Removal of the CWEMAP dict #789

Merged
merged 1 commit into from Feb 2, 2022
24 changes: 24 additions & 0 deletions bandit/blacklists/calls.py
Expand Up @@ -314,6 +314,7 @@

"""
from bandit.blacklists import utils
from bandit.core import issue


def gen_blacklist():
Expand All @@ -332,6 +333,7 @@ def gen_blacklist():
utils.build_conf_dict(
"pickle",
"B301",
issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
[
"pickle.loads",
"pickle.load",
Expand All @@ -354,6 +356,7 @@ def gen_blacklist():
utils.build_conf_dict(
"marshal",
"B302",
issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
["marshal.load", "marshal.loads"],
"Deserialization with the marshal module is possibly dangerous.",
)
Expand All @@ -363,6 +366,7 @@ def gen_blacklist():
utils.build_conf_dict(
"md5",
"B303",
issue.Cwe.BROKEN_CRYPTO,
[
"hashlib.md5",
"hashlib.sha1",
Expand All @@ -385,6 +389,7 @@ def gen_blacklist():
utils.build_conf_dict(
"ciphers",
"B304",
issue.Cwe.BROKEN_CRYPTO,
[
"Crypto.Cipher.ARC2.new",
"Crypto.Cipher.ARC4.new",
Expand All @@ -410,6 +415,7 @@ def gen_blacklist():
utils.build_conf_dict(
"cipher_modes",
"B305",
issue.Cwe.BROKEN_CRYPTO,
["cryptography.hazmat.primitives.ciphers.modes.ECB"],
"Use of insecure cipher mode {name}.",
)
Expand All @@ -419,6 +425,7 @@ def gen_blacklist():
utils.build_conf_dict(
"mktemp_q",
"B306",
issue.Cwe.INSECURE_TEMP_FILE,
["tempfile.mktemp"],
"Use of insecure and deprecated function (mktemp).",
)
Expand All @@ -428,6 +435,7 @@ def gen_blacklist():
utils.build_conf_dict(
"eval",
"B307",
issue.Cwe.OS_COMMAND_INJECTION,
["eval"],
"Use of possibly insecure function - consider using safer "
"ast.literal_eval.",
Expand All @@ -438,6 +446,7 @@ def gen_blacklist():
utils.build_conf_dict(
"mark_safe",
"B308",
issue.Cwe.XSS,
["django.utils.safestring.mark_safe"],
"Use of mark_safe() may expose cross-site scripting "
"vulnerabilities and should be reviewed.",
Expand All @@ -448,6 +457,7 @@ def gen_blacklist():
utils.build_conf_dict(
"httpsconnection",
"B309",
issue.Cwe.CLEARTEXT_TRANSMISSION,
[
"httplib.HTTPSConnection",
"http.client.HTTPSConnection",
Expand All @@ -463,6 +473,7 @@ def gen_blacklist():
utils.build_conf_dict(
"urllib_urlopen",
"B310",
issue.Cwe.PATH_TRAVERSAL,
[
"urllib.urlopen",
"urllib.request.urlopen",
Expand All @@ -488,6 +499,7 @@ def gen_blacklist():
utils.build_conf_dict(
"random",
"B311",
issue.Cwe.INSUFFICIENT_RANDOM_VALUES,
[
"random.random",
"random.randrange",
Expand All @@ -507,6 +519,7 @@ def gen_blacklist():
utils.build_conf_dict(
"telnetlib",
"B312",
issue.Cwe.CLEARTEXT_TRANSMISSION,
["telnetlib.*"],
"Telnet-related functions are being called. Telnet is considered "
"insecure. Use SSH or some other encrypted protocol.",
Expand All @@ -528,6 +541,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_cElementTree",
"B313",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
[
"xml.etree.cElementTree.parse",
"xml.etree.cElementTree.iterparse",
Expand All @@ -542,6 +556,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_ElementTree",
"B314",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
[
"xml.etree.ElementTree.parse",
"xml.etree.ElementTree.iterparse",
Expand All @@ -556,6 +571,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_expatreader",
"B315",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.sax.expatreader.create_parser"],
xml_msg,
)
Expand All @@ -565,6 +581,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_expatbuilder",
"B316",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.expatbuilder.parse", "xml.dom.expatbuilder.parseString"],
xml_msg,
)
Expand All @@ -574,6 +591,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_sax",
"B317",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.sax.parse", "xml.sax.parseString", "xml.sax.make_parser"],
xml_msg,
)
Expand All @@ -583,6 +601,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_minidom",
"B318",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.minidom.parse", "xml.dom.minidom.parseString"],
xml_msg,
)
Expand All @@ -592,6 +611,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_pulldom",
"B319",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.pulldom.parse", "xml.dom.pulldom.parseString"],
xml_msg,
)
Expand All @@ -601,6 +621,7 @@ def gen_blacklist():
utils.build_conf_dict(
"xml_bad_etree",
"B320",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
[
"lxml.etree.parse",
"lxml.etree.fromstring",
Expand All @@ -623,6 +644,7 @@ def gen_blacklist():
utils.build_conf_dict(
"ftplib",
"B321",
issue.Cwe.CLEARTEXT_TRANSMISSION,
["ftplib.*"],
"FTP-related functions are being called. FTP is considered "
"insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
Expand All @@ -636,6 +658,7 @@ def gen_blacklist():
utils.build_conf_dict(
"unverified_context",
"B323",
issue.Cwe.IMPROPER_CERT_VALIDATION,
["ssl._create_unverified_context"],
"By default, Python will create a secure, verified ssl context for"
" use in such classes as HTTPSConnection. However, it still allows"
Expand All @@ -651,6 +674,7 @@ def gen_blacklist():
utils.build_conf_dict(
"tempnam",
"B325",
issue.Cwe.INSECURE_TEMP_FILE,
["os.tempnam", "os.tmpnam"],
"Use of os.tempnam() and os.tmpnam() is vulnerable to symlink "
"attacks. Consider using tmpfile() instead.",
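Review bot: B307 (`eval`) is tagged `issue.Cwe.OS_COMMAND_INJECTION` in the hunk at @@ -428, but eval() evaluates Python source, not an OS command; the CWE taxonomy classifies that as CWE-94/CWE-95 (code / eval injection), and consumers that filter or aggregate findings by CWE will expect that class. The `Cwe` enum is not shown here, so if it has a code-injection member B307 should use it; if it does not, the mapping deserves an inline comment such as `# TODO: eval is code injection (CWE-94/95), not OS command injection - add a Cwe member and switch`. The other mappings in this file look consistent with the rule messages. gen_blacklist starts before the first hunk and continues past the last one, so the call list may contain further entries not reviewed here.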
40 changes: 36 additions & 4 deletions bandit/blacklists/imports.py
Expand Up @@ -214,6 +214,7 @@

"""
from bandit.blacklists import utils
from bandit.core import issue


def gen_blacklist():
Expand All @@ -232,6 +233,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_telnetlib",
"B401",
issue.Cwe.CLEARTEXT_TRANSMISSION,
["telnetlib"],
"A telnet-related module is being imported. Telnet is "
"considered insecure. Use SSH or some other encrypted protocol.",
Expand All @@ -243,6 +245,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_ftplib",
"B402",
issue.Cwe.CLEARTEXT_TRANSMISSION,
["ftplib"],
"A FTP-related module is being imported. FTP is considered "
"insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
Expand All @@ -254,6 +257,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_pickle",
"B403",
issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
["pickle", "cPickle", "dill", "shelve"],
"Consider possible security implications associated with "
"{name} module.",
Expand All @@ -265,6 +269,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_subprocess",
"B404",
issue.Cwe.OS_COMMAND_INJECTION,
["subprocess"],
"Consider possible security implications associated with the "
"subprocess module.",
Expand All @@ -291,6 +296,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_xml_etree",
"B405",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.etree.cElementTree", "xml.etree.ElementTree"],
xml_msg,
"LOW",
Expand All @@ -299,14 +305,20 @@ def gen_blacklist():

sets.append(
utils.build_conf_dict(
"import_xml_sax", "B406", ["xml.sax"], xml_msg, "LOW"
"import_xml_sax",
"B406",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.sax"],
xml_msg,
"LOW",
)
)

sets.append(
utils.build_conf_dict(
"import_xml_expat",
"B407",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.expatbuilder"],
xml_msg,
"LOW",
Expand All @@ -315,24 +327,42 @@ def gen_blacklist():

sets.append(
utils.build_conf_dict(
"import_xml_minidom", "B408", ["xml.dom.minidom"], xml_msg, "LOW"
"import_xml_minidom",
"B408",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.minidom"],
xml_msg,
"LOW",
)
)

sets.append(
utils.build_conf_dict(
"import_xml_pulldom", "B409", ["xml.dom.pulldom"], xml_msg, "LOW"
"import_xml_pulldom",
"B409",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xml.dom.pulldom"],
xml_msg,
"LOW",
)
)

sets.append(
utils.build_conf_dict("import_lxml", "B410", ["lxml"], lxml_msg, "LOW")
utils.build_conf_dict(
"import_lxml",
"B410",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["lxml"],
lxml_msg,
"LOW",
)
)

sets.append(
utils.build_conf_dict(
"import_xmlrpclib",
"B411",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
["xmlrpclib"],
"Using {name} to parse untrusted XML data is known to be "
"vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() "
Expand All @@ -346,6 +376,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_httpoxy",
"B412",
issue.Cwe.IMPROPER_ACCESS_CONTROL,
[
"wsgiref.handlers.CGIHandler",
"twisted.web.twcgi.CGIScript",
Expand All @@ -361,6 +392,7 @@ def gen_blacklist():
utils.build_conf_dict(
"import_pycrypto",
"B413",
issue.Cwe.BROKEN_CRYPTO,
[
"Crypto.Cipher",
"Crypto.Hash",
3 changes: 2 additions & 1 deletion bandit/blacklists/utils.py
Expand Up @@ -5,11 +5,12 @@
r"""Utils module."""


def build_conf_dict(name, bid, qualnames, message, level="MEDIUM"):
def build_conf_dict(name, bid, cwe, qualnames, message, level="MEDIUM"):
"""Build and return a blacklist configuration dict."""
return {
"name": name,
"id": bid,
"cwe": cwe,
"message": message,
"qualnames": qualnames,
"level": level,
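Review bot: Inserting `cwe` as the third positional parameter of `build_conf_dict` silently mis-assigns arguments for any caller still using the old order — `qualnames` lands in `cwe` and `message` in `qualnames`, and nothing fails until the resulting dict is consumed during a scan. The in-tree callers in calls.py and imports.py are updated in this PR, but out-of-tree blacklist modules that call this helper positionally would not be. A cheap guard is `if isinstance(cwe, (list, tuple)): raise TypeError("cwe must be passed before qualnames")`. The one-line docstring should also list the parameters, in particular that `cwe` is the `issue.Cwe` value attached to every finding produced by this entry and that `level` defaults to "MEDIUM".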
3 changes: 1 addition & 2 deletions bandit/core/blacklisting.py
Expand Up @@ -5,16 +5,15 @@
import ast
import fnmatch

from bandit.core import cwemap
from bandit.core import issue


def report_issue(check, name):
return issue.Issue(
severity=check.get("level", "MEDIUM"),
confidence="HIGH",
cwe=check.get("cwe", issue.Cwe.NOTSET),
text=check["message"].replace("{name}", name),
cwe=cwemap.CWEMAP[check.get("id", "LEGACY")],
ident=name,
test_id=check.get("id", "LEGACY"),
)
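Review bot: `check.get("cwe", issue.Cwe.NOTSET)` in report_issue quietly reports NOTSET for any blacklist entry that lacks a `cwe` key, whereas the removed `cwemap.CWEMAP[...]` lookup failed loudly on an unknown id; an entry not built through `build_conf_dict` (if blacklist entries can also be supplied by configuration or plugins) now degrades silently. A comment on that line should state the intent, e.g. `# "cwe" is set by utils.build_conf_dict; NOTSET is only the fallback for entries built elsewhere`, or the fallback should be logged so a missing classification is visible. `report_issue` also has no docstring; a one-liner such as `"""Build an Issue for a blacklist hit on *name* from the matched *check* entry."""` would help readers.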