
Enhancement Proposal: Plugin "assert_used" config skip-snippet #1

Open. Wants to merge 107 commits into base: master.

Commits on Mar 6, 2021

  1. Update asserts.py

    marianomartinelli committed Mar 6, 2021
    SHA: 0afaffa

Commits on Apr 2, 2021

  1. Add string options for severity and confidence (PyCQA#702)

    Adds two new command line arguments which allow the user to specify
    severity level and confidence level with a key-value pair rather than
    repeating a flag. This makes it easier to specify those values if using
    an alternate interface which invokes Bandit's CLI. The previous
    repeatable flags have been retained and existing workflows will not be
    affected.
    
    New arguments:
    
     * --severity-level: Takes a string "all", "low", "medium", or "high" to set the level. This has the same
     effect as the existing -l/--level option. If both options are specified,
     an error will be printed.
    
     * --confidence-level: Takes a string "all", "low", "medium", or "high" to set the level.
     This has the same effect as the existing -i/--confidence option. If both options are
     specified, an error will be printed.
    
     * Help text for these parameters clarifies why 'all' and 'low' aren't
     the same although they will almost certainly produce the same set of results.
    
    Co-authored-by: Nathan Stocking <nathan.stocking@microsoft.com>
    nathanstocking and Nathan Stocking committed Apr 2, 2021
    SHA: 1eff509

Commits on Apr 5, 2021

  1. PyCQA#694 Bandit fails when using importlib with named arguments (PyC…

    …QA#701)
    
    * PyCQA#694 Bandit fails when using importlib with named arguments
    
    * add missing tests
    
    * improvement in the tests
    
    Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
    maciejstromich and lukehinds committed Apr 5, 2021
    SHA: 193c355

Commits on Apr 12, 2021

  1. SHA: 0e23506

Commits on Jun 15, 2021

  1. Mock part of python 3.x (PyCQA#685)

    Now that Bandit is Python 3.5+ only, there is no need to install
    the mock library. The mock library became part of base Python as
    of Python 3.3. See [1]
    
    [1] https://pypi.org/project/mock/
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    
    Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
    ericwb and lukehinds committed Jun 15, 2021
    SHA: 5ecc4f5
  2. Update README.rst (PyCQA#713)

    ericwb committed Jun 15, 2021
    SHA: 9a99388

Commits on Jun 29, 2021

  1. Use new issue template format (PyCQA#717)

    This change makes use of the new issue template format.  The new YAML
    version of the template allows for dropdowns and other form input metadata.
    ericwb committed Jun 29, 2021
    SHA: 55b8834
  2. SHA: a99b4c7
  3. SHA: c31ab29
  4. SHA: 2bd1ffa

Commits on Aug 24, 2021

  1. document that random.choices() isn't secure either (PyCQA#728)

    * document that random.choices() isn't secure either
    
    * add random.choices() to tests
    taybin committed Aug 24, 2021
    SHA: d4faa78
  2. PEP-518 support: configure bandit via pyproject.toml (PyCQA#401)

    * parse config from toml
    
    * test toml config parsing
    
    * update docs
    
    * FIX pep8 "line too long" in tests
    
    * review
    
    * +extras
    
    * use setup.cfg for extras
    
    * fix setup.cfg
    
    * fix
    
    * Apply suggestions from code review
    
    Co-authored-by: Lionel Bersee <lionel1232@gmail.com>
    
    * Update doc/source/config.rst
    
    Co-authored-by: Lionel Bersee <lionel1232@gmail.com>
    
    * Update doc/source/config.rst
    
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    
    * actualize TOML config example in docs
    
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
    Co-authored-by: Lionel Bersee <lionel1232@gmail.com>
    4 people committed Aug 24, 2021
    SHA: 44f5c41

Commits on Oct 24, 2021

  1. Always use a Loader in yaml.load (PyCQA#745)

    A recent change within pyyaml 6.0 has enforced use of a Loader argument
    to yaml.load [1].
    
    To comply, Bandit will use yaml.load with a Loader always. The plugin
    to check for unsafe loaders of yaml module still applies.
    
