Merge pull request #42 from codacy/update-bandit

feature: Update bandit to 1.7.0 CY-3611 (Drops Python 2.7)

.circleci/config.yml

@@ -1,8 +1,8 @@
 version: 2.1
 
 orbs:
-  codacy: codacy/base@2.9.1
-  codacy_plugins_test: codacy/[email protected].5
+  codacy: codacy/base@5.1.3
+  codacy_plugins_test: codacy/[email protected].6
 
 workflows:
   version: 2
@@ -22,13 +22,13 @@ workflows:
       - codacy/sbt:
           name: publish_docker_local
           cmd: |
-            docker build -t codacy-bandit-base .
             sbt "set scalafmtUseIvy in ThisBuild := false;
                  scalafmt::test;
                  test:scalafmt::test;
                  sbt:scalafmt::test;
                  set version in Docker := \"latest\";
-                 docker:publishLocal"
+                 universal:stage"
+            docker build -t $CIRCLE_PROJECT_REPONAME .
             docker save --output docker-image.tar $CIRCLE_PROJECT_REPONAME:latest
           persist_to_workspace: true
           requires:

.dockerignore

@@ -0,0 +1,11 @@
+# Ignore everything
+**
+
+# Allow files and directories
+!/requirements.txt
+!/target/universal/stage
+!/docs
+
+# Ignore unnecessary files inside allowed directories
+# This should go after the allowed directories
+**/.DS_Store

.gitattributes

@@ -1,3 +1,3 @@
-src/main/resources/docs/description/* linguist-generated=true
-src/main/resources/docs/patterns.json linguist-generated=true
-src/main/resources/docs/tool-description.md linguist-generated=true
+docs/description/* linguist-generated=true
+docs/patterns.json linguist-generated=true
+docs/tool-description.md linguist-generated=true

Dockerfile

@@ -1,15 +1,13 @@
-FROM alpine:3.11
+FROM alpine:3.13
 
-RUN apk --no-cache add bash wget ca-certificates git && apk add --update --no-cache python python3 openjdk8-jre
-RUN wget "https://bootstrap.pypa.io/get-pip.py"
-RUN python get-pip.py
-RUN python3 get-pip.py
+COPY requirements.txt requirements.txt
+RUN apk add --no-cache --update bash python3 py3-pip openjdk11-jre && \
+    python3 -m pip install --upgrade --ignore-installed --no-cache-dir -r requirements.txt
 
-ADD requirements.txt requirements.txt
-RUN python -m pip install --upgrade --ignore-installed --no-cache-dir -r requirements.txt
-RUN python3 -m pip install --upgrade --ignore-installed --no-cache-dir -r requirements.txt
-
-RUN python -m pip uninstall -y pip
-RUN python3 -m pip uninstall -y pip
-RUN apk del wget ca-certificates git
-RUN rm -rf /tmp/* && rm -rf /var/cache/apk/*
+COPY docs /docs
+RUN adduser --uid 2004 --disabled-password --gecos "" docker
+COPY target/universal/stage/ /workdir/
+RUN chmod +x /workdir/bin/codacy-bandit
+USER docker
+WORKDIR /workdir
+ENTRYPOINT ["bin/codacy-bandit"]

README.md

@@ -12,8 +12,8 @@ See the [codacy-engine-scala-seed](https://github.com/codacy/codacy-engine-scala
 You can create the docker by doing:
 
 ```bash
-docker build -t codacy-bandit-base .
-sbt docker:publishLocal
+sbt universal:stage
+docker build -t codacy-bandit .
 ```
 
 The docker is ran with the following command:

build.sbt

@@ -1,70 +1,19 @@
-import com.typesafe.sbt.packager.docker.{Cmd, ExecCmd}
-
 name := "codacy-bandit"
-scalaVersion := "2.13.1"
+ThisBuild / scalaVersion := "2.13.4"
 
