tylerwince / flake8-bandit


Automated security testing using bandit and flake8.

License: MIT License

Python 100.00%
bandit flake8 security security-automation security-tools static-code-analysis vulnerability-detection

Contributors: jugmac00, leestarb, lsorber, mislink, nastra, nndii, q0w, sathieu, shapiromatron, skwashd, tylerwince

flake8-bandit's Issues

Support `nosec` comments

Currently if one wants to skip a bandit message for "raw" bandit checks (using the bandit executable) in addition to ones done via flake8-bandit, both the noqa and nosec comments need to be used. For example:

assert True  # noqa: S101 # nosec: B101

The noqa: S101 is required for flake8 to not flag the use of assert, but that's not enough for "raw" bandit. For that the nosec: B101 is needed. But that has no effect on flake8-bandit, so both are needed.

Would be good if the nosec comment was enough for both, maybe flake8-bandit can do something about it?
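As an added illustration of what honouring both directives would involve (example code written for this page, not flake8-bandit's own implementation): the parser below accepts flake8's `# noqa[: CODES]` form and bandit's `# nosec` form, maps bandit's `Bnnn` test ids to the `Snnn` codes flake8-bandit reports, and answers whether a finding on that line is suppressed. The accepted `nosec` spellings (`# nosec`, `# nosec B101`, `# nosec: B101,B102`) are an assumption for this example.

```python
import re
from typing import Optional, Set

# flake8 form: "# noqa" (blanket) or "# noqa: S101" / "# noqa: S101, E501"
NOQA_RE = re.compile(
    r"#\s*noqa(?::\s*(?P<codes>[A-Z]+[0-9]+(?:[,\s]+[A-Z]+[0-9]+)*))?",
    re.IGNORECASE,
)
# bandit form (spellings assumed for this example): "# nosec", "# nosec B101",
# "# nosec: B101,B102"
NOSEC_RE = re.compile(
    r"#\s*nosec(?:[:\s]+(?P<codes>B[0-9]+(?:[,\s]+B[0-9]+)*))?",
    re.IGNORECASE,
)


def parse_directive(line: str, pattern: re.Pattern) -> Optional[Set[str]]:
    """None: directive absent. Empty set: blanket form. Otherwise the listed codes."""
    match = pattern.search(line)
    if match is None:
        return None
    codes = match.group("codes")
    if not codes:
        return set()
    return {c.upper() for c in re.split(r"[,\s]+", codes.strip()) if c}


def bandit_to_flake8(code: str) -> str:
    """flake8-bandit reports bandit's Bnnn test ids as Snnn codes."""
    code = code.upper()
    return "S" + code[1:] if code.startswith("B") else code


def is_suppressed(line: str, flake8_code: str) -> bool:
    """True if a finding with this flake8 code is silenced by either directive."""
    flake8_code = flake8_code.upper()
    noqa = parse_directive(line, NOQA_RE)
    if noqa is not None and (not noqa or flake8_code in noqa):
        return True
    nosec = parse_directive(line, NOSEC_RE)
    if nosec is not None:
        if not nosec:
            return True
        return flake8_code in {bandit_to_flake8(c) for c in nosec}
    return False
```

Blanket forms (`# noqa`, `# nosec`) silence everything on the line, which is why a reviewer will usually prefer the code-qualified spelling: a blanket suppression keeps hiding findings that were added after the comment was written.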

This plugin fails to parse files with unicode on windows

Reproduction steps:

  1. Use windows
  2. Install flake8-bandit
  3. Create a python file with print('Привет, бандиты!') unicode contents
  4. Try to run flake8 your_file.py

It will fail with something like this:

c:\users\appveyor\appdata\local\pypoetry\cache\virtualenvs\wemake-python-styleguide-py3.6\lib\site-packages\flake8\checker.py:451: in run_check
    return plugin["plugin"](**arguments)
c:\users\appveyor\appdata\local\pypoetry\cache\virtualenvs\wemake-python-styleguide-py3.6\lib\site-packages\flake8_bandit.py:35: in __init__
    self._load_source()
c:\users\appveyor\appdata\local\pypoetry\cache\virtualenvs\wemake-python-styleguide-py3.6\lib\site-packages\flake8_bandit.py:73: in _load_source
    self.source = f.read()
C:\Python36\lib\encodings\cp1252.py:23: in decode
    return codecs.charmap_decode(input,self.errors,decoding_table)[0]
E   UnicodeDecodeError: 'charmap' codec can't decode byte 0x81 in position 14170: character maps to <undefined>

Original issue: wemake-services/wemake-python-styleguide#337
Log: https://ci.appveyor.com/project/wemake-services/wemake-python-styleguide/build/job/185lp386ce91jtsy

S608: false positive

        print(dedent(
            r"""
            The local repository has been prepared. The repository can be updated using:

              univention-repository-update net

            The local host has been modified to use this local repository.  Other hosts
            must be re-configured by setting the Univention Configuration Registry (UCR)
            variable 'repository/online/server' to the FQDN of this host.

              ucr set repository/online/server="%(hostname)s.%(domainname)s"

            The setting is best set in a domain by defining UCR Policies, which
            set this variable on all hosts using this repository server. For example:

              udm policies/repositoryserver create \
                --position "cn=repository,cn=update,cn=policies,%(ldap/base)s" \
                --set name="%(hostname)s repository" \
                --set repositoryServer="%(hostname)s.%(domainname)s"
              udm container/dc modify \
                --dn "%(ldap/base)s" \
                --policy-reference "cn=%(hostname)s repository,cn=repository,cn=update,cn=policies,%(ldap/base)s"
            """ % configRegistry))

is flagged as S608, which is a false positive.
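S608 is bandit's B608 check for SQL statements assembled from string formatting; it inspects how a string is built, not whether it ever reaches a database driver, which is why a help text like the one above can trip it. What the check is actually protecting against is shown in this added example (not from the issue), using sqlite3 and a constructed in-memory table: the formatted variant breaks as soon as the value contains a quote, while parameter binding hands the value to the driver separately from the statement.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str]


def open_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_formatted(conn: sqlite3.Connection, name: str) -> List[Row]:
    """The shape S608 targets: SQL text assembled from a value with %-formatting.
    The value is spliced into the statement, so any quote in it changes the SQL."""
    query = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str) -> List[Row]:
    """Parameter binding: the driver carries the value apart from the statement,
    so it is compared as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str) -> Tuple[str, List[Row]]:
    """Run both variants for one input: report how the formatted query fares
    ("ok:<rows>" or "error:<exception>") and what the bound query returns."""
    conn = open_db()
    try:
        try:
            outcome = "ok:%d" % len(lookup_formatted(conn, name))
        except sqlite3.Error as exc:
            outcome = "error:%s" % type(exc).__name__
        return outcome, lookup_bound(conn, name)
    finally:
        conn.close()
```

For the help text in the report, nothing of the kind applies: the string is printed, never executed, so the finding is documented and suppressed with `# noqa: S608` rather than "fixed".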

Crashes with flake8 5

 Traceback (most recent call last):
  File "/home/runner/work/autosuspend/autosuspend/.tox/check/lib/python3.9/site-packages/flake8/plugins/finder.py", line 296, in _load_plugin
    obj = plugin.entry_point.load()
  File "/opt/hostedtoolcache/Python/3.9.13/x64/lib/python3.9/importlib/metadata.py", line 86, in load
    module = import_module(match.group('module'))
  File "/opt/hostedtoolcache/Python/3.9.13/x64/lib/python3.9/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1030, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1007, in _find_and_load
  File "<frozen importlib._bootstrap>", line 986, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 680, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 850, in exec_module
  File "<frozen importlib._bootstrap>", line 228, in _call_with_frames_removed
  File "/home/runner/work/autosuspend/autosuspend/.tox/check/lib/python3.9/site-packages/flake8_bandit.py", line 10, in <module>
    from flake8.options.config import ConfigFileFinder
ImportError: cannot import name 'ConfigFileFinder' from 'flake8.options.config' (/home/runner/work/autosuspend/autosuspend/.tox/check/lib/python3.9/site-packages/flake8/options/config.py)

Incorrect choice of encoding Cyrillic characters resulting in UnicodeDecodeError

Description

I have:

  • Windows 10
  • Clean conda Python 3.6 env

I ran
pip install flake8-bandit

and got
Successfully installed GitPython-2.1.11 PyYAML-3.13 bandit-1.5.1 flake8-3.5.0 flake8-bandit-1.0.2 flake8-polyfill-1.0.2 gitdb2-2.0.4 mccabe-0.6.1 pbr-4.3.0 pycodestyle-2.3.1 pyflakes-1.6.0 six-1.11.0 smmap2-2.0.4 stevedore-1.29.0

I have a Python module with the following contents:

# -*- coding: UTF-8 -*-
"""Module docstring."""
print('hello') # э

I run
flake8 C:\Development\Flake8PluginDev\foo.py

an error is produced.

(BanditDebug) C:\Users\user>flake8 C:\Development\Flake8PluginDev\foo.py
Traceback (most recent call last):
  File "c:\anaconda3\envs\banditdebug\lib\runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "c:\anaconda3\envs\banditdebug\lib\runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "C:\Anaconda3\envs\BanditDebug\Scripts\flake8.exe\__main__.py", line 9, in <module>
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\main\cli.py", line 16, in main
    app.run(argv)
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\main\application.py", line 396, in run
    self._run(argv)
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\main\application.py", line 384, in _run
    self.run_checks()
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\main\application.py", line 310, in run_checks
    self.file_checker_manager.run()
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\checker.py", line 321, in run
    self.run_serial()
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\checker.py", line 305, in run_serial
    checker.run_checks()
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\checker.py", line 579, in run_checks
    self.run_ast_checks()
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\checker.py", line 486, in run_ast_checks
    checker = self.run_check(plugin, tree=ast)
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\checker.py", line 435, in run_check
    return plugin['plugin'](**arguments)
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8_bandit.py", line 35, in __init__
    self._load_source()
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8_bandit.py", line 73, in _load_source
    self.source = f.read()
  File "c:\anaconda3\envs\banditdebug\lib\encodings\cp1252.py", line 23, in decode
    return codecs.charmap_decode(input,self.errors,decoding_table)[0]
UnicodeDecodeError: 'charmap' codec can't decode byte 0x8d in position 68: character maps to <undefined>

To Reproduce

If I have

# -*- coding: UTF-8 -*-
"""Module docstring."""
print('hello') # й

I run
flake8 C:\Development\Flake8PluginDev\foo.py

and get
C:\Development\Flake8PluginDev\foo.py:3:15: E261 at least two spaces before inline comment

It works fine.

Now if we change the Cyrillic # й comment into either the # э, # я, or # с (with all three characters typed with Russian keyboard layout, mind Russian C) and run
flake8 C:\Development\Flake8PluginDev\foo.py

an error is produced.

It seems that bandit has problems with only three Russian letters, эяс, because when running flake8 with a comment containing all Russian letters except эяс, it works fine:

# -*- coding: UTF-8 -*-
"""Module docstring."""
print('hello') # йцукенгшщзхъфывапролджё

Expected behavior
Bandit should handle all Cyrillic characters without throwing a UnicodeDecodeError.

Bandit version

(BanditDebug) C:\Users\user>bandit --version
bandit 1.5.1
  python version = 3.6.6 |Anaconda, Inc.| (default, Jun 28 2018, 11:21:07) [MSC v.1900 32 bit (Intel)]

flake8          3.5.0
flake8-bandit   1.0.2
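The two Windows reports above (the earlier "fails to parse files with unicode on windows" issue and this one) are the same defect, and the "only э, я and с" observation is explained by the cp1252 table: in UTF-8 those letters end in bytes 0x8D, 0x8F and 0x81, which cp1252 leaves undefined, whereas the trailing bytes of the other letters in the reporter's comment all map to some cp1252 character, so reading them with the wrong codec silently yields mojibake instead of raising. The added example below (not the plugin's code) reproduces the failure deterministically by forcing cp1252, and shows the fix a plugin can apply: read source with `tokenize.open()`, which applies PEP 263 (BOM, coding cookie, UTF-8 default) exactly as the interpreter does. The three-line module is constructed from the report.

```python
import os
import tempfile
import tokenize
from typing import List, Tuple

# The byte values the cp1252 codec leaves undefined; decoding any of them raises
# UnicodeDecodeError: 'charmap' codec can't decode byte 0x.. ... maps to <undefined>
CP1252_UNDEFINED = {0x81, 0x8D, 0x8F, 0x90, 0x9D}


def cp1252_breaking_chars(text: str) -> List[str]:
    """Characters whose UTF-8 bytes include one that cp1252 cannot decode at all.
    Every other Cyrillic letter decodes under cp1252 to mojibake without raising,
    which is why only some letters looked like 'the problem' in the report."""
    return [ch for ch in text if any(b in CP1252_UNDEFINED for b in ch.encode("utf-8"))]


def load_source_default(path: str, encoding: str) -> str:
    """The failing pattern: open() with the platform default codec (cp1252 on the
    reporter's Windows box). The codec is passed explicitly here so the failure
    reproduces on any platform."""
    with open(path, encoding=encoding) as f:
        return f.read()


def load_source(path: str) -> str:
    """The fix: tokenize.open() applies PEP 263 (BOM / coding cookie, UTF-8 default),
    the same rule the compiler uses, so the plugin sees the text the compiler sees."""
    with tokenize.open(path) as f:
        return f.read()


def demo() -> Tuple[bool, bool]:
    """Write the reporter's module (constructed here) and read it both ways.
    Returns (default_decode_failed, pep263_decode_matches_source)."""
    source = "# -*- coding: UTF-8 -*-\n\"\"\"Module docstring.\"\"\"\nprint('hello') # э\n"
    fd, path = tempfile.mkstemp(suffix=".py")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(source)
        try:
            load_source_default(path, "cp1252")
            default_failed = False
        except UnicodeDecodeError:
            default_failed = True
        return default_failed, load_source(path) == source
    finally:
        os.unlink(path)
```

`tokenize.open()` is also the reading rule a linter wants for security reasons: the text it analyses is guaranteed to be the text the interpreter will compile, so an encoding mismatch cannot make the checker and the runtime disagree about a file's contents.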

New release on PyPI

A new release on PyPI would be very welcome, so we can use the fixed flake8-bandit compatible with the newest version of bandit.

[Request] Would it be possible to make a new release to PyPI?

I have noticed that the project currently says it is on version 4.1.0, and there is a tag and GitHub release with the same name, but there hasn't been a release on PyPI since 3.0.0.

There seems to be a release CI setup, but it hasn't really worked, from a quick look at the past runs. I will try to see in the following days whether anything needs to be done to fix it (if it's even broken).

Making this quick issue to bring it to your attention :)

Unable to find qualified name for module: file.py

Hi,

since version 3.0.0, I get the error Unable to find qualified name for module: file.py when I run flake8.

How to reproduce

  • Directory Structure:
test/
└── file.py

file.py:

import numpy as np

print("Oh no!")
  • Expected Result:
> flake8 .
./file.py:1:1: F401 'numpy as np' imported but unused

running flake8 . actually works:

  • Actual Result:
> flake8 file.py
Unable to find qualified name for module: file.py
file.py:1:1: F401 'numpy as np' imported but unuse

Running flake8 file.py does not work. As you can see, flake8 throws Unable to find qualified name for module: file.py.

  • Additional information:
    • when I remove flake8-bandit from my environment, the error disappears
    • I'm using flake8 4.0.1 and flake8-bandit 3.0.0.

I'm looking forward to your reply.

C

2.1.2 version tag doesn't exist

Hi,

I've just created a package for Archlinux but it's blocked at the version 2.1.0. I use the GitHub release system based on tags for downloading an archive of the last tagged version. But it seems the last version on PyPI is 2.1.2 and you haven't tagged it in your repo.

Could you, please, tag the commit corresponding to the version 2.1.2?

Thank you in advance and in any case thank you for your work.

Bandit 1.7.3 addition of new positional argument ``fdata`` causes ``TypeError``

I've been using the flake8-bandit plugin. But recently, a new positional argument fdata was added to the BanditNodeVisitor function in version 1.7.3, causing a TypeError as follows

multiprocessing.pool.RemoteTraceback: 
"""
Traceback (most recent call last):
  File "/mnt/home/liurenmi/software/anaconda3/envs/geneplexus/lib/python3.8/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8/checker.py", line 687, in _run_checks
    return checker.run_checks()
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8/checker.py", line 597, in run_checks
    self.run_ast_checks()
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8/checker.py", line 500, in run_ast_checks
    for (line_number, offset, text, _) in runner:
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8_bandit.py", line 85, in run
    for warn in self._check_source():
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8_bandit.py", line 59, in _check_source
    bnv = BanditNodeVisitor(
TypeError: __init__() missing 1 required positional argument: 'metrics'
"""

Would it be possible to make a patch for this?

Multiple test failures on Python 3.8

FAILED tests/test_bandit.py::test_outputs[binding.py-4-S104 Possible binding to all interfaces.] - UnboundLocalError: local variable 'idx...
FAILED tests/test_bandit.py::test_outputs[hardcoded-passwords.py-5-S105 Possible hardcoded password: 'root'] - assert False
FAILED tests/test_bandit.py::test_outputs[hardcoded-passwords.py-9-S105 Possible hardcoded password: ''] - assert False
FAILED tests/test_bandit.py::test_outputs[hardcoded-passwords.py-13-S105 Possible hardcoded password: 'ajklawejrkl42348swfgkg'] - assert ...
FAILED tests/test_bandit.py::test_outputs[hardcoded-passwords.py-23-S105 Possible hardcoded password: 'blerg'] - assert False
FAILED tests/test_bandit.py::test_outputs[hardcoded-passwords.py-24-S105 Possible hardcoded password: 'blerg'] - assert False
FAILED tests/test_bandit.py::test_outputs[hardcoded-passwords.py-26-S105 Possible hardcoded password: 'secret'] - assert False
FAILED tests/test_bandit.py::test_outputs[hardcoded-passwords.py-27-S105 Possible hardcoded password: 'emails_secret'] - assert False
FAILED tests/test_bandit.py::test_outputs[hardcoded-passwords.py-28-S105 Possible hardcoded password: 'd6s$f9g!j8mg7hw?n&2'] - assert False
FAILED tests/test_bandit.py::test_outputs[hardcoded-passwords.py-29-S105 Possible hardcoded password: '1234'] - assert False
FAILED tests/test_bandit.py::test_outputs[hardcoded-tmp.py-1-S108 Probable insecure usage of temp file/directory.] - UnboundLocalError: l...
FAILED tests/test_bandit.py::test_outputs[hardcoded-tmp.py-8-S108 Probable insecure usage of temp file/directory.] - UnboundLocalError: l...
FAILED tests/test_bandit.py::test_outputs[hardcoded-tmp.py-11-S108 Probable insecure usage of temp file/directory.] - UnboundLocalError: ...
FAILED tests/test_bandit.py::test_outputs[os-chmod-py3.py-15-S108 Probable insecure usage of temp file/directory.] - assert False
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-4-S608 Possible SQL injection vector through string-based query construction.]
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-5-S608 Possible SQL injection vector through string-based query construction.]
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-6-S608 Possible SQL injection vector through string-based query construction.]
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-7-S608 Possible SQL injection vector through string-based query construction.]
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-9-S608 Possible SQL injection vector through string-based query construction.]
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-11-S608 Possible SQL injection vector through string-based query construction.]
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-12-S608 Possible SQL injection vector through string-based query construction.]
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-15-S608 Possible SQL injection vector through string-based query construction.]
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-16-S608 Possible SQL injection vector through string-based query construction.]
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-17-S608 Possible SQL injection vector through string-based query construction.]
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-18-S608 Possible SQL injection vector through string-based query construction.]
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-20-S608 Possible SQL injection vector through string-based query construction.]
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-21-S608 Possible SQL injection vector through string-based query construction.]
FAILED tests/test_bandit.py::test_outputs[sql_statements.py-35-S608 Possible SQL injection vector through string-based query construction.]

"'ExceptHandler' object has no attribute 'depth'"

With Python 3.7 on Ubuntu 16.04, flake8-bandit will fail on the following test script:

def test():
    try:
        a = A()
        a = A()
    except A:
        pass

with the following output:

"pyflakes" failed during execution due to "'ExceptHandler' object has no attribute 'depth'"
Run flake8 with greater verbosity to see more details

Verbose doesn't help with finding out any additional info:
https://hastebin.com/suxebuxebo.txt

This issue only occurs with flake8-bandit installed, and occurs with all versions after 1.0.2. Pinning to 1.0.2 does not cause the same issue, but this isn't a great resolution.

I have tried reproducing the issue on an arch based environment without luck, as it only seems to occur on Ubuntu 16.04.

Pass configuration to bandit

Thanks for putting this together - was just about to start something similar.

What do you think about adding the ability to pass configuration (exclude files, recursive, etc.) from the flake configuration?

AttributeError on the tempfile

Investigate this:

multiprocessing.pool.RemoteTraceback: 
"""
Traceback (most recent call last):
  File "/usr/local/Cellar/python3/3.6.3/Frameworks/Python.framework/Versions/3.6/lib/python3.6/multiprocessing/pool.py", line 119, in worker
    result = (True, func(*args, **kwds))
  File "/usr/local/lib/python3.6/site-packages/flake8/checker.py", line 648, in _run_checks
    return checker.run_checks()
  File "/usr/local/lib/python3.6/site-packages/flake8/checker.py", line 579, in run_checks
    self.run_ast_checks()
  File "/usr/local/lib/python3.6/site-packages/flake8/checker.py", line 493, in run_ast_checks
    for (line_number, offset, text, check) in runner:
  File "/Users/tyler/repos/flake8-bandit/flake8_bandit.py", line 56, in run
    for error in self._check_source():
  File "/Users/tyler/repos/flake8-bandit/flake8_bandit.py", line 50, in _check_source
    if self.tempfile:
AttributeError: 'BanditTester' object has no attribute 'tempfile'
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/local/bin/flake8", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/site-packages/flake8/main/cli.py", line 16, in main
    app.run(argv)
  File "/usr/local/lib/python3.6/site-packages/flake8/main/application.py", line 396, in run
    self._run(argv)
  File "/usr/local/lib/python3.6/site-packages/flake8/main/application.py", line 384, in _run
    self.run_checks()
  File "/usr/local/lib/python3.6/site-packages/flake8/main/application.py", line 310, in run_checks
    self.file_checker_manager.run()
  File "/usr/local/lib/python3.6/site-packages/flake8/checker.py", line 319, in run
    self.run_parallel()
  File "/usr/local/lib/python3.6/site-packages/flake8/checker.py", line 288, in run_parallel
    for ret in pool_map:
  File "/usr/local/Cellar/python3/3.6.3/Frameworks/Python.framework/Versions/3.6/lib/python3.6/multiprocessing/pool.py", line 735, in next
    raise value
AttributeError: 'BanditTester' object has no attribute 'tempfile'

S601 for sanitized command

I'm getting flagged for S601 on the following code even though I've added sanitization of the command.

from paramiko import SSHClient
from shlex import join as shlex_join  # alias fixed: "as shlex.join" is not valid Python
...
class RemoteConnectionClass:
    ...

    def _create_ssh_client_conn(self, dbs_name: str, ssh_client=SSHClient) -> SSHClient:
        """Create, connect, and return ssh client."""
        ssh_client = ssh_client()
        ...
        return ssh_client
    
    def run_cmd(self, cmd: list[str], target_node: str, output_as_list=False,
                 std_out_timeout=DEFAULT_TIMEOUT) -> (str or [str], int):
        ssh_client = self._create_ssh_client_conn(target_node)

        # S601 is flagged for the following line
        std_in, std_out, std_err = ssh_client.exec_command(shlex_join(cmd))

        std_out.channel.settimeout(std_out_timeout)
        exit_code = std_out.channel.recv_exit_status()
        output = std_out.readlines() if output_as_list else std_out.read().decode()
        return output, exit_code

python 3.10.0 on macos Ventura 13.0.1
paramiko 2.9.5

Is there a recognized sanitization, or do I have to comment it with # noqa: S601 because it is already sanitized?

Thanks,

Dave
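Bandit's S601 (bandit B601) keys on the paramiko `exec_command` call itself, not on how its argument was built, so no quoting routine will make the finding disappear. The review question is whether every element of `cmd` comes from a trusted or validated source; once that is established, `# noqa: S601` with a comment stating why is the documented route. What `shlex.join` does buy is shown in this added example (not from the thread): each element becomes exactly one word for a remote POSIX shell, which the code verifies with a split round-trip. The sample argv is constructed for the demonstration.

```python
import shlex
from typing import List


def build_remote_command(argv: List[str]) -> str:
    """Join argv into one command line for a remote POSIX shell, one word per element.

    shlex.join() wraps every element containing shell-special characters in single
    quotes, so metacharacters inside a value (spaces, $(...), ;, |) reach the remote
    program as literal text instead of being interpreted by the shell. This assumes
    the remote login shell is POSIX; cmd.exe or PowerShell quote differently.
    """
    if not argv or not all(isinstance(a, str) for a in argv):
        raise TypeError("argv must be a non-empty list of str")
    if any("\x00" in a for a in argv):
        raise ValueError("NUL byte in argument")
    command = shlex.join(argv)
    # Self-check: a POSIX shell splitting this line must recover exactly argv.
    if shlex.split(command) != argv:
        raise AssertionError("quoting did not round-trip: %r" % command)
    return command


def preserves_argv(argv: List[str]) -> bool:
    """The round-trip property as a yes/no check, swallowing the validation errors."""
    try:
        return shlex.split(build_remote_command(argv)) == argv
    except (TypeError, ValueError, AssertionError):
        return False
```

Quoting protects the boundary between words; it says nothing about which program is run. `argv[0]` therefore still needs to come from an allowlist in the calling code, which is the kind of evidence a `# noqa: S601` comment should point at.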

Meaningless error S113

If I have a class with a get method like this, for example:

class Example:
    def get() -> str:
        return "TEST"

And then a test like the following:

import unittest
from unittest import mock

class TestGet(unittest.IsolatedAsyncioTestCase):
    async def test_get(self) -> None:
        with mock.patch("method", return_value=Example.get()):
            self.assertEqual(True, True)

I get error S113 marking the following line with mock.patch("method", return_value=Example.get()):

I understand that this is a meaningless error, so that validation should be improved so that it does not mark things that are not...
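S113 corresponds to bandit's B113, the "request without timeout" check, and the report above shows it matching `Example.get()` by method name alone. The following added example (not bandit's code) implements the same kind of AST check in two forms, a naive one that matches on the method name and a receiver-aware one that also requires the receiver to be `requests`, and runs both over a constructed module that contains the reporter's `Example.get()` pattern next to a genuine finding.

```python
import ast
from typing import List, Optional, Tuple

# Method names that the requests API uses for HTTP verbs.
HTTP_VERBS = {"get", "post", "put", "patch", "delete", "head", "options", "request"}

# Constructed input module: a real finding (line 11), a compliant call (line 15)
# and the reporter's mock.patch(..., return_value=Example.get()) pattern (line 19).
SAMPLE = """\
import requests
from unittest import mock


class Example:
    def get() -> str:
        return "TEST"


def fetch(url):
    return requests.get(url)


def fetch_with_timeout(url):
    return requests.get(url, timeout=5)


def test_get():
    with mock.patch("method", return_value=Example.get()):
        pass
"""


def qualified_name(func: ast.expr) -> Optional[str]:
    """'requests.get' for requests.get, 'Example.get' for Example.get; None for anything
    that is not a plain dotted name (e.g. a call on the result of another call)."""
    parts = []
    node = func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def find_calls_without_timeout(source: str, receiver_aware: bool) -> List[Tuple[int, str]]:
    """Report (line, dotted name) of verb-named calls that lack a timeout= keyword.

    receiver_aware=False matches on the method name only, the behaviour that trips on
    Example.get() (and on mock.patch, which shares its name with the PATCH verb).
    receiver_aware=True additionally requires the receiver to be the `requests` module.
    """
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = qualified_name(node.func)
        if name is None:
            continue
        receiver, _, method = name.rpartition(".")
        if method not in HTTP_VERBS:
            continue
        if receiver_aware and receiver != "requests":
            continue
        if any(kw.arg == "timeout" for kw in node.keywords):
            continue
        hits.append((node.lineno, node.col_offset, name))
    hits.sort()
    return [(line, name) for line, _, name in hits]
```

The receiver-aware form has its own blind spot: a `requests.Session()` stored as `self.session` is no longer matched, which is why production checkers resolve imports and aliases rather than comparing names. The point of the example is narrower: matching on the bare attribute name is exactly what produces the report's false positive.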

Bandit 1.7.3 breaks flake8-bandit 2.1.2

The latest release for bandit broke flake8-bandit. I'll file a bug in flake8-bandit as well, but the core issue is with bandit. With the latest version there is an error that is displayed when trying to run flake8-bandit:

docker python:3.9

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/local/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/usr/local/lib/python3.9/site-packages/flake8/__main__.py", line 4, in <module>
    cli.main()
  File "/usr/local/lib/python3.9/site-packages/flake8/main/cli.py", line 22, in main
    app.run(argv)
  File "/usr/local/lib/python3.9/site-packages/flake8/main/application.py", line 360, in run
    self._run(argv)
  File "/usr/local/lib/python3.9/site-packages/flake8/main/application.py", line 348, in _run
    self.run_checks()
  File "/usr/local/lib/python3.9/site-packages/flake8/main/application.py", line 262, in run_checks
    self.file_checker_manager.run()
  File "/usr/local/lib/python3.9/site-packages/flake8/checker.py", line 325, in run
    self.run_serial()
  File "/usr/local/lib/python3.9/site-packages/flake8/checker.py", line 309, in run_serial
    checker.run_checks()
  File "/usr/local/lib/python3.9/site-packages/flake8/checker.py", line 589, in run_checks
    self.run_ast_checks()
  File "/usr/local/lib/python3.9/site-packages/flake8/checker.py", line 496, in run_ast_checks
    for (line_number, offset, text, _) in runner:
  File "/usr/local/lib/python3.9/site-packages/flake8_bandit.py", line 80, in run
    for warn in self._check_source():
  File "/usr/local/lib/python3.9/site-packages/flake8_bandit.py", line 54, in _check_source
    bnv = BanditNodeVisitor(
TypeError: __init__() missing 1 required positional argument: 'metrics'

Workaround

pip install flake8-bandit==2.1.2 bandit==1.7.2

Reproduction steps

  1. docker run -it python:3.9 bash
  2. pip install flake8-bandit==2.1.2
  3. touch test.py
  4. python -m flake8 test.py

The same issue occurs if using python:3.7

Expected behavior

No output with a blank python file

Bandit version

1.7.3 (Default)

Python version

3.9

Link to Bandit issue

PyCQA/bandit#837

Different results in different Python versions (S303 vs. S324)

Hello,

the following code leads to different error codes, depending on the Python version:

import hashlib

h = hashlib.md5()

Python 3.8:

example.py:3:1: S303 Use of insecure MD2, MD4, MD5, or SHA1 hash function.

Python 3.9:

example.py:3:1: S324 Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False

Python 3.10:

example.py:3:1: S324 Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False

The installed package versions seem to be equal:

$ python --version
Python 3.8.10

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.8.10 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pkg_resources   0.0.0
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0
$ python --version
Python 3.9.1

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.9.1 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0
$ python --version           
Python 3.10.2

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.10.2 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0

Any idea what's going on here? Is it a flake8-bandit issue or a bandit one?

Thanks a lot!

fin swimmer
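S303 and S324 are both weak-hash findings, and the boundary at which the wording changes in the output above, Python 3.9, is the release in which hashlib constructors gained the `usedforsecurity=` keyword that the S324 message refers to. What a project can do on its own side is shown in this added example (not from the thread): feature-detect the keyword rather than compare version numbers, declare non-security MD5 uses as such where the interpreter allows it, and use SHA-256 wherever the digest actually protects something.

```python
import hashlib


def supports_usedforsecurity() -> bool:
    """Feature-detect the keyword instead of comparing version numbers.
    hashlib constructors accept usedforsecurity= from Python 3.9 on."""
    try:
        hashlib.md5(b"", usedforsecurity=False)
    except TypeError:
        return False
    return True


def content_fingerprint(data: bytes) -> str:
    """Non-security use (cache key, de-duplication). MD5 is acceptable here, and on
    3.9+ we say so explicitly: the flag is what the S324 message asks for, and it also
    keeps the call working on a FIPS-restricted OpenSSL build. On older interpreters
    the keyword does not exist, so the finding has to be justified in review instead."""
    if supports_usedforsecurity():
        return hashlib.md5(data, usedforsecurity=False).hexdigest()
    return hashlib.md5(data).hexdigest()


def integrity_digest(data: bytes) -> str:
    """Anything that protects integrity or authenticity gets SHA-256: no weak-hash
    finding on any interpreter, no suppression to justify."""
    return hashlib.sha256(data).hexdigest()
```

Separating the two uses in code, rather than suppressing one finding per call site, also makes the suppression count stable across interpreters: the S303/S324 difference only matters for the fallback branch.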

Add tests

Thoughts:

  • Pass a multi-line string of the code into the linter via stdin and test
  • Pass files into the linter via filename and test

flake8-bandit stopping other extension's error codes from being raised

Some weird behaviour when both flake8-noqa and flake8-bandit are installed, with a few of the flake8-noqa codes not being raised:

  • If I have a blanket noqa on a line with no violations NQA101 does not get flagged.
  • If I have a noqa with a made up random code (i.e., # noqa: ABC123) then NQA102 does get flagged.
  • But if I have a noqa with a genuine code (i.e., # noqa: S101 or # noqa: PD001) then NQA102 does not get flagged.

Obviously I have no idea if the issue lies within flake8-bandit or flake8-noqa, but there does seem to be some compatibility issue there.

Running flake8==3.9.2
I am running flake8-noqa==1.2.3 (though the issue still exists with 1.2.2, 1.2.0, 1.1.0, 1.0.0)
I am running flake8-bandit==3.0.0 (problem doesn't seem to happen with 2.0.0 and does with 2.0.1)
The fact the problem seems to appear with flake8-bandit 2.0.1 would lead me to believe the issue is with flake8-bandit, but the only change in that project from 2.0.0 -> 2.0.1 was some setup.py changes which I wouldn't have thought would cause any issues like this: v2.0.0...v2.0.1

I am also raising an issue in flake8-noqa about this given that I'm not sure which project is actually causing the problem
