From b1ede119175bdfd377970d228e299f3617e72f73 Mon Sep 17 00:00:00 2001 From: Giblin Date: Thu, 11 Oct 2018 08:27:58 -0400 Subject: [PATCH 01/23] Added snmp_security check plugin for various SNMP checks --- README.rst | 1 + bandit/plugins/snmp_security_check.py | 68 +++++++++++++++++++ .../plugins/b508_snmp_security_check.rst | 5 ++ examples/snmp.py | 9 +++ setup.cfg | 4 ++ 5 files changed, 87 insertions(+) create mode 100644 bandit/plugins/snmp_security_check.py create mode 100644 doc/source/plugins/b508_snmp_security_check.rst create mode 100644 examples/snmp.py diff --git a/README.rst b/README.rst index ed15d923c..4412d4d6c 100644 --- a/README.rst +++ b/README.rst @@ -233,6 +233,7 @@ Usage:: B505 weak_cryptographic_key B506 yaml_load B507 ssh_no_host_key_verification + B508 snmp_weak_cryptography_used B601 paramiko_calls B602 subprocess_popen_with_shell_equals_true B603 subprocess_without_shell_equals_true diff --git a/bandit/plugins/snmp_security_check.py b/bandit/plugins/snmp_security_check.py new file mode 100644 index 000000000..d00d99e11 --- /dev/null +++ b/bandit/plugins/snmp_security_check.py 
@@ -0,0 +1,68 @@ +# -*- coding:utf-8 -*- +# +# Copyright (c) 2018 SolarWinds, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +r""" +----------------------------- +B508: snmp_security_check +----------------------------- + +This test is for checking for the usage of insecure SNMP version such as: + v1, v2c and v3 using noAuthNoPriv. + +Using the pysnmp documentation: + http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html + +Please update your code to use more secure versions of SNMP. For example: + +Instead of: + `CommunityData('public', mpModel=0)` + +Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol + `UsmUserData("securityName","authName","privName")` +""" + +import bandit +from bandit.core import test_properties as test + + +@test.checks("Call") +@test.test_id('B508') +def snmp_insecure_version_check(context): + if context.call_function_name_qual == 'CommunityData': + # We called community data. Lets check our args + if context.check_call_arg_value("mpModel", 0) or \ + context.check_call_arg_value("mpModel", 1): + return bandit.Issue( + severity=bandit.MEDIUM, + confidence=bandit.MEDIUM, + text="The use of SNMPv1 and SNMPv2 is insecure. 
" + "You should use SNMPv3 if able.", + lineno=context.get_lineno_for_call_arg("CommunityData"), + ) + + +@test.checks("Call") +@test.test_id('B508') +def snmp_crypto_check(context): + if context.call_function_name_qual == 'UsmUserData': + if context.call_args_count == 1 or context.call_args_count == 1: + return bandit.Issue( + severity=bandit.MEDIUM, + confidence=bandit.MEDIUM, + text="You should not use SNMPv3 without encryption. " + "noAuthNoPriv is an insecure method of transport.", + lineno=context.get_lineno_for_call_arg("UsmUserData"), + ) diff --git a/doc/source/plugins/b508_snmp_security_check.rst b/doc/source/plugins/b508_snmp_security_check.rst new file mode 100644 index 000000000..8abcca3db --- /dev/null +++ b/doc/source/plugins/b508_snmp_security_check.rst @@ -0,0 +1,5 @@ +----------------------------- +B508: snmp_security_check +----------------------------- + +.. automodule:: bandit.plugins.snmp_security_check diff --git a/examples/snmp.py b/examples/snmp.py new file mode 100644 index 000000000..5a74314c1 --- /dev/null +++ b/examples/snmp.py @@ -0,0 +1,9 @@ +from pysnmp.hlapi import UsmUserData +from pysnmp.hlapi import CommunityData + +# SHOULD FAIL +a = CommunityData('public', mpModel=0) +# SHOULD FAIL +insecure = UsmUserData("securityName") +# SHOULD PASS +less_insecure = UsmUserData("securityName","authName","privName") \ No newline at end of file diff --git a/setup.cfg b/setup.cfg index 4dbd036f0..bec9b9925 100644 --- a/setup.cfg +++ b/setup.cfg @@ -121,6 +121,10 @@ bandit.plugins = # bandit/plugins/ssh_no_host_key_verification.py ssh_no_host_key_verification = bandit.plugins.ssh_no_host_key_verification:ssh_no_host_key_verification + # bandit/plugins/snmp_security_check.py + snmp_insecure_version_check = bandit.plugins.snmp_security_check:snmp_insecure_version_check + snmp_weak_cryptography_used = bandit.plugins.snmp_security_check:snmp_crypto_check + [build_sphinx] all_files = 1 build-dir = doc/build 
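Review bot: Both dispatch checks compare `context.call_function_name_qual` against the bare names `'CommunityData'` and `'UsmUserData'`, yet examples/snmp.py imports them with `from pysnmp.hlapi import ...`; if bandit resolves the qualified name through its import-alias table as it does for other plugins, the value seen here is `pysnmp.hlapi.CommunityData`, the equality never holds, and neither test fires on the example file. Compare against `"pysnmp.hlapi.CommunityData"` and `"pysnmp.hlapi.UsmUserData"` (or additionally accept the unqualified `context.call_function_name`) and pin it with a functional test that expects findings on examples/snmp.py. Separately, `lineno=context.get_lineno_for_call_arg("CommunityData")` and the matching `UsmUserData` line ask for the line of a keyword argument named after the constructor, which no call has, so they evaluate to None and rely on bandit filling in the node's line; `lineno=context.node.lineno` or simply omitting the argument says what is meant.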
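Review bot: The `# SHOULD PASS` case `UsmUserData("securityName","authName","privName")` only supplies the two keys positionally and accepts whatever protocols pysnmp picks by default, which the plugin docstring in this same patch states are HMAC-MD5 and DES, so the example meant to model the secure form is itself weak; make it `UsmUserData("securityName", "authKey", "privKey", authProtocol=usmHMACSHAAuthProtocol, privProtocol=usmAesCfb128Protocol)` (pysnmp's constant names, check the version in use) and import those names. The file also has no keyword-form case such as `UsmUserData("securityName", authKey="a", privKey="p")` and no `CommunityData('public')` without `mpModel`, which are exactly the inputs on which a positional-count or explicit-value check is most likely to give the wrong answer.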
From 6c43605cb847ac6daa0d107bc0162d00940695f5 Mon Sep 17 00:00:00 2001 From: Jed Giblin Date: Thu, 11 Oct 2018 09:22:00 -0400 Subject: [PATCH 02/23] Extracted each test into their own files --- .coveragerc | 3 - README.rst | 3 +- bandit/plugins/snmp_security_check.py | 58 +++++++++++++------ ...eck.rst => b508_snmp_insecure_version.rst} | 5 +- .../plugins/b508_snmp_weak_cryptography.rst | 8 +++ setup.cfg | 4 +- 6 files changed, 55 insertions(+), 26 deletions(-) delete mode 100644 .coveragerc rename doc/source/plugins/{b508_snmp_security_check.rst => b508_snmp_insecure_version.rst} (58%) create mode 100644 doc/source/plugins/b508_snmp_weak_cryptography.rst diff --git a/.coveragerc b/.coveragerc deleted file mode 100644 index 8b87fce8f..000000000 --- a/.coveragerc +++ /dev/null @@ -1,3 +0,0 @@ -[report] -include = bandit/* -omit = bandit/tests/functional/* diff --git a/README.rst b/README.rst index 4412d4d6c..e50d3b356 100644 --- a/README.rst +++ b/README.rst @@ -233,7 +233,8 @@ Usage:: B505 weak_cryptographic_key B506 yaml_load B507 ssh_no_host_key_verification - B508 snmp_weak_cryptography_used + B508 snmp_insecure_version + B509 snmp_weak_cryptography B601 paramiko_calls B602 subprocess_popen_with_shell_equals_true B603 subprocess_without_shell_equals_true diff --git a/bandit/plugins/snmp_security_check.py b/bandit/plugins/snmp_security_check.py index d00d99e11..8197f0093 100644 --- a/bandit/plugins/snmp_security_check.py +++ b/bandit/plugins/snmp_security_check.py 
@@ -14,25 +14,7 @@ # License for the specific language governing permissions and limitations # under the License. -r""" ------------------------------ -B508: snmp_security_check ------------------------------ -This test is for checking for the usage of insecure SNMP version such as: - v1, v2c and v3 using noAuthNoPriv. - -Using the pysnmp documentation: - http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html - -Please update your code to use more secure versions of SNMP. For example: - -Instead of: - `CommunityData('public', mpModel=0)` - -Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol - `UsmUserData("securityName","authName","privName")` -""" import bandit from bandit.core import test_properties as test @@ -41,6 +23,25 @@ @test.checks("Call") @test.test_id('B508') def snmp_insecure_version_check(context): + r""" + ----------------------------- + B508: snmp_insecure_version + ----------------------------- + + This test is for checking for the usage of insecure SNMP version such as: + v1, v2c and v3 using noAuthNoPriv. + + Using the pysnmp documentation: + http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html + + Please update your code to use more secure versions of SNMP. For example: + + Instead of: + `CommunityData('public', mpModel=0)` + + Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol + `UsmUserData("securityName","authName","privName")` + """ if context.call_function_name_qual == 'CommunityData': # We called community data. Lets check our args if context.check_call_arg_value("mpModel", 0) or \ 
@@ -55,8 +56,27 @@ def snmp_insecure_version_check(context): @test.checks("Call") -@test.test_id('B508') +@test.test_id('B509') def snmp_crypto_check(context): + r""" + ----------------------------- + B509: snmp_weak_cryptography + ----------------------------- + + This test is for checking for the usage of insecure SNMP cryptography such as: + v3 using noAuthNoPriv. + + Using the pysnmp documentation: + http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html + + Please update your code to use more secure versions of SNMP. For example: + + Instead of: + `CommunityData('public', mpModel=0)` + + Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol + `UsmUserData("securityName","authName","privName")` + """ if context.call_function_name_qual == 'UsmUserData': if context.call_args_count == 1 or context.call_args_count == 1: return bandit.Issue( diff --git a/doc/source/plugins/b508_snmp_security_check.rst b/doc/source/plugins/b508_snmp_insecure_version.rst similarity index 58% rename from doc/source/plugins/b508_snmp_security_check.rst rename to doc/source/plugins/b508_snmp_insecure_version.rst index 8abcca3db..5e171ec18 100644 --- a/doc/source/plugins/b508_snmp_security_check.rst +++ b/doc/source/plugins/b508_snmp_insecure_version.rst @@ -1,5 +1,8 @@ ----------------------------- -B508: snmp_security_check +B508: snmp_weak_cryptography ----------------------------- .. automodule:: bandit.plugins.snmp_security_check + +.. autofunction:: snmp_crypto_check + :noindex: \ No newline at end of file diff --git a/doc/source/plugins/b508_snmp_weak_cryptography.rst b/doc/source/plugins/b508_snmp_weak_cryptography.rst new file mode 100644 index 000000000..bd776358a --- /dev/null +++ b/doc/source/plugins/b508_snmp_weak_cryptography.rst 
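Review bot: The B509 docstring added here is copied from B508: its "Instead of" example `CommunityData('public', mpModel=0)` is a v1 community call that this test never examines, while the call B509 actually reports, `UsmUserData("securityName")`, is not shown. The recommended replacement is also described by the docstring's own words as defaulting to usmHMACMD5AuthProtocol and usmDESPrivProtocol, so a test named snmp_weak_cryptography is steering readers toward MD5 and DES; the example should pass explicit `authProtocol=` and `privProtocol=` keywords (pysnmp's SHA and AES constants) and the text should say that the defaults are the reason. The `if context.call_args_count == 1 or context.call_args_count == 1:` condition at the end of the hunk is a duplicated operand, and the function body continues outside the hunk.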
@@ -0,0 +1,8 @@ +----------------------------- +B508: snmp_insecure_version +----------------------------- + +.. automodule:: bandit.plugins.snmp_security_check + +.. autofunction:: snmp_insecure_version_check + :noindex: \ No newline at end of file diff --git a/setup.cfg b/setup.cfg index bec9b9925..174f77b34 100644 --- a/setup.cfg +++ b/setup.cfg @@ -122,8 +122,8 @@ bandit.plugins = ssh_no_host_key_verification = bandit.plugins.ssh_no_host_key_verification:ssh_no_host_key_verification # bandit/plugins/snmp_security_check.py - snmp_insecure_version_check = bandit.plugins.snmp_security_check:snmp_insecure_version_check - snmp_weak_cryptography_used = bandit.plugins.snmp_security_check:snmp_crypto_check + snmp_insecure_version = bandit.plugins.snmp_security_check:snmp_insecure_version_check + snmp_weak_cryptography = bandit.plugins.snmp_security_check:snmp_crypto_check [build_sphinx] all_files = 1 From 68e589a86e764e9a6b827fd89d5b67b2eb36e0dc Mon Sep 17 00:00:00 2001 From: Jed Giblin Date: Thu, 11 Oct 2018 09:38:46 -0400 Subject: [PATCH 03/23] Updates for linter --- bandit/plugins/snmp_security_check.py | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/bandit/plugins/snmp_security_check.py b/bandit/plugins/snmp_security_check.py index 8197f0093..2ac7d9d82 100644 --- a/bandit/plugins/snmp_security_check.py +++ b/bandit/plugins/snmp_security_check.py @@ -13,9 +13,6 @@ # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. - - - import bandit from bandit.core import test_properties as test 
@@ -23,25 +20,21 @@ @test.checks("Call") @test.test_id('B508') def snmp_insecure_version_check(context): - r""" + """Checking for insecure SNMP versions + ----------------------------- B508: snmp_insecure_version ----------------------------- - This test is for checking for the usage of insecure SNMP version such as: - v1, v2c and v3 using noAuthNoPriv. + This test is for checking for the usage of insecure SNMP version like + v1, v2c Using the pysnmp documentation: http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html - Please update your code to use more secure versions of SNMP. For example: - - Instead of: - `CommunityData('public', mpModel=0)` - - Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol - `UsmUserData("securityName","authName","privName")` + Please update your code to use more secure versions of SNMP. """ + if context.call_function_name_qual == 'CommunityData': # We called community data. Lets check our args if context.check_call_arg_value("mpModel", 0) or \ @@ -58,12 +51,14 @@ def snmp_insecure_version_check(context): @test.checks("Call") @test.test_id('B509') def snmp_crypto_check(context): - r""" + + """Checking for weak cryptography + ----------------------------- B509: snmp_weak_cryptography ----------------------------- - This test is for checking for the usage of insecure SNMP cryptography such as: + This test is for checking for the usage of insecure SNMP cryptography: v3 using noAuthNoPriv. Using the pysnmp documentation: @@ -77,6 +72,7 @@ def snmp_crypto_check(context): Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol `UsmUserData("securityName","authName","privName")` """ + if context.call_function_name_qual == 'UsmUserData': if context.call_args_count == 1 or context.call_args_count == 1: return bandit.Issue( From 8dd44c5e0deb7fa13d2a62a62d2417b311706498 Mon Sep 17 00:00:00 2001 
From: Jed Giblin Date: Wed, 17 Oct 2018 09:27:47 -0400 Subject: [PATCH 04/23] Fixed style errors and added authNoPriv as a failure --- bandit/plugins/snmp_security_check.py | 30 ++++++++++++--------------- examples/snmp.py | 2 ++ 2 files changed, 15 insertions(+), 17 deletions(-) diff --git a/bandit/plugins/snmp_security_check.py b/bandit/plugins/snmp_security_check.py index 2ac7d9d82..5980a85cd 100644 --- a/bandit/plugins/snmp_security_check.py +++ b/bandit/plugins/snmp_security_check.py @@ -20,11 +20,7 @@ @test.checks("Call") @test.test_id('B508') def snmp_insecure_version_check(context): - """Checking for insecure SNMP versions - - ----------------------------- - B508: snmp_insecure_version - ----------------------------- + """**B508: Checking for insecure SNMP versions** This test is for checking for the usage of insecure SNMP version like v1, v2c @@ -33,15 +29,17 @@ def snmp_insecure_version_check(context): http://snmplabs.com/pysnmp/examples/hlapi/asyncore/sync/manager/cmdgen/snmp-versions.html Please update your code to use more secure versions of SNMP. + + .. versionadded:: 1.5.2 """ if context.call_function_name_qual == 'CommunityData': # We called community data. Lets check our args - if context.check_call_arg_value("mpModel", 0) or \ - context.check_call_arg_value("mpModel", 1): + if (context.check_call_arg_value("mpModel", 0) or + context.check_call_arg_value("mpModel", 1)): return bandit.Issue( severity=bandit.MEDIUM, - confidence=bandit.MEDIUM, + confidence=bandit.HIGH, text="The use of SNMPv1 and SNMPv2 is insecure. " "You should use SNMPv3 if able.", lineno=context.get_lineno_for_call_arg("CommunityData"), 
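Review bot: Raising confidence to HIGH is defensible given what `CommunityData` is — a community-string credential exists only for v1 and v2c — but the surrounding `mpModel` filter then undercuts it: only an explicit `mpModel=0` or `mpModel=1` is reported, and `CommunityData('public')` with the keyword omitted (pysnmp defaults it to v2c, worth confirming against the version in use) passes silently. Since, as far as I know, no `mpModel` value turns a `CommunityData` call into SNMPv3, the inner condition can be dropped so every `CommunityData` call is reported, or at minimum an absent `mpModel` should count as a hit. `lineno=context.get_lineno_for_call_arg("CommunityData")` on the hunk's last line looks up a keyword argument named `CommunityData`, which no call has; `lineno=context.node.lineno` is the intended value. The function continues past the end of the hunk.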
@@ -52,11 +50,7 @@ def snmp_insecure_version_check(context): @test.test_id('B509') def snmp_crypto_check(context): - """Checking for weak cryptography - - ----------------------------- - B509: snmp_weak_cryptography - ----------------------------- + """**B509: Checking for weak cryptography** This test is for checking for the usage of insecure SNMP cryptography: v3 using noAuthNoPriv. @@ -70,15 +64,17 @@ def snmp_crypto_check(context): `CommunityData('public', mpModel=0)` Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol - `UsmUserData("securityName","authName","privName")` + `UsmUserData("securityName", "authName", "privName")` + + .. versionadded:: 1.5.2 """ if context.call_function_name_qual == 'UsmUserData': - if context.call_args_count == 1 or context.call_args_count == 1: + if context.call_args_count < 3: return bandit.Issue( severity=bandit.MEDIUM, - confidence=bandit.MEDIUM, + confidence=bandit.HIGH, text="You should not use SNMPv3 without encryption. " - "noAuthNoPriv is an insecure method of transport.", + "noAuthNoPriv & authNoPriv is insecure", lineno=context.get_lineno_for_call_arg("UsmUserData"), ) diff --git a/examples/snmp.py b/examples/snmp.py index 5a74314c1..6f0e0825b 100644 --- a/examples/snmp.py +++ b/examples/snmp.py @@ -5,5 +5,7 @@ a = CommunityData('public', mpModel=0) # SHOULD FAIL insecure = UsmUserData("securityName") +# SHOULD FAIL +auth_no_priv = UsmUserData("securityName","authName") # SHOULD PASS less_insecure = UsmUserData("securityName","authName","privName") \ No newline at end of file From 72aba32bea4994beaae05f9770fe310991daab66 Mon Sep 17 00:00:00 2001 From: Jed Giblin Date: Wed, 17 Oct 2018 09:29:41 -0400 Subject: [PATCH 05/23] removed trailing -- --- doc/source/plugins/b508_snmp_weak_cryptography.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/source/plugins/b508_snmp_weak_cryptography.rst b/doc/source/plugins/b508_snmp_weak_cryptography.rst index bd776358a..51cea5ec4 100644 
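Review bot: `context.call_args_count < 3` is, if it counts only the node's positional arguments as I believe it does, the wrong test for authNoPriv: `UsmUserData("securityName", authKey="a", privKey="p")`, the keyword form pysnmp documents, has one positional argument and is reported as unencrypted, which is the false positive most likely to make users disable B509. Check the keys by name as well, e.g. `present = {kw.arg for kw in context.node.keywords}` followed by `if context.call_args_count < 3 and "privKey" not in present:`. The new message `"noAuthNoPriv & authNoPriv is insecure"` also merges two distinct modes into one ungrammatical clause; `"noAuthNoPriv and authNoPriv are insecure; supply both authKey and privKey."` reads better. The `get_lineno_for_call_arg("UsmUserData")` on the last line looks up a keyword argument that cannot exist and should be `context.node.lineno`.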
--- a/doc/source/plugins/b508_snmp_weak_cryptography.rst +++ b/doc/source/plugins/b508_snmp_weak_cryptography.rst @@ -1,6 +1,6 @@ ------------------------------ +--------------------------- B508: snmp_insecure_version ------------------------------ +--------------------------- .. automodule:: bandit.plugins.snmp_security_check From c5b5458a33ea1e9ea804de0933a4aee96054dd41 Mon Sep 17 00:00:00 2001 From: Jed Giblin Date: Wed, 17 Oct 2018 09:31:00 -0400 Subject: [PATCH 06/23] more lint changes --- doc/source/plugins/b508_snmp_insecure_version.rst | 4 ++-- examples/snmp.py | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/doc/source/plugins/b508_snmp_insecure_version.rst b/doc/source/plugins/b508_snmp_insecure_version.rst index 5e171ec18..4e25b3e6a 100644 --- a/doc/source/plugins/b508_snmp_insecure_version.rst +++ b/doc/source/plugins/b508_snmp_insecure_version.rst @@ -1,6 +1,6 @@ ------------------------------ +---------------------------- B508: snmp_weak_cryptography ------------------------------ +---------------------------- .. automodule:: bandit.plugins.snmp_security_check diff --git a/examples/snmp.py b/examples/snmp.py index 6f0e0825b..65d64212c 100644 --- a/examples/snmp.py +++ b/examples/snmp.py @@ -1,5 +1,4 @@ -from pysnmp.hlapi import UsmUserData -from pysnmp.hlapi import CommunityData +from pysnmp.hlapi import CommunityData, UsmUserData # SHOULD FAIL a = CommunityData('public', mpModel=0) From e2861145b86d1244ce76898dd86807f00ec45142 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:30:13 -0800 Subject: [PATCH 07/23] Update README.rst --- README.rst | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.rst b/README.rst index 5ff4d9504..616808d6a 100644 --- a/README.rst +++ b/README.rst 
@@ -243,8 +243,6 @@ Usage:: B505 weak_cryptographic_key B506 yaml_load B507 ssh_no_host_key_verification - B508 snmp_insecure_version - B509 snmp_weak_cryptography B601 paramiko_calls B602 subprocess_popen_with_shell_equals_true B603 subprocess_without_shell_equals_true From 8f2e0790a07a5ef027c0ac2c712a2e40d73f6b8b Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:31:55 -0800 Subject: [PATCH 08/23] Update snmp_security_check.py --- bandit/plugins/snmp_security_check.py | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/bandit/plugins/snmp_security_check.py b/bandit/plugins/snmp_security_check.py index 5980a85cd..50547df57 100644 --- a/bandit/plugins/snmp_security_check.py +++ b/bandit/plugins/snmp_security_check.py @@ -1,18 +1,7 @@ -# -*- coding:utf-8 -*- # # Copyright (c) 2018 SolarWinds, Inc. # -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. You may obtain -# a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. +# SPDX-License-Identifier: Apache-2.0 import bandit from bandit.core import test_properties as test From ebf9e5adacf116d620426b0d0fad5f098e0a972e Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:32:50 -0800 Subject: [PATCH 09/23] Update bandit/plugins/snmp_security_check.py --- bandit/plugins/snmp_security_check.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/plugins/snmp_security_check.py b/bandit/plugins/snmp_security_check.py index 50547df57..af0ecb901 100644 --- a/bandit/plugins/snmp_security_check.py 
+++ b/bandit/plugins/snmp_security_check.py @@ -19,7 +19,7 @@ def snmp_insecure_version_check(context): Please update your code to use more secure versions of SNMP. - .. versionadded:: 1.5.2 + .. versionadded:: 1.7.2 """ if context.call_function_name_qual == 'CommunityData': From 1f5d8338caa8758c8022dd2225fd8792e26beb46 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:33:18 -0800 Subject: [PATCH 10/23] Update bandit/plugins/snmp_security_check.py --- bandit/plugins/snmp_security_check.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bandit/plugins/snmp_security_check.py b/bandit/plugins/snmp_security_check.py index af0ecb901..35dbf0a50 100644 --- a/bandit/plugins/snmp_security_check.py +++ b/bandit/plugins/snmp_security_check.py @@ -55,7 +55,7 @@ def snmp_crypto_check(context): Use (Defaults to usmHMACMD5AuthProtocol and usmDESPrivProtocol `UsmUserData("securityName", "authName", "privName")` - .. versionadded:: 1.5.2 + .. versionadded:: 1.7.2 """ if context.call_function_name_qual == 'UsmUserData': From 489deeeb1172157dd20cca2e8162552ed58abb87 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:33:39 -0800 Subject: [PATCH 11/23] Update bandit/plugins/snmp_security_check.py --- bandit/plugins/snmp_security_check.py | 1 - 1 file changed, 1 deletion(-) diff --git a/bandit/plugins/snmp_security_check.py b/bandit/plugins/snmp_security_check.py index 35dbf0a50..585e8a107 100644 --- a/bandit/plugins/snmp_security_check.py +++ b/bandit/plugins/snmp_security_check.py @@ -38,7 +38,6 @@ def snmp_insecure_version_check(context): @test.checks("Call") @test.test_id('B509') def snmp_crypto_check(context): - """**B509: Checking for weak cryptography** This test is for checking for the usage of insecure SNMP cryptography: From 371601f6e3de22ce0f24f2f0f1676d9a5058c305 Mon Sep 17 00:00:00 2001 
From: Eric Brown Date: Mon, 24 Jan 2022 21:34:01 -0800 Subject: [PATCH 12/23] Update examples/snmp.py --- examples/snmp.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/snmp.py b/examples/snmp.py index 65d64212c..a24a90b9b 100644 --- a/examples/snmp.py +++ b/examples/snmp.py @@ -7,4 +7,4 @@ # SHOULD FAIL auth_no_priv = UsmUserData("securityName","authName") # SHOULD PASS -less_insecure = UsmUserData("securityName","authName","privName") \ No newline at end of file +less_insecure = UsmUserData("securityName","authName","privName") From 6eb2af90d56ccfbc75aa54335018cb269f3554d2 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:34:42 -0800 Subject: [PATCH 13/23] Update doc/source/plugins/b508_snmp_insecure_version.rst --- doc/source/plugins/b508_snmp_insecure_version.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/plugins/b508_snmp_insecure_version.rst b/doc/source/plugins/b508_snmp_insecure_version.rst index 4e25b3e6a..5c589b668 100644 --- a/doc/source/plugins/b508_snmp_insecure_version.rst +++ b/doc/source/plugins/b508_snmp_insecure_version.rst @@ -2,7 +2,7 @@ B508: snmp_weak_cryptography ---------------------------- -.. automodule:: bandit.plugins.snmp_security_check +.. currentmodule:: bandit.plugins.snmp_security_check .. autofunction:: snmp_crypto_check :noindex: \ No newline at end of file From 78c34645e2b4f50edea0fdf5d9486fd47a0763ef Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:34:48 -0800 Subject: [PATCH 14/23] Update doc/source/plugins/b508_snmp_weak_cryptography.rst --- doc/source/plugins/b508_snmp_weak_cryptography.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/plugins/b508_snmp_weak_cryptography.rst b/doc/source/plugins/b508_snmp_weak_cryptography.rst index 51cea5ec4..e3bf6afa3 100644 --- a/doc/source/plugins/b508_snmp_weak_cryptography.rst +++ b/doc/source/plugins/b508_snmp_weak_cryptography.rst 
@@ -2,7 +2,7 @@ B508: snmp_insecure_version --------------------------- -.. automodule:: bandit.plugins.snmp_security_check +.. currentmodule:: bandit.plugins.snmp_security_check .. autofunction:: snmp_insecure_version_check :noindex: \ No newline at end of file From ae02ab30c9bbaf3ea22a78f343e61a437f251680 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:39:40 -0800 Subject: [PATCH 15/23] Update doc/source/plugins/b508_snmp_weak_cryptography.rst --- doc/source/plugins/b508_snmp_weak_cryptography.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/plugins/b508_snmp_weak_cryptography.rst b/doc/source/plugins/b508_snmp_weak_cryptography.rst index e3bf6afa3..165480d6d 100644 --- a/doc/source/plugins/b508_snmp_weak_cryptography.rst +++ b/doc/source/plugins/b508_snmp_weak_cryptography.rst @@ -4,5 +4,5 @@ B508: snmp_insecure_version .. currentmodule:: bandit.plugins.snmp_security_check -.. autofunction:: snmp_insecure_version_check +.. autofunction:: snmp_crypto_check :noindex: \ No newline at end of file From 2ebf402e0ff3841e98114fb44d9a2e44f7ecee2f Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:39:50 -0800 Subject: [PATCH 16/23] Update doc/source/plugins/b508_snmp_insecure_version.rst --- doc/source/plugins/b508_snmp_insecure_version.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/plugins/b508_snmp_insecure_version.rst b/doc/source/plugins/b508_snmp_insecure_version.rst index 5c589b668..e1f13e00c 100644 --- a/doc/source/plugins/b508_snmp_insecure_version.rst +++ b/doc/source/plugins/b508_snmp_insecure_version.rst @@ -1,5 +1,5 @@ ---------------------------- -B508: snmp_weak_cryptography +B508: snmp_insecure_version ---------------------------- .. currentmodule:: bandit.plugins.snmp_security_check From b053aae90b2a74a7360363565a1624dbb924d2c6 Mon Sep 17 00:00:00 2001 
From: Eric Brown Date: Mon, 24 Jan 2022 21:40:01 -0800 Subject: [PATCH 17/23] Update doc/source/plugins/b508_snmp_insecure_version.rst --- doc/source/plugins/b508_snmp_insecure_version.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/plugins/b508_snmp_insecure_version.rst b/doc/source/plugins/b508_snmp_insecure_version.rst index e1f13e00c..655d8e7ce 100644 --- a/doc/source/plugins/b508_snmp_insecure_version.rst +++ b/doc/source/plugins/b508_snmp_insecure_version.rst @@ -4,5 +4,5 @@ B508: snmp_insecure_version .. currentmodule:: bandit.plugins.snmp_security_check -.. autofunction:: snmp_crypto_check +.. autofunction:: snmp_insecure_version_check :noindex: \ No newline at end of file From 28c6238f97a93811ccb30b1ce15e69310dbfcfdb Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:40:08 -0800 Subject: [PATCH 18/23] Update doc/source/plugins/b508_snmp_weak_cryptography.rst --- doc/source/plugins/b508_snmp_weak_cryptography.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/plugins/b508_snmp_weak_cryptography.rst b/doc/source/plugins/b508_snmp_weak_cryptography.rst index 165480d6d..9e50867a3 100644 --- a/doc/source/plugins/b508_snmp_weak_cryptography.rst +++ b/doc/source/plugins/b508_snmp_weak_cryptography.rst @@ -1,5 +1,5 @@ --------------------------- -B508: snmp_insecure_version +B509: snmp_weak_cryptography --------------------------- .. currentmodule:: bandit.plugins.snmp_security_check From 178b344faca817182d6fd089e1ebaa6e82ab3db2 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:41:33 -0800 Subject: [PATCH 19/23] Update doc/source/plugins/b508_snmp_insecure_version.rst --- doc/source/plugins/b508_snmp_insecure_version.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/plugins/b508_snmp_insecure_version.rst b/doc/source/plugins/b508_snmp_insecure_version.rst index 655d8e7ce..7221a7c8d 100644 
--- a/doc/source/plugins/b508_snmp_insecure_version.rst +++ b/doc/source/plugins/b508_snmp_insecure_version.rst @@ -1,6 +1,6 @@ ---------------------------- B508: snmp_insecure_version ----------------------------- +--------------------------- .. currentmodule:: bandit.plugins.snmp_security_check From 83b849bc624af466e55170a376fa6ce2cd7ba355 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:41:38 -0800 Subject: [PATCH 20/23] Update doc/source/plugins/b508_snmp_insecure_version.rst --- doc/source/plugins/b508_snmp_insecure_version.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/plugins/b508_snmp_insecure_version.rst b/doc/source/plugins/b508_snmp_insecure_version.rst index 7221a7c8d..e3bf6afa3 100644 --- a/doc/source/plugins/b508_snmp_insecure_version.rst +++ b/doc/source/plugins/b508_snmp_insecure_version.rst @@ -1,4 +1,4 @@ ----------------------------- +--------------------------- B508: snmp_insecure_version --------------------------- From a05f45550765cda3d8a8c7c6f7adc7fb0af6261e Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:42:20 -0800 Subject: [PATCH 21/23] Update b508_snmp_weak_cryptography.rst --- doc/source/plugins/b508_snmp_weak_cryptography.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/source/plugins/b508_snmp_weak_cryptography.rst b/doc/source/plugins/b508_snmp_weak_cryptography.rst index 9e50867a3..2c838d474 100644 --- a/doc/source/plugins/b508_snmp_weak_cryptography.rst +++ b/doc/source/plugins/b508_snmp_weak_cryptography.rst @@ -1,8 +1,8 @@ ---------------------------- +---------------------------- B509: snmp_weak_cryptography ---------------------------- +---------------------------- .. currentmodule:: bandit.plugins.snmp_security_check .. autofunction:: snmp_crypto_check - :noindex: \ No newline at end of file + :noindex: From 6eca8310dbdd74e004824283fd08edfaa76ba06e Mon Sep 17 00:00:00 2001 
From: Eric Brown Date: Mon, 24 Jan 2022 21:47:28 -0800 Subject: [PATCH 22/23] Update snmp_security_check.py --- bandit/plugins/snmp_security_check.py | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/bandit/plugins/snmp_security_check.py b/bandit/plugins/snmp_security_check.py index 585e8a107..3135b48c0 100644 --- a/bandit/plugins/snmp_security_check.py +++ b/bandit/plugins/snmp_security_check.py @@ -7,7 +7,7 @@ @test.checks("Call") -@test.test_id('B508') +@test.test_id("B508") def snmp_insecure_version_check(context): """**B508: Checking for insecure SNMP versions** @@ -22,21 +22,22 @@ def snmp_insecure_version_check(context): .. versionadded:: 1.7.2 """ - if context.call_function_name_qual == 'CommunityData': + if context.call_function_name_qual == "CommunityData": # We called community data. Lets check our args - if (context.check_call_arg_value("mpModel", 0) or - context.check_call_arg_value("mpModel", 1)): + if (context.check_call_arg_value( + "mpModel", 0 + ) or context.check_call_arg_value("mpModel", 1)): return bandit.Issue( severity=bandit.MEDIUM, confidence=bandit.HIGH, text="The use of SNMPv1 and SNMPv2 is insecure. " - "You should use SNMPv3 if able.", + "You should use SNMPv3 if able.", lineno=context.get_lineno_for_call_arg("CommunityData"), ) @test.checks("Call") -@test.test_id('B509') +@test.test_id("B509") def snmp_crypto_check(context): """**B509: Checking for weak cryptography** @@ -57,12 +58,12 @@ def snmp_crypto_check(context): .. versionadded:: 1.7.2 """ - if context.call_function_name_qual == 'UsmUserData': + if context.call_function_name_qual == "UsmUserData": if context.call_args_count < 3: return bandit.Issue( severity=bandit.MEDIUM, confidence=bandit.HIGH, text="You should not use SNMPv3 without encryption. " - "noAuthNoPriv & authNoPriv is insecure", + "noAuthNoPriv & authNoPriv is insecure", lineno=context.get_lineno_for_call_arg("UsmUserData"), ) 
From b530a438878909d486b57ad82004a7031ecb8832 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Mon, 24 Jan 2022 21:49:27 -0800 Subject: [PATCH 23/23] Update snmp_security_check.py --- bandit/plugins/snmp_security_check.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bandit/plugins/snmp_security_check.py b/bandit/plugins/snmp_security_check.py index 3135b48c0..02308bd81 100644 --- a/bandit/plugins/snmp_security_check.py +++ b/bandit/plugins/snmp_security_check.py @@ -24,9 +24,9 @@ def snmp_insecure_version_check(context): if context.call_function_name_qual == "CommunityData": # We called community data. Lets check our args - if (context.check_call_arg_value( + if context.check_call_arg_value( "mpModel", 0 - ) or context.check_call_arg_value("mpModel", 1)): + ) or context.check_call_arg_value("mpModel", 1): return bandit.Issue( severity=bandit.MEDIUM, confidence=bandit.HIGH,