-
Notifications
You must be signed in to change notification settings - Fork 239
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for sinks introduced with "from .... import ..." #177
Comments
Yep. It's the same with |
This would definitely be a great feature |
If one looks at Bandit examples of |
I am interested in this, and in general in being able to identify sinks in a better way than currently. I tried bandit 1.5.1 on python 3.7.0 and the following code triggers B604: from subprocess import Popen as pop
pop('/bin/ls', shell=True)
Is there a reason why sinks are defined like this |
I'd be really curious how Bandit does that :D, but unlike most things, e.g.
Mostly due to not tracking namespaces in the case of "blackbox" calls (importing things that aren't from another file in the repo). It's a great idea to do what you suggest though. We sort of do track namespaces with e.g. imports of another file here Lines 557 to 564 in 4b495ad
#182 added that capability, but we haven't merged anything into https://github.com/python-security/pyt/blob/master/pyt/vulnerability_definitions/all_trigger_words.pyt to use it. |
Got it, seems like some of the pre-requisite features required to tackle this are there. |
Close? |
Thanks @amacfie! |
Right now sinks seem to be considered during vulnerability analysis only in case of "module scope imports". E.g. vulnerabilities w.r.t. sink
subprocess.call(
are only detected in case the production code imports module scope wise:In case the production code introduces the sink via module import the vulnerability won't be detected.
The text was updated successfully, but these errors were encountered: