def __init__(self, config, agg_type, debug=False, verbose=False, profile=None, ignore_nosec=False): '''Get logger, config, AST handler, and result store ready :param config: config options object :type config: bandit.core.BanditConfig :param agg_type: aggregation type :param debug: Whether to show debug messages or not :param verbose: Whether to show verbose output :param profile_name: Optional name of profile to use (from cmd line) :param ignore_nosec: Whether to ignore #nosec or not :return: ''' self.debug = debug self.verbose = verbose if not profile: profile = {} self.ignore_nosec = ignore_nosec self.b_conf = config self.files_list = [] self.excluded_files = [] self.b_ma = b_meta_ast.BanditMetaAst() self.skipped = [] self.results = [] self.baseline = [] self.agg_type = agg_type self.metrics = metrics.Metrics() self.b_ts = b_test_set.BanditTestSet(config, profile) # set the increment of after how many files to show progress self.progress = b_constants.progress_increment self.scores = []
def test_profile_filter_blacklist_none(self): ts = test_set.BanditTestSet(self.config) blacklist = ts.get_tests("Import")[0] self.assertEqual(2, len(blacklist._config["Import"])) self.assertEqual(2, len(blacklist._config["ImportFrom"])) self.assertEqual(2, len(blacklist._config["Call"]))
def test_profile_filter_blacklist_none(self): ts = test_set.BanditTestSet(self.config) blacklist = ts.get_tests('Import')[0] self.assertEqual(len(blacklist._config['Import']), 2) self.assertEqual(len(blacklist._config['ImportFrom']), 2) self.assertEqual(len(blacklist._config['Call']), 2)
def test_profile_filter_blacklist_include(self): profile = {'include': ['B001', 'B401']} ts = test_set.BanditTestSet(self.config, profile) blacklist = ts.get_tests('Import')[0] self.assertEqual(len(blacklist._config['Import']), 1) self.assertEqual(len(blacklist._config['ImportFrom']), 1) self.assertEqual(len(blacklist._config['Call']), 1)
def test_profile_filter_blacklist_include(self): profile = {"include": ["B001", "B401"]} ts = test_set.BanditTestSet(self.config, profile) blacklist = ts.get_tests("Import")[0] self.assertEqual(1, len(blacklist._config["Import"])) self.assertEqual(1, len(blacklist._config["ImportFrom"])) self.assertEqual(1, len(blacklist._config["Call"]))
def test_profile_filter_blacklist_all(self): profile = {'exclude': ['B401', 'B302']} ts = test_set.BanditTestSet(self.config, profile) # if there is no blacklist data for a node type then we wont add a # blacklist test to it, as this would be pointless. self.assertEqual(len(ts.get_tests('Import')), 0) self.assertEqual(len(ts.get_tests('ImportFrom')), 0) self.assertEqual(len(ts.get_tests('Call')), 0)
def test_profile_filter_blacklist_all(self): profile = {"exclude": ["B401", "B302"]} ts = test_set.BanditTestSet(self.config, profile) # if there is no blacklist data for a node type then we wont add a # blacklist test to it, as this would be pointless. self.assertEqual(0, len(ts.get_tests("Import"))) self.assertEqual(0, len(ts.get_tests("ImportFrom"))) self.assertEqual(0, len(ts.get_tests("Call")))
def setUp(self): super().setUp() # NOTE(tkelsey): bandit is very sensitive to paths, so stitch # them up here for the testing environment. # path = os.path.join(os.getcwd(), "bandit", "plugins") b_conf = b_config.BanditConfig() self.b_mgr = b_manager.BanditManager(b_conf, "file") self.b_mgr.b_conf._settings["plugins_dir"] = path self.b_mgr.b_ts = b_test_set.BanditTestSet(config=b_conf)
def setUp(self): super(FunctionalTests, self).setUp() # NOTE(tkelsey): bandit is very sensitive to paths, so stitch # them up here for the testing environment. # path = os.path.join(os.getcwd(), 'bandit', 'plugins') b_conf = b_config.BanditConfig() self.b_mgr = b_manager.BanditManager(b_conf, 'file') self.b_mgr.b_conf._settings['plugins_dir'] = path self.b_mgr.b_ts = b_test_set.BanditTestSet(config=b_conf)
def test_django_xss_insecure(self): """Test for Django XSS via django.utils.safestring""" expect = { 'SEVERITY': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 28, 'HIGH': 0}, 'CONFIDENCE': {'UNDEFINED': 0, 'LOW': 0, 'MEDIUM': 0, 'HIGH': 28} } self.b_mgr.b_ts = b_test_set.BanditTestSet( config=self.b_mgr.b_conf, profile={'exclude': ['B308']} ) self.check_example('mark_safe_insecure.py', expect)
