@ -208,8 +216,8 @@ def subprocess_popen_with_shell_equals_true(context, config): else: return bandit.Issue( severity=bandit.HIGH, - cwe=cwemap.CWEMAP["B602"], confidence=bandit.HIGH, + cwe=issue.Cwe.OS_COMMAND_INJECTION, text="subprocess call with shell=True identified, " "security issue.", lineno=context.get_lineno_for_call_arg("shell"), @@ -270,6 +278,7 @@ def subprocess_without_shell_equals_true(context, config): >> Issue: subprocess call - check for execution of untrusted input. Severity: Low Confidence: High + CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) Location: ./examples/subprocess_shell.py:23 22 23 subprocess.check_output(['/bin/ls', '-l']) 
@@ -281,15 +290,20 @@ def subprocess_without_shell_equals_true(context, config): - https://docs.python.org/3/library/subprocess.html#frequently-used-arguments - https://security.openstack.org/guidelines/dg_avoid-shell-true.html - https://security.openstack.org/guidelines/dg_use-subprocess-securely.html + - https://cwe.mitre.org/data/definitions/78.html .. versionadded:: 0.9.0 + + .. versionchanged:: 1.7.3 + CWE information added + """ # noqa: E501 if config and context.call_function_name_qual in config["subprocess"]: if not has_shell(context): return bandit.Issue( severity=bandit.LOW, - cwe=cwemap.CWEMAP["B603"], confidence=bandit.HIGH, + cwe=issue.Cwe.OS_COMMAND_INJECTION, text="subprocess call - check for execution of untrusted " "input.", lineno=context.get_lineno_for_call_arg("shell"), @@ -351,6 +365,7 @@ def any_other_function_with_shell_equals_true(context, config): >> Issue: Function call with shell=True parameter identified, possible security issue. Severity: Medium Confidence: High + CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) Location: ./examples/subprocess_shell.py:9 8 pop('/bin/gcc --version', shell=True) 9 Popen('/bin/gcc --version', shell=True) @@ -360,15 +375,20 @@ def any_other_function_with_shell_equals_true(context, config): - https://security.openstack.org/guidelines/dg_avoid-shell-true.html - https://security.openstack.org/guidelines/dg_use-subprocess-securely.html + - https://cwe.mitre.org/data/definitions/78.html .. versionadded:: 0.9.0 + + .. versionchanged:: 1.7.3 + CWE information added + """ # noqa: E501 if config and context.call_function_name_qual not in config["subprocess"]: if has_shell(context): return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B604"], confidence=bandit.LOW, + cwe=issue.Cwe.OS_COMMAND_INJECTION, text="Function call with shell=True parameter identified, " "possible security issue.", lineno=context.get_lineno_for_call_arg("shell"), 
@@ -435,6 +455,7 @@ def start_process_with_a_shell(context, config): >> Issue: Starting a process with a shell: check for injection. Severity: Low Confidence: Medium + CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) Location: examples/os_system.py:3 2 3 os.system('/bin/echo hi') @@ -445,8 +466,13 @@ def start_process_with_a_shell(context, config): - https://docs.python.org/3/library/os.html#os.system - https://docs.python.org/3/library/subprocess.html#frequently-used-arguments - https://security.openstack.org/guidelines/dg_use-subprocess-securely.html + - https://cwe.mitre.org/data/definitions/78.html .. versionadded:: 0.10.0 + + .. versionchanged:: 1.7.3 + CWE information added + """ # noqa: E501 if config and context.call_function_name_qual in config["shell"]: if len(context.call_args) > 0: @@ -454,8 +480,8 @@ def start_process_with_a_shell(context, config): if sev == bandit.LOW: return bandit.Issue( severity=bandit.LOW, - cwe=cwemap.CWEMAP["B605"], confidence=bandit.HIGH, + cwe=issue.Cwe.OS_COMMAND_INJECTION, text="Starting a process with a shell: " "Seems safe, but may be changed in the future, " "consider rewriting without shell", @@ -463,8 +489,8 @@ def start_process_with_a_shell(context, config): else: return bandit.Issue( severity=bandit.HIGH, - cwe=cwemap.CWEMAP["B605"], confidence=bandit.HIGH, + cwe=issue.Cwe.OS_COMMAND_INJECTION, text="Starting a process with a shell, possible injection" " detected, security issue.", ) @@ -534,6 +560,7 @@ def start_process_with_no_shell(context, config): >> Issue: [start_process_with_no_shell] Starting a process without a shell. Severity: Low Confidence: Medium + CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) Location: examples/os-spawn.py:8 7 os.spawnv(mode, path, args) 8 os.spawnve(mode, path, args, env) 
@@ -545,15 +572,20 @@ def start_process_with_no_shell(context, config): - https://docs.python.org/3/library/os.html#os.system - https://docs.python.org/3/library/subprocess.html#frequently-used-arguments - https://security.openstack.org/guidelines/dg_use-subprocess-securely.html + - https://cwe.mitre.org/data/definitions/78.html .. versionadded:: 0.10.0 + + .. versionchanged:: 1.7.3 + CWE information added + """ # noqa: E501 if config and context.call_function_name_qual in config["no_shell"]: return bandit.Issue( severity=bandit.LOW, - cwe=cwemap.CWEMAP["B606"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.OS_COMMAND_INJECTION, text="Starting a process without a shell.", ) @@ -622,6 +654,7 @@ def start_process_with_partial_path(context, config): >> Issue: Starting a process with a partial executable path Severity: Low Confidence: High + CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html) Location: ./examples/partial_path_process.py:3 2 from subprocess import Popen as pop 3 pop('gcc --version', shell=False) @@ -630,8 +663,13 @@ def start_process_with_partial_path(context, config): - https://security.openstack.org - https://docs.python.org/3/library/os.html#process-management + - https://cwe.mitre.org/data/definitions/78.html .. versionadded:: 0.13.0 + + .. versionchanged:: 1.7.3 + CWE information added + """ if config and len(context.call_args): @@ -650,7 +688,7 @@ def start_process_with_partial_path(context, config): if isinstance(node, ast.Str) and not full_path_match.match(node.s): return bandit.Issue( severity=bandit.LOW, - cwe=cwemap.CWEMAP["B607"], confidence=bandit.HIGH, + cwe=issue.Cwe.OS_COMMAND_INJECTION, text="Starting a process with a partial executable path", ) diff --git a/bandit/plugins/injection_sql.py b/bandit/plugins/injection_sql.py index 712992c28..7f0d8ccfc 100644 --- a/bandit/plugins/injection_sql.py +++ b/bandit/plugins/injection_sql.py 
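Review bot: `cwe=issue.Cwe.OS_COMMAND_INJECTION` in the `start_process_with_partial_path` hunk classifies a partial executable path as command injection, but the weakness this check describes is an executable being resolved through the search path, which is CWE-427 (Uncontrolled Search Path Element) rather than CWE-78. The same CWE-78 links were added to that docstring's example and `.. seealso::` in the preceding hunk, so all three references would need to move together. That would require a member for 427 on `issue.Cwe`, which is outside this diff; if the enum does not have one, a comment such as `# TODO: CWE-78 is the closest available member; CWE-427 fits a partial-path lookup better` at the `cwe=` line would at least record the decision. start_process_with_partial_path starts outside the hunk.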
@@ -35,6 +35,7 @@ >> Issue: Possible SQL injection vector through string-based query construction. Severity: Medium Confidence: Low + CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html) Location: ./examples/sql_statements_without_sql_alchemy.py:4 3 query = "DELETE FROM foo WHERE id = '%s'" % identifier 4 query = "UPDATE foo SET value = 'b' WHERE id = '%s'" % identifier @@ -44,15 +45,19 @@ - https://www.owasp.org/index.php/SQL_Injection - https://security.openstack.org/guidelines/dg_parameterize-database-queries.html + - https://cwe.mitre.org/data/definitions/89.html .. versionadded:: 0.9.0 +.. versionchanged:: 1.7.3 + CWE information added + """ # noqa: E501 import ast import re import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test from bandit.core import utils @@ -105,8 +110,8 @@ def hardcoded_sql_expressions(context): if _check_string(val[1]): return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B608"], confidence=bandit.MEDIUM if val[0] else bandit.LOW, + cwe=issue.Cwe.SQL_INJECTION, text="Possible SQL injection vector through string-based " "query construction.", ) diff --git a/bandit/plugins/injection_wildcard.py b/bandit/plugins/injection_wildcard.py index c105e591f..c4209fb25 100644 --- a/bandit/plugins/injection_wildcard.py +++ b/bandit/plugins/injection_wildcard.py @@ -71,6 +71,7 @@ >> Issue: Possible wildcard injection in call: subprocess.Popen Severity: High Confidence: Medium + CWE-78 (https://cwe.mitre.org/data/definitions/78.html) Location: ./examples/wildcard-injection.py:8 7 o.popen2('/bin/chmod *') 8 subp.Popen('/bin/chown *', shell=True) @@ -78,6 +79,7 @@ >> Issue: subprocess call - check for execution of untrusted input. Severity: Low Confidence: High + CWE-78 (https://cwe.mitre.org/data/definitions/78.html) Location: ./examples/wildcard-injection.py:11 10 # Not vulnerable to wildcard injection 11 subp.Popen('/bin/rsync *') 
@@ -89,12 +91,16 @@ - https://security.openstack.org - https://en.wikipedia.org/wiki/Wildcard_character - https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt + - https://cwe.mitre.org/data/definitions/78.html .. versionadded:: 0.9.0 +.. versionchanged:: 1.7.3 + CWE information added + """ import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test from bandit.plugins import injection_shell # NOTE(tkelsey): shared config @@ -130,8 +136,8 @@ def linux_commands_wildcard_injection(context, config): ): return bandit.Issue( severity=bandit.HIGH, - cwe=cwemap.CWEMAP["B609"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.IMPROPER_WILDCARD_NEUTRALIZATION, text="Possible wildcard injection in call: %s" % context.call_function_name_qual, lineno=context.get_lineno_for_call_arg("shell"), diff --git a/bandit/plugins/insecure_ssl_tls.py b/bandit/plugins/insecure_ssl_tls.py index bc09f0955..80f2e5cfc 100644 --- a/bandit/plugins/insecure_ssl_tls.py +++ b/bandit/plugins/insecure_ssl_tls.py @@ -3,7 +3,7 @@ # # SPDX-License-Identifier: Apache-2.0 import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -86,6 +86,7 @@ def ssl_with_bad_version(context, config): >> Issue: ssl.wrap_socket call with insecure SSL/TLS protocol version identified, security issue. Severity: High Confidence: High + CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) Location: ./examples/ssl-insecure-version.py:13 12 # strict tests 13 ssl.wrap_socket(ssl_version=ssl.PROTOCOL_SSLv3) 
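Review bot: The docstring hunks at `@@ -71,6 +71,7 @@` and `@@ -78,6 +79,7 @@` and the new `.. seealso::` entry tell readers the finding is CWE-78, but the code hunk sets `cwe=issue.Cwe.IMPROPER_WILDCARD_NEUTRALIZATION`, whose name suggests the wildcard-neutralization weakness (CWE-155) rather than OS command injection, so the rendered docs and the emitted issue will disagree. Those two example lines also drop the `CWE:` label every other plugin in this patch uses (`CWE: CWE-78 (...)`), so the sample output no longer matches what the formatter prints. Whichever CWE is intended, the three docstring references and the `cwe=` argument should name the same one; if the enum member is the right choice, the links become `https://cwe.mitre.org/data/definitions/155.html`. linux_commands_wildcard_injection starts outside the hunk.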
@@ -98,16 +99,21 @@ def ssl_with_bad_version(context, config): - https://heartbleed.com/ - https://en.wikipedia.org/wiki/POODLE - https://security.openstack.org/guidelines/dg_move-data-securely.html + - https://cwe.mitre.org/data/definitions/327.html .. versionadded:: 0.9.0 + + .. versionchanged:: 1.7.3 + CWE information added + """ bad_ssl_versions = get_bad_proto_versions(config) if context.call_function_name_qual == "ssl.wrap_socket": if context.check_call_arg_value("ssl_version", bad_ssl_versions): return bandit.Issue( severity=bandit.HIGH, - cwe=cwemap.CWEMAP["B502"], confidence=bandit.HIGH, + cwe=issue.Cwe.BROKEN_CRYPTO, text="ssl.wrap_socket call with insecure SSL/TLS protocol " "version identified, security issue.", lineno=context.get_lineno_for_call_arg("ssl_version"), @@ -116,8 +122,8 @@ def ssl_with_bad_version(context, config): if context.check_call_arg_value("method", bad_ssl_versions): return bandit.Issue( severity=bandit.HIGH, - cwe=cwemap.CWEMAP["B502"], confidence=bandit.HIGH, + cwe=issue.Cwe.BROKEN_CRYPTO, text="SSL.Context call with insecure SSL/TLS protocol " "version identified, security issue.", lineno=context.get_lineno_for_call_arg("method"), @@ -135,8 +141,8 @@ def ssl_with_bad_version(context, config): ) or context.get_lineno_for_call_arg("ssl_version") return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B502"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.BROKEN_CRYPTO, text="Function call with insecure SSL/TLS protocol " "identified, possible security issue.", lineno=lineno, @@ -171,6 +177,7 @@ def ssl_with_bad_defaults(context, config): >> Issue: Function definition identified with insecure SSL/TLS protocol version by default, possible security issue. Severity: Medium Confidence: Medium + CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) Location: ./examples/ssl-insecure-version.py:28 27 28 def open_ssl_socket(version=SSL.SSLv2_METHOD): 
@@ -185,6 +192,10 @@ def ssl_with_bad_defaults(context, config): - https://security.openstack.org/guidelines/dg_move-data-securely.html .. versionadded:: 0.9.0 + + .. versionchanged:: 1.7.3 + CWE information added + """ bad_ssl_versions = get_bad_proto_versions(config) @@ -193,8 +204,8 @@ def ssl_with_bad_defaults(context, config): if val in bad_ssl_versions: return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B503"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.BROKEN_CRYPTO, text="Function definition identified with insecure SSL/TLS " "protocol version by default, possible security " "issue.", @@ -229,6 +240,7 @@ def ssl_with_no_version(context): specified, the default SSLv23 could be insecure, possible security issue. Severity: Low Confidence: Medium + CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html) Location: ./examples/ssl-insecure-version.py:23 22 23 ssl.wrap_socket() @@ -243,6 +255,10 @@ def ssl_with_no_version(context): - https://security.openstack.org/guidelines/dg_move-data-securely.html .. versionadded:: 0.9.0 + + .. versionchanged:: 1.7.3 + CWE information added + """ if context.call_function_name_qual == "ssl.wrap_socket": if context.check_call_arg_value("ssl_version") is None: @@ -252,8 +268,8 @@ def ssl_with_no_version(context): # tests for that (ssl_version is not specified). return bandit.Issue( severity=bandit.LOW, - cwe=cwemap.CWEMAP["B504"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.BROKEN_CRYPTO, text="ssl.wrap_socket call with no SSL/TLS protocol version " "specified, the default SSLv23 could be insecure, " "possible security issue.", diff --git a/bandit/plugins/jinja2_templates.py b/bandit/plugins/jinja2_templates.py index 0edc38316..f0b23e03b 100644 --- a/bandit/plugins/jinja2_templates.py +++ b/bandit/plugins/jinja2_templates.py 
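Review bot: The `ssl_with_bad_defaults` hunk at `@@ -185,6 +192,10 @@` and the `ssl_with_no_version` hunk at `@@ -243,6 +255,10 @@` add the `.. versionchanged:: 1.7.3` block but, unlike `ssl_with_bad_version` and every other plugin in this patch, do not add the CWE link to `.. seealso::`, so the rendered docs for B503 and B504 would be the only ones without it. Adding `- https://cwe.mitre.org/data/definitions/327.html` under the existing openstack link in both docstrings keeps the three SSL checks consistent with each other and with the `CWE: CWE-327` example lines the same hunks introduce. Both functions start outside their hunks.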
@@ -26,6 +26,7 @@ >> Issue: Using jinja2 templates with autoescape=False is dangerous and can lead to XSS. Use autoescape=True to mitigate XSS vulnerabilities. Severity: High Confidence: High + CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html) Location: ./examples/jinja2_templating.py:11 10 templateEnv = jinja2.Environment(autoescape=False, loader=templateLoader) @@ -38,6 +39,7 @@ autoescape=True or use the select_autoescape function to mitigate XSS vulnerabilities. Severity: High Confidence: High + CWE: CWE-94 (https://cwe.mitre.org/data/definitions/94.html) Location: ./examples/jinja2_templating.py:15 14 15 Environment(loader=templateLoader, @@ -53,14 +55,18 @@ - https://realpython.com/primer-on-jinja-templating/ - https://jinja.palletsprojects.com/en/2.11.x/api/#autoescaping - https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html + - https://cwe.mitre.org/data/definitions/94.html .. versionadded:: 0.10.0 +.. versionchanged:: 1.7.3 + CWE information added + """ import ast import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -81,8 +87,8 @@ def jinja2_autoescape_false(context): ): return bandit.Issue( severity=bandit.HIGH, - cwe=cwemap.CWEMAP["B701"], confidence=bandit.HIGH, + cwe=issue.Cwe.CODE_INJECTION, text="Using jinja2 templates with autoescape=" "False is dangerous and can lead to XSS. " "Use autoescape=True or use the " @@ -107,8 +113,8 @@ def jinja2_autoescape_false(context): else: return bandit.Issue( severity=bandit.HIGH, - cwe=cwemap.CWEMAP["B701"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.CODE_INJECTION, text="Using jinja2 templates with autoescape=" "False is dangerous and can lead to XSS. " "Ensure autoescape=True or use the " 
@@ -119,8 +125,8 @@ def jinja2_autoescape_false(context): # behavior return bandit.Issue( severity=bandit.HIGH, - cwe=cwemap.CWEMAP["B701"], confidence=bandit.HIGH, + cwe=issue.Cwe.CODE_INJECTION, text="By default, jinja2 sets autoescape to False. Consider " "using autoescape=True or use the select_autoescape " "function to mitigate XSS vulnerabilities.", diff --git a/bandit/plugins/mako_templates.py b/bandit/plugins/mako_templates.py index 42b96160a..26fa9de76 100644 --- a/bandit/plugins/mako_templates.py +++ b/bandit/plugins/mako_templates.py @@ -22,6 +22,7 @@ properly sanitized via the 'n', 'h' or 'x' flags (depending on context). For example, to HTML escape the variable 'data' do ${ data |h }. Severity: Medium Confidence: High + CWE: CWE-80 (https://cwe.mitre.org/data/definitions/80.html) Location: ./examples/mako_templating.py:10 9 10 mako.template.Template("hern") @@ -33,12 +34,16 @@ - https://www.makotemplates.org/ - `OWASP XSS `_ - https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html + - https://cwe.mitre.org/data/definitions/80.html .. versionadded:: 0.10.0 +.. versionchanged:: 1.7.3 + CWE information added + """ import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -54,8 +59,8 @@ def use_of_mako_templates(context): # feature and thus each variable must be carefully sanitized. return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B702"], confidence=bandit.HIGH, + cwe=issue.Cwe.BASIC_XSS, text="Mako templates allow HTML/JS rendering by default and " "are inherently open to XSS attacks. Ensure variables " "in all templates are properly sanitized via the 'n', " diff --git a/bandit/plugins/snmp_security_check.py b/bandit/plugins/snmp_security_check.py index 02308bd81..1d207cdec 100644 --- a/bandit/plugins/snmp_security_check.py +++ b/bandit/plugins/snmp_security_check.py 
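Review bot: `cwe=issue.Cwe.CODE_INJECTION` in the three `jinja2_autoescape_false` hunks (`@@ -81,8 +87,8 @@`, `@@ -107,8 +113,8 @@` and this one) tags a finding whose own text says it "can lead to XSS" as code injection, and the `CWE: CWE-94` example lines and `.. seealso::` link follow suit. Disabling autoescaping is an output-encoding weakness, so `cwe=issue.Cwe.XSS` or the `issue.Cwe.BASIC_XSS` member the mako plugin in the next file section uses would be a closer match, with the docstring references updated to the same definition. Consumers that triage by CWE will otherwise group these with `eval`-style findings rather than with the template XSS ones, and the two template plugins would still disagree with each other unless one XSS member is chosen for both. jinja2_autoescape_false starts outside the hunk.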
@@ -3,6 +3,7 @@ # # SPDX-License-Identifier: Apache-2.0 import bandit +from bandit.core import issue from bandit.core import test_properties as test @@ -14,15 +15,34 @@ def snmp_insecure_version_check(context): This test is for checking for the usage of insecure SNMP version like v1, v2c - Using the pysnmp documentation: - http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html - Please update your code to use more secure versions of SNMP. + :Example: + + .. code-block:: none + >> Issue: [B508:snmp_insecure_version_check] The use of SNMPv1 and + SNMPv2 is insecure. You should use SNMPv3 if able. + Severity: Medium Confidence: High + CWE: CWE-319 (https://cwe.mitre.org/data/definitions/319.html) + Location: examples/snmp.py:4:4 + More Info: https://bandit.readthedocs.io/en/latest/plugins/b508_snmp_insecure_version_check.html + 3 # SHOULD FAIL + 4 a = CommunityData('public', mpModel=0) + 5 # SHOULD FAIL + + .. seealso:: + + - http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html + - https://cwe.mitre.org/data/definitions/319.html + .. versionadded:: 1.7.2 - """ - if context.call_function_name_qual == "CommunityData": + .. versionchanged:: 1.7.3 + CWE information added + + """ # noqa: E501 + + if context.call_function_name_qual == "pysnmp.hlapi.CommunityData": # We called community data. Lets check our args if context.check_call_arg_value( "mpModel", 0 @@ -30,6 +50,7 @@ def snmp_insecure_version_check(context): return bandit.Issue( severity=bandit.MEDIUM, confidence=bandit.HIGH, + cwe=issue.Cwe.CLEARTEXT_TRANSMISSION, text="The use of SNMPv1 and SNMPv2 is insecure. " "You should use SNMPv3 if able.", lineno=context.get_lineno_for_call_arg("CommunityData"), 
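Review bot: The `snmp_insecure_version_check` hunk changes the match from `"CommunityData"` to `"pysnmp.hlapi.CommunityData"` (and the `snmp_crypto_check` hunk in the next lines does the same for `UsmUserData`), which is a behaviour change the commit message does not mention — the message only describes replacing the CWEMAP lookup. Any call that resolves to a different qualified name, for example a class imported from another pysnmp submodule, would presumably stop being reported; if that tightening is intended it deserves a sentence in the description and a test exercising the qualified form, and if not, the old comparison should stay. The B509 example also places `CWE: CWE-319 (...)` between `Severity:` and `Confidence:` while every other example in the patch puts it on its own line after `Confidence:`. Both functions start outside their hunks.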
@@ -44,9 +65,6 @@ def snmp_crypto_check(context): This test is for checking for the usage of insecure SNMP cryptography: v3 using noAuthNoPriv. - Using the pysnmp documentation: - http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html - Please update your code to use more secure versions of SNMP. For example: Instead of: @@ -55,14 +73,36 @@ def snmp_crypto_check(context): Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol `UsmUserData("securityName", "authName", "privName")` + :Example: + + .. code-block:: none + + >> Issue: [B509:snmp_crypto_check] You should not use SNMPv3 without encryption. noAuthNoPriv & authNoPriv is insecure + Severity: Medium CWE: CWE-319 (https://cwe.mitre.org/data/definitions/319.html) Confidence: High + Location: examples/snmp.py:6:11 + More Info: https://bandit.readthedocs.io/en/latest/plugins/b509_snmp_crypto_check.html + 5 # SHOULD FAIL + 6 insecure = UsmUserData("securityName") + 7 # SHOULD FAIL + + .. seealso:: + + - http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html + - https://cwe.mitre.org/data/definitions/319.html + .. versionadded:: 1.7.2 - """ - if context.call_function_name_qual == "UsmUserData": + .. versionchanged:: 1.7.3 + CWE information added + + """ # noqa: E501 + + if context.call_function_name_qual == "pysnmp.hlapi.UsmUserData": if context.call_args_count < 3: return bandit.Issue( severity=bandit.MEDIUM, confidence=bandit.HIGH, + cwe=issue.Cwe.CLEARTEXT_TRANSMISSION, text="You should not use SNMPv3 without encryption. " "noAuthNoPriv & authNoPriv is insecure", lineno=context.get_lineno_for_call_arg("UsmUserData"), diff --git a/bandit/plugins/ssh_no_host_key_verification.py b/bandit/plugins/ssh_no_host_key_verification.py index 031f0e8a6..2f4390320 100644 --- a/bandit/plugins/ssh_no_host_key_verification.py +++ b/bandit/plugins/ssh_no_host_key_verification.py 
@@ -22,6 +22,7 @@ >> Issue: [B507:ssh_no_host_key_verification] Paramiko call with policy set to automatically trust the unknown host key. Severity: High Confidence: Medium + CWE: CWE-295 (https://cwe.mitre.org/data/definitions/295.html) Location: examples/no_host_key_verification.py:4 3 ssh_client = client.SSHClient() 4 ssh_client.set_missing_host_key_policy(client.AutoAddPolicy) @@ -30,9 +31,12 @@ .. versionadded:: 1.5.1 +.. versionchanged:: 1.7.3 + CWE information added + """ import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -47,14 +51,13 @@ def ssh_no_host_key_verification(context): "AutoAddPolicy", "WarningPolicy", ]: - issue = bandit.Issue( + return bandit.Issue( severity=bandit.HIGH, - cwe=cwemap.CWEMAP["B507"], confidence=bandit.MEDIUM, + cwe=issue.Cwe.IMPROPER_CERT_VALIDATION, text="Paramiko call with policy set to automatically trust " "the unknown host key.", lineno=context.get_lineno_for_call_arg( "set_missing_host_key_policy" ), ) - return issue diff --git a/bandit/plugins/try_except_continue.py b/bandit/plugins/try_except_continue.py index 854fe6fc9..c2e3ad493 100644 --- a/bandit/plugins/try_except_continue.py +++ b/bandit/plugins/try_except_continue.py @@ -57,6 +57,7 @@ class (or no type). To accommodate this, the test may be configured to ignore >> Issue: Try, Except, Continue detected. Severity: Low Confidence: High + CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html) Location: ./examples/try_except_continue.py:5 4 a = i 5 except: @@ -65,14 +66,18 @@ class (or no type). To accommodate this, the test may be configured to ignore .. seealso:: - https://security.openstack.org + - https://cwe.mitre.org/data/definitions/703.html .. versionadded:: 1.0.0 +.. versionchanged:: 1.7.3 + CWE information added + """ import ast import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test 
@@ -97,7 +102,7 @@ def try_except_continue(context, config): if isinstance(node.body[0], ast.Continue): return bandit.Issue( severity=bandit.LOW, - cwe=cwemap.CWEMAP["B112"], confidence=bandit.HIGH, + cwe=issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, text=("Try, Except, Continue detected."), ) diff --git a/bandit/plugins/try_except_pass.py b/bandit/plugins/try_except_pass.py index 2ca64b214..eda0ef800 100644 --- a/bandit/plugins/try_except_pass.py +++ b/bandit/plugins/try_except_pass.py @@ -55,6 +55,7 @@ class (or no type). To accommodate this, the test may be configured to ignore >> Issue: Try, Except, Pass detected. Severity: Low Confidence: High + CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html) Location: ./examples/try_except_pass.py:4 3 a = 1 4 except: @@ -63,14 +64,18 @@ class (or no type). To accommodate this, the test may be configured to ignore .. seealso:: - https://security.openstack.org + - https://cwe.mitre.org/data/definitions/703.html .. versionadded:: 0.13.0 +.. versionchanged:: 1.7.3 + CWE information added + """ import ast import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -95,7 +100,7 @@ def try_except_pass(context, config): if isinstance(node.body[0], ast.Pass): return bandit.Issue( severity=bandit.LOW, - cwe=cwemap.CWEMAP["B110"], confidence=bandit.HIGH, + cwe=issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND, text=("Try, Except, Pass detected."), ) diff --git a/bandit/plugins/weak_cryptographic_key.py b/bandit/plugins/weak_cryptographic_key.py index 8e5dc1f94..faa0a3eba 100644 --- a/bandit/plugins/weak_cryptographic_key.py +++ b/bandit/plugins/weak_cryptographic_key.py 
@@ -20,6 +20,7 @@ >> Issue: DSA key sizes below 1024 bits are considered breakable. Severity: High Confidence: High + CWE: CWE-326 (https://cwe.mitre.org/data/definitions/326.html) Location: examples/weak_cryptographic_key_sizes.py:36 35 # Also incorrect: without keyword args 36 dsa.generate_private_key(512, @@ -30,12 +31,16 @@ - https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final - https://security.openstack.org/guidelines/dg_strong-crypto.html + - https://cwe.mitre.org/data/definitions/326.html .. versionadded:: 0.14.0 +.. versionchanged:: 1.7.3 + CWE information added + """ import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test @@ -75,8 +80,8 @@ def _classify_key_size(config, key_type, key_size): if key_size < size: return bandit.Issue( severity=level, - cwe=cwemap.CWEMAP["B505"], confidence=bandit.HIGH, + cwe=issue.Cwe.INADEQUATE_ENCRYPTION_STRENGTH, text="%s key sizes below %d bits are considered breakable. " % (key_type, size), ) diff --git a/bandit/plugins/yaml_load.py b/bandit/plugins/yaml_load.py index 3bc6603b9..dec77ee26 100644 --- a/bandit/plugins/yaml_load.py +++ b/bandit/plugins/yaml_load.py @@ -22,6 +22,7 @@ >> Issue: [yaml_load] Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load(). Severity: Medium Confidence: High + CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) Location: examples/yaml_load.py:5 4 ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3}) 5 y = yaml.load(ystr) @@ -31,12 +32,16 @@ .. seealso:: - https://pyyaml.org/wiki/PyYAMLDocumentation#LoadingYAML + - https://cwe.mitre.org/data/definitions/20.html .. versionadded:: 1.0.0 +.. versionchanged:: 1.7.3 + CWE information added + """ import bandit -from bandit.core import cwemap +from bandit.core import issue from bandit.core import test_properties as test 
@@ -60,8 +65,8 @@ def yaml_load(context): ): return bandit.Issue( severity=bandit.MEDIUM, - cwe=cwemap.CWEMAP["B506"], confidence=bandit.HIGH, + cwe=issue.Cwe.IMPROPER_INPUT_VALIDATION, text="Use of unsafe yaml load. Allows instantiation of" " arbitrary objects. Consider yaml.safe_load().", lineno=context.node.lineno, diff --git a/tests/unit/core/test_test_set.py b/tests/unit/core/test_test_set.py index 117de71ef..77c5f88af 100644 --- a/tests/unit/core/test_test_set.py +++ b/tests/unit/core/test_test_set.py @@ -9,6 +9,7 @@ from bandit.blacklists import utils from bandit.core import extension_loader +from bandit.core import issue from bandit.core import test_properties as test from bandit.core import test_set @@ -21,6 +22,7 @@ def test_plugin(): utils.build_conf_dict( "telnet", "B401", + issue.Cwe.CLEARTEXT_TRANSMISSION, ["telnetlib"], "A telnet-related module is being imported. Telnet is " "considered insecure. Use SSH or some other encrypted protocol.", @@ -32,6 +34,7 @@ def test_plugin(): utils.build_conf_dict( "marshal", "B302", + issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, ["marshal.load", "marshal.loads"], "Deserialization with the marshal module is possibly dangerous.", ) @@ -147,6 +150,7 @@ def test_profile_blacklist_compat(self): utils.build_conf_dict( "marshal", "B302", + issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, ["marshal.load", "marshal.loads"], ( "Deserialization with the marshal module is possibly "
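Review bot: `cwe=issue.Cwe.IMPROPER_INPUT_VALIDATION` in the `yaml_load` hunk maps a finding about unsafe `yaml.load` — which the issue text itself describes as instantiating arbitrary objects — to the generic CWE-20, while the marshal entries in this same patch (the `B302` hunks in tests/unit/core/test_test_set.py) use `issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA`. Unsafe YAML loading is the same weakness class, so `cwe=issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,` here, with the `CWE: CWE-20` example line and the `.. seealso::` link in the preceding docstring hunks changed to definition 502, would keep B506 consistent with the other deserialization checks for anyone filtering by CWE. yaml_load starts outside the hunk.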