Merge branch 'main' into plugin_unit_tests
Signed-off-by: Eric Brown <[email protected]>
ericwb committed Mar 13, 2023
2 parents 31da3fe + ff431af commit 7d15f64
Showing 40 changed files with 2,360 additions and 265 deletions.
16 changes: 9 additions & 7 deletions .github/ISSUE_TEMPLATE/bug-report.yml
Expand Up @@ -44,7 +44,8 @@ body:
label: Bandit version
description: Run "bandit --version" if unsure of version number
options:
- 1.7.4 (Default)
- 1.7.5 (Default)
- 1.7.4
- 1.7.3
- 1.7.2
- 1.7.1
Expand All @@ -67,12 +68,13 @@ body:
label: Python version
description: Run "bandit --version" if unsure of version number
options:
- 3.10 (Default)
- 3.9
- 3.8
- 3.7
- 3.6
- 3.5
- "3.11 (Default)"
- "3.10"
- "3.9"
- "3.8"
- "3.7"
- "3.6"
- "3.5"
validations:
required: true

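--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+- package-ecosystem: "github-actions"
+directory: "/"
+interval:
+schedule: "monthly"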
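Review bot: The last two keys of the new file look inverted — Dependabot's configuration schema nests `interval` under `schedule`, so as rendered (`interval:` containing `schedule: "monthly"`) the file would fail validation and no update PRs would be opened. The fix is to swap the nesting to `schedule:` / `interval: "monthly"`. Indentation is not visible in this rendering, so the nesting is inferred from line order; worth confirming against the file itself.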
2 changes: 1 addition & 1 deletion .github/workflows/pythonpackage.yml
Expand Up @@ -51,7 +51,7 @@ jobs:
strategy:
matrix:
python-version: [
["3.7", "37"], ["3.8", "38"], ["3.9", "39"], ["3.10", "310"], ["3.11.0-a - 3.11", "311"]
["3.7", "37"], ["3.8", "38"], ["3.9", "39"], ["3.10", "310"], ["3.11", "311"]
]
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
4 changes: 2 additions & 2 deletions README.rst
Expand Up @@ -3,8 +3,8 @@

======

.. image:: https://github.com/PyCQA/bandit/workflows/Build%20and%20Test%20Bandit/badge.svg
:target: https://github.com/PyCQA/bandit/actions?query=workflow%3A%22Build+and+Test+Bandit%22
.. image:: https://github.com/PyCQA/bandit/actions/workflows/pythonpackage.yml/badge.svg?branch=main
:target: https://github.com/PyCQA/bandit/actions?query=workflow%3A%22Build+and+Test+Bandit%22+branch%3Amain
:alt: Build Status

.. image:: https://readthedocs.org/projects/bandit/badge/?version=latest
2 changes: 1 addition & 1 deletion bandit/blacklists/calls.py
Expand Up @@ -9,7 +9,7 @@
This blacklist data checks for a number of Python calls known to have possible
security implications. The following blacklist tests are run against any
function calls encoutered in the scanned code base, triggered by encoutering
function calls encountered in the scanned code base, triggered by encoutering
ast.Call nodes.
B301: pickle
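Review bot: The corrected line still carries the same misspelling a few words later: `encoutering` in `triggered by encoutering`. Suggest `function calls encountered in the scanned code base, triggered by encountering` so the sentence is fixed in one go. This is module docstring text (the docstring continues past the hunk), so no behaviour is affected.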
7 changes: 0 additions & 7 deletions bandit/core/node_visitor.py
Expand Up @@ -200,13 +200,6 @@ def pre_visit(self, node):
if hasattr(node, "lineno"):
self.context["lineno"] = node.lineno

# explicitly check for empty set to skip all tests for a line
nosec_tests = self.nosec_lines.get(node.lineno)
if nosec_tests is not None and not len(nosec_tests):
LOG.debug("skipped, nosec without test number")
self.metrics.note_nosec()
return False

if hasattr(node, "col_offset"):
self.context["col_offset"] = node.col_offset
if hasattr(node, "end_col_offset"):
17 changes: 10 additions & 7 deletions bandit/core/tester.py
Expand Up @@ -76,12 +76,15 @@ def run_tests(self, raw_context, checktype):

# don't skip the test if there was no nosec comment
if nosec_tests_to_skip is not None:
# if the set is empty or the test id is in the set of
# tests to skip, log and increment the skip by test
# count
if not nosec_tests_to_skip or (
result.test_id in nosec_tests_to_skip
):
# If the set is empty then it means that nosec was
# used without test number -> update nosecs counter.
# If the test id is in the set of tests to skip,
# log and increment the skip by test count.
if not nosec_tests_to_skip:
LOG.debug("skipped, nosec without test number")
self.metrics.note_nosec()
continue
elif result.test_id in nosec_tests_to_skip:
LOG.debug(
"skipped, nosec for test %s" % result.test_id
)
Expand Down Expand Up @@ -129,7 +132,7 @@ def _get_nosecs_from_contexts(self, context, test_result=None):
if test_result
else None
)
context_tests = self.nosec_lines.get(context["lineno"], None)
context_tests = utils.get_nosec(self.nosec_lines, context)

# if both are none there were no comments
# this is explicitly different from being empty.
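Review bot: Replacing the `lineno` lookup with `utils.get_nosec(self.nosec_lines, context)` widens suppression: a `# nosec` on any line of `context["linerange"]` now silences findings for the whole statement, and `get_nosec` (added to utils.py in this commit) returns the first line's entry, so when two lines of one multi-line statement carry different nosec comments only the earliest is honored — an earlier bare `# nosec` wins over a later `# nosec B608`. That is a deliberate change of suppression scope and worth stating at the call site, e.g. `# A nosec on any line of a multi-line statement suppresses it; the first annotated line in linerange wins`. `_get_nosecs_from_contexts` begins and ends outside the hunk.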
8 changes: 8 additions & 0 deletions bandit/core/utils.py
Expand Up @@ -370,3 +370,11 @@ def check_ast_node(name):
pass

raise TypeError("Error: %s is not a valid node type in AST" % name)


def get_nosec(nosec_lines, context):
for lineno in context["linerange"]:
nosec = nosec_lines.get(lineno, None)
if nosec is not None:
return nosec
return None
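Review bot: `get_nosec` has no docstring, and its first-match rule is exactly what callers need to know: suggest a docstring stating that it returns the nosec test set recorded for the first line of `context["linerange"]` that has one (an empty set meaning a bare `# nosec`), or `None` when no line in the range is annotated. Because the loop stops at the first entry that is not `None`, an empty set on an earlier line is returned in preference to a populated set on a later line; that precedence is worth spelling out. The explicit default in `nosec_lines.get(lineno, None)` is redundant — `nosec_lines.get(lineno)` reads the same. Whether every context carries `linerange` is not visible here; if some do not, the subscript raises `KeyError`.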
2 changes: 0 additions & 2 deletions bandit/formatters/xml.py
Expand Up @@ -33,8 +33,6 @@
New field `CWE` added to output
"""
# This future import is necessary here due to the xml import below on Python
# 2.7
import logging
import sys
from xml.etree import cElementTree as ET
2 changes: 1 addition & 1 deletion bandit/plugins/exec.py
Expand Up @@ -19,7 +19,7 @@
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: ./examples/exec.py:2
1 exec("do evil")
2 exec "do evil"
.. seealso::
14 changes: 12 additions & 2 deletions bandit/plugins/injection_sql.py
Expand Up @@ -92,8 +92,18 @@ def _evaluate_ast(node):
elif hasattr(ast, "JoinedStr") and isinstance(
node._bandit_parent, ast.JoinedStr
):
statement = node.s
wrapper = node._bandit_parent._bandit_parent
substrings = [
child
for child in node._bandit_parent.values
if isinstance(child, ast.Str)
]
# JoinedStr consists of list of Constant and FormattedValue
# instances. Let's perform one test for the whole string
# and abandon all parts except the first one to raise one
# failed test instead of many for the same SQL statement.
if substrings and node == substrings[0]:
statement = "".join([str(child.s) for child in substrings])
wrapper = node._bandit_parent._bandit_parent

if isinstance(wrapper, ast.Call): # wrapped in "execute" call?
names = ["execute", "executemany"]
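Review bot: The new filter `isinstance(child, ast.Str)` and the join over `str(child.s)` rely on `ast.Str` and its `.s` attribute, which are deprecated since Python 3.8 (warnings from 3.12, removal scheduled for 3.14); because the matrix in pythonpackage.yml still includes 3.7, where string literals parse as `ast.Str`, the check has to stay for now, but a `# TODO: switch to ast.Constant with a str value once 3.7 support is dropped` would record the migration. `node == substrings[0]` compares AST nodes, which define no `__eq__`, so `node is substrings[0]` states the intended identity check directly. If `statement` and `wrapper` are not initialised earlier in `_evaluate_ast` (the function begins outside the hunk), a non-first string child of a JoinedStr now falls through to the `isinstance(wrapper, ast.Call)` test with `wrapper` unbound, whereas the removed lines assigned both for every child.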

