Merge branch 'main' into feat/add-httpx-to-B113

.github/FUNDING.yml

@@ -1,2 +1,3 @@
 custom: ["https://psfmember.org/civicrm/contribute/transact/?reset=1&id=42"]
 github: [ericwb]
+tidelift: pypi/bandit

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -44,21 +44,14 @@ body:
       label: Bandit version
       description: Run "bandit --version" if unsure of version number
       options:
-        - 1.7.5 (Default)
+        - 1.7.7 (Default)
+        - 1.7.6
+        - 1.7.5
         - 1.7.4
         - 1.7.3
         - 1.7.2
         - 1.7.1
         - 1.7.0
-        - 1.6.3
-        - 1.6.2
-        - 1.6.1
-        - 1.6.0
-        - 1.5.1
-        - 1.5.0
-        - 1.4.0
-        - 1.3.0
-        - 0.17.0-eol
     validations:
       required: true
 
@@ -68,13 +61,11 @@ body:
       label: Python version
       description: Run "bandit --version" if unsure of version number
       options:
-        - "3.11 (Default)"
+        - "3.12 (Default)"
+        - "3.11"
         - "3.10"
         - "3.9"
         - "3.8"
-        - "3.7"
-        - "3.6"
-        - "3.5"
     validations:
       required: true
 

.github/workflows/build-publish-image.yml

@@ -0,0 +1,67 @@
+name: Build and Publish Bandit Images
+
+on:
+  release:
+    types: [created]
+  schedule:
+    - cron: '0 0 * * 0' # Every Sunday at midnight
+  workflow_dispatch:
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+
+    steps:
+
+    - name: Get latest release tag
+      if: github.event_name != 'release'
+      id: get-latest-tag
+      run: |
+        TAG=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r .tag_name)
+        echo "Latest tag is $TAG"
+        echo "RELEASE_TAG=$TAG" >> $GITHUB_ENV
+
+    - name: Check out the repo
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      with:
+        ref: ${{ github.event_name == 'release' && github.ref || env.RELEASE_TAG }}
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3
+
+    - name: Log in to GitHub Container Registry
+      uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
+      with:
+        cosign-release: 'v2.2.2'
+
+    - name: Downcase github.repository value
+      run: |
+        echo "IMAGE_NAME=`echo ${{github.repository}} | tr '[:upper:]' '[:lower:]'`" >>${GITHUB_ENV}
+
+    - name: Build and push Docker image
+      id: build-and-push
+      uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6
+      with:
+        context: .
+        file: ./docker/Dockerfile
+        push: true
+        tags: ghcr.io/${{ env.IMAGE_NAME }}/bandit:latest
+        platforms: linux/amd64, linux/arm64, linux/arm/v7, linux/arm/v8
+
+    - name: Sign the image
+      env:
+        TAGS: ghcr.io/${{ env.IMAGE_NAME }}/bandit:latest
+        DIGEST: ${{ steps.build-and-push.outputs.digest }}
+      run: |
+        echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}

.github/workflows/dependency-review.yml

@@ -11,4 +11,4 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v3
+        uses: actions/dependency-review-action@v4

.github/workflows/publish-to-pypi.yml

@@ -6,12 +6,15 @@ jobs:
   build-n-publish:
     name: Build and publish to PyPI
     runs-on: ubuntu-latest
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
     steps:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - name: Set up Python 3.8
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: 3.8
 
@@ -25,5 +28,3 @@ jobs:
     - name: Publish distribution to PyPI
       if: startsWith(github.ref, 'refs/tags')
       uses: pypa/gh-action-pypi-publish@release/v1
-      with:
-        password: ${{ secrets.PYPI_PASSWORD }}

.github/workflows/publish-to-test-pypi.yml

@@ -6,12 +6,15 @@ jobs:
   build-n-publish:
     name: Build and publish to Test PyPI
     runs-on: ubuntu-latest
+    permissions:
+      # IMPORTANT: this permission is mandatory for trusted publishing
+      id-token: write
     steps:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - name: Set up Python 3.8
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: 3.8
 
