def __init__(self, config, agg_type, debug=False, verbose=False,
profile=None, ignore_nosec=False):
'''Get logger, config, AST handler, and result store ready
:param config: config options object
:type config: bandit.core.BanditConfig
:param agg_type: aggregation type
:param debug: Whether to show debug messages or not
:param verbose: Whether to show verbose output
:param profile_name: Optional name of profile to use (from cmd line)
:param ignore_nosec: Whether to ignore #nosec or not
:return:
'''
self.debug = debug
self.verbose = verbose
if not profile:
profile = {}
self.ignore_nosec = ignore_nosec
self.b_conf = config
self.files_list = []
self.excluded_files = []
self.b_ma = b_meta_ast.BanditMetaAst()
self.skipped = []
self.results = []
self.baseline = []
self.agg_type = agg_type
self.metrics = metrics.Metrics()
self.b_ts = b_test_set.BanditTestSet(config, profile)
# set the increment of after how many files to show progress
self.progress = b_constants.progress_increment
self.scores = []
def test_profile_filter_blacklist_none(self):
ts = test_set.BanditTestSet(self.config)
blacklist = ts.get_tests("Import")[0]
self.assertEqual(2, len(blacklist._config["Import"]))
self.assertEqual(2, len(blacklist._config["ImportFrom"]))
self.assertEqual(2, len(blacklist._config["Call"]))
def test_profile_filter_blacklist_none(self):
ts = test_set.BanditTestSet(self.config)
blacklist = ts.get_tests('Import')[0]
self.assertEqual(len(blacklist._config['Import']), 2)
self.assertEqual(len(blacklist._config['ImportFrom']), 2)
self.assertEqual(len(blacklist._config['Call']), 2)
def test_profile_filter_blacklist_include(self):
profile = {'include': ['B001', 'B401']}
ts = test_set.BanditTestSet(self.config, profile)
blacklist = ts.get_tests('Import')[0]
self.assertEqual(len(blacklist._config['Import']), 1)
self.assertEqual(len(blacklist._config['ImportFrom']), 1)
self.assertEqual(len(blacklist._config['Call']), 1)
def test_profile_filter_blacklist_include(self):
profile = {"include": ["B001", "B401"]}
ts = test_set.BanditTestSet(self.config, profile)
blacklist = ts.get_tests("Import")[0]
self.assertEqual(1, len(blacklist._config["Import"]))
self.assertEqual(1, len(blacklist._config["ImportFrom"]))
self.assertEqual(1, len(blacklist._config["Call"]))
def test_profile_filter_blacklist_all(self):
profile = {'exclude': ['B401', 'B302']}
ts = test_set.BanditTestSet(self.config, profile)
# if there is no blacklist data for a node type then we wont add a
# blacklist test to it, as this would be pointless.
self.assertEqual(len(ts.get_tests('Import')), 0)
self.assertEqual(len(ts.get_tests('ImportFrom')), 0)
self.assertEqual(len(ts.get_tests('Call')), 0)
def test_profile_filter_blacklist_all(self):
profile = {"exclude": ["B401", "B302"]}
ts = test_set.BanditTestSet(self.config, profile)
# if there is no blacklist data for a node type then we wont add a
# blacklist test to it, as this would be pointless.
self.assertEqual(0, len(ts.get_tests("Import")))
self.assertEqual(0, len(ts.get_tests("ImportFrom")))
self.assertEqual(0, len(ts.get_tests("Call")))
def setUp(self):
super().setUp()
# NOTE(tkelsey): bandit is very sensitive to paths, so stitch
# them up here for the testing environment.
#
path = os.path.join(os.getcwd(), "bandit", "plugins")
b_conf = b_config.BanditConfig()
self.b_mgr = b_manager.BanditManager(b_conf, "file")
self.b_mgr.b_conf._settings["plugins_dir"] = path
self.b_mgr.b_ts = b_test_set.BanditTestSet(config=b_conf)
def setUp(self):
super(FunctionalTests, self).setUp()
