Releases: PyCQA/bandit
1.7.8
What's Changed
- Incorrect tag naming in readme by @lukehinds in #1105
- Utilize PyPI's trusted publishing by @ericwb in #1107
- Bump sigstore/cosign-installer from 3.3.0 to 3.4.0 by @dependabot in #1109
- Add 1.7.7 to versions of bug template by @ericwb in #1110
- Use datetime to avoid updating copyright year by @ericwb in #1112
- filter data is safe for tarfile extractall by @etienneschalk in #1111
- Bump docker/setup-buildx-action from 3.0.0 to 3.1.0 by @dependabot in #1115
- [B605] Add functions that are vulnerable to shell injection. by @shihai1991 in #1116
- Add a SARIF output formatter by @ericwb in #1113
New Contributors
- @etienneschalk made their first contribution in #1111
- @shihai1991 made their first contribution in #1116
Full Changelog: 1.7.7...1.7.8
1.7.7
What's Changed
- Add the new release to bandit versions of bug template by @ericwb in #1075
- Bump actions/setup-python from 4 to 5 by @dependabot in #1076
- Handle variant in how policy is passed in paramiko by @ericwb in #1078
- Flag str.replace as possible sql injection by @costaparas in #1044
- defusedxml: Show correct module name by @kajinamit in #1081
- Add tidelift to the sponsor funding list by @ericwb in #1089
- Create a security policy by @ericwb in #1091
- Fix up issues found running Bandit on itself by @ericwb in #1093
- Add random.randbytes to blacklist calls by @ericwb in #1096
- Prepend ./ for files specified as CLI args by @ericwb in #1094
- Rework GitPython dependency to be an extra for bandit-baseline by @ericwb in #1099
- Bump actions/dependency-review-action from 3 to 4 by @dependabot in #1101
- Introduce Official Bandit Images by @lukehinds in #1088
- Remove markdown formatting in reStructuredText formatted README by @ericwb in #1103
- Downsize the org:repo name by @lukehinds in #1104
New Contributors
- @kajinamit made their first contribution in #1081
Full Changelog: 1.7.6...1.7.7
1.7.6
What's Changed
- Update bug report to include version 1.7.5 by @ericwb in #993
- Render Python 3.10 in drop down correctly by @ericwb in #997
- Remove checks for Python2 urllib by @ericwb in #999
- Improper detection of non-requests module by @ericwb in #1011
- xmlrpclib replaced with xmlrpc in Python3 by @ericwb in #1012
- language and linting updates by @marksmayo in #1015
- Adds check for crypt module usage as weak hash by @ericwb in #1018
- Switch to tox 4 by @mportesdev in #1020
- Skip unnecessary pip install commands in the pythonpackage.yml workflow by @mportesdev in #1021
- Update versions of used GitHub Actions by @mportesdev in #1024
- Update pre-commit hooks by @mportesdev in #1026
- Add random.Random to B311 checks by @shiftinv in #940
- Add a copy button to all code snippets in docs by @ericwb in #1030
- Replace pbr in favor of importlib by @ericwb in #1016
- Switch from open collective to PSF by @ericwb in #1031
- Make pre-commit run Bandit hook using a single process by @Klavionik in #1029
- Remove support for Python 3.7 due to end-of-life by @ericwb in #1034
- Update asserts.py documentation by @deronnax in #1036
- Simplify wrap_file_object by @mportesdev in #1037
- django_rawsql_used: support keyword arguments used in RawSQL by @kevinmarsh in #765
- Avoid gitpython CVE-2022-24439 by @carlosduelo in #1048
- Update blacklist call documentation by @costaparas in #1045
- Support ignoring blacklists by name by @costaparas in #1046
- Fix dependabot to update github actions by @ericwb in #1057
- Bump actions/checkout from 3 to 4 by @dependabot in #1058
- Fix for ReadtheDocs build by @ericwb in #1061
- fix(plugins/B507): also detect class instances by @mkniewallner in #1064
- Use mirror repository for black pre-commit hook by @mportesdev in #1070
- Add official support of Python 3.12 by @ericwb in #1068
- Fix crash on pyproject.toml without bandit config by @javajawa in #1073
- refactor: remove importlib-metadata fallback by @mkniewallner in #1066
