
Undetected issues B104, B608 #656

Closed
adideutsch opened this issue Dec 7, 2020 · 5 comments
Labels
bug Something isn't working

Comments

@adideutsch

adideutsch commented Dec 7, 2020

Describe the bug
Issues B104, B608 were not detected on 1.6.2 and suddenly detected on 1.6.3.

To Reproduce
Steps to reproduce the behavior:

  1. Install Python 3.8.4
  2. pip install bandit==1.6.2 / pip install bandit==1.6.3
  3. bandit -l -r src/ (src contains files with issues B104/B608 recursively)
  4. See the difference between running on 1.6.2 and 1.6.3

Expected behavior
Issues detected on both versions.

Bandit version

1.6.2
1.6.3

Additional context
I have been using bandit with Python 3.8.6 for a few months now. Running bandit today using the newly released version 1.6.3 (thanks!), I found out about new issues (B104, B608) that were not visible before (the job completed successfully).

Initially, I suspected that the CLI tool on version 1.6.2 didn't parse some args properly until the update today (I noticed several new lines on today's run: "Using command line arg for ..." which were missing before). However, I am not really sure that's the reason - other issues did appear in the past using the exact same test job.

  1. Any idea why these issues were identified today all of a sudden? Being unable to pinpoint why exactly this happened, I'm worried there might be other undetected issues in version 1.6.3 as well.
  2. If this has happened because of Python 3.8 support issues, how can users be aware that bandit is not fully supported by their current python version?

Implementation suggestion for 2 - modify 'python_requires' in setup.py to have an upper limit as well, thus making installations fail on supported versions.

Thanks,
Adi

@ericwb ericwb added the bug Something isn't working label Dec 7, 2020
@ericwb
Member

ericwb commented Jul 10, 2022

Can you please share some example code you ran to test 1.6.2 versus 1.6.3? Without that, it's hard to state what could be the cause for the difference you're seeing.

@adideutsch
Author

adideutsch commented Jul 10, 2022

Do you mean share the lines that failed? Or the lines of code that orchestrate the test?

For the lines that failed:
B104 (Possible binding to all interfaces):
app.run(host="0.0.0.0", port=PORT, ssl_context=CONTEXT)
B608 (Possible SQL injection vector through string-based query construction):
query = (f"SELECT * FROM {table_name} WHERE ….. "

If it’s the second option (orchestration code) I’ll have to look for it later.

@mportesdev
Contributor

In version 1.6.2 (commit d25f3fc), BanditNodeVisitor lacks the visit_Constant method (it was added in 3d08246). As a result, the visit_Str method is never called (at least in the case of the sample code above) and string constants are not checked by the tests decorated with @test.checks("Str").

@mportesdev
Contributor

AFAIK this is caused by deprecation of ast.Str, ast.Bytes and other classes in Python 3.8.

In Python 3.7, bandit version 1.6.2 reports both issues as expected.
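The dispatch gap mportesdev describes in the two comments above, reproduced as an added example that is not Bandit's own code: a visitor in the 1.6.2 shape (its own visit() looking up "visit_" + node class name, with only visit_Str) beside one that adds the visit_Constant the fix introduced. It assumes Python 3.8+, where string literals parse as ast.Constant; the B104/B608 checks are hypothetical stand-ins for the real plugins.

```python
# Added example, not Bandit's code. Assumes Python 3.8+ (ast.Constant).
import ast

# Constructed sample mirroring the two lines flagged in the issue.
SAMPLE = '''
app.run(host="0.0.0.0", port=PORT, ssl_context=CONTEXT)
query = "SELECT * FROM " + table_name + " WHERE id = " + user_id
'''

SQL_PREFIXES = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")


def string_checks(value, lineno, findings):
    # Hypothetical stand-ins for the B104 / B608 @test.checks("Str") plugins.
    if value == "0.0.0.0":
        findings.append(("B104", lineno))
    if value.lstrip().upper().startswith(SQL_PREFIXES):
        findings.append(("B608", lineno))


class LegacyVisitor:
    """1.6.2 shape: custom dispatch by node class name, visit_Str only."""

    def __init__(self):
        self.findings = []

    def visit(self, node):
        # No handler for ast.Constant here, so on 3.8+ visit_Str is never reached.
        handler = getattr(self, "visit_" + type(node).__name__, None)
        if handler is not None:
            handler(node)
        for child in ast.iter_child_nodes(node):
            self.visit(child)

    def visit_Str(self, node):
        # On 3.8+ the node is an ast.Constant; .value holds the str.
        string_checks(node.value, node.lineno, self.findings)


class FixedVisitor(LegacyVisitor):
    """Adds visit_Constant, routing string constants back to visit_Str."""

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            self.visit_Str(node)


def scan(source, visitor_cls):
    visitor = visitor_cls()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)
```

Running scan(SAMPLE, LegacyVisitor) returns no findings, while scan(SAMPLE, FixedVisitor) reports B104 on line 2 and B608 on line 3, matching the 1.6.2 versus 1.6.3 difference reported above.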

@ericwb
Member

ericwb commented Jan 8, 2024

While I can't explain exactly why these two issues are suddenly being found and not before, I can say we have tests for each plugin that are passing. And finding more issues is a good thing in my opinion, assuming they are not false positives. Closing for now, but if you have example snippets of code we can use to further debug, feel free to reopen with that snippet.

@ericwb ericwb closed this as completed Jan 8, 2024