    [1] yaml/pyyaml#561
    
    Closes PyCQA#744
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Oct 24, 2021
    SHA: aac3f16

Commits on Nov 11, 2021

  1. fix reading initial values from .bandit (PyCQA#722)

    Pass the default CLI arg into the helper function so we can discern between a value passed by CLI and a default
    
    Co-authored-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
    alipqb and sigmavirus24 committed Nov 11, 2021
    SHA: a83c53f

Commits on Nov 12, 2021

  1. SHA: 3dca782

Commits on Nov 13, 2021

  1. test_help_arg: remove assert on 'optional arguments' (PyCQA#752)

    In python-3.10 this renders as 'options:', rather than 'optional
    arguments:', breaking the test.
    mikelolasagasti committed Nov 13, 2021
    SHA: e0a12a9

Commits on Jan 21, 2022

  1. Create FUNDING.yml (PyCQA#774)

    Set up a sponsorship button using Open Collective as the backing fiscal host.
    
    https://opencollective.com/bandit-sast
    ericwb committed Jan 21, 2022
    SHA: 78543ff

Commits on Jan 22, 2022

  1. Start using auto-formatters (PyCQA#754)

    Use black to auto-format the style so it's always consistent and
    pyupgrade will allow us to auto-upgrade to the newest language features.
    sigmavirus24 committed Jan 22, 2022
    SHA: 9fcf66b

Commits on Jan 25, 2022

  1. Drop end-of-life Python 3.5 (PyCQA#746)

    Python 3.5 hit the end-of-life on Sept 13, 2020. As a result,
    Bandit should also drop support for it.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Jan 25, 2022
    SHA: 1327cfa
  2. SHA: 0096bee
  3. Drop end-of-life Python 3.6 (PyCQA#777)

    Python 3.6 hit the end-of-life on Dec 23, 2021. As a result,
    Bandit should also drop support for it.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Jan 25, 2022
    SHA: fb8c32e
  4. Fixup typo (PyCQA#769)

    Co-authored-by: Eric Brown <browne@vmware.com>
    spagh-eddie and ericwb committed Jan 25, 2022
    SHA: 0d05d40
  5. Fix README.rst (PyCQA#365)

    The current README.rst has references to configure bandit runs using a custom
    .INI-like file. In reality, that file should actually be a YAML file.
    Using the INI example provided will result in:
    
    ` [main] ERROR bandit.cfg : Error parsing file. `
    
    This patch set updates the configuration so it is of proper YAML format so
    the execution will not error out.
    
    Signed-off-by: Tin Lam <tinlam@gmail.com>
    
    Co-authored-by: Luke Hinds <lukehinds@gmail.com>
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    3 people committed Jan 25, 2022
    SHA: 68f43eb
  6. Added snmp_security check plugin for various SNMP checks (PyCQA#403)

    * Added snmp_security check plugin for various SNMP checks
    
    * Extracted each test into their own files
    
    * Updates for linter
    
    * Fixed style errors and added authNoPriv as a failure
    
    * removed trailing --
    
    * more lint changes
    
    * Update README.rst
    
    * Update snmp_security_check.py
    
    * Update bandit/plugins/snmp_security_check.py
    
    * Update bandit/plugins/snmp_security_check.py
    
    * Update bandit/plugins/snmp_security_check.py
    
    * Update examples/snmp.py
    
    * Update doc/source/plugins/b508_snmp_insecure_version.rst
    
    * Update doc/source/plugins/b508_snmp_weak_cryptography.rst
    
    * Update doc/source/plugins/b508_snmp_weak_cryptography.rst
    
    * Update doc/source/plugins/b508_snmp_insecure_version.rst
    
    * Update doc/source/plugins/b508_snmp_insecure_version.rst
    
    * Update doc/source/plugins/b508_snmp_weak_cryptography.rst
    
    * Update doc/source/plugins/b508_snmp_insecure_version.rst
    
    * Update doc/source/plugins/b508_snmp_insecure_version.rst
    
    * Update b508_snmp_weak_cryptography.rst
    
    * Update snmp_security_check.py
    
    * Update snmp_security_check.py
    
    Co-authored-by: Giblin <jed.giblin@jgiblin-mb.tul.solarwinds.net>
    Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    4 people committed Jan 25, 2022
    SHA: ca4475f
  7. Remove leftover openstack code (PyCQA#778)

    There are still remnants of openstack in the Bandit code base.
    Namely there was still a coverage step that relied on an openstack
    git repo. Bandit is self contained and no longer only part of the
    openstack ecosystem. Therefore it's safe to remove this coverage
    step (which wasn't run anyway).
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Jan 25, 2022
    SHA: 6270185
  8. Correctly define extras in setup.cfg (PyCQA#755)

    * Use `extras` to define extras in `setup.cfg`
    
    * Go back to using `entry_points` in `setup.cfg`
    
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    mkniewallner and ericwb committed Jan 25, 2022
    SHA: 25fde24

Commits on Jan 27, 2022

  1. Rely on toml conditionally

    We only want to rely on toml when it's present and tell the user how to
    resolve things if in fact they want to use toml
    
    Closes PyCQA#779
    sigmavirus24 committed Jan 27, 2022
    SHA: 458b4a1

Commits on Jan 28, 2022

  1. Update issue template with latest versions (PyCQA#783)

    When opening an issue, the template only allows
    selecting versions 1.7.0 as the max. And python version
    is limited to 3.9.
    ericwb committed Jan 28, 2022
    SHA: e85f5fd
  2. Delete release-drafter.yml (PyCQA#781)

    GitHub now has an easy-to-use button to automatically add release notes. 
    Therefore it's not necessary to use this yaml for an app we experimented with a while back.
    ericwb committed Jan 28, 2022
    SHA: f820372

Commits on Jan 29, 2022

  1. Use released version of gh-action-pypi-publish (PyCQA#784)

    Avoid using master version of gh-action-pypi-publish. Some orgs such as PyCQA don't permit using
    a non-released version of an Action.
    
    Fixes Issue PyCQA#782
    ericwb committed Jan 29, 2022
    SHA: 626c845
  2. Update publish-to-pypi.yml (PyCQA#785)

    A follow on to PyCQA#784. This change also updates the action to publish to
    PyPI (official) to use a released version of gh-action-pypi-publish instead of master.
    This change also makes the secret variable stand out a little more with all caps.
    ericwb committed Jan 29, 2022
    SHA: 8f075da
  3. Delete releasenotes directory (more openstack leftovers) (PyCQA#786)

    The releasenotes directory was another mechanism used for OpenStack to
    generate a release note in an OpenStack specific way. It hasn't been used
    in Bandit since we have migrated Bandit from Gerrit to GitHub. Therefore,
    removing the whole directory of these files.
    ericwb committed Jan 29, 2022
    SHA: 02f206b

Commits on Jan 30, 2022

  1. SHA: 6c94c85
  2. Including CWE information (PyCQA#613)

    * Add CWE mappings to bandit issues and update formatters accordingly.
    
    * Integrated Cwe class and url information.
    
    * typos
    
    * cwemap
    
    * linting issues
    
    * add cwe to denylist
    
    * make linter happy
    
    * UNDEF -> NOTSET
    
    * Update issue.py
    
    * test
    
    * Apply suggestions from code review
    
    * Apply suggestions from code review
    
    * Apply suggestions from code review
    
    * Apply suggestions from code review
    
    * Update tests/functional/test_functional.py
    
    * Apply suggestions from code review
    
    * Apply suggestions from code review
    
    * Apply suggestions from code review
    
    Co-authored-by: Julian Thome <jthome@gitlab.com>
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    3 people committed Jan 30, 2022
    SHA: 7d6ab4a

Commits on Feb 2, 2022

  1. Removal of the CWEMAP dict (PyCQA#789)

    There is a lookup dictionary defined that maps bandit check IDs
    to a CWE. This is mostly unnecessary as the check can specify
    the exact CWE that applies to it. And this would work better for
    3rd party plugins that also wish to set a CWE for their check.
    Maintaining a map is just another bit of maintenance.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 2, 2022
    SHA: fafa822

Commits on Feb 4, 2022

  1. Fix up warnings in output of tox (PyCQA#793)

    This change fixes the use of certain keywords in the setup.cfg
    file. Substitutes '-' for '_'
    
    Fixes: PyCQA#792
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 4, 2022
    SHA: c405e4e
  2. Avoid printing metrics as float point numbers (PyCQA#794)

    The metrics in the output were displaying counts as floats instead
    of integers. For example, 15.0 instead of 15. This is due to a
    divide call using '/' instead of '//' which rounds down the answer.
    
    We shouldn't have fractional number results anyway since the counts
    are always divisible by the rank values.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 4, 2022
    SHA: 4bc8155
  3. Add functional test of snmp_security_check (PyCQA#791)

    This change adds a new functional test of the new snmp plugin
    snmp_security_check.
    
    Fixes: PyCQA#790
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 4, 2022
    SHA: 05c7d89
  4. Support disabling individual tests

    This adds support to the `# nosec` comment to specify specific tests to disable.
    
    - allow disabling tests by id and by name (e.g. B602,assert_used)
    - update nosec_lines to be a dict keyed on line number to a set of tests to ignore
    - use an empty set to indicate a blanket nosec (i.e. just #nosec, no individual tests)
    - use None to indicate that there was no nosec comment on the line in question
    - track and report metrics on the number of tests skipped by specific tests and the number of tests that fail because they were not included in the list of specific tests to ignore
    
    Resolves PyCQA#211
    See also PyCQA#418
    mikespallino committed Feb 4, 2022
    SHA: 11fd1a2
  5. Change up how CWE is formatted (PyCQA#788)

    Currently the CWE information is inserted by the various formatters
    between severity and confidence. This change puts the CWE after the
    confidence on a separate line for better clarity.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 4, 2022
    SHA: 1c407d4

Commits on Feb 7, 2022

  1. Check value of usedforsecurity for hashlib (PyCQA#798)

    In Python 3.9+ hashlib has a new argument named usedforsecurity
    to indicate whether the hash is intended to be used for security
    or not. The default value is True. So a user must explicitly set
    it to False to state their non-security use.
    
    As a result of this change in Python, the severity has been
    moved up to HIGH if the usedforsecurity is True. But on earlier
    versions of Python, the severity will remain at MEDIUM since
    we don't know the intent of usage.
    
    https://docs.python.org/3/library/hashlib.html#hashlib.new
    
    Closes PyCQA#748
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 7, 2022
    SHA: 6b6b896
  2. Remove redundant Python 3.6 code (PyCQA#802)

    Bandit no longer supports Python 3.6 and earlier since those are
    end-of-life. Therefore there is no longer a need to have any
    code that conditionally checks on versions as early as that.
    
    This change cleans up the sql_statements check to only be for
    Python 3.7 and later.
    
    Closes PyCQA#800
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 7, 2022
    SHA: 9131162
  3. Add new plugin to check use of pyghmi (PyCQA#803)

    * Add new plugin to check use of pyghmi
    
    This patch set adds a new bandit plugin to check the use of pyghmi.
    
    Signed-off-by: Tin Lam <tin@irrational.io>
    
    * Fix example and polish the code.
    
    Signed-off-by: Tin Lam <tin@irrational.io>
    
    * Add new plug-in to check pyghmi
    
    This patch set adds a new bandit plugin to check the use of the
    pyghmi library, as IPMI is known to be an insecure protocol.
    
    Closes: PyCQA#356
    Signed-off-by: Tin Lam <tin@irrational.io>
    
    Co-authored-by: Tin Lam <tin@irrational.io>
    Co-authored-by: Eric Brown <browne@vmware.com>
    3 people committed Feb 7, 2022
    SHA: d1622bf

Commits on Feb 8, 2022

  1. Check for hardcoded passwords in class attributes (PyCQA#766)

    * Check for hardcoded passwords in class attributes
    
    B105:hardcoded_password_string currently throws an error for string
    literal variables, dictionary keys, and comparisons which look like
    passwords, but does not create an error for class attributes which look
    like passwords.
    
    For example password = "mypassword" and password == "mypassword"
    would create an error, but my_object.password = "mypassword",
    and my_object.password == "mypassword" would not.
    This behavior is unintuitive.
    
    Resolves PyCQA#759
    
    * Add tests for hardcoded passwords in classes
    
    * Update general_hardcoded_password.py
    
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    noliverio and ericwb committed Feb 8, 2022
    SHA: a9eaafa

Commits on Feb 10, 2022

  1. Better hashlib check for Python 3.9 (PyCQA#805)

    * Better hashlib check for Python 3.9
    
    In Python 3.9 and later, the hashlib function has a new keyword
    argument usedforsecurity to describe the usage of the hash. In
    that way, we can better identify the severity of the error.
    
    Previously, hashlib.md5 and the like were part of the blacklist
    check. For Python 3.9, it'll be part of the hashlib plugin so
    it can do more advanced checking of usedforsecurity.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    
    * Update hashlib_insecure_functions.py
    ericwb committed Feb 10, 2022
    SHA: c4372a0

Commits on Feb 14, 2022

  1. Fix references to the default branch name (PyCQA#810)

    The primary branch name has been renamed from master to main.
    As a result of this, some references in the docs must also be
    renamed so links are preserved.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 14, 2022
    SHA: dbefd04
  2. Cleanup the README

    There's duplicate information in the README regarding where to contribute,
    where to open bugs, where the documentation lies. This change deletes the
    dups and also puts the references at the end which is standard for most
    documents.
    ericwb committed Feb 14, 2022
    SHA: b8ff685

Commits on Feb 15, 2022

  1. Show usage with no arguments (PyCQA#814)

    The current behavior is to display an error when no arguments are
    given that no files were found. This is a non-standard way for
    a command line.
    
    Rather than an error message, no arguments should display the
    usage of the command itself.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 15, 2022
    SHA: a3d8b4b

Commits on Feb 17, 2022

  1. Respect color environment variables if set (PyCQA#813)

    According to command line standards [1], a command line should
    do its best to honor certain environment variables requesting
    whether color should be part of the standard output. Two such
    vars include NO_COLOR (if set) and TERM (if set to dumb), when
    set tell the CLI to disable color.
    
