forked from PyCQA/bandit
Enhancement Proposal: Plugin "assert_used" config skip-snippet #1
Open
marianomartinelli wants to merge 107 commits into master from assert-used-doc-enhancement
Conversation
Adds two new command line arguments which allow the user to specify severity level and confidence level with a key-value pair rather than repeating a flag. This makes it easier to specify those values if using an alternate interface which invokes Bandit's CLI. The previous repeatable flags have been retained and existing workflows will not be affected.
New arguments:
* --severity-level: Takes a string "all", "low", "medium", or "high" to set the level. This has the same effect as the existing -l/--level option. If both options are specified, an error will be printed.
* --confidence-level: Takes a string "all", "low", "medium", or "high" to set the level. This has the same effect as the existing -i/--confidence option. If both options are specified, an error will be printed.
* Help text for these parameters clarifies why 'all' and 'low' aren't the same although they will almost certainly produce the same set of results.
Co-authored-by: Nathan Stocking <nathan.stocking@microsoft.com>
Now that Bandit is Python 3.5+ only, there is no need to install the mock library. The mock library became part of base Python as of Python 3.3. See [1] [1] https://pypi.org/project/mock/ Signed-off-by: Eric Brown <browne@vmware.com> Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
This change makes use of the new issue template format. The new YAML version of the template allows for dropdowns and other form input metadata.
* document that random.choices() isn't secure either * add random.choices() to tests
* parse config from toml
* test toml config parsing
* update docs
* FIX pep8 "line too long" in tests
* review
* +extras
* use setup.cfg for extras
* fix setup.cfg
* fix
* Apply suggestions from code review
  Co-authored-by: Lionel Bersee <lionel1232@gmail.com>
* Update doc/source/config.rst
  Co-authored-by: Lionel Bersee <lionel1232@gmail.com>
* Update doc/source/config.rst
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* actualize TOML config example in docs
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
Co-authored-by: Lionel Bersee <lionel1232@gmail.com>
A recent change within pyyaml 6.0 has enforced the use of a Loader argument to yaml.load [1]. To comply, Bandit will always use yaml.load with a Loader. The plugin to check for unsafe loaders of the yaml module still applies. [1] yaml/pyyaml#561 Closes PyCQA#744 Signed-off-by: Eric Brown <browne@vmware.com>
Pass the default CLI arg into the helper function so we can discern between a value passed by CLI and a default Co-authored-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
In python-3.10 this renders as 'options:', rather than 'optional arguments:', breaking the test.
Setup a sponsorship button using Open Collective as the backing fiscal host. https://opencollective.com/bandit-sast
Use black to auto-format the style so it's always consistent and pyupgrade will allow us to auto-upgrade to the newest language features.
Python 3.5 hit the end-of-life on Sept 13, 2020. As a result, Bandit should also drop support for it. Signed-off-by: Eric Brown <browne@vmware.com>
Python 3.6 hit the end-of-life on Dec 23, 2021. As a result, Bandit should also drop support for it. Signed-off-by: Eric Brown <browne@vmware.com>
Co-authored-by: Eric Brown <browne@vmware.com>
The current README.rst has references to configure bandit runs using a custom .INI-like file. In reality, that file should actually be a YAML file. Using the INI example provided will result in: `[main] ERROR bandit.cfg : Error parsing file.` This patch set updates the configuration so it is of proper YAML format so the execution will not error out. Signed-off-by: Tin Lam <tinlam@gmail.com> Co-authored-by: Luke Hinds <lukehinds@gmail.com> Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* Added snmp_security check plugin for various SNMP checks
* Extracted each test into their own files
* Updates for linter
* Fixed style errors and added authNoPriv as a failure
* removed trailing --
* more lint changes
* Update README.rst
* Update snmp_security_check.py
* Update bandit/plugins/snmp_security_check.py
* Update bandit/plugins/snmp_security_check.py
* Update bandit/plugins/snmp_security_check.py
* Update examples/snmp.py
* Update doc/source/plugins/b508_snmp_insecure_version.rst
* Update doc/source/plugins/b508_snmp_weak_cryptography.rst
* Update doc/source/plugins/b508_snmp_weak_cryptography.rst
* Update doc/source/plugins/b508_snmp_insecure_version.rst
* Update doc/source/plugins/b508_snmp_insecure_version.rst
* Update doc/source/plugins/b508_snmp_weak_cryptography.rst
* Update doc/source/plugins/b508_snmp_insecure_version.rst
* Update doc/source/plugins/b508_snmp_insecure_version.rst
* Update b508_snmp_weak_cryptography.rst
* Update snmp_security_check.py
* Update snmp_security_check.py
Co-authored-by: Giblin <jed.giblin@jgiblin-mb.tul.solarwinds.net>
Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
There are still remnants of openstack in the Bandit code base. Namely, there was still a coverage step that relied on an openstack git repo. Bandit is self contained and no longer only part of the openstack ecosystem. Therefore it's safe to remove this coverage step (which wasn't run anyway). Signed-off-by: Eric Brown <browne@vmware.com>
We only want to rely on toml when it's present and tell the user how to resolve things if in fact they want to use toml Closes PyCQA#779
When opening an issue, the template only allows selecting versions 1.7.0 as the max. And python version is limited to 3.9.
GitHub now has an easy-to-use button to automatically add release notes. Therefore it's not necessary to use this yaml for an app we experimented with a while back.
Avoid using master version of gh-action-pypi-publish. Some orgs such as PyCQA don't permit using a non-released version of an Action. Fixes Issue PyCQA#782
The B109 and B111 plugins were removed in 1.5.0 and the docs only referenced them for historical information. This change fixes the titles to be what they were originally and adds the complete doc and indicates deprecated and removed in 1.5.0. Closes PyCQA#367 Signed-off-by: Eric Brown <browne@vmware.com>
* add check for "requests" calls without timeout
* change request_without_timeout confidence to low
* Update bandit/plugins/request_without_timeout.py
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* Update bandit/plugins/request_without_timeout.py
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* Update doc/source/plugins/b113_request_without_timeout.rst
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* Update doc/source/plugins/b113_request_without_timeout.rst
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* Update bandit/plugins/request_without_timeout.py
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* remove utf-8
* fix confidence in comment
* Apply suggestions from code review
* Update issue.py
* Apply suggestions from code review
* Apply suggestions from code review
* Apply suggestions from code review
* Apply suggestions from code review
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
This change bumps the version of Black in use to fix the errors seen coming out of the format build step. See psf/black#2964 Signed-off-by: Eric Brown <browne@vmware.com>
* Fix for build breaks in format job
  This change bumps the version of Black in use to fix the errors seen coming out of the format build step. See psf/black#2964
  Signed-off-by: Eric Brown <browne@vmware.com>
* Add license and contributing links to docs
  As requested in issue PyCQA#617, include the license in a section of the main page of the readthedocs site. Also included are links to the source code repository and the issue tracker. Closes PyCQA#617
  Signed-off-by: Eric Brown <browne@vmware.com>
We don't need the word "Bandit" prefixed to each of these section titles:
* Bandit Test Plugins
* Bandit Blacklist Plugins
* Bandit Report Formatters
Signed-off-by: Eric Brown <browne@vmware.com>
This change encourages users to give a 👍 if they really like a particular feature.
This change adds a Discord link to our docs in the contributing section so users know where they can reach out for questions and discussion. Closes PyCQA#775 Signed-off-by: Eric Brown <browne@vmware.com>
* Adding logging.config.listen() plugin with examples
* Minor changes from the review
* Reorder imports
* Formatting changes
* Another formatting change
Co-authored-by: Rajesh Pangare <raj3shp@groundzer0.local>
It seems that ghugo is no longer a valid user on GitHub. Also ghugo hasn't been active in the Bandit community in a long while. Therefore, this change will remove the user. Unknown owner on line 1: make sure @ghugo exists and has write access to the repository
The getting started doc informs the user how to install Bandit via pip. However, it gives instructions to use pip and pip3. Bandit is only supported on Python 3.x now. Also, it's less common to use pip3 when using convenience modules like pyenv. Therefore, this change leaves just the pip line.
* .bandit is an INI file
* Describe how to make Bandit read an INI file
* Remove descriptions about "profile"
  "Profile" is deprecated, legacy and undocumented. Note: descriptions about profile are still in man pages or help messages.
* Revert "Remove descriptions about "profile""
  This reverts commit c4b2d52.
This change adds myself as a person to sponsor via the GitHub sponsorship program.
Alert contributors to where on Discord they can reach out for questions and such
This change adds a new GitHub Action that can check for a dependency that has known vulnerabilities being introduced via the pull request. https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
…yCQA#897) Co-authored-by: Raj <rsoundar@espressive.com>
* add missing `code-block` RST directives and/or surrounding blank lines
* fix issue ID in `b508_snmp_weak_cryptography.rst` filename
* fix outdated example filename in docstring of `injection_sql.py`
This change allows GitHub Actions to automatically pick the most recent version of Python 3.11, including pre-releases.
The yaml module supports passing the Loader of choice. Passing yaml.Loader is considered unsafe. This commit adds that example and ensures Bandit detects it. Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
New major release of this action: https://github.com/actions/dependency-review-action/releases/tag/v2.0.0
Only print the message to use "--debug" if debug logging not already turned on. Closes PyCQA#883 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
* hashlib does not support name as the kwargs argument
* 'string' is not a keyword of kwargs
Fixes PyCQA#865
Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
The weak_cryptographic_key plugin is missing some various elliptical curve types. Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
* add jsonpickle deserialization blacklist
* Update calls.py
* Update test_functional.py
* Create jsonpickle.py
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* Fix reading the number argument from config file
  When passing the "number" option from the INI file we did not take into account to store its value as an integer (when that value is not None). Resolves: PyCQA#922
* Implement a cleaner fix
  We use the "or" boolean operation to have a cleaner implementation of the solution.
Python 3.8 and above include an end_col_offset attribute on nodes to indicate the end column offset of the node. If available, Bandit should include end_col_offset for more clarity on the column range where the issue was found. Signed-off-by: Eric Brown <browne@vmware.com>
I want to propose a little but hopefully useful change (in my opinion) to the docs about the `B101: assert_used` config plugin. I struggled a lot trying to understand why the skip config snippet wasn't working at all in my project, and it turns out that, as my tests were in nested directories, a wild card was needed as a prefix for the following rule: `'test_*.py'`. Also, as this plugin's `skip` rule is mainly used for test files, I believe it's worth having a working example for newcomers to bandit. In most cases, tests won't be in the root directory of the project; that's why I propose this change, as it goes hand in hand with real test-scaffolding scenarios.
Thanks for this amazing project!
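The matching behaviour the description refers to, as an added example that is not part of this PR or of Bandit's code: it assumes each `skips` pattern is matched against the full reported filename with Python's `fnmatch` (an assumption about the assert_used plugin, stated here rather than taken from its source), and uses constructed filenames to show why `test_*.py` only covers root-level test files, why a `*/` prefix is needed for nested ones, and what each prefix form misses.

```python
import fnmatch

# Skip lists as they would appear under assert_used -> skips in a bandit
# config. ROOT_ONLY is the unprefixed form the PR description found not
# to work for nested tests; NESTED adds a '*/'-prefixed pattern.
ROOT_ONLY = ["*_test.py", "test_*.py"]
NESTED = ["*_test.py", "test_*.py", "*/test_*.py"]

# Constructed sample of filenames in the relative/absolute forms Bandit
# reports; not taken from any real project.
SAMPLE_FILES = [
    "test_config.py",                      # test file in the project root
    "tests/test_config.py",                # one directory deep
    "tests/unit/test_parser.py",           # two directories deep
    "src/pkg/parser_test.py",              # suffix-style test name
    "src/pkg/parser.py",                   # not a test file
    "/home/ci/project/tests/test_api.py",  # absolute path, as in CI
]


def is_skipped(filename, skips):
    """True when any skip pattern matches the whole filename.

    Assumption: the plugin calls fnmatch.fnmatch(filename, pattern).
    fnmatch anchors the pattern at both ends and its '*' also matches
    '/', so 'test_*.py' matches 'test_x.py' but not 'tests/test_x.py',
    while '*/test_*.py' matches a test file at any depth below the root.
    """
    return any(fnmatch.fnmatch(filename, pattern) for pattern in skips)


def unskipped_tests(files, skips):
    """Test files (judged by basename) that B101 would still flag."""
    return [f for f in files
            if "test" in f.rsplit("/", 1)[-1] and not is_skipped(f, skips)]


if __name__ == "__main__":
    for name, skips in (("ROOT_ONLY", ROOT_ONLY), ("NESTED", NESTED)):
        print(name, "still flags:", unskipped_tests(SAMPLE_FILES, skips))
    # Caveats of the two prefix styles: '*/test_*.py' on its own misses
    # the root-level file, and '*test_*.py' is over-broad.
    print(is_skipped("test_config.py", ["*/test_*.py"]))     # False
    print(is_skipped("src/latest_data.py", ["*test_*.py"]))  # True
```

Keeping both `test_*.py` and `*/test_*.py` in the list covers root-level and nested test files without the over-matching of a bare `*test_*.py`.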