# NOTE(tkelsey): bandit is very sensitive to paths, so stitch
# them up here for the testing environment.
#
path = os.path.join(os.getcwd(), 'bandit', 'plugins')
b_conf = b_config.BanditConfig()
self.b_mgr = b_manager.BanditManager(b_conf, 'file')
self.b_mgr.b_conf._settings['plugins_dir'] = path
self.b_mgr.b_ts = b_test_set.BanditTestSet(config=b_conf)
def test_django_xss_insecure(self):
"""Test for Django XSS via django.utils.safestring"""
expect = {
'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 28, 'HIGH': 0},
'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 28}
}
self.b_mgr.b_ts = b_test_set.BanditTestSet(
config=self.b_mgr.b_conf,
profile={'exclude': ['B308']}
)
self.check_example('mark_safe_insecure.py', expect)
def __init__(self,
config_file,
agg_type,
debug=False,
verbose=False,
profile_name=None):
'''Get logger, config, AST handler, and result store ready
:param config_file: A file to read config from
:param debug: Whether to show debug messsages or not
:param profile_name: Optional name of profile to use (from cmd line)
:return:
'''
self.debug = debug
self.verbose = verbose
self.logger = logging.getLogger()
self.b_conf = b_config.BanditConfig(self.logger, config_file)
self.files_list = []
self.excluded_files = []
# if the log format string was set in the options, reinitialize
if self.b_conf.get_option('log_format'):
# have to clear old handler
self.logger.handlers = []
log_format = self.b_conf.get_option('log_format')
self.logger = self._init_logger(debug, log_format=log_format)
self.b_ma = b_meta_ast.BanditMetaAst(self.logger)
self.b_rs = b_result_store.BanditResultStore(self.logger, self.b_conf,
agg_type, verbose)
# if the profile name was specified, try to find it in the config
if profile_name:
if profile_name in self.b_conf.config['profiles']:
profile = self.b_conf.config['profiles'][profile_name]
self.logger.debug("read in profile '%s': %s", profile_name,
profile)
else:
self.logger.error(
'unable to find profile (%s) in config file: '
'%s', profile_name, config_file)
sys.exit(2)
else:
profile = None
self.b_ts = b_test_set.BanditTestSet(self.logger,
config=self.b_conf,
profile=profile)
# set the increment of after how many files to show progress
self.progress = self.b_conf.get_setting('progress')
self.scores = []
def test_profile_blacklist_compat(self):
data = [utils.build_conf_dict(
'marshal', 'B302', ['marshal.load', 'marshal.loads'],
('Deserialization with the marshal module is possibly '
'dangerous.'))]
profile = {'include': ['B001'], 'blacklist': {'Call': data}}
ts = test_set.BanditTestSet(self.config, profile)
blacklist = ts.get_tests('Call')[0]
self.assertNotIn('Import', blacklist._config)
self.assertNotIn('ImportFrom', blacklist._config)
self.assertEqual(1, len(blacklist._config['Call']))
def __init__(self,
config,
agg_type,
debug=False,
verbose=False,
profile_name=None,
ignore_nosec=False):
'''Get logger, config, AST handler, and result store ready
:param config: config options object
:type config: bandit.core.BanditConfig
:param agg_type: aggregation type
:param debug: Whether to show debug messsages or not
:param verbose: Whether to show verbose output
:param profile_name: Optional name of profile to use (from cmd line)
:param ignore_nosec: Whether to ignore #nosec or not
:return:
'''
self.debug = debug
self.verbose = verbose
self.ignore_nosec = ignore_nosec
self.b_conf = config
self.files_list = []
self.excluded_files = []
self.b_ma = b_meta_ast.BanditMetaAst()
self.skipped = []
self.results = []
self.baseline = []
self.agg_type = agg_type
self.metrics = metrics.Metrics()
# if the profile name was specified, try to find it in the config
if profile_name:
if profile_name in self.b_conf.config['profiles']:
profile = self.b_conf.config['profiles'][profile_name]
logger.debug("read in profile '%s': %s", profile_name, profile)
else:
raise utils.ProfileNotFound(self.b_conf.config_file,
profile_name)
else:
profile = None
self.b_ts = b_test_set.BanditTestSet(config=self.b_conf,
profile=profile)