- Fixes for sphinx build by @ericwb in #1063
New Contributors
- @marksmayo made their first contribution in #1015
- @shiftinv made their first contribution in #940
- @Klavionik made their first contribution in #1029
- @deronnax made their first contribution in #1036
- @kevinmarsh made their first contribution in #765
- @carlosduelo made their first contribution in #1048
- @costaparas made their first contribution in #1045
- @dependabot made their first contribution in #1058
- @javajawa made their first contribution in #1073
Full Changelog: 1.7.5...1.7.6
1.7.5
What's Changed
- Add an example screen shot of Bandit to README by @ericwb in #847
- Bad link to screen shot by @ericwb in #848
- Use a constant for weak hashes by @ericwb in #850
- Group location line with code output by @ericwb in #822
- Fix line range using Python 3.8 end_lineno by @ericwb in #821
- Add classifier to indicate Py3 only by @ericwb in #853
- Removal of blacklist call B309 httpsconnection by @ericwb in #858
- Remove blacklist call check for os.tempnam by @ericwb in #859
- Indicate hash type in message by @ericwb in #860
- Add the httpx module check for verify by @ericwb in #861
- Add doc for hashlib plugin by @ericwb in #862
- Make use of rich for progress bar by @ericwb in #863
- Replace toml with tomli by @mkniewallner in #829
- Fix up B109 and B111 removed plugins docs by @ericwb in #864
- add check for "requests" calls without timeout by @mschfh in #743
- Fix for build breaks in format job by @ericwb in #869
- Add license and contributing links to docs by @ericwb in #867
- Remove redundant word Bandit in titles of sections by @ericwb in #873
- Add request for feedback via 👍 by @ericwb in #871
- Add a Discord link to the docs by @ericwb in #870
- Adding logging.config.listen() plugin with examples by @raj3shp in #874
- Removal of ghugo by @ericwb in #881
- Remove redundant pip line by @ericwb in #884
- Corrected documentation on configuration by @a-takahashi223 in #868
- Start testing against Python 3.11 by @mkniewallner in #887
- Add myself to sponsor list by @ericwb in #885
- Add Discord link to README by @ericwb in #875
- Update action versions in Actions workflows (#890) by @mportesdev in #893
- Add dependency review action by @ericwb in #891
- Fix an unclosed tag in HTML formatter by @mportesdev in #896
- 'Test plugin listing' in docs incorrectly pointing B612 to plugin ref of B102 by @rajaramsrn in #897
- Make small fixes in docs by @mportesdev in #899
- Specify semver range for Python 3.11 by @mportesdev in #901
- Add another bad example of yaml load by @ericwb in #905
- Add releases link in "Version control integration" by @travisjungroth in #909
- Update version of dependency-review-action by @mportesdev in #911
- Avoid redundant message if debug on by @ericwb in #913
- Remove invalid checking on hashlib by @ericwb in #914
- Add some missing curve types by @ericwb in #920
- add jsonpickle deserialization blacklist by @SugarP1g in #707
- Fix reading the number argument from config file by @KAUTH in #923
- Add end_col_offset if available by @ericwb in #851
- Enhancement Proposal: Plugin "assert_used" config-skip snippet by @marianomartinelli in #695
- Blacklist pandas read_pickle and add functional test for it by @jaspersival in #710
- Docs for request without timeout has dead link by @ericwb in #925
- Add case for global exec by @tonybaloney in #570
- Fix a false positive condition yaml_load by @ericwb in #927
- Fix issue #453 jinja2 template select_autoescape when using jinja2.select_autoescape by @kinow in #454
- Adding tarfile.extractall() plugin with examples by @yilmi in #549
- Check for deprecated TLS 1.1 by @ericwb in #928
- weak_cryptographic_key assumes positional arg by @ericwb in #930
- Fix filename of B202 in docs by @mportesdev in #932
- Remove python 2 reference in docs by @ericwb in #933
- Pass correct number of arguments to match the %s placeholders. by @mportesdev in #934
