Dlint uses a simple, folder-based hierarchy written in Markdown for documentation.
| Code | Linter | Message |
|---|---|---|
| DUO101 | `YieldReturnStatementLinter` | "inlineCallbacks" function cannot have non-empty "return" statement |
| DUO102 | `BadRandomGeneratorUseLinter` | insecure use of "random" module, prefer "random.SystemRandom" |
| DUO103 | `BadPickleUseLinter` | insecure use of "pickle" or "cPickle" |
| DUO104 | `BadEvalUseLinter` | use of "eval" is insecure |
| DUO105 | `BadExecUseLinter` | use of "exec" is insecure |
| DUO106 | `BadOSUseLinter` | insecure use of "os" module |
| DUO107 | `BadXMLUseLinter` | insecure use of XML modules, prefer "defusedxml" |
| DUO108 | `BadInputUseLinter` | use of "input" is insecure |
| DUO109 | `BadYAMLUseLinter` | insecure use of "yaml" parsing function, prefer "safe_*" equivalent |
| DUO110 | `BadCompileUseLinter` | use of "compile" is insecure |
| DUO111 | `BadSysUseLinter` | insecure use of "sys" module |
| DUO112 | `BadZipfileUseLinter` | use of "extract\|extractall" is insecure |
| DUO113 | `InlineCallbacksYieldStatementLinter` | "inlineCallbacks" function missing "yield" statement |
| DUO114 | `ReturnValueInInlineCallbacksLinter` | "returnValue" in function missing "inlineCallbacks" decorator |
| DUO115 | `BadTarfileUseLinter` | use of "extract\|extractall" is insecure |
| DUO116 | `BadSubprocessUseLinter` | use of "shell=True" is insecure in "subprocess" module |
| DUO117 | `BadDlUseLinter` | avoid "dl" module use |
| DUO118 | `BadGlUseLinter` | avoid "gl" module use |
| DUO119 | `BadShelveUseLinter` | avoid "shelve" module use |
| DUO120 | `BadMarshalUseLinter` | avoid "marshal" module use |
| DUO121 | `BadTempfileUseLinter` | use of "tempfile.mktemp" allows for race conditions |
| DUO122 | `BadSSLModuleAttributeUseLinter` | insecure "ssl" module attribute use |
| DUO123 | `BadRequestsUseLinter` | use of "verify=False" is insecure in "requests" module |
| DUO124 | `BadXmlrpcUseLinter` | instance with "allow_dotted_names" enabled is insecure |
| DUO125 | `BadCommandsUseLinter` | avoid "commands" module use |
| DUO126 | `BadPopen2UseLinter` | avoid "popen2" module use |
| DUO127 | `BadDuoClientUseLinter` | use of "ca_certs=HTTP\|DISABLE" is insecure in "duo_client" module |
| DUO128 | `BadOneLoginKwargUseLinter` | insecure "OneLogin" SAML function call |
| DUO129 | `BadOneLoginModuleAttributeUseLinter` | insecure "OneLogin" SAML attribute use |
| DUO130 | `BadHashlibUseLinter` | insecure use of "hashlib" module |
| DUO131 | `BadUrllib3ModuleAttributeUseLinter` | "urllib3" warnings disabled, insecure connections possible |
| DUO132 | `BadUrllib3KwargUseLinter` | "urllib3" certificate verification disabled, insecure connections possible |
| DUO133 | `BadPycryptoUseLinter` | use of "Crypto" module is insecure |
| DUO134 | `BadCryptographyModuleAttributeUseLinter` | insecure "cryptography" attribute use |
| DUO135 | `BadDefusedxmlUseLinter` | enable all "forbid_*" defenses when using "defusedxml" parsing |
| DUO136 | `BadXmlsecModuleAttributeUseLinter` | insecure "xmlsec" attribute use |
| DUO137 | `BadItsDangerousKwargUseLinter` | insecure "itsdangerous" use allowing empty signing |
| DUO138 | `BadReCatastrophicUseLinter` | catastrophic "re" usage - denial-of-service possible |
Bandit is another static analysis tool aimed at searching for security issues in Python code. Bandit is a great tool and can easily be used simultaneously with Dlint. However, there are a few advantages Dlint has over Bandit:
- Dlint can identify function calls that are insecure specifically because of their keyword argument usage. For example, `subprocess` module function calls that use the `shell=True` keyword argument; see the `subprocess` security considerations in the Python documentation.
- Dlint can identify insecure method calls on specific objects. For example, the `TarFile.extractall` object method can often lead to security vulnerabilities. Dlint tracks variable names of instantiated objects and searches for insecure methods used by these specific objects.
- Dlint can identify insecurities arising from the use of wildcard imports. For example, `from os import *`, which results in insecure use of the `os` module, such as a `system` call.
- Dlint is built upon the ubiquitous Flake8 project so it's easy to use, provides a fully-featured interface, and is backed by the Python Code Quality Authority. This means things like no more re-inventing the wheel for selecting and ignoring violations, including and excluding specific files, running multiple jobs in parallel, showing results inline in your editor, and much more.
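The three detection styles in the list above (keyword-argument checks, method calls on tracked objects, and names reached through wildcard imports) can be illustrated with a small `ast`-based visitor. This is an added example, not Dlint's own code: the real linters live in the `dlint` package, and the `DemoChecker`, `check_source` and `SAMPLE_SOURCE` names here are assumptions of this example. The DUO codes and messages are reused from the rules table only as labels, and the input module is constructed for the demonstration.

```python
"""Minimal AST checks in the spirit of the three detection styles described
above. Added example, not Dlint's own implementation."""
import ast
from typing import List, Set, Tuple

# Constructed sample input: a module that exercises all three patterns.
SAMPLE_SOURCE = '''
import subprocess
import tarfile
from os import *

def run(cmd):
    return subprocess.call(cmd, shell=True)      # keyword-argument misuse

def unpack(path):
    tar = tarfile.open(path)
    tar.extractall("/tmp/out")                   # method on a tracked object

def ping(host):
    system("ping " + host)                       # reached via wildcard import
'''

Finding = Tuple[int, str, str]  # (line number, rule code, message)


class DemoChecker(ast.NodeVisitor):
    """Walks a module and records findings for the three patterns."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []
        self.tar_objects: Set[str] = set()       # names bound to tarfile.open(...)
        self.wildcard_modules: Set[str] = set()  # modules imported via "from X import *"

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if any(alias.name == "*" for alias in node.names):
            self.wildcard_modules.add(node.module or "")
        self.generic_visit(node)

    def visit_Assign(self, node: ast.Assign) -> None:
        # Track "name = tarfile.open(...)" so later method calls on "name" can be checked.
        value = node.value
        if (isinstance(value, ast.Call)
                and isinstance(value.func, ast.Attribute)
                and isinstance(value.func.value, ast.Name)
                and value.func.value.id == "tarfile"
                and value.func.attr == "open"):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tar_objects.add(target.id)
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        # 1. Keyword-argument check: subprocess.<function>(..., shell=True).
        if (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id == "subprocess"):
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    self.findings.append(
                        (node.lineno, "DUO116",
                         'use of "shell=True" is insecure in "subprocess" module'))
        # 2. Method call on an object previously bound to tarfile.open(...).
        if (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name)
                and func.value.id in self.tar_objects
                and func.attr in ("extract", "extractall")):
            self.findings.append(
                (node.lineno, "DUO115", 'use of "extract|extractall" is insecure'))
        # 3. Bare "system(...)" that a wildcard import of "os" could have introduced.
        if (isinstance(func, ast.Name)
                and "os" in self.wildcard_modules
                and func.id == "system"):
            self.findings.append(
                (node.lineno, "DUO106", 'insecure use of "os" module'))
        self.generic_visit(node)


def check_source(source: str) -> List[Finding]:
    """Parse a module and return its findings sorted by line number."""
    checker = DemoChecker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)


if __name__ == "__main__":
    for lineno, code, msg in check_source(SAMPLE_SOURCE):
        print(f"{lineno}:{code} {msg}")
```

The object-tracking check is deliberately the weak point: it only follows a direct `name = tarfile.open(...)` assignment, so a `TarFile` that arrives as a function parameter or through an alias is missed, which is the same class of gap any name-based static tracker has to accept or extend.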
Bandit also provides some advantages over Dlint:
- Bandit can identify SQL injections in your code: B608.
- Bandit can identify security issues resulting from hardcoded information: B104, B105, B106, B107, and B108.
Running multiple security tools over your codebase will provide a more comprehensive analysis and ensure you're coding with confidence.
- Lessons from Building Static Analysis Tools at Google (2018)
- Scaling Static Analyses at Facebook (2019)
- Static Analysis at Scale: An Instagram Story (2019)
- A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World (2010)
- How to Build Static Checking Systems Using Orders of Magnitude Less Code (2016)
- What Developers Want and Need from Program Analysis: An Empirical Study (2016)
Include Dlint in your `.travis.yml` configuration file:

```yaml
language: python
install:
  - python -m pip install dlint
script:
  - python -m flake8 --select=DUO /path/to/code
```
Include Dlint in your `.circleci/config.yml` configuration file:

```yaml
version: 2
jobs:
  build:
    docker:
      - image: circleci/python
    steps:
      - checkout
      - run: python -m pip install dlint
      - run: python -m flake8 --select=DUO /path/to/code
```
Include Dlint in your `.gitlab-ci.yml` configuration file:

```yaml
stages:
  - test
test:
  image: python
  before_script:
    - python -m pip install dlint
  script:
    - python -m flake8 --select=DUO /path/to/code
```
Include Dlint in your Arcanist linting process via the `.arclint` configuration file:

```json
{
    "linters": {
        "sample": {
            "type": "flake8"
        }
    }
}
```
Dlint rules will automatically be run via `flake8` once it's installed, so the standard `flake8` configuration will work. You can also utilize more granular control over the linting process by setting the interpreter and flags on the linter entry itself (the `bin` and `flags` keys belong inside the `sample` linter, not beside it):

```json
{
    "linters": {
        "sample": {
            "type": "flake8",
            "bin": ["python2.7", "python2"],
            "flags": ["-m", "flake8", "--select", "DUO"]
        }
    }
}
```
Use the `flake8-json` plugin:

```
$ python -m pip install flake8-json
$ python -m flake8 --format=json --select=DUO ...
```
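Once results come out as JSON, a CI job can consume them rather than grepping text. The script below is an added example, not part of Dlint or `flake8-json`: it assumes the JSON shape that `flake8-json`'s default formatter produces (a mapping from file path to a list of violation objects with `code`, `filename`, `line_number`, `column_number`, `text` and `physical_line` keys), and `SAMPLE_JSON` is a constructed stand-in for real output. The `load_findings`, `count_by_code`, `exit_status` and `format_report` names are this example's own.

```python
"""Gate a CI job on Dlint findings parsed from flake8-json output.
Added example; the JSON shape is assumed from flake8-json's default
formatter and the sample document is constructed for illustration."""
import json
import sys
from collections import Counter
from typing import Dict, FrozenSet, List

# Constructed sample: what "flake8 --format=json --select=DUO" might emit
# for three files, one of them clean.
SAMPLE_JSON = json.dumps({
    "./app/shell.py": [
        {"code": "DUO116", "filename": "./app/shell.py", "line_number": 12,
         "column_number": 12,
         "text": 'use of "shell=True" is insecure in "subprocess" module',
         "physical_line": "    return subprocess.call(cmd, shell=True)\n"},
    ],
    "./app/config.py": [
        {"code": "DUO109", "filename": "./app/config.py", "line_number": 4,
         "column_number": 12,
         "text": 'insecure use of "yaml" parsing function, prefer "safe_*" equivalent',
         "physical_line": "    return yaml.load(fh)\n"},
        {"code": "DUO130", "filename": "./app/config.py", "line_number": 9,
         "column_number": 12,
         "text": 'insecure use of "hashlib" module',
         "physical_line": "    return hashlib.md5(data).hexdigest()\n"},
    ],
    "./app/clean.py": [],
})


def load_findings(json_text: str) -> List[dict]:
    """Flatten the per-file mapping into one list of violation dicts."""
    data = json.loads(json_text)
    return [v for violations in data.values() for v in violations]


def count_by_code(findings: List[dict]) -> Dict[str, int]:
    """Count findings per DUO rule code; codes from other plugins are ignored."""
    return dict(Counter(v["code"] for v in findings if v["code"].startswith("DUO")))


def exit_status(findings: List[dict], blocking: FrozenSet[str] = frozenset()) -> int:
    """Return 1 if any blocking DUO finding is present, else 0.
    An empty blocking set means every DUO finding fails the build; a
    non-empty set lets a team phase rules in one code at a time."""
    for v in findings:
        code = v["code"]
        if code.startswith("DUO") and (not blocking or code in blocking):
            return 1
    return 0


def format_report(findings: List[dict]) -> str:
    """Render findings in the familiar path:line:col: CODE message form."""
    return "\n".join(
        f'{v["filename"]}:{v["line_number"]}:{v["column_number"]}: {v["code"]} {v["text"]}'
        for v in findings)


if __name__ == "__main__":
    # Real usage would read sys.stdin or the file flake8 wrote instead of SAMPLE_JSON.
    found = load_findings(SAMPLE_JSON)
    print(format_report(found))
    print(count_by_code(found))
    sys.exit(exit_status(found))
```

Pipe the real output in with `python -m flake8 --format=json --select=DUO /path/to/code | python gate.py` after replacing the sample with a read of `sys.stdin`; the per-code counts make it easy to watch a rule's backlog shrink before moving it into the blocking set.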