# set the increment of after how many files to show progress
self.progress = b_constants.progress_increment
self.scores = []
def test_django_xss_insecure(self):
"""Test for Django XSS via django.utils.safestring"""
expect = {
"SEVERITY": {
"UNDEFINED": 0,
"LOW": 0,
"MEDIUM": 28,
"HIGH": 0
},
"CONFIDENCE": {
"UNDEFINED": 0,
"LOW": 0,
"MEDIUM": 0,
"HIGH": 28
},
}
self.b_mgr.b_ts = b_test_set.BanditTestSet(
config=self.b_mgr.b_conf, profile={"exclude": ["B308"]})
self.check_example("mark_safe_insecure.py", expect)
def test_profile_blacklist_compat(self):
data = [
utils.build_conf_dict(
"marshal",
"B302",
issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
["marshal.load", "marshal.loads"],
("Deserialization with the marshal module is possibly "
"dangerous."),
)
]
profile = {"include": ["B001"], "blacklist": {"Call": data}}
ts = test_set.BanditTestSet(self.config, profile)
blacklist = ts.get_tests("Call")[0]
self.assertNotIn("Import", blacklist._config)
self.assertNotIn("ImportFrom", blacklist._config)
self.assertEqual(1, len(blacklist._config["Call"]))
def __init__(
self,
config,
agg_type,
debug=False,
verbose=False,
quiet=False,
profile=None,
ignore_nosec=False,
):
"""Get logger, config, AST handler, and result store ready
:param config: config options object
:type config: bandit.core.BanditConfig
:param agg_type: aggregation type
:param debug: Whether to show debug messages or not
:param verbose: Whether to show verbose output
:param quiet: Whether to only show output in the case of an error
:param profile_name: Optional name of profile to use (from cmd line)
:param ignore_nosec: Whether to ignore #nosec or not
:return:
"""
self.debug = debug
self.verbose = verbose
self.quiet = quiet
if not profile:
profile = {}
self.ignore_nosec = ignore_nosec
self.b_conf = config
self.files_list = []
self.excluded_files = []
self.b_ma = b_meta_ast.BanditMetaAst()
self.skipped = []
self.results = []
self.baseline = []
self.agg_type = agg_type
self.metrics = metrics.Metrics()
self.b_ts = b_test_set.BanditTestSet(config, profile)
self.scores = []
def test_has_defaults(self):
ts = test_set.BanditTestSet(self.config)
self.assertEqual(1, len(ts.get_tests("Str")))
def test_profile_exclude_id(self):
profile = {"exclude": ["B000"]}
ts = test_set.BanditTestSet(self.config, profile)
self.assertEqual(0, len(ts.get_tests("Str")))
def test_profile_exclude_builtin_blacklist(self):
profile = {'exclude': ['B001']}
ts = test_set.BanditTestSet(self.config, profile)
self.assertEqual(len(ts.get_tests('Import')), 0)
self.assertEqual(len(ts.get_tests('ImportFrom')), 0)
self.assertEqual(len(ts.get_tests('Call')), 0)
def test_profile_has_builtin_blacklist(self):
ts = test_set.BanditTestSet(self.config)
self.assertEqual(len(ts.get_tests('Import')), 1)
self.assertEqual(len(ts.get_tests('ImportFrom')), 1)
self.assertEqual(len(ts.get_tests('Call')), 1)
def test_profile_exclude_none(self):
profile = {'exclude': []} # same as no exclude
ts = test_set.BanditTestSet(self.config, profile)
self.assertEqual(len(ts.get_tests('Str')), 1)
def test_profile_exclude_id(self):
profile = {'exclude': ['B000']}
ts = test_set.BanditTestSet(self.config, profile)
self.assertEqual(len(ts.get_tests('Str')), 0)
def test_has_defaults(self):
ts = test_set.BanditTestSet(self.config)
self.assertEqual(len(ts.get_tests('Str')), 1)
def test_profile_exclude_none(self):
profile = {"exclude": []} # same as no exclude
ts = test_set.BanditTestSet(self.config, profile)
self.assertEqual(1, len(ts.get_tests("Str")))
def test_profile_has_builtin_blacklist(self):
ts = test_set.BanditTestSet(self.config)
self.assertEqual(1, len(ts.get_tests("Import")))
self.assertEqual(1, len(ts.get_tests("ImportFrom")))
self.assertEqual(1, len(ts.get_tests("Call")))
def test_profile_exclude_builtin_blacklist(self):
profile = {"exclude": ["B001"]}
ts = test_set.BanditTestSet(self.config, profile)
self.assertEqual(0, len(ts.get_tests("Import")))
self.assertEqual(0, len(ts.get_tests("ImportFrom")))
self.assertEqual(0, len(ts.get_tests("Call")))
