-
-
Notifications
You must be signed in to change notification settings - Fork 589
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Massive reduction in performance after 1.5.0 #438
Comments
Worth noting this is also an issue in 1.5.1 |
I just test rule by rule and the issue is not look related to this. The only point I see that could be caused is the number of rules from 64 to 70 but according to the test I made the degradation time is around 3 or 4 sec, so should be another thing. Here you are the code and the result in ODS file Bandit_time.zip To get this data I clone twice bandit one for 1.4.0 and other for 1.5.0 and on a virtual env with each bandit installed to run the script attached.
I also check the code diffing and I don't see anything that could cause that degradation. |
It might be worth us putting in some debug timers on each plugin call to see if its any in particular that are causing the issue. |
I just run line_profile
Just to resume the issue is on blacklist function:
On 1.5.0:
|
I don't see any possible solution to solve it. For call.py file
For imports.py file
I also test the code with the commit 257b5dd the different is near to None I realy don't know how to fix it. :( Any idea?? |
Tracked down the issue to Python 2 and < Release 1.50
Now trying to find the particular change that caused this. As per #422 B303, B304, B305 are where the more delaying factors are based. For now recommend anyone feeling the impact of this in their gate, change to running bandit under python3. |
@lukehinds unfortunately that's not currently an option in my scenario. The temp fix I've implemented scans a much smaller subset of files, but it's definitely sub-optimal. One thing I noticed was that calls to |
Looks like this is the commit where performance tanks: Commenting out the added blacklisted items brings performance back to being the original speedy self.
After commenting out: sets.append(utils.build_conf_dict(
'md5', 'B303',
['hashlib.md5',
'hashlib.sha1',
'Crypto.Hash.MD2.new',
'Crypto.Hash.MD4.new',
'Crypto.Hash.MD5.new',
# 'Crypto.Hash.SHA.new',
'Cryptodome.Hash.MD2.new',
'Cryptodome.Hash.MD4.new',
'Cryptodome.Hash.MD5.new'],
# 'Cryptodome.Hash.SHA.new',
# 'cryptography.hazmat.primitives.hashes.MD5',
# 'cryptography.hazmat.primitives.hashes.SHA1'],
'Use of insecure MD2, MD4, MD5, or SHA1 hash function.'
))
|
nice find @ghugo I wonder what is the factor that causes the performance variations between python 2&3, something. |
I just check the function fnmatch on python core and it was changed: Changed on the commit: |
In light of @ehooo's findings I suggest we update the README with a recommendation that folks use py3 if utilising the crypto plugins with a link to this issue. That way if they have a super need to run Bandit under py2 and with the crypto plugins, they can pursue the python code linked in comment If no objections I will assign this to me, and close it on the basis of the above readme additions. |
Just wanted to add that there is still a significant reduction in performance with ANY of the tests under B303 enabled, not just the ones added in 85e5667. It seems to get better the more of those I comment out, but is still very slow in general.
B303 Disabled:
Also, my original test was with the same version of python in two different versions of bandit, so it seems somewhat suspicious that this is an issue in python 2.7. |
Hi, I just came around this issue for similar problems, I'm extending the blacklists with more content and noticed that the time skyrocketed, the culprit being indeed the Is there a strong rational for using regex here? Looking at the shipped blacklists, none seem to be using regex patterns. |
A quick test I did was just changing this line: From if name is not None and fnmatch.fnmatch(name, qn): To if name is not None and name == qn: and I went from 14m48.641s to 0m20.871s while removing 1 false positive. Given that it seems like regex matching should be optional and not the default? I will certainly monkey-patch the definition on our end. |
FWIW |
@Plazmaz : I might misunderstood what you just said but |
Ah my bad, I didn't notice it used regex internally. I was looking at https://docs.python.org/3.7/library/fnmatch.html and figured it was just glob matching. |
Yeah, nah :) It explains why it is uber slow. |
I mean, it could precompile those regexes and it would probably help a lot. |
Bandit UX is seriously broken, only <1.6 works predictably. Exclude/ignore of files is currently broken in Bandit: - PyCQA/bandit#693 - PyCQA/bandit#490 - PyCQA/bandit#438 (comment) Reading settings from configuration files is broken: - PyCQA/bandit#753 - PyCQA/bandit#595 Reading from pyproject.toml not yet functional: - Must install "toml" package and use "-c pyproject.toml". - PyCQA/bandit#758 INI file configuration and CLI usage is unclear: - PyCQA/bandit#603 - PyCQA/bandit#467 - PyCQA/bandit#396
Bandit UX is seriously broken, only <1.6 works predictably. Exclude/ignore of files is currently broken in Bandit: - PyCQA/bandit#693 - PyCQA/bandit#490 - PyCQA/bandit#438 (comment) Reading settings from configuration files is broken: - PyCQA/bandit#753 - PyCQA/bandit#595 Reading from pyproject.toml not yet functional: Must install "toml" package and use "-c pyproject.toml". - PyCQA/bandit#758 INI file configuration and CLI usage is unclear: - PyCQA/bandit#603 - PyCQA/bandit#467 - PyCQA/bandit#396