    [1] https://clig.dev/#output
    
    Partially-fixes PyCQA#678
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 17, 2022
    SHA: 1691b93

Commits on Feb 18, 2022

  1. Cannot seek stdin on pipe (PyCQA#496)

    * add namespaces for parent attributes
    
    * pylint formatting changes
    
    * added _Seeker for running seek on sys.stdin
    
    * Update node_visitor.py
    
    * Update general_hardcoded_password.py
    
    * Update general_hardcoded_password.py
    
    * pep8 fixes
    
    * added list handling for hard fname swaps
    
    * updated manager
    
    * maintaining list order
    
    * Update manager.py
    
    * Update manager.py
    
    * Update manager.py
    
    * Update issue.py
    
    * Update node_visitor.py
    
    * Update manager.py
    
    * Update issue.py
    
    * Update context.py
    
    * Update issue.py
    
    * Update manager.py
    
    * Update node_visitor.py
    
    * Update tester.py
    
    * Update issue.py
    
    * Update manager.py
    
    * Update context.py
    
    * Update node_visitor.py
    
    * Update manager.py
    
    Co-authored-by: wxu <wxu@verisign.com>
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    3 people committed Feb 18, 2022
    SHA: 0f4a495
  2. Test on operating systems we can support (PyCQA#804)

    This adds GitHub Action testing on the various operating systems
    we can potentially support. At the moment that includes Linux,
    and macOS.
    
    Each OS is put into its own job; that way the output is clearer.
    
    Closes PyCQA#405
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 18, 2022
    SHA: e2fa501

Commits on Feb 20, 2022

  1. Fix up some warnings and errors in docs (PyCQA#817)

    * Some lines missing code-block
    * Missing blank lines for spacing
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 20, 2022
    SHA: 78b0bc1
  2. Fix root doc for readthedocs (PyCQA#818)

    The readthedocs is using Sphinx 1.8.6 which still uses the
    legacy term master_doc for the root toctree.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 20, 2022
    SHA: 4a18a92

Commits on Feb 22, 2022

  1. Use versioned links to docs (PyCQA#819)

    In the report of a Bandit run, there are links to the docs as
    part of the more information. Today, these links are always
    to the latest docs. So depending on the version of Bandit you're
    running, these links could contain inaccurate information for
    that version.
    
    That's why this change makes it so a specific version of Bandit
    is pinned to refer to a specific version of documentation.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 22, 2022
    SHA: 7fbf9d5

Commits on Feb 25, 2022

  1. Use CWE link in HTML formatter (PyCQA#825)

    The CWE link is currently output in plain text. Given this is an
    HTML output formatter, it's only natural to use a reference link.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 25, 2022
    SHA: 528c540

Commits on Feb 26, 2022

  1. Improve performance of linerange (PyCQA#629)

    * Add caching for linerange
    
    * fix pep8
    
    * change setattr to .
    
    * change list to tuple
    
    * added more caching
    
    * fix bugs
    
    * fix bugs and setattr/getattr
    
    * Fix typo in long_set.py and add comment
    
    * Update utils.py
    
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    Krock21 and ericwb committed Feb 26, 2022
    SHA: 8bad6fa
  2. Inaccurate message in hashlib check (PyCQA#827)

    The hashlib function does not actually check for md2 as the docs
    and message claims. Besides, md2 is a very old hash not found in
    any Python 3.x version we support.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 26, 2022
    SHA: 09a6ace

Commits on Feb 27, 2022

  1. SHA: a65ae17
  2. Center the bandit logo in readme (PyCQA#823)

    Minor nit change to center the logo in the readme for more visual
    appeal.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 27, 2022
    SHA: d8c7e3c
  3. Build of artifact fails if raw directive used (PyCQA#831)

    A recent change to center the logo made use of the html raw keyword
    in the README. Apparently this fails when building the Bandit artifact.
    
    Checking dist/bandit-1.7.3.dev33-py3-none-any.whl: FAILED
    `long_description` has syntax errors in markup and would not be rendered on PyPI.
    
    line 1: Warning: "raw" directive disabled.
    warning: `long_description_content_type` missing. defaulting to `text/x-rst`.
    
    This change reverts the centering, but keeps the updated link.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 27, 2022
    20a0510

Commits on Feb 28, 2022

  1. Fix traceback in hashlib_insecure_functions (PyCQA#834)

    This check should not raise an exception if there are no keywords
    defined for the call. Makes use of dict get() for safety.
    
