Dlint uses a simple, folder-based hierarchy written in Markdown for documentation.
DUO101YieldReturnStatementLinter"inlineCallbacks" function cannot have non-empty "return" statementDUO102BadRandomGeneratorUseLinterinsecure use of "random" module, prefer "random.SystemRandom"DUO103BadPickleUseLinterinsecure use of "pickle" or "cPickle"DUO104BadEvalUseLinteruse of "eval" is insecureDUO105BadExecUseLinteruse of "exec" is insecureDUO106BadOSUseLinterinsecure use of "os" moduleDUO107BadXMLUseLinterinsecure use of XML modules, prefer "defusedxml"DUO108BadInputUseLinteruse of "input" is insecureDUO109BadYAMLUseLinterinsecure use of "yaml" parsing function, prefer "safe_*" equivalentDUO110BadCompileUseLinteruse of "compile" is insecureDUO111BadSysUseLinterinsecure use of "sys" moduleDUO112BadZipfileUseLinteruse of "extract|extractall" is insecureDUO113InlineCallbacksYieldStatementLinter"inlineCallbacks" function missing "yield" statementDUO114ReturnValueInInlineCallbacksLinter"returnValue" in function missing "inlineCallbacks" decoratorDUO115BadTarfileUseLinteruse of "extract|extractall" is insecureDUO116BadSubprocessUseLinteruse of "shell=True" is insecure in "subprocess" moduleDUO117BadDlUseLinteravoid "dl" module useDUO118BadGlUseLinteravoid "gl" module useDUO119BadShelveUseLinteravoid "shelve" module useDUO120BadMarshalUseLinteravoid "marshal" module useDUO121BadTempfileUseLinteruse of "tempfile.mktemp" allows for race conditionsDUO122BadSSLModuleAttributeUseLinterinsecure "ssl" module attribute useDUO123BadRequestsUseLinteruse of "verify=False" is insecure in "requests" moduleDUO124BadXmlrpcUseLinterinstance with "allow_dotted_names" enabled is insecureDUO125BadCommandsUseLinteravoid "commands" module useDUO126BadPopen2UseLinteravoid "popen2" module useDUO127BadDuoClientUseLinteruse of "ca_certs=HTTP|DISABLE" is insecure in "duo_client" moduleDUO128BadOneLoginKwargUseLinterinsecure "OneLogin" SAML function callDUO129BadOneLoginModuleAttributeUseLinterinsecure "OneLogin" SAML attribute useDUO130BadHashlibUseLinterinsecure use of "hashlib" moduleDUO131BadUrllib3ModuleAttributeUseLinter"urllib3" warnings disabled, insecure connections possibleDUO132BadUrllib3KwargUseLinter"urllib3" certificate verification disabled, insecure connections possibleDUO133BadPycryptoUseLinteruse of "Crypto" module is insecureDUO134BadCryptographyModuleAttributeUseLinterinsecure "cryptography" attribute useDUO135BadDefusedxmlUseLinterenable all "forbid_*" defenses when using "defusedxml" parsingDUO136BadXmlsecModuleAttributeUseLinterinsecure "xmlsec" attribute useDUO137BadItsDangerousKwargUseLinterinsecure "itsdangerous" use allowing empty signingDUO138BadReCatastrophicUseLintercatastrophic "re" usage - denial-of-service possible
Bandit is another static analysis tool aimed at searching for security issues in Python code. Bandit is a great tool and can easily be used simultaneously with Dlint. However, there are a few advantages Dlint has over Bandit:
- Dlint can identify function calls that are insecure specifically because of
their keyword argument usage. For example,
subprocessmodule function calls that use theshell=Truekeyword argument:subprocesssecurity considerations. - Dlint can identify insecure method calls on specific objects. For example,
the
TarFile.extractallobject method can often lead to security vulnerabilities. Dlint tracks variable names of instantiated objects and searches for insecure methods used by these specific objects. - Dlint can identify insecurities arising from the use of wildcard imports. For
example,
from os import *, which results in insecure use of theosmodule, such as asystemcall. - Dlint is built upon the ubiquitous Flake8 project so it's easy to use, provides a fully-featured interface, and is backed by the Python Code Quality Authority. This means things like no more re-inventing the wheel for selecting and ignoring violations, including and excluding specific files, running multiple jobs in parallel, showing results inline in your editor, and much more.
Bandit also provides some advantages over Dlint:
- Bandit can identify SQL injections in your code: B608.
- Bandit can identify security issues resulting from hardcoded information: B104, B105, B106, B107, and B108.
Running multiple security tools over your codebase will provide a more comprehensive analysis and ensure you're coding with confidence.
- Lessons from Building Static Analysis Tools at Google (2018)
- Scaling Static Analyses at Facebook (2019)
- Static Analysis at Scale: An Instagram Story (2019)
- A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (2010)
- How to Build Static Checking Systems Using Orders of Magnitude Less Code (2016)
- What Developers Want and Need from Program Analysis: An Empirical Study (2016)
Include Dlint in your .travis.yml configuration file:
language: python
install:
- python -m pip install dlint
script:
- python -m flake8 --select=DUO /path/to/code
Include Dlint in your .circleci/config.yml configuration file:
version: 2
jobs:
build:
docker:
- image: circleci/python
steps:
- checkout
- run: python -m pip install dlint
- run: python -m flake8 --select=DUO /path/to/code
Include Dlint in your .gitlab-ci.yml configuration file:
stages:
- test
test:
image: python
before_script:
- python -m pip install dlint
script:
- python -m flake8 --select=DUO /path/to/code
Include Dlint in your Arcanist
linting process via the .arclint
configuration file:
{
"linters": {
"sample": {
"type": "flake8"
}
}
}
Dlint rules will automatically be run via flake8 once it's installed, so the
standard flake8 configuration will work. You can also utilize more granular
control over the linting process:
{
"linters": {
"sample": {
"type": "flake8"
},
"bin": ["python2.7", "python2"],
"flags": ["-m", "flake8", "--select", "DUO"]
}
}
Use the flake8-json plugin:
$ python -m pip install flake8-json
$ python -m flake8 --format=json --select=DUO ...