
Improve detection of "nosec" clause #513

Closed
wants to merge 18 commits into from

Conversation

ehooo
Contributor

@ehooo ehooo commented Jul 8, 2019

Related to issue #490 and the implementation of #383, I made an improvement for most cases (code without nosec comments) that improves the performance by around 45%.

Bandit 1.6.2 now 11.666704
Bandit with changes 5.396222
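The speed-up described above comes from skipping the expensive per-file scan whenever a file cannot contain a nosec comment at all. What follows is an added illustration, not the pull request's own code and not Bandit's implementation: a cheap substring check serves as the fast path, and the tokenizer runs only for files that mention nosec, so that the marker inside a string literal never suppresses a finding. The function name find_nosec_lines and the sample sources are constructed for this example.

```python
"""Fast-path detection of '# nosec' suppression comments (illustration only)."""
import io
import tokenize

# Raw marker searched in the file bytes before any tokenizing happens.
NOSEC_MARKER = b"nosec"


def find_nosec_lines(source: bytes) -> set:
    """Return the 1-based line numbers that carry a '# nosec' comment.

    ``source`` is the raw file content as bytes, so the check does not
    depend on the file's declared encoding (py2/py3 byte-vs-str issues).
    """
    # Fast path: most files never mention nosec, so one substring scan
    # lets them skip the full tokenizer pass entirely.
    if NOSEC_MARKER not in source:
        return set()

    lines = set()
    try:
        for tok in tokenize.tokenize(io.BytesIO(source).readline):
            # Only COMMENT tokens count: "nosec" inside a string literal
            # or identifier must not silence a finding on that line.
            if tok.type == tokenize.COMMENT and (
                "#nosec" in tok.string or "# nosec" in tok.string
            ):
                lines.add(tok.start[0])
    except (tokenize.TokenError, SyntaxError):
        # Unparseable source: treat as "no suppressions" instead of
        # crashing; the AST stage is the place to report the syntax error.
        pass
    return lines


# Constructed sample: line 2 and line 4 are suppressed, line 3 is a
# string literal that merely contains the word and must be ignored.
SAMPLE = b"""import subprocess
subprocess.call(cmd, shell=True)  # nosec
password = "do not nosec this"
x = 1 #nosec
"""

# Constructed sample without the marker: takes the fast path.
CLEAN = b"print('hello')\n"

if __name__ == "__main__":
    print(find_nosec_lines(SAMPLE), find_nosec_lines(CLEAN))
```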

@lukehinds
Member

@ehooo , the change looks good to me. Any chance you could squash the 15 commits down into 1?

@ehooo
Contributor Author

ehooo commented Feb 9, 2020

Hi @lukehinds, I'm trying to do it but I always break the git :(
Unfortunately my git experience is not enough. I gave you access to my repository; however, if you could show me how to do it I could try it.
Regards

@lukehinds
Member

Sorry for the late reply @ehooo

See:

https://github.com/keylime/keylime/blob/master/CONTRIBUTORS.md#squash-commits

You should be able to do this:

git rebase -i HEAD~15

Leave the last commit as pick and change the others to squash

Another option is to make a new pull request and I can close this one (just tag me on the new pull request).

victor_torre and others added 3 commits February 27, 2020 22:05
Add missing custom formatter doc (#406) (#421)

* Add missing custom formatter doc (#406)

* Add custom.rst to docs source
* Fix custom formatter docstring

Fix terminal colors not displaying properly on Windows

Fix sql injection check for f-strings

* [Fix for #427]
- added check for f-string sql injection
- added test

* [flake8]
- fix flake8 issues

* [review-items]
- move sys import
- change version -> version_info. This wasn't doing the right thing before.
- check for versions below 3.6 first, all versions greater check for f strings

* [feedback]
- be more sensible about versions

Bump PyYAML minimum version to 3.13 (#432)

The minimum version for Python 3.7 to work with PyYAML is 3.13.

See:
yaml/pyyaml#126

Fixes: #409

Signed-off-by: Eric Brown <browne@vmware.com>

Remove paramiko invoke_shell and fix example (#377)

Paramiko's invoke_shell function does not take a command argument
even though the Bandit example implied that. It simply opens a stream
for communicating with a shell. Therefore, it should not be flagged
as part of the Bandit scan.

The current example of paramiko command injection does not properly
create an instance of the SSHClient before calling the functions
on the client. Instead it's calling the functions statically which
is not proper syntax.

This patches updates the plugin and example. Bandit, however, is
still functioning properly to detect the improper use of exec_command().

Fixes Issue #375

Signed-off-by: Eric Brown <browne@vmware.com>

Supporting CSafeLoader in yaml.load plugin (#436)

* supporting CSafeLoader in yaml.load plugin
* pylint
* adding tests

Add a readthedocs build status badge

Fix DeprecationWarning: invalid escape sequence

Signed-off-by: Mickaël Schoentgen <contact@tiger-222.fr>

Fix ResourceWarning: unclosed file

Signed-off-by: Mickaël Schoentgen <contact@tiger-222.fr>

check if ast.JoinedStr exists before using it

ast.JoinedStr is new in Python 3.6 (it's f-strings); it does not exist in Python versions below that

Fix typo in README

Fix context class (#449)

* fix bugs
* improve _context access
* change _ast to ast
* fix typo

Update python documentation links for version 3 counterparts

The Python 2 links are kept where they make sense.

Revert "Update python documentation links for version 3 counterparts"

Redo logo on the README

The current logo looks a little odd having a graphic with the text
underneath.  I think it will look a little nicer and cleaner by
moving the text to the right side of the graphic.

Signed-off-by: Eric Brown <browne@vmware.com>

Interpret wildcards in the file exclusion list (#450)

This allows specifying wildcards in the excluded files list, which in
turn makes it possible to use Bandit in projects where test files are
not in a separate repository, but just have a name prefixed with test_
(as is common with Pytest).

* bandit.core.manager: reuse _matches_glob_list for exclusion list
* fix pep8: remove superfluous blank line
* update documentation: -x accepts glob patterns
* add failing test showing that exclude file globs are not supported

updated readme links for debugger

old links were dead

Remove pycryptodome blacklist (#470)

* Remove pycryptodome from import blacklist

pycryptodome appears to be actively maintained, as opposed to pycrypto.

Unless there is a noted security issue with not using it, this removes
the blanket blacklist on the library. Any insecure hashes/ciphers/etc.
that the library provides will still be reported as per other libraries.

* [functional-tests]
- repurpose blacklist test to verify that pycryptodome is no longer blacklisted

* - fix flake8 line too long

* [flake8]
- misunderstood what flake8 was complaining about.

add namespaces for parent attributes (#492)

* add namespaces for parent attributes

* pylint formatting changes

* made bandit_parent a private attr

add test for regression and fix directory exclusion without wildcards (#489)

* add test for regression and fix directory exclusion without wildcards
* fix pep8 errors
* add support for directory exclusion without trailing slashes
* extend exclusion test for backwards compat with 1.5.1 and add fix
* fix pep8 errors
* fix styling
* fix styling
* fix styling

Performance fix (#502)

* Fix #490 -- Fix performance issue introduced in 1.6.0

The lines were introduced in 7c4b9fa
and have two effects. First they cause `get_issue_list` to run twice and before
the user receives feedback that bandit started running. Secondly it does not
display any output if no issues are found, which is an unintended behavior change.

* add namespaces for parent attributes

* pylint formatting changes

* made bandit_parent a private attr

* temporary fix; perf issue only on quiet

* update perf issue

Replace setattr (#493)

* add namespaces for parent attributes

* pylint formatting changes

* made bandit_parent a private attr

* updated setattr and multiple isinstance calls

Fix 3.8 errors (#509)

* add namespaces for parent attributes

* pylint formatting changes

* made bandit_parent a private attr

* remove _ast

* take 38 out of the pipeline failures

* add visit_Constant

* remove the nonexistent functions

* add pytest_cache to the ignore

* flake8 errors

* add data back to travis

Improve nosec search

Fix byte issue

Fix py3 issue

Fix py3 issue

Fix pep8

get_url returns different urls calling twice (bug #506) (#507)

* Fix bug #506
- Test included

* Fix pep8

* Fix pep8

* Fix pep8

* Fix test

* fix typos

* fix PR comments

fix B603 docstring

--exit-zero option (#510)

* --exit-zero option

* add missing readme entries

* updated man source page

* rephrased the man explanation

* used the wording from the help_text

fix the documentation file README.rst on Vulnerability Tests and Extending Bandit

Cleanup comments after #510

Update test requirements to latest versions

* Updated each test requirement to latest
* Removed oslotest since this is an openstack thing
* Bumped pylint to just 1.9.4 because that's the latest py2 and py3
  compatible version

Remove obsolete "sudo" keyword.

cf. https://blog.travis-ci.com/2018-11-19-required-linux-infrastructure-migration

modified:   .travis.yml

Remove unused bindep.txt file

This is another file leftover from the OpenStack ecosystem. No
need for it now.

Signed-off-by: Eric Brown <browne@vmware.com>

Revert "Revert "Update python documentation links for version 3 counterparts"" (#540)

* Revert "Revert "Update python documentation links for version 3 counterparts""

This reverts commit 54d75a7.

* Update main.py

Add several ini options for .bandit file (#508)

* Add several ini options for .bandit file

If Bandit actually supports an ini file why not use it for (almost) all the available CLI options?!

* Typo

* Pass flake8 test

add type checking (#516)

Add more missing ini options

Added the following missing ini options:

* msg-template - necessary if output is a parameter
* verbose
* ignore-nosec
* baseline

Related to PR #508

Signed-off-by: Eric Brown <browne@vmware.com>

Add shelve to the pickle blacklists

shelve is a stdlib module that wraps pickle in a dict-like interface.

Fix readme file on Extending Bandit on list things (#534)

* fix the documentation file README.rst and corrects Lists of things on Extending Bandit

* fix of the changes

Add official support of Python 3.8

Now that Python 3.8 is released and Bandit is fully tested against
it, we can officially claim support of it.

https://www.python.org/downloads/release/python-380/

Signed-off-by: Eric Brown <browne@vmware.com>

update README to add info about badge (#482)

Fix docs for B610,B611,B703 (#555)

* Fix docs for B610,B611,B703

* Address flake8 notice by adding blank line

* Fix long lines

Use SPDX license identifier instead of bulky headers (#530)

* Use SPDX license identifier instead of bulky headers

There exists a nice, consistent way to denote licenses in source
files. It's called SPDX and further information is here [1].

This commit migrates the bulky apache-2 license headers with the
SPDX short identifier equivalent.

[1] https://spdx.org/ids-how

Signed-off-by: Eric Brown <browne@vmware.com>

* Update test-requirements.txt

Add a section explaining "nosec" (#554)

* Add a section explaining "nosec"

References #553

* Remove duplicated "in your code"

replace 'then' with 'than'

Signed-off-by: Pablo Woolvett <pablo.wooveltt@iconstruye.onmicrosoft.com>

Add sha1 to the list of insecure hashes

The hashlib.new test plugin was only checking for MD4 and MD5.
This patch extends the list of insecure hashes to include SHA1,
which has known exploits.

Fixes #560

Signed-off-by: Eric Brown <browne@vmware.com>

Use GitHub Actions to run CI (#565)

* Use GitHub Actions to run CI

This change utilizes GitHub Actions to run the CI for our unit tests instead of the current Travis-CI.

* Delete .travis.yml

Ignore common directories by default

This fix follows the example of flake8 in that it sets a default
list of common directories and filename patterns to exclude.

Fixes #543

Signed-off-by: Eric Brown <browne@vmware.com>

Register Actions for push and pull_request events

It appears that Actions are not triggered for all pull requests.
I suspect the Actions need to register for event push and pull_request
in order to run CI on commits.

Signed-off-by: Eric Brown <browne@vmware.com>

@ehooo
Contributor Author

ehooo commented Feb 27, 2020

Hi @lukehinds, I just created this one: #577

@ehooo ehooo closed this Feb 27, 2020

3 participants