    Closes PyCQA#832
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Feb 28, 2022
    fbaf2ce
  2. Add version 1.7.3 to dropdown (PyCQA#833)

    Add an option for newly released version 1.7.3 for the user to report a bug on.
    ericwb committed Feb 28, 2022
    fcde9b5

Commits on Mar 4, 2022

  1. core/config: Fix ConfigError missing argument if toml is missing (PyCQA#845)

    Fixes the following error:
    
        Traceback (most recent call last):
          File "bin/bandit", line 8, in <module>
            sys.exit(main())
          File "lib/python3.10/site-packages/bandit/cli/main.py", line 455, in main
            b_conf = b_config.BanditConfig(config_file=args.config_file)
          File "lib/python3.10/site-packages/bandit/core/config.py", line 45, in __init__
            raise utils.ConfigError(
        TypeError: ConfigError.__init__() missing 1 required positional argument: 'config_file'
    Holzhaus committed Mar 4, 2022
    71bc67c
  2. Add 1.7.4 in issue template (PyCQA#846)

    Add an option for version 1.7.4 in the bug report in preparation for a new release of 1.7.4 afterwards.
    ericwb committed Mar 4, 2022
    1ed7906

Commits on Mar 5, 2022

  1. Add an example screen shot of Bandit to README (PyCQA#847)

    To help let users know what Bandit looks like in action, this
    commit includes a screen shot of a terminal having run Bandit
    to detect a sample issue.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Mar 5, 2022
    af06609
  2. Bad link to screen shot (PyCQA#848)

    bandit-term.png should be bandit-terminal.png
    ericwb committed Mar 5, 2022
    808bac2

Commits on Mar 6, 2022

  1. Use a constant for weak hashes (PyCQA#850)

    Small change to have a variable that has the set of weak hashes.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Mar 6, 2022
    a65c5b6
  2. Group location line with code output (PyCQA#822)

    Currently for the screen and text formatters there is a More Info
    line in between the Location line and the code snippet lines.
    
    This change puts the Location with the code snippet as a more
    logical grouping of code location information.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Mar 6, 2022
    29bc186
  3. Fix line range using Python 3.8 end_lineno (PyCQA#821)

    Python 3.8 and above have new ast node attributes to identify the
    end line number and end column offset [1].
    
    Python 3.8 also fixes line numbers for multiline strings [2].
    
    This fixes the issue mentioned in PyCQA#820, but only for Python 3.8+.
    
    [1] https://docs.python.org/3.8/library/ast.html#ast.AST.end_lineno
    [2] https://bugs.python.org/issue31241
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Mar 6, 2022
    1c0fc80

Commits on Mar 9, 2022

  1. Add classifier to indicate Py3 only (PyCQA#853)

    PyPI has a classifier to specifically state that only Python 3.x is supported (as opposed to 2.x).
    
    https://pypi.org/pypi?%3Aaction=list_classifiers
    ericwb committed Mar 9, 2022
    8379bcc

Commits on Mar 19, 2022

  1. Removal of blacklist call B309 httpsconnection (PyCQA#858)

    This check existed because of insufficient checking of certificates
    when using httpsconnection. Since 3.4.3, this has been fixed. And
    since Bandit supports 3.7+, there is no longer a need to scan for
    this.
    
    Closes PyCQA#857
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Mar 19, 2022
    130a467
  2. Remove blacklist call check for os.tempnam (PyCQA#859)

    This removes the check for the non-existent functions os.tempnam() and
    os.tmpnam(). These functions were removed in Python 3.0, so Bandit
    no longer needs to scan for them since our minimum version is 3.7.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Mar 19, 2022
    dd423ff

Commits on Mar 20, 2022

  1. Indicate hash type in message (PyCQA#860)

    Instead of a message telling the user the possible weak hashlib
    functions in use, this change indicates to the user the exact
    hash that is being used.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Mar 20, 2022
    4d93e8a

Commits on Mar 21, 2022

  1. Add the httpx module check for verify (PyCQA#861)

    The httpx module functions very similarly to requests in that there
    is a verify argument to indicate whether to verify the certificate
    of the host it's connecting with.
    
    As such, this plugin has been modified to include httpx in addition
    to requests for cases where verify=False.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Mar 21, 2022
    dd14b8f

Commits on Mar 23, 2022

  1. Add doc for hashlib plugin (PyCQA#862)

    The hashlib_insecure_functions module is missing documentation. More
    than likely this is a result of having checks in blacklist for hashlib
    and also a plugin. The blacklists have a reserved Id range of 3xx, which
    is what this plugin is using.
    
    Near term, this change publishes a page for B324 hashlib plugin. Longer
    term, the bandit Id should be migrated out of the 3xx group to something
    more appropriate.
    
    Closes PyCQA#559
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Mar 23, 2022
    4d4358b

Commits on Mar 25, 2022

  1. Make use of rich for the progress bar (PyCQA#863)

    The module rich has an excellent and versatile implementation of a
    progress bar for Python code. Bandit has an existing custom progress
    indicator.
    
    This change makes use of rich for a more visually pleasing progress
    bar and more informational by including metrics.
    