-val engineSeed = "com.codacy" %% "codacy-engine-scala-seed" % "5.0.1"
+val engineSeed = "com.codacy" %% "codacy-engine-scala-seed" % "5.0.3"
 
 libraryDependencies += engineSeed
 
 lazy val `doc-generator` = project
   .settings(
-    libraryDependencies ++=
-      engineSeed +: Seq(
-        "org.scala-lang.modules" %% "scala-xml" % "1.2.0",
-        "org.ccil.cowan.tagsoup" % "tagsoup" % "1.2.1",
-        "com.github.pathikrit" %% "better-files" % "3.8.0"
-      ),
-    scalaVersion := "2.13.1",
-    Compile / fork := true,
-    scalacOptions += "-Xlint:-stars-align"
+    libraryDependencies ++= Seq(
+      engineSeed,
+      "org.scala-lang.modules" %% "scala-xml" % "1.2.0",
+      "org.ccil.cowan.tagsoup" % "tagsoup" % "1.2.1",
+      "com.github.pathikrit" %% "better-files" % "3.8.0"
+    ),
+    Compile / fork := true
   )
 
 enablePlugins(JavaAppPackaging)
-
-enablePlugins(DockerPlugin)
-
-mappings.in(Universal) ++= resourceDirectory
-  .in(Compile)
-  .map { resourceDir: File =>
-    val src = resourceDir / "docs"
-    val dest = "/docs"
-
-    for {
-      path <- src.allPaths.get if !path.isDirectory
-    } yield path -> path.toString.replaceFirst(src.toString, dest)
-  }
-  .value ++
-  baseDirectory
-    .in(Compile)
-    .map { baseDirectory: File =>
-      val toolScriptsDir = baseDirectory / "tool-scripts"
-      for {
-        path <- toolScriptsDir.allPaths.get if !path.isDirectory
-      } yield path -> path.toString.replaceFirst(toolScriptsDir.toString, "")
-    }
-    .value
-
-val dockerUser = "docker"
-val dockerGroup = "docker"
-
-daemonUser in Docker := dockerUser
-
-daemonGroup in Docker := dockerGroup
-
-dockerBaseImage := "codacy-bandit-base"
-
-mainClass in Compile := Some("codacy.Engine")
-
-dockerCommands := {
-  dockerCommands.value.flatMap {
-    case cmd @ Cmd("ADD", _) =>
-      List(
-        Cmd("RUN", s"adduser -u 2004 -D $dockerUser"),
-        cmd,
-        Cmd("RUN", "mv /opt/docker/docs /docs"),
-        ExecCmd("RUN", Seq("chown", "-R", s"$dockerUser:$dockerGroup", "/docs"): _*)
-      )
-    case other => List(other)
-  }
-}

doc-generator/src/main/scala/docs/GenerateDocs.scala

@@ -8,7 +8,7 @@ import play.api.libs.json.Json
 import com.codacy.plugins.api._
 
 object GenerateDocs {
-  val docsRoot = ".." / "src" / "main" / "resources" / "docs"
+  val docsRoot = ".." / "docs"
   val descriptionsRoot = docsRoot / "description"
   val descriptionsJsonFile = docsRoot / "description" / "description.json"
   val patternsJsonFile = docsRoot / "patterns.json"

doc-generator/src/main/scala/docs/transformers/BlacklistDocTransformer.scala

@@ -1,12 +1,13 @@
 package docs.transformers
 
-import docs.transformers.utils.{HtmlLoader, HtmlToMarkdownConverter}
-
-import scala.xml.Node
 import better.files._
 import com.codacy.plugins.api.results.Pattern
 import com.codacy.plugins.api.results.Result.Level
 import docs.{DefaultPatterns, SecuritySubcategories}
+import docs.transformers.utils.{HtmlLoader, HtmlToMarkdownConverter}
+
+import scala.annotation.nowarn
+import scala.xml.Node
 
 object BlacklistDocTransformer extends IPatternDocTransformer {
   val patternIdIntervalRegex = "(b[\\d]{3}-b[\\d]{3}).*".r
@@ -30,6 +31,7 @@ object BlacklistDocTransformer extends IPatternDocTransformer {
     * Example:
     * <div class="section" id="b304-b305-ciphers-and-modes">
     */
+  @nowarn
   private def patternIds(body: Node): Seq[String] = (body \@ "id") match {
     case patternIdIntervalRegex(c) =>
       val Array(firstPatternIdStr, lastPatternIdStr) = c.replace("b", "").split("-")

docs/multiple-tests/without-config/src/B104.py

@@ -0,0 +1,8 @@
+##Patterns: B104
+
+import socket
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+##Warn: B104
+s.bind(('0.0.0.0', 31137))
+s.bind(('192.168.0.1', 8080))