- Fixup some invalid pickle testing by @ericwb in #924
- Fix json and yaml formatters to respect num lines by @ericwb in #929
- Fix AttributeError on detect of tuple assign condition by @ericwb in #931
- [docs] Mention exclude_dirs option available in TOML and YAML by @bittner in #876
- Typo fix by @PermanAtayev in #945
- remove py2 exec example in docs by @clavedeluna in #947
- Add official Python 3.11 support by @ericwb in #964
- DOC: Add explanation on how to use pre-commit with config file by @phofl in #968
- Fix breaking build due to new tox by @ericwb in #983
- Correct build status badge in README by @gliptak in #980
- Improve detecting SQL injections in f-strings by @kfrydel in #917
- Improve handling nosec for multi-line strings by @kfrydel in #915
- Check for github action updates monthly by @jlosito in #989
- Added a bit more project_urls by @KOLANICH in #985
New Contributors
- @mschfh made their first contribution in #743
- @raj3shp made their first contribution in #874
- @a-takahashi223 made their first contribution in #868
- @mportesdev made their first contribution in #893
- @rajaramsrn made their first contribution in #897
- @travisjungroth made their first contribution in #909
- @SugarP1g made their first contribution in #707
- @KAUTH made their first contribution in #923
- @marianomartinelli made their first contribution in #695
- @jaspersival made their first contribution in #710
- @kinow made their first contribution in #454
- @yilmi made their first contribution in #549
- @PermanAtayev made their first contribution in #945
- @clavedeluna made their first contribution in #947
- @phofl made their first contribution in #968
- @gliptak made their first contribution in #980
- @kfrydel made their first contribution in #917
- @jlosito made their first contribution in #989
- @KOLANICH made their first contribution in #985
Full Changelog: 1.7.4...1.7.5
1.7.4
What's Changed
- Fix traceback in hashlib_insecure_functions by @ericwb in #834
- Add version 1.7.3 to dropdown by @ericwb in #833
- core/config: Fix ConfigError missing argument if toml is missing by @Holzhaus in #845
- Add 1.7.4 in issue template by @ericwb in #846
New Contributors
Full Changelog: 1.7.3...1.7.4
1.7.3
What's Changed
- Rely on toml conditionally by @sigmavirus24 in #780
- Update issue template with latest versions by @ericwb in #783
- Delete release-drafter.yml by @ericwb in #781
- Use released version of gh-action-pypi-publish by @ericwb in #784
- Update publish-to-pypi.yml by @ericwb in #785
- Delete releasenotes directory (more openstack leftovers) by @ericwb in #786
- [docs] Add Getting Started chapter (migrate from README) by @bittner in #773
- Including CWE information by @julianthome in #613
- Removal of the CWEMAP dict by @ericwb in #789
- Fix up warnings in output of tox by @ericwb in #793
- Avoid printing metrics as float point numbers by @ericwb in #794
- Add functional test of snmp_security_check by @ericwb in #791
- Disable individual tests by @mikespallino in #597
- Change up how CWE is formatted by @ericwb in #788
- Check value of usedforsecurity for hashlib by @ericwb in #798
- Remove redundant Python 3.6 code by @ericwb in #802
- Add new plugin to check use of pyghmi by @ericwb in #803
- Check for hardcoded passwords in class attributes by @noliverio in #766
- Better hashlib check for Python 3.9 by @ericwb in #805
- Fix references to the default branch name by @ericwb in #810
- Cleanup the README by @ericwb in #809
- Show usage with no arguments by @ericwb in #814
- Respect color environment variables if set by @ericwb in #813
- Cannot seek stdin on pipe by @tylerwince in #496
- Test on operating systems we can support by @ericwb in #804
- Fix up some warnings and errors in docs by @ericwb in #817
- Fix root doc for readthedocs by @ericwb in #818
- Use versioned links to docs by @ericwb in #819