    The down side is that this does add another dependency. But I
    think it can be useful in the future when implementing multi-process
    processing of source code since rich is well adapted for that.
    
    https://github.com/Textualize/rich
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Mar 25, 2022
    af9f8dc
  2. Replace toml with tomli (PyCQA#829)

    * Replace `toml` with `tomli`
    
    * Only require `tomli` on Python < 3.11
    
    * Update test-requirements.txt
    
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    mkniewallner and ericwb committed Mar 25, 2022
    5a8f105

Commits on Mar 26, 2022

  1. Fix up B109 and B111 removed plugins docs (PyCQA#864)

    The B109 and B111 plugins were removed in 1.5.0 and the docs only
    referenced them for historical information.
    
    This change fixes the titles to be what they were originally and
    adds the complete doc and indicates deprecated and removed in
    1.5.0.
    
    Closes PyCQA#367
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Mar 26, 2022
    def9928

Commits on Mar 28, 2022

  1. add check for "requests" calls without timeout (PyCQA#743)

    * add check for "requests" calls without timeout
    
    * change request_without_timeout confidence to low
    
    * Update bandit/plugins/request_without_timeout.py
    
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    
    * Update bandit/plugins/request_without_timeout.py
    
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    
    * Update doc/source/plugins/b113_request_without_timeout.rst
    
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    
    * Update doc/source/plugins/b113_request_without_timeout.rst
    
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    
    * Update bandit/plugins/request_without_timeout.py
    
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    
    * remove utf-8
    
    * fix confidence in comment
    
    * Apply suggestions from code review
    
    * Update issue.py
    
    * Apply suggestions from code review
    
    * Apply suggestions from code review
    
    * Apply suggestions from code review
    
    * Apply suggestions from code review
    
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    mschfh and ericwb committed Mar 28, 2022
    5ff73ff

Commits on Apr 1, 2022

  1. Fix for build breaks in format job (PyCQA#869)

    This change bumps the version of Black in use to fix the errors
    seen coming out of the format build step.
    
    See psf/black#2964
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Apr 1, 2022
    7c39add
  2. Add license and contributing links to docs (PyCQA#867)

    * Fix for build breaks in format job
    
    This change bumps the version of Black in use to fix the errors
    seen coming out of the format build step.
    
    See psf/black#2964
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    
    * Add license and contributing links to docs
    
    As requested in issue PyCQA#617, include the license in a section of
    the main page of the readthedocs site. Also included are links
    to the source code repository and the issue tracker.
    
    Closes PyCQA#617
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Apr 1, 2022
    c166855

Commits on Apr 2, 2022

  1. Remove redundant word Bandit in titles of sections (PyCQA#873)

    We don't need the word "Bandit" prefixed to each of these section
    titles:
    * Bandit Test Plugins
    * Bandit Blacklist Plugins
    * Bandit Report Formatters
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Apr 2, 2022
    05707b3
  2. Add request for feedback via 👍 (PyCQA#871)

    This change encourages users to give a 👍 if they really like a particular feature.
    ericwb committed Apr 2, 2022
    b177a3e
  3. Add a Discord link to the docs (PyCQA#870)

    This change adds a Discord link to our docs in the contributing
    section so users know where they can reach out for questions
    and discussion.
    
    Closes PyCQA#775
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Apr 2, 2022
    83df96c
  4. Adding logging.config.listen() plugin with examples (PyCQA#874)

    * Adding logging.config.listen() plugin with examples
    
    * Minor changes from the review
    
    * Reorder imports
    
    * Formatting changes
    
    * Another formatting change
    
    Co-authored-by: Rajesh Pangare <raj3shp@groundzer0.local>
    raj3shp and Rajesh Pangare committed Apr 2, 2022
    d2fa394

Commits on Apr 7, 2022

  1. Removal of ghugo (PyCQA#881)

    It seems that ghugo is no longer a valid user on GitHub. Also ghugo hasn't been active
    in the Bandit community in a long while. Therefore, this change will remove the user.
    
     Unknown owner on line 1: make sure @ghugo exists and has write access to the repository
    ericwb committed Apr 7, 2022
    d343053

Commits on Apr 18, 2022

  1. Remove redundant pip line (PyCQA#884)

    The getting started doc informs the user how to install Bandit via pip. However, it gives
    instructions to use pip and pip3. Bandit is only supported on Python 3.x now. Also, it's
    less common to use pip3 when using convenience modules like pyenv. Therefore, this
    change leaves just the pip line.
    ericwb committed Apr 18, 2022
    cd26ded

Commits on Apr 24, 2022

  1. Corrected documentation on configuration (PyCQA#868)

    * .bandit is INI file
    
    * Describe how to make Bandit read an INI file
    
    * Remove descriptions about "profile"
    
    "Profile" is deprecated, legacy and undocumented.
    Note: descriptions about profile are still in man pages or help messages.
    