docs/multiple-tests/without-config/src/B304.py

@@ -0,0 +1,73 @@
+##Patterns: B304
+
+from Crypto.Cipher import ARC2
+from Crypto.Cipher import ARC4
+from Crypto.Cipher import Blowfish
+from Crypto.Cipher import DES
+from Crypto.Cipher import XOR
+from Crypto.Hash import SHA
+from Crypto import Random
+from Crypto.Util import Counter
+from cryptography.hazmat.primitives.ciphers import Cipher
+from cryptography.hazmat.primitives.ciphers import algorithms
+from cryptography.hazmat.primitives.ciphers import modes
+from cryptography.hazmat.backends import default_backend
+from struct import pack
+import socket
+
+key = b'Sixteen byte key'
+iv = Random.new().read(ARC2.block_size)
+##Warn: B304
+cipher = ARC2.new(key, ARC2.MODE_CFB, iv)
+msg = iv + cipher.encrypt(b'Attack at dawn')
+
+key = b'Very long and confidential key'
+nonce = Random.new().read(16)
+tempkey = SHA.new(key+nonce).digest()
+##Warn: B304
+cipher = ARC4.new(tempkey)
+msg = nonce + cipher.encrypt(b'Open the pod bay doors, HAL')
+
+bs = Blowfish.block_size
+key = b'An arbitrarily long key'
+iv = Random.new().read(bs)
+##Warn: B304
+cipher = Blowfish.new(key, Blowfish.MODE_CBC, iv)
+plaintext = b'docendo discimus '
+plen = bs - divmod(len(plaintext),bs)[1]
+padding = [plen]*plen
+padding = pack('b'*plen, *padding)
+msg = iv + cipher.encrypt(plaintext + padding)
+
+key = b'-8B key-'
+nonce = Random.new().read(DES.block_size/2)
+ctr = Counter.new(DES.block_size*8/2, prefix=nonce)
+##Warn: B304
+cipher = DES.new(key, DES.MODE_CTR, counter=ctr)
+plaintext = b'We are no longer the knights who say ni!'
+msg = nonce + cipher.encrypt(plaintext)
+
+key = b'Super secret key'
+##Warn: B304
+cipher = XOR.new(key)
+plaintext = b'Encrypt me'
+msg = cipher.encrypt(plaintext)
+
+##Warn: B304
+cipher = Cipher(algorithms.ARC4(key), mode=None, backend=default_backend())
+encryptor = cipher.encryptor()
+ct = encryptor.update(b"a secret message")
+
+##Warn: B304
+cipher = Cipher(algorithms.Blowfish(key), mode=None, backend=default_backend())
+encryptor = cipher.encryptor()
+ct = encryptor.update(b"a secret message")
+
+##Warn: B304
+cipher = Cipher(algorithms.IDEA(key), mode=None, backend=default_backend())
+encryptor = cipher.encryptor()
+ct = encryptor.update(b"a secret message")
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.bind(('0.0.0.0', 31137))
+s.bind(('192.168.0.1', 8080))

docs/tests/B104.py

@@ -0,0 +1,8 @@
+##Patterns: B104
+
+import socket
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+##Warn: B104
+s.bind(('0.0.0.0', 31137))
+s.bind(('192.168.0.1', 8080))

