From cb7ca4ea764f0620ffb8812b16ec5185aa3cdb51 Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Sat, 13 Jan 2024 21:29:10 -0800
Subject: [PATCH] Fix up issues found running Bandit on itself

* Used nosec for false various positives
* Switched to usage of defusedxml
* Fixed the empty try-except-pass to have code in the except block.

Fixes #1092

Signed-off-by: Eric Brown
---
 bandit/cli/baseline.py | 4 ++--
 bandit/core/utils.py | 3 +--
 bandit/formatters/xml.py | 3 ++-
 bandit/plugins/general_bind_all_interfaces.py | 2 +-
 bandit/plugins/general_hardcoded_tmp.py | 4 ++--
 requirements.txt | 1 +
 6 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/bandit/cli/baseline.py b/bandit/cli/baseline.py
index b9bce8916..0d65185b3 100644
--- a/bandit/cli/baseline.py
+++ b/bandit/cli/baseline.py
@@ -15,7 +15,7 @@
 import logging
 import os
 import shutil
-import subprocess
+import subprocess # nosec: B404
 import sys
 import tempfile
 
@@ -101,7 +101,7 @@ def main():
             bandit_command = ["bandit"] + step["args"]
 
             try:
-                output = subprocess.check_output(bandit_command)
+                output = subprocess.check_output(bandit_command) # nosec: B603
             except subprocess.CalledProcessError as e:
                 output = e.output
                 return_code = e.returncode
diff --git a/bandit/core/utils.py b/bandit/core/utils.py
index 32d9d4965..7fb775305 100644
--- a/bandit/core/utils.py
+++ b/bandit/core/utils.py
@@ -62,7 +62,6 @@ def get_func_name(node):
 
 
 def get_qual_attr(node, aliases):
-    prefix = ""
     if isinstance(node, ast.Attribute):
         try:
             val = deepgetattr(node, "value.id")
@@ -73,7 +72,7 @@ def get_qual_attr(node, aliases):
         except Exception:
             # NOTE(tkelsey): degrade gracefully when we can't get the fully
             # qualified name for an attr, just return its base name.
-            pass
+            prefix = ""
 
         return f"{prefix}.{node.attr}"
     else:
diff --git a/bandit/formatters/xml.py b/bandit/formatters/xml.py
index 36352f046..7ba53c2ef 100644
--- a/bandit/formatters/xml.py
+++ b/bandit/formatters/xml.py
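Review bot: The `# nosec: B603` added to `output = subprocess.check_output(bandit_command)` in the second baseline.py hunk suppresses the finding without recording why it is safe, and the same goes for the `# nosec: B404` on `import subprocess` in the first hunk. Both look defensible because `bandit_command` is an argv list (no `shell=True`) assembled from the tool's own `step["args"]`, but that reasoning currently lives only in the reviewer's head; a trailing justification such as `# nosec: B603 - argv list, shell=False, args from our own CLI` keeps each suppression auditable the next time Bandit is run on Bandit. Where `step["args"]` originates is outside the hunk, and main() starts and ends outside it as well.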
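Review bot: Moving the `prefix = ""` initialisation from the top of `get_qual_attr` into the `except Exception:` branch (the two utils.py hunks) means `prefix` is now bound only by the try body or by the handler; the middle of that try body sits between the hunks and is not visible here, so confirm every non-raising path assigns `prefix` before `return f"{prefix}.{node.attr}"`, otherwise the old graceful fallback becomes an `UnboundLocalError`. The handler still catches `Exception`, which also masks unrelated bugs in the lookup; if `deepgetattr` reports a missing attribute with `AttributeError`, `except AttributeError:` keeps the degradation the NOTE describes without hiding everything else. get_qual_attr continues past the second hunk.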
@@ -35,7 +35,8 @@
 """
 import logging
 import sys
-from xml.etree import ElementTree as ET
+
+from defusedxml import ElementTree as ET
 
 from bandit.core import docs_utils
 
diff --git a/bandit/plugins/general_bind_all_interfaces.py b/bandit/plugins/general_bind_all_interfaces.py
index 4659167af..58b840e86 100644
--- a/bandit/plugins/general_bind_all_interfaces.py
+++ b/bandit/plugins/general_bind_all_interfaces.py
@@ -43,7 +43,7 @@
 @test.checks("Str")
 @test.test_id("B104")
 def hardcoded_bind_all_interfaces(context):
-    if context.string_val == "0.0.0.0":
+    if context.string_val == "0.0.0.0": # nosec: B104
         return bandit.Issue(
             severity=bandit.MEDIUM,
             confidence=bandit.MEDIUM,
diff --git a/bandit/plugins/general_hardcoded_tmp.py b/bandit/plugins/general_hardcoded_tmp.py
index 53f8cd137..2855c9c6d 100644
--- a/bandit/plugins/general_hardcoded_tmp.py
+++ b/bandit/plugins/general_hardcoded_tmp.py
@@ -59,7 +59,7 @@
 
 def gen_config(name):
     if name == "hardcoded_tmp_directory":
-        return {"tmp_dirs": ["/tmp", "/var/tmp", "/dev/shm"]}
+        return {"tmp_dirs": ["/tmp", "/var/tmp", "/dev/shm"]} # nosec: B108
 
 
 @test.takes_config
@@ -69,7 +69,7 @@ def hardcoded_tmp_directory(context, config):
     if config is not None and "tmp_dirs" in config:
         tmp_dirs = config["tmp_dirs"]
     else:
-        tmp_dirs = ["/tmp", "/var/tmp", "/dev/shm"]
+        tmp_dirs = ["/tmp", "/var/tmp", "/dev/shm"] # nosec: B108
 
     if any(context.string_val.startswith(s) for s in tmp_dirs):
         return bandit.Issue(
diff --git a/requirements.txt b/requirements.txt
index 289782022..b9c90d353 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,3 +6,4 @@ PyYAML>=5.3.1 # MIT
 stevedore>=1.20.0 # Apache-2.0
 colorama>=0.3.9;platform_system=="Windows" # BSD License (3 clause)
 rich # MIT
+defusedxml # PSF-2.0
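Review bot: The switch to `from defusedxml import ElementTree as ET` in the xml.py hunk needs checking against the formatter body outside this hunk: `defusedxml.ElementTree` wraps the parsing entry points (`parse`, `fromstring`, `iterparse`, `XML`) and re-exports `tostring`, but as far as I know it does not provide `Element` or `SubElement`, so if the module builds its report with `ET.Element(...)`/`ET.SubElement(...)` this import turns into an `AttributeError` at report time. This module is an output formatter, and if it never parses XML (only the imports are visible here) then B405 is a false positive of the same kind as the others in this patch, and `from xml.etree import ElementTree as ET  # nosec: B405 - serialisation only, no parsing` is the consistent fix. That would also avoid the new runtime dependency added in requirements.txt, which unlike its `PyYAML`/`stevedore`/`colorama` neighbours carries no minimum version.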
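Review bot: The default `["/tmp", "/var/tmp", "/dev/shm"]` list is now spelled out twice in general_hardcoded_tmp.py, in `gen_config` and in the `else:` branch of `hardcoded_tmp_directory`, each carrying its own `# nosec: B108`, so the two defaults can drift apart and there are two suppressions to audit instead of one. A single module-level constant, e.g. `_DEFAULT_TMP_DIRS = ["/tmp", "/var/tmp", "/dev/shm"]  # nosec: B108`, with `return {"tmp_dirs": list(_DEFAULT_TMP_DIRS)}` and `tmp_dirs = _DEFAULT_TMP_DIRS` at the two sites, keeps one source of truth and one suppression. hardcoded_tmp_directory's body continues past the second hunk.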