@@ -25,5 +28,4 @@ jobs:
     - name: Publish distribution to Test PyPI
       uses: pypa/gh-action-pypi-publish@release/v1
       with:
-        password: ${{ secrets.TEST_PYPI_PASSWORD }}
-        repository_url: https://test.pypi.org/legacy/
+        repository-url: https://test.pypi.org/legacy/

.github/workflows/pythonpackage.yml

@@ -12,7 +12,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
@@ -33,7 +33,7 @@ jobs:
       with:
         fetch-depth: 2
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
@@ -47,7 +47,12 @@ jobs:
     strategy:
       matrix:
         python-version: [
-          ["3.8", "38"], ["3.9", "39"], ["3.10", "310"], ["3.11", "311"]
+          ["3.8", "38"],
+          ["3.9", "39"],
+          ["3.10", "310"],
+          ["3.11", "311"],
+          ["3.12", "312"],
+          ["3.13.0-a - 3.13", "313"],
         ]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
@@ -56,7 +61,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4
     - name: Set up Python ${{ matrix.python-version[0] }}
-      uses: actions/setup-python@v4
+      uses: actions/setup-python@v5
       with:
         python-version: ${{ matrix.python-version[0] }}
     - name: Install dependencies

.pre-commit-config.yaml

@@ -1,24 +1,24 @@
 exclude: ^(examples|tools|doc)
 repos:
 - repo: https://github.com/pre-commit/pre-commit-hooks
-  rev: v4.4.0
+  rev: v4.6.0
   hooks:
   - id: check-yaml
   - id: debug-statements
   - id: end-of-file-fixer
   - id: trailing-whitespace
-- repo: https://github.com/asottile/reorder_python_imports
-  rev: v3.9.0
+- repo: https://github.com/asottile/reorder-python-imports
+  rev: v3.13.0
   hooks:
   - id: reorder-python-imports
     args: [--application-directories, '.:src', --py38-plus]
-- repo: https://github.com/psf/black
-  rev: 23.3.0
+- repo: https://github.com/psf/black-pre-commit-mirror
+  rev: 24.4.2
   hooks:
   - id: black
     args: [--line-length=79, --target-version=py38]
 - repo: https://github.com/asottile/pyupgrade
-  rev: v3.3.2
+  rev: v3.16.0
   hooks:
   - id: pyupgrade
     args: [--py38-plus]

.readthedocs.yaml

@@ -12,3 +12,7 @@ python:
   install:
     - requirements: requirements.txt
     - requirements: doc/requirements.txt
+    - method: pip
+      path: .
+      extra_requirements:
+        - sarif

README.rst

@@ -83,3 +83,63 @@ https://greentreesnakes.readthedocs.org/en/latest/
 Documentation of the various types of AST nodes that Bandit currently covers
 or could be extended to cover:
 https://greentreesnakes.readthedocs.org/en/latest/nodes.html
+
+Container Images
+----------------
+
+Bandit is available as a container image, built within the bandit repository
+using GitHub Actions. The image is available on ghcr.io:
+
+.. code-block:: console
+
+    docker pull ghcr.io/pycqa/bandit/bandit
+
+The image is built for the following architectures:
+
+* amd64
+* arm64
+* armv7
+* armv8
+
+To pull a specific architecture, use the following format:
+
+.. code-block:: console
+
+    docker pull --platform=<architecture> ghcr.io/pycqa/bandit/bandit:latest
+
+Every image is signed with sigstore cosign and it is possible to verify the
+source of origin using the following cosign command:
+
+.. code-block:: console
+
+    cosign verify ghcr.io/pycqa/bandit/bandit:latest \
+      --certificate-identity https://github.com/pycqa/bandit/.github/workflows/build-publish-image.yml@refs/tags/<version> \
+      --certificate-oidc-issuer https://token.actions.githubusercontent.com
+
+Where `<version>` is the release version of Bandit.
+
+Sponsors
+--------
+
+The development of Bandit is made possible by the following sponsors:
+
+.. list-table::
+   :width: 100%
+   :class: borderless
+
+   * - .. image:: https://github.githubassets.com/assets/tidelift-8cea37dea8fc.svg
+          :target: https://tidelift.com/lifter/search/pypi/bandit
+          :alt: Tidelift
+          :width: 88
+
+     - .. image:: https://avatars.githubusercontent.com/u/110237746?s=200&v=4
+          :target: https://stacklok.com/
+          :alt: Stacklok
+          :width: 88
+
+     - .. image:: https://avatars.githubusercontent.com/u/1396951?s=70&v=4
+          :target: https://sentry.io/
+          :alt: Sentry
+          :width: 88
+
+If you also ❤️ Bandit, please consider sponsoring.

