Enhancement Proposal: Plugin "assert_used" config skip-snippet #1
base: master
Commits on Mar 6, 2021
- 0afaffa
Commits on Apr 2, 2021
- 1eff509 Add string options for severity and confidence (PyCQA#702)
  Adds two new command line arguments which allow the user to specify severity level and confidence level with a key-value pair rather than repeating a flag. This makes it easier to specify those values if using an alternate interface which invokes Bandit's CLI. The previous repeatable flags have been retained and existing workflows will not be affected. New arguments:
  * --severity-level: Takes a string "all", "low", "medium", or "high" to set the level. This has the same effect as the existing -l/--level option. If both options are specified, an error will be printed.
  * --confidence-level: Takes a string "all", "low", "medium", or "high" to set the level. This has the same effect as the existing -i/--confidence option. If both options are specified, an error will be printed.
  * Help text for these parameters clarifies why 'all' and 'low' aren't the same although they will almost certainly produce the same set of results.
  Co-authored-by: Nathan Stocking <nathan.stocking@microsoft.com>
Commits on Apr 5, 2021
- 193c355 PyCQA#694 Bandit fails when using importlib with named arguments (PyC…
Commits on Apr 12, 2021
- 0e23506
Commits on Jun 15, 2021
- 5ecc4f5 Mock part of python 3.x (PyCQA#685)
  Now that Bandit is Python 3.5+ only, there is no need to install the mock library. The mock library became part of base Python as of Python 3.3. See [1]
  [1] https://pypi.org/project/mock/
  Signed-off-by: Eric Brown <browne@vmware.com>
  Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
- 9a99388
Commits on Jun 29, 2021
- 55b8834 Use new issue template format (PyCQA#717)
  This change makes use of the new issue template format. The new YAML version of the template allows for dropdowns and other form input metadata.
- a99b4c7
- c31ab29
- 2bd1ffa
Commits on Aug 24, 2021
- d4faa78 document that random.choices() isn't secure either (PyCQA#728)
  * document that random.choices() isn't secure either
  * add random.choices() to tests
- 44f5c41 PEP-518 support: configure bandit via pyproject.toml (PyCQA#401)
  * parse config from toml
  * test toml config parsing
  * update docs
  * FIX pep8 "line too long" in tests
  * review
  * +extras
  * use setup.cfg for extras
  * fix setup.cfg
  * fix
  * Apply suggestions from code review
    Co-authored-by: Lionel Bersee <lionel1232@gmail.com>
  * Update doc/source/config.rst
    Co-authored-by: Lionel Bersee <lionel1232@gmail.com>
  * Update doc/source/config.rst
    Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
  * actualize TOML config example in docs
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
  Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
  Co-authored-by: Lionel Bersee <lionel1232@gmail.com>
Commits on Oct 24, 2021
- aac3f16 Always use a Loader in yaml.load (PyCQA#745)
  A recent change within pyyaml 6.0 has enforced use of a Loader argument to yaml.load [1]. To comply, Bandit will use yaml.load with a Loader always. The plugin to check for unsafe loaders of the yaml module still applies.
  [1] yaml/pyyaml#561
  Closes PyCQA#744
  Signed-off-by: Eric Brown <browne@vmware.com>
Commits on Nov 11, 2021
- a83c53f fix reading initial values from .bandit (PyCQA#722)
  Pass the default CLI arg into the helper function so we can discern between a value passed by CLI and a default
  Co-authored-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
Commits on Nov 12, 2021
- 3dca782
Commits on Nov 13, 2021
- e0a12a9 test_help_arg: remove assert on 'optional arguments' (PyCQA#752)
  In python-3.10 this renders as 'options:', rather than 'optional arguments:', breaking the test.
Commits on Jan 21, 2022
- 78543ff Create FUNDING.yml (PyCQA#774)
  Setup a sponsorship button using Open Collective as the backing fiscal host. https://opencollective.com/bandit-sast
Commits on Jan 22, 2022
- 9fcf66b Start using auto-formatters (PyCQA#754)
  Use black to auto-format the style so it's always consistent and pyupgrade will allow us to auto-upgrade to the newest language features.
Commits on Jan 25, 2022
- 1327cfa Drop end-of-life Python 3.5 (PyCQA#746)
  Python 3.5 hit the end-of-life on Sept 13, 2020. As a result, Bandit should also drop support for it.
  Signed-off-by: Eric Brown <browne@vmware.com>
- 0096bee
- fb8c32e Drop end-of-life Python 3.6 (PyCQA#777)
  Python 3.6 hit the end-of-life on Dec 23, 2021. As a result, Bandit should also drop support for it.
  Signed-off-by: Eric Brown <browne@vmware.com>
- 0d05d40
  Co-authored-by: Eric Brown <browne@vmware.com>
- 68f43eb
  The current README.rst has references to configure bandit runs using a custom .INI-like file. In reality, that file should actually be a YAML file. Using the INI example provided will result in:
  `[main] ERROR bandit.cfg : Error parsing file.`
  This patch set updates the configuration so it is of proper YAML format so the execution will not error out.
  Signed-off-by: Tin Lam <tinlam@gmail.com>
  Co-authored-by: Luke Hinds <lukehinds@gmail.com>
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
- ca4475f Added snmp_security check plugin for various SNMP checks (PyCQA#403)
  * Added snmp_security check plugin for various SNMP checks
  * Extracted each test into their own files
  * Updates for linter
  * Fixed style errors and added authNoPriv as a failure
  * removed trailing --
  * more lint changes
  * Update README.rst
  * Update snmp_security_check.py
  * Update bandit/plugins/snmp_security_check.py
  * Update bandit/plugins/snmp_security_check.py
  * Update bandit/plugins/snmp_security_check.py
  * Update examples/snmp.py
  * Update doc/source/plugins/b508_snmp_insecure_version.rst
  * Update doc/source/plugins/b508_snmp_weak_cryptography.rst
  * Update doc/source/plugins/b508_snmp_weak_cryptography.rst
  * Update doc/source/plugins/b508_snmp_insecure_version.rst
  * Update doc/source/plugins/b508_snmp_insecure_version.rst
  * Update doc/source/plugins/b508_snmp_weak_cryptography.rst
  * Update doc/source/plugins/b508_snmp_insecure_version.rst
  * Update doc/source/plugins/b508_snmp_insecure_version.rst
  * Update b508_snmp_weak_cryptography.rst
  * Update snmp_security_check.py
  * Update snmp_security_check.py
  Co-authored-by: Giblin <jed.giblin@jgiblin-mb.tul.solarwinds.net>
  Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
- 6270185 Remove leftover openstack code (PyCQA#778)
  There are still remnants of openstack in the Bandit code base. Namely there was still a coverage step that relied on an openstack git repo. Bandit is self contained and no longer only part of the openstack ecosystem. Therefore it's safe to remove this coverage step (which wasn't run anyway).
  Signed-off-by: Eric Brown <browne@vmware.com>
- 25fde24 Correctly define extras in setup.cfg (PyCQA#755)
  * Use `extras` to define extras in `setup.cfg`
  * Go back to using `entry_points` in `setup.cfg`
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
Commits on Jan 27, 2022
- 458b4a1
  We only want to rely on toml when it's present and tell the user how to resolve things if in fact they want to use toml
  Closes PyCQA#779
Commits on Jan 28, 2022
- e85f5fd Update issue template with latest versions (PyCQA#783)
  When opening an issue, the template only allows selecting version 1.7.0 as the max. And python version is limited to 3.9.
- f820372 Delete release-drafter.yml (PyCQA#781)
  GitHub now has an easy-to-use button to automatically add release notes. Therefore it's not necessary to use this yaml for an app we experimented with a while back.
Commits on Jan 29, 2022
- 626c845 Use released version of gh-action-pypi-publish (PyCQA#784)
  Avoid using master version of gh-action-pypi-publish. Some orgs such as PyCQA don't permit using a non-released version of an Action.
  Fixes Issue PyCQA#782
- 8f075da Update publish-to-pypi.yml (PyCQA#785)
  A follow on to PyCQA#784. This change also updates the action to publish to PyPI (official) to use a released version of gh-action-pypi-publish instead of master. This change also makes the secret variable stand out a little more with all caps.
- 02f206b Delete releasenotes directory (more openstack leftovers) (PyCQA#786)
  The releasenotes directory was another mechanism used for OpenStack to generate a release note in an OpenStack specific way. It hasn't been used in Bandit since we have migrated Bandit from Gerrit to GitHub. Therefore, removing the whole directory of these files.
Commits on Jan 30, 2022
- 6c94c85
- 7d6ab4a Including CWE information (PyCQA#613)
  * Add CWE mappings to bandit issues and update formatters accordingly.
  * Integrated Cwe class and url information.
  * typos
  * cwemap
  * linting issues
  * add cwe to denylist
  * make linter happy
  * UNDEF -> NOTSET
  * Update issue.py
  * test
  * Apply suggestions from code review
  * Apply suggestions from code review
  * Apply suggestions from code review
  * Apply suggestions from code review
  * Update tests/functional/test_functional.py
  * Apply suggestions from code review
  * Apply suggestions from code review
  * Apply suggestions from code review
  Co-authored-by: Julian Thome <jthome@gitlab.com>
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
Commits on Feb 2, 2022
- fafa822 Removal of the CWEMAP dict (PyCQA#789)
  There is a lookup dictionary defined that maps bandit check IDs to a CWE. This is mostly unnecessary as the check can specify the exact CWE that applies to it. And this would work better for 3rd party plugins that also wish to set a CWE for their check. Maintaining a map is just another bit of maintenance.
  Signed-off-by: Eric Brown <browne@vmware.com>
Commits on Feb 4, 2022
- c405e4e Fix up warnings in output of tox (PyCQA#793)
  This change fixes the use of certain keywords in the setup.cfg file. Substitutes '-' for '_'
  Fixes: PyCQA#792
  Signed-off-by: Eric Brown <browne@vmware.com>
- 4bc8155 Avoid printing metrics as float point numbers (PyCQA#794)
  The metrics in the output were displaying counts as floats instead of integers. For example, 15.0 instead of 15. This is due to a divide call using '/' instead of '//' which rounds down the answer. We shouldn't have fractional number results anyway since the counts are always divisible by the rank values.
  Signed-off-by: Eric Brown <browne@vmware.com>
- 05c7d89 Add functional test of snmp_security_check (PyCQA#791)
  This change adds a new functional test of the new snmp plugin snmp_security_check.
  Fixes: PyCQA#790
  Signed-off-by: Eric Brown <browne@vmware.com>
- 11fd1a2 Support disabling individual tests
  This adds support to the `# nosec` comment to specify specific tests to disable.
  - allow disabling tests by id and by name (e.g. B602,assert_used)
  - update nosec_lines to be a dict keyed on line number to a set of tests to ignore
  - use an empty set to indicate a blanket nosec (i.e. just #nosec, no individual tests)
  - use None to indicate that there was no nosec comment on the line in question
  - track and report metrics on the number of tests skipped by specific tests and the number of tests that fail because they were not included in the list of specific tests to ignore
  Resolves PyCQA#211
  See also PyCQA#418
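The commit above describes the data model for per-test `# nosec` suppressions (dict keyed on line number, empty set for a blanket nosec, None for no comment). The following is an added example, written for this page and not Bandit's own implementation, that parses such comments with the `tokenize` module and applies the three-way rule to a constructed list of findings; the comment grammar, the metric names and the sample issues are this example's assumptions.

```python
import io
import re
import tokenize

# Comment grammar assumed here: "# nosec" alone, or "# nosec B602,assert_used"
# (ids and/or names, separated by commas or whitespace, optional colon).
NOSEC_RE = re.compile(r"#\s*nosec\b\s*:?\s*([A-Za-z0-9_,\s]*)")


def parse_nosec_lines(source: str) -> dict:
    """Return {lineno: set_of_tests} for every line carrying a nosec comment.

    An empty set means a blanket "# nosec" (skip every test on that line).
    A line without a nosec comment is absent from the dict, so .get(lineno)
    yields None, which callers treat as "no comment".
    """
    nosec_lines = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue
        match = NOSEC_RE.search(tok.string)
        if match is None:
            continue
        tests = {t for t in re.split(r"[,\s]+", match.group(1)) if t}
        nosec_lines[tok.start[0]] = tests
    return nosec_lines


def apply_nosec(issues, nosec_lines):
    """Filter issue dicts (lineno, test_id, test_name) through the nosec map.

    Returns (reported_issues, metrics). Metric names are this example's own.
    """
    metrics = {"nosec_blanket": 0, "nosec_specific": 0, "nosec_not_matching": 0}
    reported = []
    for issue in issues:
        tests = nosec_lines.get(issue["lineno"])
        if tests is None:                        # no nosec comment on this line
            reported.append(issue)
        elif not tests:                          # blanket "# nosec"
            metrics["nosec_blanket"] += 1
        elif issue["test_id"] in tests or issue["test_name"] in tests:
            metrics["nosec_specific"] += 1       # suppressed by id or by name
        else:
            metrics["nosec_not_matching"] += 1   # nosec present, but lists other tests
            reported.append(issue)
    return reported, metrics


# Constructed sample source and the issues a scanner might raise on it.
SAMPLE_SOURCE = """\
import subprocess
assert cmd  # nosec
subprocess.call(cmd, shell=True)  # nosec B602,assert_used
subprocess.call(cmd, shell=True)  # nosec B101
pickle.loads(blob)
"""

SAMPLE_ISSUES = [
    {"lineno": 2, "test_id": "B101", "test_name": "assert_used"},
    {"lineno": 3, "test_id": "B602", "test_name": "subprocess_popen_with_shell_equals_true"},
    {"lineno": 4, "test_id": "B602", "test_name": "subprocess_popen_with_shell_equals_true"},
    {"lineno": 5, "test_id": "B301", "test_name": "pickle"},
]

if __name__ == "__main__":
    reported, metrics = apply_nosec(SAMPLE_ISSUES, parse_nosec_lines(SAMPLE_SOURCE))
    for issue in reported:
        print("line {lineno}: {test_id} ({test_name})".format(**issue))
    print(metrics)
```

Line 4 of the sample is the case the commit's last bullet is about: a nosec comment is present but names a different test, so the B602 finding is still reported and counted separately, which lets a reviewer spot suppressions that no longer match the finding they were written for.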
- 1c407d4 Change up how CWE is formatted (PyCQA#788)
  Currently the CWE information is inserted by the various formatters between severity and confidence. This change puts the CWE after the confidence on a separate line for better clarity.
  Signed-off-by: Eric Brown <browne@vmware.com>
Commits on Feb 7, 2022
- 6b6b896 Check value of usedforsecurity for hashlib (PyCQA#798)
  In Python 3.9+ hashlib has a new argument named usedforsecurity to indicate whether the hash is intended to be used for security or not. The default value is True. So a user must explicitly set it to False to state their non-security use. As a result of this change in Python, the severity has been moved up to HIGH if the usedforsecurity is True. But on earlier versions of Python, the severity will remain at MEDIUM since we don't know the intent of usage.
  https://docs.python.org/3/library/hashlib.html#hashlib.new
  Closes PyCQA#748
  Signed-off-by: Eric Brown <browne@vmware.com>
- 9131162 Remove redundant Python 3.6 code (PyCQA#802)
  Bandit no longer supports Python 3.6 and earlier since those are end-of-life. Therefore there is no longer a need to have any code that conditionally checks on versions as early as that. This change cleans up the sql_statements check to only be for Python 3.7 and later.
  Closes PyCQA#800
  Signed-off-by: Eric Brown <browne@vmware.com>
- d1622bf Add new plugin to check use of pyghmi (PyCQA#803)
  * Add new plugin to check use of pyghmi
    This patch set adds a new bandit plugin to check the use of pyghmi.
    Signed-off-by: Tin Lam <tin@irrational.io>
  * Fix example and polish the code.
    Signed-off-by: Tin Lam <tin@irrational.io>
  * Add new plug-in to check pyghmi
    This patch set adds a new bandit plugin to check the use of the pyghmi library, as IPMI is known to be an insecure protocol.
    Closes: PyCQA#356
    Signed-off-by: Tin Lam <tin@irrational.io>
  Co-authored-by: Tin Lam <tin@irrational.io>
  Co-authored-by: Eric Brown <browne@vmware.com>
Commits on Feb 8, 2022
- a9eaafa Check for hardcoded passwords in class attributes (PyCQA#766)
  * Check for hardcoded passwords in class attributes
    B105:hardcoded_password_string currently throws an error for string literal variables, dictionary keys, and comparisons which look like passwords, but does not create an error for class attributes which look like passwords. For example password = "mypassword" and password == "mypassword" would create an error, but my_object.password = "mypassword", and my_object.password == "mypassword" would not. This behavior is unintuitive.
    Resolves PyCQA#759
  * Add tests for hardcoded passwords in classes
  * Update general_hardcoded_password.py
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
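The gap described in the commit above is that an assignment or comparison whose target is an `ast.Attribute` (`my_object.password = "..."`) was not treated like the `ast.Name` case. The following is an added example, not Bandit's B105 plugin, showing one way to handle both target kinds with the same name test; the candidate-name regex and the sample source are this example's own assumptions, and the regex is deliberately simple (it will also match names such as `bypass`).

```python
import ast
import re

# Assumption: which identifiers "look like" a password. Bandit's own pattern differs.
PASSWORD_NAME_RE = re.compile(r"(pass(word|wd|phrase)?|pwd|secret|token)", re.IGNORECASE)


def _target_name(node):
    """Identifier to test: Name -> its id, Attribute -> its last component, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr          # covers self.password, cfg.db_passwd, ...
    return None


def _is_string_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""


def find_hardcoded_passwords(source: str):
    """Return sorted (lineno, name, literal) for password-like names bound to or compared with a string literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            # password = "..."   and   obj.password = "..."
            for target in node.targets:
                name = _target_name(target)
                if name and PASSWORD_NAME_RE.search(name) and _is_string_literal(node.value):
                    findings.append((node.lineno, name, node.value.value))
        elif isinstance(node, ast.Compare):
            # password == "..."  and   obj.password == "..."
            name = _target_name(node.left)
            if name and PASSWORD_NAME_RE.search(name):
                for comparator in node.comparators:
                    if _is_string_literal(comparator):
                        findings.append((node.lineno, name, comparator.value))
    return sorted(findings)


# Constructed sample: lines 2 and 3 are the Name and Attribute assignment cases,
# line 4 the Attribute comparison, line 6 a non-literal (must not be flagged),
# line 9 a class attribute.
SAMPLE_SOURCE = """\
import os
password = "mypassword"
cfg.password = "mypassword"
if user.password == "letmein":
    pass
token = os.environ["API_TOKEN"]
username = "alice"
class Settings:
    db_passwd = "default"
"""

if __name__ == "__main__":
    for lineno, name, literal in find_hardcoded_passwords(SAMPLE_SOURCE):
        print(f"line {lineno}: possible hardcoded password in {name!r} = {literal!r}")
```

The non-literal on line 6 is skipped because the check keys on the right-hand side being a string constant, not only on the name; a value pulled from the environment is exactly the pattern the check is meant to steer people toward.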
Commits on Feb 10, 2022
- c4372a0 Better hashlib check for Python 3.9 (PyCQA#805)
  * Better hashlib check for Python 3.9
    In Python 3.9 and later, the hashlib function has a new keyword argument usedforsecurity to describe the usage of the hash. In that way, we can better identify the severity of the error. Previously, hashlib.md5 and the like were part of the blacklist check. For Python 3.9, it'll be part of the hashlib plugin so it can do more advanced checking of usedforsecurity.
    Signed-off-by: Eric Brown <browne@vmware.com>
  * Update hashlib_insecure_functions.py
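The two hashlib commits above (6b6b896 and c4372a0) describe moving weak-hash detection from a plain call blacklist into a plugin that inspects the `usedforsecurity` keyword and grades severity by Python version. The following is an added example, not Bandit's hashlib plugin, that implements that decision over a constructed source file; the set of weak hash names, the severity labels and the rule that an explicit `usedforsecurity=True` is HIGH on any version are this example's assumptions.

```python
import ast
import sys

# Assumption: names treated as weak. Bandit's list may differ.
WEAK_HASHES = {"md4", "md5", "sha", "sha1"}


def _weak_hash_name(call: ast.Call):
    """Return the weak algorithm name if `call` is hashlib.<weak>(...) or hashlib.new("<weak>", ...)."""
    func = call.func
    if not (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "hashlib"):
        return None
    if func.attr in WEAK_HASHES:
        return func.attr
    if (func.attr == "new" and call.args
            and isinstance(call.args[0], ast.Constant)
            and isinstance(call.args[0].value, str)):
        name = call.args[0].value.lower()
        if name in WEAK_HASHES:
            return name
    return None


def check_hashlib(source: str, py_version=sys.version_info[:2]):
    """Report weak hashlib calls, graded by the usedforsecurity keyword and the target Python.

    Each finding carries lineno/end_lineno so a multi-line call is reported as a range
    (end_lineno exists on 3.8+; older ASTs fall back to the start line).
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _weak_hash_name(node)
        if name is None:
            continue
        keywords = {kw.arg: kw.value for kw in node.keywords}
        ufs = keywords.get("usedforsecurity")
        if isinstance(ufs, ast.Constant) and ufs.value is False:
            continue                       # caller declared a non-security use
        if isinstance(ufs, ast.Constant) and ufs.value is True:
            severity = "HIGH"              # caller explicitly declared a security use
        elif ufs is None and py_version >= (3, 9):
            severity = "HIGH"              # 3.9+ default is usedforsecurity=True
        else:
            severity = "MEDIUM"            # no keyword on older Python, or a non-constant value
        findings.append({
            "lineno": node.lineno,
            "end_lineno": getattr(node, "end_lineno", node.lineno),
            "hash": name,
            "severity": severity,
        })
    return sorted(findings, key=lambda f: f["lineno"])


# Constructed sample. Line 3 opts out, line 5 is a strong hash, lines 6-9 are one call.
SAMPLE_SOURCE = """\
import hashlib
digest = hashlib.md5(data).hexdigest()
etag = hashlib.sha1(data, usedforsecurity=False).hexdigest()
legacy = hashlib.new("MD5", data)
strong = hashlib.sha256(data)
h = hashlib.md5(
    data,
    usedforsecurity=True,
)
"""

if __name__ == "__main__":
    for f in check_hashlib(SAMPLE_SOURCE):
        print("{severity}: weak hash {hash} at lines {lineno}-{end_lineno}".format(**f))
```

Run against the sample with a 3.9 target, the default-argument calls on lines 2 and 4 are HIGH; with a 3.8 target they drop to MEDIUM because the keyword does not exist there and the intent cannot be read from the call. `hashlib.new(name=...)` passed as a keyword is not handled, which is the kind of gap a real plugin needs a test for.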
Commits on Feb 14, 2022
- dbefd04 Fix references to the default branch name (PyCQA#810)
  The primary branch name has been renamed from master to main. As a result of this, some references in the docs must also be renamed so links are preserved.
  Signed-off-by: Eric Brown <browne@vmware.com>
- b8ff685
  There's duplicate information in the README regarding where to contribute, where to open bugs, where the documentation lies. This change deletes the dups and also puts the references at the end which is standard for most documents.
Commits on Feb 15, 2022
- a3d8b4b Show usage with no arguments (PyCQA#814)
  The current behavior is to display an error when no arguments are given that no files were found. This is a non-standard way for a command line. Rather than an error message, no arguments should display the usage of the command itself.
  Signed-off-by: Eric Brown <browne@vmware.com>
Commits on Feb 17, 2022
- 1691b93 Respect color environment variables if set (PyCQA#813)
  According to command line standards [1], a command line should do its best to honor certain environment variables requesting whether color should be part of the standard output. Two such vars are NO_COLOR (if set) and TERM (if set to dumb), which, when set, tell the CLI to disable color.
  [1] https://clig.dev/#output
  Partially-fixes PyCQA#678
  Signed-off-by: Eric Brown <browne@vmware.com>
Commits on Feb 18, 2022
- 0f4a495 Cannot seek stdin on pipe (PyCQA#496)
  * add namespaces for parent attributes
  * pylint formatting changes
  * added _Seeker for running seek on sys.stdin
  * Update node_visitor.py
  * Update general_hardcoded_password.py
  * Update general_hardcoded_password.py
  * pep8 fixes
  * added list handling for hard fname swaps
  * updated manager
  * maintaining list order
  * Update manager.py
  * Update manager.py
  * Update manager.py
  * Update issue.py
  * Update node_visitor.py
  * Update manager.py
  * Update issue.py
  * Update context.py
  * Update issue.py
  * Update manager.py
  * Update node_visitor.py
  * Update tester.py
  * Update issue.py
  * Update manager.py
  * Update context.py
  * Update node_visitor.py
  * Update manager.py
  Co-authored-by: wxu <wxu@verisign.com>
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
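The commit above addresses scanning source piped into Bandit's stdin: a pipe is not seekable, so any code path that rewinds the input raises. The following is an added example, not the `_Seeker` class the commit mentions, showing the usual fix of probing `seekable()` and, when it is False, buffering the whole stream in memory; the helper names and the sample bytes are this example's assumptions.

```python
import io
import os


def ensure_seekable(stream):
    """Return a seekable binary stream with the same contents as `stream`.

    Pipes, sockets and ttys report seekable() == False and raise OSError on
    seek() (io.UnsupportedOperation is a subclass). For those, read everything
    into a BytesIO so later rewinds work. A seekable stream is returned as-is.
    """
    raw = getattr(stream, "buffer", stream)   # TextIOWrapper (sys.stdin) -> its binary layer
    if raw.seekable():
        return raw
    return io.BytesIO(raw.read())


def first_line_twice(stream):
    """Read the first line, rewind, read it again: the access pattern that fails on a bare pipe."""
    seekable = ensure_seekable(stream)
    first = seekable.readline()
    seekable.seek(0)
    again = seekable.readline()
    return first, again


def demo_with_pipe(data: bytes):
    """Push `data` through an OS pipe (like `cat file.py | bandit -`) and rewind it.

    Returns (pipe_was_seekable, first_line, first_line_after_rewind).
    """
    read_fd, write_fd = os.pipe()
    os.write(write_fd, data)          # small payload: fits the pipe buffer without blocking
    os.close(write_fd)
    with os.fdopen(read_fd, "rb") as pipe_reader:
        was_seekable = pipe_reader.seekable()
        first, again = first_line_twice(pipe_reader)
    return was_seekable, first, again


if __name__ == "__main__":
    # Constructed sample input standing in for a piped source file.
    print(demo_with_pipe(b"import os\nos.system('ls')\n"))
```

Buffering the whole input is acceptable for source files but not for unbounded streams; a scanner that reads from stdin should bound the read or document that the input is held in memory.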
- e2fa501 Test on operating systems we can support (PyCQA#804)
  This adds GitHub Action testing on the various operating systems we can potentially support. At the moment that includes Linux, and macOS. Each OS is put into its own job that way the output is clearer.
  Closes PyCQA#405
  Signed-off-by: Eric Brown <browne@vmware.com>
Commits on Feb 20, 2022
- 78b0bc1 Fix up some warnings and errors in docs (PyCQA#817)
  * Some lines missing code-block
  * Missing blank lines for spacing
  Signed-off-by: Eric Brown <browne@vmware.com>
- 4a18a92 Fix root doc for readthedocs (PyCQA#818)
  The readthedocs is using Sphinx 1.8.6 which still uses the legacy term master_doc for the root toctree.
  Signed-off-by: Eric Brown <browne@vmware.com>
Commits on Feb 22, 2022
- 7fbf9d5 Use versioned links to docs (PyCQA#819)
  In the report of a Bandit run, there are links to the docs as part of the more information. Today, these links are always to the latest docs. So depending on the version of Bandit you're running, these links could contain inaccurate information for that version. That's why this change makes it so a specific version of Bandit is pinned to refer to a specific version of documentation.
  Signed-off-by: Eric Brown <browne@vmware.com>
Commits on Feb 25, 2022
- 528c540 Use CWE link in HTML formatter (PyCQA#825)
  The CWE link is currently output in plain text. Given this is an HTML output formatter, it's only natural to use a reference link.
  Signed-off-by: Eric Brown <browne@vmware.com>
Commits on Feb 26, 2022
- 8bad6fa Improve performance of linerange (PyCQA#629)
  * Add caching for linerange
  * fix pep8
  * change setattr to .
  * change list to tuple
  * added more caching
  * fix bugs
  * fix bugs and setattr/getattr
  * Fix typo in long_set.py and add comment
  * Update utils.py
  Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
- 09a6ace Inaccurate message in hashlib check (PyCQA#827)
  The hashlib function does not actually check for md2 as the docs and message claims. Besides, md2 is a very old hash not found in any Python 3.x version we support.
  Signed-off-by: Eric Brown <browne@vmware.com>
Commits on Feb 27, 2022
- a65ae17
- d8c7e3c Center the bandit logo in readme (PyCQA#823)
  Minor nit change to center the logo in the readme for more visual appeal.
  Signed-off-by: Eric Brown <browne@vmware.com>
- 20a0510 Build of artifact fails if raw directive used (PyCQA#831)
  A recent change to center the logo made use of the html raw keyword in the README. Apparently this fails when building the Bandit artifact.
    Checking dist/bandit-1.7.3.dev33-py3-none-any.whl: FAILED
    `long_description` has syntax errors in markup and would not be rendered on PyPI.
    line 1: Warning: "raw" directive disabled.
    warning: `long_description_content_type` missing. defaulting to `text/x-rst`.
  This change reverts the centering, but keeps the updated link.
  Signed-off-by: Eric Brown <browne@vmware.com>
Commits on Feb 28, 2022
- fbaf2ce Fix traceback in hashlib_insecure_functions (PyCQA#834)
  This check should not raise an exception if there are no keywords defined for the call. Makes use of dict get() for safety.
  Closes PyCQA#832
  Signed-off-by: Eric Brown <browne@vmware.com>
- fcde9b5 Add version 1.7.3 to dropdown (PyCQA#833)
  Add an option for newly released version 1.7.3 for the user to report a bug on.
Commits on Mar 4, 2022
- 71bc67c core/config: Fix ConfigError missing argument if toml is missing (PyCQA#845)
  Fixes the following error:
    Traceback (most recent call last):
      File "bin/bandit", line 8, in <module>
        sys.exit(main())
      File "lib/python3.10/site-packages/bandit/cli/main.py", line 455, in main
        b_conf = b_config.BanditConfig(config_file=args.config_file)
      File "lib/python3.10/site-packages/bandit/core/config.py", line 45, in __init__
        raise utils.ConfigError(
    TypeError: ConfigError.__init__() missing 1 required positional argument: 'config_file'
- 1ed7906 Add 1.7.4 in issue template (PyCQA#846)
  Add an option for version 1.7.4 in the bug report in preparation for a new release of 1.7.4 afterwards.
Commits on Mar 5, 2022
- af06609 Add an example screen shot of Bandit to README (PyCQA#847)
  To help let users know what Bandit looks like in action, this commit includes a screen shot of a terminal having run Bandit to detect a sample issue.
  Signed-off-by: Eric Brown <browne@vmware.com>
- 808bac2 Bad link to screen shot (PyCQA#848)
  bandit-term.png should be bandit-terminal.png
Commits on Mar 6, 2022
- a65c5b6 Use a constant for weak hashes (PyCQA#850)
  Small change to have a variable that has the set of weak hashes.
  Signed-off-by: Eric Brown <browne@vmware.com>
- 29bc186 Group location line with code output (PyCQA#822)
  Currently for the screen and text formatters there is a More Info line in between the Location line and the code snippet lines. This change puts the Location with the code snippet as a more logical grouping of code location information.
  Signed-off-by: Eric Brown <browne@vmware.com>
Fix line range using Python 3.8 end_lineno (PyCQA#821)
Python 3.8 and above have new ast node attributes to identify the end line number and end column offset [1]. Python 3.8 also fixes line numbers for multiline strings [2]. This fixes the issue mentioned in PyCQA#820, but only for Python 3.8+. [1] https://docs.python.org/3.8/library/ast.html#ast.AST.end_lineno [2] https://bugs.python.org/issue31241 Signed-off-by: Eric Brown <browne@vmware.com>
Commit 1c0fc80
Commits on Mar 9, 2022
-
Add classifier to indicate Py3 only (PyCQA#853)
PyPI has a classifier to specifically state that only Python 3.x is supported (as opposed to 2.x). https://pypi.org/pypi?%3Aaction=list_classifiers
Commit 8379bcc
Commits on Mar 19, 2022
-
Removal of blacklist call B309 httpsconnection (PyCQA#858)
This check existed because of insufficient checking of certificates when using httpsconnection. Since 3.4.3, this has been fixed. And since Bandit supports 3.7+, there is no longer a need to scan for this. Closes PyCQA#857 Signed-off-by: Eric Brown <browne@vmware.com>
Commit 130a467
-
Remove blacklist call check for os.tempnam (PyCQA#859)
This removes the check for the non-existent functions os.tempnam() and os.tmpnam(). These functions were removed in Python 3.0, so Bandit no longer needs to scan for them since our minimum version is 3.7. Signed-off-by: Eric Brown <browne@vmware.com>
Commit dd423ff
Commits on Mar 20, 2022
-
Indicate hash type in message (PyCQA#860)
Instead of a message telling the user the possible weak hashlib functions in use, this change indicates to the user the exact hash that is being used. Signed-off-by: Eric Brown <browne@vmware.com>
Commit 4d93e8a
Commits on Mar 21, 2022
-
Add the httpx module check for verify (PyCQA#861)
The httpx module functions very similarly to requests in that there is a verify argument to indicate whether to verify the certificate of the host it's connecting with. As such, this plugin has been modified to include httpx in addition to requests for cases where verify=False. Signed-off-by: Eric Brown <browne@vmware.com>
Commit dd14b8f
Commits on Mar 23, 2022
-
Add doc for hashlib plugin (PyCQA#862)
The hashlib_insecure_functions module is missing documentation. More than likely this is a result of having checks in blacklist for hashlib and also a plugin. The blacklists have a reserved Id range of 3xx, which is what this plugin is using. Near term, this change publishes a page for B324 hashlib plugin. Longer term, the bandit Id should be migrated out of the 3xx group to something more appropriate. Closes PyCQA#559 Signed-off-by: Eric Brown <browne@vmware.com>
Commit 4d4358b
Commits on Mar 25, 2022
-
Make use of rich for the progress bar (PyCQA#863)
The module rich has an excellent and versatile implementation of a progress bar for Python code. Bandit has an existing custom progress indicator. This change makes use of rich for a more visually pleasing progress bar and more informational by including metrics. The downside is that this does add another dependency. But I think it can be useful in the future when implementing multi-process processing of source code since rich is well adapted for that. https://github.com/Textualize/rich Signed-off-by: Eric Brown <browne@vmware.com>
Commit af9f8dc
-
Replace `toml` with `tomli` (PyCQA#829)
* Replace `toml` with `tomli`
* Only require `tomli` on Python < 3.11
* Update test-requirements.txt
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
Commit 5a8f105
Commits on Mar 26, 2022
-
Fix up B109 and B111 removed plugins docs (PyCQA#864)
The B109 and B111 plugins were removed in 1.5.0 and the docs only referenced them for historical information. This change fixes the titles to be what they were originally and adds the complete doc and indicates deprecated and removed in 1.5.0. Closes PyCQA#367 Signed-off-by: Eric Brown <browne@vmware.com>
Commit def9928
Commits on Mar 28, 2022
-
add check for "requests" calls without timeout (PyCQA#743)
* add check for "requests" calls without timeout
* change request_without_timeout confidence to low
* Update bandit/plugins/request_without_timeout.py
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* Update bandit/plugins/request_without_timeout.py
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* Update doc/source/plugins/b113_request_without_timeout.rst
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* Update doc/source/plugins/b113_request_without_timeout.rst
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* Update bandit/plugins/request_without_timeout.py
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
* remove utf-8
* fix confidence in comment
* Apply suggestions from code review
* Update issue.py
* Apply suggestions from code review
* Apply suggestions from code review
* Apply suggestions from code review
* Apply suggestions from code review
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
Commit 5ff73ff
Commits on Apr 1, 2022
-
Fix for build breaks in format job (PyCQA#869)
This change bumps the version of Black in use to fix the errors seen coming out of the format build step. See psf/black#2964 Signed-off-by: Eric Brown <browne@vmware.com>
Commit 7c39add
-
Add license and contributing links to docs (PyCQA#867)
* Fix for build breaks in format job
This change bumps the version of Black in use to fix the errors seen coming out of the format build step. See psf/black#2964
Signed-off-by: Eric Brown <browne@vmware.com>
* Add license and contributing links to docs
As requested in issue PyCQA#617, include the license in a section of the main page of the readthedocs site. Also included are links to the source code repository and the issue tracker.
Closes PyCQA#617
Signed-off-by: Eric Brown <browne@vmware.com>
Commit c166855
Commits on Apr 2, 2022
-
Remove redundant word Bandit in titles of sections (PyCQA#873)
We don't need the word "Bandit" prefixed to each of these section titles:
* Bandit Test Plugins
* Bandit Blacklist Plugins
* Bandit Report Formatters
Signed-off-by: Eric Brown <browne@vmware.com>
Commit 05707b3
-
Add request for feedback via 👍 (PyCQA#871)
This change encourages users to give a 👍 if they really like a particular feature.
Commit b177a3e
-
Add a Discord link to the docs (PyCQA#870)
This change adds a Discord link to our docs in the contributing section so users know where they can reach out for questions and discussion. Closes PyCQA#775 Signed-off-by: Eric Brown <browne@vmware.com>
Commit 83df96c
-
Adding logging.config.listen() plugin with examples (PyCQA#874)
* Adding logging.config.listen() plugin with examples
* Minor changes from the review
* Reorder imports
* Formatting changes
* Another formatting change
Co-authored-by: Rajesh Pangare <raj3shp@groundzer0.local>
Commit d2fa394
Commits on Apr 7, 2022
-
It seems that ghugo is no longer a valid user on GitHub. Also ghugo hasn't been active in the Bandit community in a long while. Therefore, this change will remove the user. Unknown owner on line 1: make sure @ghugo exists and has write access to the repository
Commit d343053
Commits on Apr 18, 2022
-
Remove redundant pip line (PyCQA#884)
The getting started doc informs the user how to install Bandit via pip. However, it gives instructions to use pip and pip3. Bandit is only supported on Python 3.x now. Also, it's less common to use pip3 when using convenience modules like pyenv. Therefore, this change leaves just the pip line.
Commit cd26ded
Commits on Apr 24, 2022
-
Corrected documentation on configuration (PyCQA#868)
* .bandit is INI file
* Describe how to make Bandit read an INI file
* Remove descriptions about "profile"
"Profile" is deprecated, legacy and undocumented. Note: descriptions about profile are still in man pages or help messages.
* Revert "Remove descriptions about "profile""
This reverts commit c4b2d52.
Commit a2ac371
-
Commit 87ecc40
Commits on Apr 28, 2022
-
Add myself to sponsor list (PyCQA#885)
This change adds myself as a person to sponsor via the GitHub sponsorship program.
Commit 9bbb46a
Commits on May 1, 2022
-
Add Discord link to README (PyCQA#875)
Alert contributors to where on Discord they can reach out for questions and such
Commit 8419fb6
Commits on May 4, 2022
-
Update action versions in Actions workflows (PyCQA#890) (PyCQA#893)
* Update action versions in Actions workflows (PyCQA#890)
* Increase fetch depth of checkout for `pep8` job
Commit 80eebd5
-
Add dependency review action (PyCQA#891)
This change adds a new GitHub Action that can check for a dependency that has known vulnerabilities being introduced via the pull request. https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Commit c6b3db7
Commits on May 9, 2022
-
Commit cc82cec
-
Test plugin listing incorrectly pointing b612 to plugin ref of b1022 (PyCQA#897)
Co-authored-by: Raj <rsoundar@espressive.com>
Commit 0e3f6e7
Commits on May 15, 2022
-
Make small fixes in docs (PyCQA#899)
* add missing `code-block` RST directives and/or surrounding blank lines
* fix issue ID in `b508_snmp_weak_cryptography.rst` filename
* fix outdated example filename in docstring of `injection_sql.py`
Commit 7104b33
Commits on May 18, 2022
-
Specify semver range for Python 3.11 (PyCQA#901)
This change allows GitHub Actions to automatically pick the most recent version of Python 3.11, including pre-releases.
Commit 9705a71
Commits on May 24, 2022
-
Add another bad example of yaml load (PyCQA#905)
The yaml module supports passing the Loader of choice. Passing yaml.Loader is considered unsafe. This commit adds that example and ensures Bandit detects it. Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Commit 232d52d
Commits on Jun 13, 2022
-
Commit 0f5d2b2
Commits on Jun 17, 2022
-
Update version of dependency-review-action (PyCQA#911)
New major release of this action: https://github.com/actions/dependency-review-action/releases/tag/v2.0.0
Commit 44c05fc
Commits on Jun 25, 2022
-
Avoid redundant message if debug on (PyCQA#913)
Only print the message to use "--debug" if debug logging is not already turned on. Closes PyCQA#883 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Commit e15fe9b
Commits on Jun 27, 2022
-
Remove invalid checking on hashlib (PyCQA#914)
* hashlib does not support name as the kwargs argument
* 'string' is not a keyword of kwargs
Fixes PyCQA#865
Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Commit 0b56c57
Commits on Jul 3, 2022
-
Add some missing curve types (PyCQA#920)
The weak_cryptographic_key plugin is missing some various elliptical curve types. Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Commit 5aae21e
Commits on Jul 7, 2022
-
add jsonpickle deserialization blacklist (PyCQA#707)
* add jsonpickle deserialization blacklist
add jsonpickle deserialization blacklist
* Update calls.py
* Update test_functional.py
* Create jsonpickle.py
Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
Commit 9832461
-
Fix reading the number argument from config file (PyCQA#923)
* Fix reading the number argument from config file
When passing the "number" option from the INI file we did not take into account to store its value as an integer (when that value is not None).
Resolves: PyCQA#922
* Implement a cleaner fix
We use the "or" boolean operation to have a cleaner implementation of the solution.
Commit 39cdfab
Commits on Jul 8, 2022
-
Add end_col_offset if available (PyCQA#851)
Python 3.8 and above include an end_col_offset attribute on nodes to indicate the end column offset of the node. If available, Bandit should include end_col_offset for more clarity on the column range where the issue was found. Signed-off-by: Eric Brown <browne@vmware.com>
Commit da58ceb
-
Commit 715a459