Bandit UX is seriously broken, only <1.6 works predictably. Exclude/ignore of files is currently broken in Bandit: - PyCQA/bandit#693 - PyCQA/bandit#490 - PyCQA/bandit#438 (comment) Reading settings from configuration files is broken: - PyCQA/bandit#753 - PyCQA/bandit#595 Reading from pyproject.toml not yet functional: Must install "toml" package and use "-c pyproject.toml". - PyCQA/bandit#758 INI file configuration and CLI usage is unclear: - PyCQA/bandit#603 - PyCQA/bandit#467 - PyCQA/bandit#396
The blacklisting function is currently using fnmatch.fnmatch() to do matching of qualified names of blacklist calls. It seems it is only used for telnetlib and ftplib where they are setting the qualified name in a file glob style (telnetlib.*). This change would slightly break backward compatibility if there are any third-party plugins that use globbing in the qualified names for blacklisting. I think the likelyhood is small. I also think it is better to be more explicit in the qualified name patterns. In the case of ftplib, FTP is insecure, but FTP_TLS is not. So this already is resolving one false postive. The other effect of this change is a slight boost to performance. When scanning cpython prior to this fix, it would take around 1 min. After the fix, closer to 50 seconds. So a nice little bump in speed. Fixes: PyCQA#438 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
The blacklisting function is currently using fnmatch.fnmatch() to do matching of qualified names of blacklist calls. It seems it is only used for telnetlib and ftplib where they are setting the qualified name in a file glob style (telnetlib.*). This change would slightly break backward compatibility if there are any third-party plugins that use globbing in the qualified names for blacklisting. I think the likelyhood is small. I also think it is better to be more explicit in the qualified name patterns. In the case of ftplib, FTP is insecure, but FTP_TLS is not. So this already is resolving one false postive. The other effect of this change is a slight boost to performance. When scanning cpython prior to this fix, it would take around 1 min. After the fix, closer to 50 seconds. So a nice little bump in speed. Fixes: PyCQA#438 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
The blacklisting function is currently using fnmatch.fnmatch() to do matching of qualified names of blacklist calls. It seems it is only used for telnetlib and ftplib where they are setting the qualified name in a file glob style (telnetlib.*). This change would slightly break backward compatibility if there are any third-party plugins that use globbing in the qualified names for blacklisting. I think the likelyhood is small. I also think it is better to be more explicit in the qualified name patterns. In the case of ftplib, FTP is insecure, but FTP_TLS is not. So this already is resolving one false postive. The other effect of this change is a slight boost to performance. When scanning cpython prior to this fix, it would take around 1 min. After the fix, closer to 50 seconds. So a nice little bump in speed. Fixes: PyCQA#438 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
* Performance improvement in blacklist function The blacklisting function is currently using fnmatch.fnmatch() to do matching of qualified names of blacklist calls. It seems it is only used for telnetlib and ftplib where they are setting the qualified name in a file glob style (telnetlib.*). This change would slightly break backward compatibility if there are any third-party plugins that use globbing in the qualified names for blacklisting. I think the likelyhood is small. I also think it is better to be more explicit in the qualified name patterns. In the case of ftplib, FTP is insecure, but FTP_TLS is not. So this already is resolving one false postive. The other effect of this change is a slight boost to performance. When scanning cpython prior to this fix, it would take around 1 min. After the fix, closer to 50 seconds. So a nice little bump in speed. Fixes: #438 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com> * Add test for usage of FTP_TLS This change adds an FTP_TLS call to the examples. A high severity error is no longer reported as a result of the fix in PR #1148 that explicitly now matches blacklist call qualified names rather than using a file glob. However, you will notice that there is one more high severity issue reported in the tests as a result of the import of ftplib.FTP_TLS because the blacklist import is only checking for "ftplib". Fixes: #148 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com> --------- Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Describe the bug
After the 1.5.0 release, there appears to have been a significant reduction in performance. For instance, here is the output of
time bandit -r .
using 1.4.0:And here it is with 1.5.0:
To Reproduce
Steps to reproduce the behavior:
time bandit -r .
within a medium to large-size project on 1.4.0Expected behavior
Performance consistent or comparable with 1.4.0
Bandit version
The text was updated successfully, but these errors were encountered: