
Enhancement Proposal: Plugin "assert_used" config skip-snippet #1

Open
wants to merge 107 commits into base: master

Conversation

marianomartinelli
Owner

I want to propose a little but hopefully useful change (in my opinion) to the docs about B101: assert_used config plugin.

I struggled a lot trying to understand why the skip config snippet wasn't working at all in my project, and it turns out that, as my tests were in nested directories, a wildcard was needed as a prefix for the following rule: 'test_*.py'.

Also, as this plugin's skip rule is mainly used for test files, I believe it's worth having a working example for newcomers to bandit.
In most cases, tests won't be in the root directory of the project; that's why I propose this change, as it goes hand in hand with real test-scaffolding scenarios.

Thanks for this amazing project!
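An added illustration (not code from this PR or from Bandit itself) of why the bare `test_*.py` rule fails for nested test directories. It models the B101 `skips` check as an `fnmatch` match of each skip glob against the whole reported file path (an assumption about Bandit's matching) and runs it over a constructed project layout; file paths and the three skip lists are sample values.

```python
import fnmatch

# Constructed sample of files Bandit would scan in a project whose tests
# mostly live in nested directories (not real project paths).
SAMPLE_FILES = [
    "app/models.py",
    "app/views.py",
    "test_settings.py",               # a root-level test module
    "tests/unit/test_models.py",
    "tests/integration/test_views.py",
]

# The docs snippet the PR author found not to work, and the corrected one.
SKIPS_BEFORE = ["test_*.py"]
SKIPS_AFTER = ["*/test_*.py"]
# Covering both root-level and nested test files needs both patterns.
SKIPS_BOTH = ["test_*.py", "*/test_*.py"]


def is_skipped(path: str, skips) -> bool:
    """Model of the B101 skip check (assumed to mirror Bandit's own):
    the first skip glob that matches the whole path suppresses the
    assert_used finding.  fnmatch's '*' also crosses '/', which is why
    '*/test_*.py' reaches into nested directories, while 'test_*.py'
    can only match a path that starts with 'test_'."""
    return any(fnmatch.fnmatch(path, skip) for skip in skips)


def files_still_flagged(files, skips):
    """Return the files whose asserts would still be reported as B101."""
    return [f for f in files if not is_skipped(f, skips)]


if __name__ == "__main__":
    for label, skips in (("before", SKIPS_BEFORE),
                         ("after", SKIPS_AFTER),
                         ("both", SKIPS_BOTH)):
        print(f"{label}: skips={skips!r}")
        for f in SAMPLE_FILES:
            print(f"  {'skip' if is_skipped(f, skips) else 'B101'}  {f}")
```

Which root-level files match in practice also depends on how Bandit spells the path it reports (for example with a leading `./`), so compare the patterns against the paths shown in a verbose run.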

marianomartinelli and others added 30 commits March 6, 2021 00:04
Adds two new command line arguments which allow the user to specify
severity level and confidence level with a key-value pair rather than
repeating a flag. This makes it easier to specify those values if using
an alternate interface which invokes Bandit's CLI. The previous
repeatable flags have been retained and existing workflows will not be
affected.

New arguments:

 * --severity-level: Takes a string "all", "low", "medium", or "high" to set the level. This has the same
 effect as the existing -l/--level option. If both options are specified,
 an error will be printed.

 * --confidence-level: Takes a string "all", "low", "medium", or "high" to set the level.
 This has the same effect as the existing -i/--confidence option. If both options are
 specified, an error will be printed.

 * Help text for these parameters clarifies why 'all' and 'low' aren't
 the same although they will almost certainly produce the same set of results.

Co-authored-by: Nathan Stocking <nathan.stocking@microsoft.com>
…QA#701)

* PyCQA#694 Bandit fails when using importlib with named arguments

* add missing tests

* improvement in the tests

Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
Now that Bandit is Python 3.5+ only, there is no need to install
the mock library. The mock library became part of base Python as
of Python 3.3. See [1]

[1] https://pypi.org/project/mock/

Signed-off-by: Eric Brown <browne@vmware.com>

Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
This change makes use of the new issue template format.  The new YAML
version of the template allows for dropdowns and other form input metadata.
* document that random.choices() isn't secure either

* add random.choices() to tests
* parse config from toml

* test toml config parsing

* update docs

* FIX pep8 "line too long" in tests

* review

* +extras

* use setup.cfg for extras

* fix setup.cfg

* fix

* Apply suggestions from code review

Co-authored-by: Lionel Bersee <lionel1232@gmail.com>

* Update doc/source/config.rst

Co-authored-by: Lionel Bersee <lionel1232@gmail.com>

* Update doc/source/config.rst

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

* actualize TOML config example in docs

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
Co-authored-by: Lionel Bersee <lionel1232@gmail.com>
A recent change within pyyaml 6.0 has enforced use of a Loader argument
to yaml.load [1].

To comply, Bandit will use yaml.load with a Loader always. The plugin
to check for unsafe loaders of yaml module still applies.

[1] yaml/pyyaml#561

Closes PyCQA#744

Signed-off-by: Eric Brown <browne@vmware.com>
Pass the default CLI arg into the helper function so we can discern between a value passed by CLI and a default

Co-authored-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
In python-3.10 this renders as 'options:', rather than 'optional
arguments:', breaking the test.
Setup a sponsorship button using Open Collective as the backing fiscal host.

https://opencollective.com/bandit-sast
Use black to auto-format the style so it's always consistent and
pyupgrade will allow us to auto-upgrade to the newest language features.
Python 3.5 hit the end-of-life on Sept 13, 2020. As a result,
Bandit should also drop support for it.

Signed-off-by: Eric Brown <browne@vmware.com>
Python 3.6 hit the end-of-life on Dec 23, 2021. As a result,
Bandit should also drop support for it.

Signed-off-by: Eric Brown <browne@vmware.com>
Co-authored-by: Eric Brown <browne@vmware.com>
The current README.rst has references to configure bandit runs using a custom
.INI-like file. In reality, that file should actually be a YAML file.
Using the INI example provided will result in:

` [main] ERROR bandit.cfg : Error parsing file. `

This patch set updates the configuration so it is of proper YAML format so
the execution will not error out.

Signed-off-by: Tin Lam <tinlam@gmail.com>

Co-authored-by: Luke Hinds <lukehinds@gmail.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* Added snmp_security check plugin for various SNMP checks

* Extracted each test into their own files

* Updates for linter

* Fixed style errors and added authNoPriv as a failure

* removed trailing --

* more lint changes

* Update README.rst

* Update snmp_security_check.py

* Update bandit/plugins/snmp_security_check.py

* Update bandit/plugins/snmp_security_check.py

* Update bandit/plugins/snmp_security_check.py

* Update examples/snmp.py

* Update doc/source/plugins/b508_snmp_insecure_version.rst

* Update doc/source/plugins/b508_snmp_weak_cryptography.rst

* Update doc/source/plugins/b508_snmp_weak_cryptography.rst

* Update doc/source/plugins/b508_snmp_insecure_version.rst

* Update doc/source/plugins/b508_snmp_insecure_version.rst

* Update doc/source/plugins/b508_snmp_weak_cryptography.rst

* Update doc/source/plugins/b508_snmp_insecure_version.rst

* Update doc/source/plugins/b508_snmp_insecure_version.rst

* Update b508_snmp_weak_cryptography.rst

* Update snmp_security_check.py

* Update snmp_security_check.py

Co-authored-by: Giblin <jed.giblin@jgiblin-mb.tul.solarwinds.net>
Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
There are still remnants of openstack in the Bandit code base.
Namely there was still a coverage step that relied on an openstack
git repo. Bandit is self contained and no longer only part of the
openstack ecosystem. Therefore it's safe to remove this coverage
step (which wasn't run anyway).

Signed-off-by: Eric Brown <browne@vmware.com>
* Use `extras` to define extras in `setup.cfg`

* Go back to using `entry_points` in `setup.cfg`

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
We only want to rely on toml when it's present and tell the user how to
resolve things if in fact they want to use toml

Closes PyCQA#779
When opening an issue, the template only allows
selecting versions 1.7.0 as the max. And python version
is limited to 3.9.
GitHub now has an easy-to-use button to automatically add release notes. 
Therefore it's not necessary to use this yaml for an app we experimented with a while back.
Avoid using master version of gh-action-pypi-publish. Some orgs such as PyCQA don't permit using
a non-released version of an Action.

Fixes Issue PyCQA#782
ericwb and others added 30 commits March 26, 2022 08:33
The B109 and B111 plugins were removed in 1.5.0 and the docs only
referenced them for historical information.

This change fixes the titles to be what they were originally and
adds the complete doc and indicates deprecated and removed in
1.5.0.

Closes PyCQA#367

Signed-off-by: Eric Brown <browne@vmware.com>
* add check for "requests" calls without timeout

* change request_without_timeout confidence to low

* Update bandit/plugins/request_without_timeout.py

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

* Update bandit/plugins/request_without_timeout.py

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

* Update doc/source/plugins/b113_request_without_timeout.rst

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

* Update doc/source/plugins/b113_request_without_timeout.rst

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

* Update bandit/plugins/request_without_timeout.py

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

* remove utf-8

* fix confidence in comment

* Apply suggestions from code review

* Update issue.py

* Apply suggestions from code review

* Apply suggestions from code review

* Apply suggestions from code review

* Apply suggestions from code review

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
This change bumps the version of Black in use to fix the errors
seen coming out of the format build step.

See psf/black#2964

Signed-off-by: Eric Brown <browne@vmware.com>
* Fix for build breaks in format job

This change bumps the version of Black in use to fix the errors
seen coming out of the format build step.

See psf/black#2964

Signed-off-by: Eric Brown <browne@vmware.com>

* Add license and contributing links to docs

As requested in issue PyCQA#617, include the license in a section of
the main page of the readthedocs site. Also included are links
to the source code repository and the issue tracker.

Closes PyCQA#617

Signed-off-by: Eric Brown <browne@vmware.com>
We don't need the word "Bandit" prefixed to each of these section
titles:
* Bandit Test Plugins
* Bandit Blacklist Plugins
* Bandit Report Formatters

Signed-off-by: Eric Brown <browne@vmware.com>
This change encourages users to give a 👍 if they really like a particular feature.
This change adds a Discord link to our docs in the contributing
section so users know where they can reach out for questions
and discussion.

Closes PyCQA#775

Signed-off-by: Eric Brown <browne@vmware.com>
* Adding logging.config.listen() plugin with examples

* Minor changes from the review

* Reorder imports

* Formatting changes

* Another formatting change

Co-authored-by: Rajesh Pangare <raj3shp@groundzer0.local>
It seems that ghugo is no longer a valid user on GitHub. Also ghugo hasn't been active
in the Bandit community in a long while. Therefore, this change will remove the user.

 Unknown owner on line 1: make sure @ghugo exists and has write access to the repository
The getting started doc informs the user how to install Bandit via pip. However, it gives
instructions to use pip and pip3. Bandit is only supported on Python 3.x now. Also, it's
less common to use pip3 when using convenience modules like pyenv. Therefore, this
change leaves just the pip line.
* .bandit is INI file

* Describe how to make Bandit read an INI file

* Remove descriptions about "profile"

"Profile" is deprecated, legacy and undocumented.
Note: descriptions about profile are still in man pages or help messages.

* Revert "Remove descriptions about "profile""

This reverts commit c4b2d52.
This change adds myself as a person to sponsor via the GitHub
sponsorship program.
Alert contributors to where on Discord they can reach out for questions and such
* Update action versions in Actions workflows (PyCQA#890)

* Increase fetch depth of checkout for `pep8` job
This change adds a new GitHub Action that can check for a dependency that has known vulnerabilities being introduced via the pull request.

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
* add missing `code-block` RST directives and/or surrounding blank lines
* fix issue ID in `b508_snmp_weak_cryptography.rst` filename
* fix outdated example filename in docstring of `injection_sql.py`
This change allows GitHub Actions to automatically pick the most recent version of Python 3.11, including pre-releases.
The yaml module supports passing the Loader of choice.
Passing yaml.Loader is considered unsafe. This commit
adds that example and ensures Bandit detects it.

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Only print the message to use "--debug" if debug logging not already
turned on.

Closes PyCQA#883

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
* hashlib does not support name as the kwargs argument 
* 'string' is not a keyword of kwargs

Fixes PyCQA#865

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
The weak_cryptographic_key plugin is missing some various
elliptical curve types.

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
* add jsonpickle deserialization blacklist

add jsonpickle deserialization blacklist

* Update calls.py

* Update test_functional.py

* Create jsonpickle.py

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* Fix reading the number argument from config file

When passing the "number" option from the INI file we did
not take into account to store its value as an integer
(when that value is not None).

Resolves: PyCQA#922

* Implement a cleaner fix

We use the "or" boolean operation to have a
cleaner implementation of the solution.
Python 3.8 and above include an end_col_offset attribute on nodes
to indicate the end column offset of the node. If available,
Bandit should include end_col_offset for more clarity on the column
range where the issue was found.

Signed-off-by: Eric Brown <browne@vmware.com>
Labels
None yet
Projects
None yet