    * Revert "Remove descriptions about "profile""
    
    This reverts commit c4b2d52.
    a-takahashi223 committed Apr 24, 2022
    a2ac371
  2. 87ecc40

Commits on Apr 28, 2022

  1. Add myself to sponsor list (PyCQA#885)

    This change adds myself as a person to sponsor via the GitHub
    sponsorship program.
    ericwb committed Apr 28, 2022
    9bbb46a

Commits on May 1, 2022

  1. Add Discord link to README (PyCQA#875)

    Alert contributors to where on Discord they can reach out for questions and such
    ericwb committed May 1, 2022
    8419fb6

Commits on May 4, 2022

  1. Update action versions in Actions workflows (PyCQA#890) (PyCQA#893)

    * Update action versions in Actions workflows (PyCQA#890)
    
    * Increase fetch depth of checkout for `pep8` job
    mportesdev committed May 4, 2022
    80eebd5
  2. Add dependency review action (PyCQA#891)

    This change adds a new GitHub Action that can check for a dependency that has known vulnerabilities being introduced via the pull request.
    
    https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
    
    Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
    ericwb committed May 4, 2022
    c6b3db7

Commits on May 9, 2022

  1. cc82cec
  2. Test plugin listing incorrectly pointing b612 to plugin ref of b1022 (PyCQA#897)

    Co-authored-by: Raj <rsoundar@espressive.com>
    rajaramsrn and Raj committed May 9, 2022
    0e3f6e7

Commits on May 15, 2022

  1. Make small fixes in docs (PyCQA#899)

    * add missing `code-block` RST directives and/or surrounding blank lines
    * fix issue ID in `b508_snmp_weak_cryptography.rst` filename
    * fix outdated example filename in docstring of `injection_sql.py`
    mportesdev committed May 15, 2022
    7104b33

Commits on May 18, 2022

  1. Specify semver range for Python 3.11 (PyCQA#901)

    This change allows GitHub Actions to automatically pick the most recent version of Python 3.11, including pre-releases.
    mportesdev committed May 18, 2022
    9705a71

Commits on May 24, 2022

  1. Add another bad example of yaml load (PyCQA#905)

    The yaml module supports passing the Loader of choice.
    Passing yaml.Loader is considered unsafe. This commit
    adds that example and ensures Bandit detects it.
    
    Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
    ericwb committed May 24, 2022
    232d52d

Commits on Jun 13, 2022

  1. 0f5d2b2

Commits on Jun 17, 2022

  1. 44c05fc

Commits on Jun 25, 2022

  1. Avoid redundant message if debug on (PyCQA#913)

    Only print the message to use "--debug" if debug logging not already
    turned on.
    
    Closes PyCQA#883
    
    Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
    ericwb committed Jun 25, 2022
    e15fe9b

Commits on Jun 27, 2022

  1. Remove invalid checking on hashlib (PyCQA#914)

    * hashlib does not support name as the kwargs argument
    * 'string' is not a keyword of kwargs
    
    Fixes PyCQA#865
    
    Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
    ericwb committed Jun 27, 2022
    0b56c57

Commits on Jul 3, 2022

  1. Add some missing curve types (PyCQA#920)

    The weak_cryptographic_key plugin is missing some various
    elliptical curve types.
    
    Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
    ericwb committed Jul 3, 2022
    5aae21e

Commits on Jul 7, 2022

  1. add jsonpickle deserialization blacklist (PyCQA#707)

    * add jsonpickle deserialization blacklist
    
    add jsonpickle deserialization blacklist
    
    * Update calls.py
    
    * Update test_functional.py
    
    * Create jsonpickle.py
    
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
    SugarP1g and ericwb committed Jul 7, 2022
    9832461
  2. Fix reading the number argument from config file (PyCQA#923)

    * Fix reading the number argument from config file
    
    When passing the "number" option from the INI file we did
    not take into account to store its value as an integer
    (when that value is not None).
    
    Resolves: PyCQA#922
    
    * Implement a cleaner fix
    
    We use the "or" boolean operation to have a
    cleaner implementation of the solution.
    KAUTH committed Jul 7, 2022
    39cdfab

Commits on Jul 8, 2022

  1. Add end_col_offset if available (PyCQA#851)

    Python 3.8 and above include an end_col_offset attribute on nodes
    to indicate the end column offset of the node. If available,
    Bandit should include end_col_offset for more clarity on the column
    range where the issue was found.
    
    Signed-off-by: Eric Brown <browne@vmware.com>
    ericwb committed Jul 8, 2022
    da58ceb
  2. 715a459