SECURITY.md

@@ -0,0 +1,9 @@
+# Security Policy
+
+Bandit is a tool designed to find security issues, so every effort is made that Bandit itself is also
+free of those issues. However, if you believe you have found a security vulnerability in this repository
+please open it privately via the [Report a security vulnerability](https://github.com/PyCQA/bandit/security/advisories/new) link in the Issues tab.
+
+**Please do not report security vulnerabilities through public issues, discussions, or pull requests.**
+
+Please also inform the [Tidelift security](https://tidelift.com/security). Tidelift will help coordinate the fix and disclosure.

bandit/__init__.py

@@ -2,10 +2,7 @@
 # Copyright 2014 Hewlett-Packard Development Company, L.P.
 #
 # SPDX-License-Identifier: Apache-2.0
-try:
-    from importlib import metadata
-except ImportError:
-    import importlib_metadata as metadata
+from importlib import metadata
 
 from bandit.core import config  # noqa
 from bandit.core import context  # noqa
@@ -19,4 +16,5 @@
 from bandit.core.issue import *  # noqa
 from bandit.core.test_properties import *  # noqa
 
+__author__ = metadata.metadata("bandit")["Author"]
 __version__ = metadata.version("bandit")

bandit/blacklists/calls.py

@@ -198,6 +198,7 @@
 |      |                     | - random.choices                   |           |
 |      |                     | - random.uniform                   |           |
 |      |                     | - random.triangular                |           |
+|      |                     | - random.randbytes                 |           |
 +------+---------------------+------------------------------------+-----------+
 
 B312: telnetlib
@@ -523,6 +524,7 @@ def gen_blacklist():
                 "random.choices",
                 "random.uniform",
                 "random.triangular",
+                "random.randbytes",
             ],
             "Standard pseudo-random generators are not suitable for "
             "security/cryptographic purposes.",
@@ -535,7 +537,7 @@ def gen_blacklist():
             "telnetlib",
             "B312",
             issue.Cwe.CLEARTEXT_TRANSMISSION,
-            ["telnetlib.*"],
+            ["telnetlib.Telnet"],
             "Telnet-related functions are being called. Telnet is considered "
             "insecure. Use SSH or some other encrypted protocol.",
             "HIGH",
@@ -660,7 +662,7 @@ def gen_blacklist():
             "ftplib",
             "B321",
             issue.Cwe.CLEARTEXT_TRANSMISSION,
-            ["ftplib.*"],
+            ["ftplib.FTP"],
             "FTP-related functions are being called. FTP is considered "
             "insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
             "HIGH",

bandit/blacklists/imports.py

@@ -146,8 +146,8 @@
 ----------------------
 
 XMLRPC is particularly dangerous as it is also concerned with communicating
-data over a network. Use defused.xmlrpc.monkey_patch() function to monkey-patch
-xmlrpclib and mitigate remote XML attacks.
+data over a network. Use defusedxml.xmlrpc.monkey_patch() function to
+monkey-patch xmlrpclib and mitigate remote XML attacks.
 
 +------+---------------------+------------------------------------+-----------+
 | ID   |  Name               |  Imports                           |  Severity |
@@ -376,7 +376,7 @@ def gen_blacklist():
             issue.Cwe.IMPROPER_INPUT_VALIDATION,
             ["xmlrpc"],
             "Using {name} to parse untrusted XML data is known to be "
-            "vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() "
+            "vulnerable to XML attacks. Use defusedxml.xmlrpc.monkey_patch() "
             "function to monkey-patch xmlrpclib and mitigate XML "
             "vulnerabilities.",
             "HIGH",