docs/tests/B304.py

@@ -0,0 +1,73 @@
+##Patterns: B304
+
+from Crypto.Cipher import ARC2
+from Crypto.Cipher import ARC4
+from Crypto.Cipher import Blowfish
+from Crypto.Cipher import DES
+from Crypto.Cipher import XOR
+from Crypto.Hash import SHA
+from Crypto import Random
+from Crypto.Util import Counter
+from cryptography.hazmat.primitives.ciphers import Cipher
+from cryptography.hazmat.primitives.ciphers import algorithms
+from cryptography.hazmat.primitives.ciphers import modes
+from cryptography.hazmat.backends import default_backend
+from struct import pack
+import socket
+
+key = b'Sixteen byte key'
+iv = Random.new().read(ARC2.block_size)
+##Warn: B304
+cipher = ARC2.new(key, ARC2.MODE_CFB, iv)
+msg = iv + cipher.encrypt(b'Attack at dawn')
+
+key = b'Very long and confidential key'
+nonce = Random.new().read(16)
+tempkey = SHA.new(key+nonce).digest()
+##Warn: B304
+cipher = ARC4.new(tempkey)
+msg = nonce + cipher.encrypt(b'Open the pod bay doors, HAL')
+
+bs = Blowfish.block_size
+key = b'An arbitrarily long key'
+iv = Random.new().read(bs)
+##Warn: B304
+cipher = Blowfish.new(key, Blowfish.MODE_CBC, iv)
+plaintext = b'docendo discimus '
+plen = bs - divmod(len(plaintext),bs)[1]
+padding = [plen]*plen
+padding = pack('b'*plen, *padding)
+msg = iv + cipher.encrypt(plaintext + padding)
+
+key = b'-8B key-'
+nonce = Random.new().read(DES.block_size/2)
+ctr = Counter.new(DES.block_size*8/2, prefix=nonce)
+##Warn: B304
+cipher = DES.new(key, DES.MODE_CTR, counter=ctr)
+plaintext = b'We are no longer the knights who say ni!'
+msg = nonce + cipher.encrypt(plaintext)
+
+key = b'Super secret key'
+##Warn: B304
+cipher = XOR.new(key)
+plaintext = b'Encrypt me'
+msg = cipher.encrypt(plaintext)
+
+##Warn: B304
+cipher = Cipher(algorithms.ARC4(key), mode=None, backend=default_backend())
+encryptor = cipher.encryptor()
+ct = encryptor.update(b"a secret message")
+
+##Warn: B304
+cipher = Cipher(algorithms.Blowfish(key), mode=None, backend=default_backend())
+encryptor = cipher.encryptor()
+ct = encryptor.update(b"a secret message")
+
+##Warn: B304
+cipher = Cipher(algorithms.IDEA(key), mode=None, backend=default_backend())
+encryptor = cipher.encryptor()
+ct = encryptor.update(b"a secret message")
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.bind(('0.0.0.0', 31137))
+s.bind(('192.168.0.1', 8080))

project/build.properties

@@ -1 +1 @@
-sbt.version=1.3.3
+sbt.version=1.4.6

project/plugins.sbt

@@ -1,3 +1 @@
-resolvers += Resolver.jcenterRepo
-
-addSbtPlugin("com.codacy" % "codacy-sbt-plugin" % "17.1.2")
+addSbtPlugin("com.codacy" % "codacy-sbt-plugin" % "20.1.1")

requirements.txt

@@ -1 +1 @@
-bandit==1.6.2
+bandit==1.7.0

scripts/generateDocs.sh

@@ -13,6 +13,6 @@ done)
 
 BASE_DIR="bandit"
 
-docker run -v $(pwd):/src -w /src python bash scripts/generatePythonDocs.sh $VERSION $BASE_DIR
+docker run -v "$PWD":/src -w /src python:3.8 bash scripts/generatePythonDocs.sh "$VERSION" "$BASE_DIR"
 
-sbt "doc-generator/run $VERSION $(pwd)/$BASE_DIR"
+sbt "doc-generator/run $VERSION $PWD/$BASE_DIR"

scripts/generatePythonDocs.sh

@@ -6,8 +6,8 @@ BASE_DIR=$2
 rm -rf "$BASE_DIR"
 
 git clone -b "$VERSION" --single-branch --depth 1 "https://github.com/PyCQA/bandit.git" $BASE_DIR
-easy_install virtualenv
+pip3 install virtualenv
 virtualenv "./$BASE_DIR/venv"
-./"$BASE_DIR"/venv/bin/pip install -U -r "$BASE_DIR/requirements.txt"
-./"$BASE_DIR"/venv/bin/pip install -r "$BASE_DIR/doc/requirements.txt"
+./"$BASE_DIR"/venv/bin/pip3 install -U -r "$BASE_DIR/requirements.txt"
+./"$BASE_DIR"/venv/bin/pip3 install -r "$BASE_DIR/doc/requirements.txt"
 ./"$BASE_DIR"/venv/bin/sphinx-build "$BASE_DIR/doc/source/" "$BASE_DIR/doc/build/" -b html -a -D html_add_permalinks=