- Use CWE link in HTML formatter by @ericwb in #825
- Improve performance of linerange by @Krock21rus in #629
- Inaccurate message in hashlib check by @ericwb in #827
- Target Python >= 3.7 in pre-commit hooks by @mkniewallner in #830
- Center the bandit logo in readme by @ericwb in #823
- Build of artifact fails if raw directive used by @ericwb in #831
New Contributors
- @bittner made their first contribution in #773
- @julianthome made their first contribution in #613
- @noliverio made their first contribution in #766
- @Krock21rus made their first contribution in #629
Full Changelog: 1.7.2...1.7.3
1.7.2
What's Changed
- Fix broken reported URL link for B107 by @bagerard in #751
- test_help_arg: remove assert on 'optional arguments' by @mikelolasagasti in #752
- Create FUNDING.yml by @ericwb in #774
- Start using auto-formatters by @sigmavirus24 in #754
- Drop end-of-life Python 3.5 by @ericwb in #746
- Drop end-of-life Python 3.6 by @ericwb in #777
- Fixup typo by @spagh-eddie in #769
- Fix README.rst by @stannum-l in #365
- Added snmp_security check plugin for various SNMP checks by @Jed-Giblin in #403
- Remove leftover openstack code by @ericwb in #778
- Correctly define extras in setup.cfg by @mkniewallner in #755
New Contributors
- @bagerard made their first contribution in #751
- @mikelolasagasti made their first contribution in #752
- @sigmavirus24 made their first contribution in #754
- @spagh-eddie made their first contribution in #769
- @Jed-Giblin made their first contribution in #403
- @mkniewallner made their first contribution in #755
Full Changelog: 1.7.1...1.7.2
1.7.1
What's Changed
- Specify output_file encoding as utf-8 by @Brcrwilliams in #364
- Specify language_version in .pre-commit-hooks.yaml by @jdufresne in #670
- Clearer message for subprocess module use by @ericwb in #667
- Add the column offset to the issue model by @tonybaloney in #618
- Show column offset on all formatters by @ericwb in #673
- More complete removal of Python2 code by @ericwb in #674
- Small syntax and formatting cleanup by @ericwb in #676
- Updates to address docstring code scan issues, add flake8 configuration by @asears in #671
- More cleanup of license headers by @ericwb in #679
- Replace http with https URLs by @ericwb in #680
- Add default labels to issues by @ericwb in #681
- Prevent creation of blank issues by @ericwb in #682
- Include the line number when using HTML output format by @aludwin1 in #683
- Add support for Python 3.9 by @ericwb in #650
- Add numeric options for severity and confidence by @nathanstocking in #702
- #694 Bandit fails when using importlib with named arguments by @maciejstromich in #701
- Add license to package installation metadata by @RobbeSneyders in #705
- Mock part of python 3.x by @ericwb in #685
- Remove statement about Py3 by @ericwb in #713
- Use new issue template format by @ericwb in #717
- Fix syntax error in bug report by @ericwb in #718
- Remove steps in reproduce section by @ericwb in #719
- Fix syntax errors in bug report by @ericwb in #720
- document that random.choices() isn't secure either by @taybin in #728
- PEP-518 support: configure bandit via pyproject.toml by @orsinium in #401
- Always use a Loader in yaml.load by @ericwb in #745
- fix reading initial values from .bandit by @alipqb in #722
New Contributors
- @Brcrwilliams made their first contribution in #364
- @jdufresne made their first contribution in #670
- @tonybaloney made their first contribution in #618
- @asears made their first contribution in #671
- @aludwin1 made their first contribution in #683
- @nathanstocking made their first contribution in #702
- @RobbeSneyders made their first contribution in #705
- @taybin made their first contribution in #728
- @orsinium made their first contribution in #401
- @alipqb made their first contribution in #722
Full Changelog: 1.7.0...1.7.1
1.7.0
What's Changed
- Use GitHub Action badge for build by @ericwb in #651
- Remove universal support on the wheel by @ericwb in #655
- Give some tips on how to resolve B101 in the doc by @xuhdev in #616
- Remove blacklist call to input() by @ericwb in #662
- Create CODEOWNERS by @ericwb in #661
New Contributors
Full Changelog: 1.6.3...1.7.0
1.6.3
What's Changed
- Replace setattr by @tylerwince in #493
- Fix 3.8 errors by @tylerwince in #509
- get_url returns different urls calling twice (bug #506) by @ehooo in #507
- fix B603 docstring by @graingert in #524
- --exit-zero option by @maciejstromich in #510
- fix the documentation file README.rst by @MrDolev in #533
- Cleanup comments after #510 by @florczakraf in #532
- Update test requirements to latest versions by @ericwb in #535
- Remove obsolete "sudo" keyword. by @jugmac00 in #538
- Remove unused bindep.txt file by @ericwb in #539
- Revert "Revert "Update python documentation links for version 3 counterparts"" by @ericwb in #540
- Add several ini options for .bandit file by @vuolter in #508
- Add type checking to name node of hashlib_new by @teeann in #516
- Add more missing ini options by @ericwb in #541
- Add shelve to the pickle blacklists by @auscompgeek in #542
- Fix readme file on Extending Bandit on list things by @MrDolev in #534
- Add official support of Python 3.8 by @ericwb in #547
- update README to add info about badge by @zachvalenta in #482
- Fix docs for B610,B611,B703 by @amacfie in #555
- Use SPDX license identifier instead of bulky headers by @ericwb in #530
- Add a section explaining "nosec" by @exhuma in #554
- replace 'then' with 'than' by @pwoolvett in #557
- Add sha1 to the list of insecure hashes by @ericwb in #561
- Use GitHub Actions to run CI by @ericwb in #565
- Ignore common directories by default by @ericwb in #544
- Add push and pull request to GH Action trigger by @ericwb in #567
- Add contributing file by @Glyphack in #572
- Fix contributing typo by @Glyphack in #582
- [DOC] Support python3 venv creation by @look4regev in #583
- Cleanup some typos in recent contributor guide by @ericwb in #585
- Fix colorama not being disabled after being used by @adambenali in #586
- Fix typo for activating venv by @bavedarnow in #590
- Bump pyyaml by @dosisod in #588
- Update CODE_OF_CONDUCT.md by @ericwb in #591
- Resolve 'NoneType' object has no attribute 'id' Traceback in django_mark_safe by @ehooo in #598
- [FIX] blacklist: fix typo in import_ftplib by @Yenthe666 in #601
- Add release notes project URL by @scop in #610
- Drop Python2 build, test, and install by @ericwb in #615
- Fix # noqa rendering in docs by @DrGFreeman in #645
- Don't show progress information on --quiet by @fniessink in #641
- Add skip configuration to assert_used by @wilbertom in #633
- GitHub Action to publish to Test PyPI by @ericwb in #652
- Add workflow to publish to PyPI by @ericwb in #653
New Contributors
- @graingert made their first contribution in #524
- @MrDolev made their first contribution in #533
- @florczakraf made their first contribution in #532
- @jugmac00 made their first contribution in #538
- @vuolter made their first contribution in #508
- @teeann made their first contribution in #516
- @auscompgeek made their first contribution in #542
- @zachvalenta made their first contribution in #482
- @amacfie made their first contribution in #555
- @exhuma made their first contribution in #554
- @pwoolvett made their first contribution in #557
- @Glyphack made their first contribution in #572
- @look4regev made their first contribution in #583
- @adambenali made their first contribution in #586
- @bavedarnow made their first contribution in #590
- @dosisod made their first contribution in #588
- @Yenthe666 made their first contribution in #601
- @scop made their first contribution in #610
- @DrGFreeman made their first contribution in #645
- @fniessink made their first contribution in #641
- @wilbertom made their first contribution in #633
Full Changelog: 1.6.2...1.6.3