def __init__(self, config_file, agg_type, debug=False, verbose=False, profile_name=None): '''Get logger, config, AST handler, and result store ready :param config_file: A file to read config from :param debug: Whether to show debug messsages or not :param profile_name: Optional name of profile to use (from cmd line) :return: ''' self.debug = debug self.verbose = verbose self.logger = logging.getLogger() self.b_conf = b_config.BanditConfig(self.logger, config_file) self.files_list = [] self.excluded_files = [] # if the log format string was set in the options, reinitialize if self.b_conf.get_option('log_format'): # have to clear old handler self.logger.handlers = [] log_format = self.b_conf.get_option('log_format') self.logger = self._init_logger(debug, log_format=log_format) self.b_ma = b_meta_ast.BanditMetaAst(self.logger) self.b_rs = b_result_store.BanditResultStore(self.logger, self.b_conf, agg_type, verbose) # if the profile name was specified, try to find it in the config if profile_name: if profile_name in self.b_conf.config['profiles']: profile = self.b_conf.config['profiles'][profile_name] self.logger.debug("read in profile '%s': %s", profile_name, profile) else: self.logger.error( 'unable to find profile (%s) in config file: ' '%s', profile_name, config_file) sys.exit(2) else: profile = None self.b_ts = b_test_set.BanditTestSet(self.logger, config=self.b_conf, profile=profile) # set the increment of after how many files to show progress self.progress = self.b_conf.get_setting('progress') self.scores = []
def test_profile_blacklist_compat(self): data = [utils.build_conf_dict( 'marshal', 'B302', ['marshal.load', 'marshal.loads'], ('Deserialization with the marshal module is possibly ' 'dangerous.'))] profile = {'include': ['B001'], 'blacklist': {'Call': data}} ts = test_set.BanditTestSet(self.config, profile) blacklist = ts.get_tests('Call')[0] self.assertNotIn('Import', blacklist._config) self.assertNotIn('ImportFrom', blacklist._config) self.assertEqual(1, len(blacklist._config['Call']))
def __init__(self, config, agg_type, debug=False, verbose=False, profile_name=None, ignore_nosec=False): '''Get logger, config, AST handler, and result store ready :param config: config options object :type config: bandit.core.BanditConfig :param agg_type: aggregation type :param debug: Whether to show debug messsages or not :param verbose: Whether to show verbose output :param profile_name: Optional name of profile to use (from cmd line) :param ignore_nosec: Whether to ignore #nosec or not :return: ''' self.debug = debug self.verbose = verbose self.ignore_nosec = ignore_nosec self.b_conf = config self.files_list = [] self.excluded_files = [] self.b_ma = b_meta_ast.BanditMetaAst() self.skipped = [] self.results = [] self.baseline = [] self.agg_type = agg_type self.metrics = metrics.Metrics() # if the profile name was specified, try to find it in the config if profile_name: if profile_name in self.b_conf.config['profiles']: profile = self.b_conf.config['profiles'][profile_name] logger.debug("read in profile '%s': %s", profile_name, profile) else: raise utils.ProfileNotFound(self.b_conf.config_file, profile_name) else: profile = None self.b_ts = b_test_set.BanditTestSet(config=self.b_conf, profile=profile) # set the increment of after how many files to show progress self.progress = b_constants.progress_increment self.scores = []
def test_django_xss_insecure(self): """Test for Django XSS via django.utils.safestring""" expect = { "SEVERITY": { "UNDEFINED": 0, "LOW": 0, "MEDIUM": 28, "HIGH": 0 }, "CONFIDENCE": { "UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 28 }, } self.b_mgr.b_ts = b_test_set.BanditTestSet( config=self.b_mgr.b_conf, profile={"exclude": ["B308"]}) self.check_example("mark_safe_insecure.py", expect)
def test_profile_blacklist_compat(self): data = [ utils.build_conf_dict( "marshal", "B302", issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA, ["marshal.load", "marshal.loads"], ("Deserialization with the marshal module is possibly " "dangerous."), ) ] profile = {"include": ["B001"], "blacklist": {"Call": data}} ts = test_set.BanditTestSet(self.config, profile) blacklist = ts.get_tests("Call")[0] self.assertNotIn("Import", blacklist._config) self.assertNotIn("ImportFrom", blacklist._config) self.assertEqual(1, len(blacklist._config["Call"]))
def __init__( self, config, agg_type, debug=False, verbose=False, quiet=False, profile=None, ignore_nosec=False, ): """Get logger, config, AST handler, and result store ready :param config: config options object :type config: bandit.core.BanditConfig :param agg_type: aggregation type :param debug: Whether to show debug messages or not :param verbose: Whether to show verbose output :param quiet: Whether to only show output in the case of an error :param profile_name: Optional name of profile to use (from cmd line) :param ignore_nosec: Whether to ignore #nosec or not :return: """ self.debug = debug self.verbose = verbose self.quiet = quiet if not profile: profile = {} self.ignore_nosec = ignore_nosec self.b_conf = config self.files_list = [] self.excluded_files = [] self.b_ma = b_meta_ast.BanditMetaAst() self.skipped = [] self.results = [] self.baseline = [] self.agg_type = agg_type self.metrics = metrics.Metrics() self.b_ts = b_test_set.BanditTestSet(config, profile) self.scores = []
def test_has_defaults(self): ts = test_set.BanditTestSet(self.config) self.assertEqual(1, len(ts.get_tests("Str")))
def test_profile_exclude_id(self): profile = {"exclude": ["B000"]} ts = test_set.BanditTestSet(self.config, profile) self.assertEqual(0, len(ts.get_tests("Str")))
def test_profile_exclude_builtin_blacklist(self): profile = {'exclude': ['B001']} ts = test_set.BanditTestSet(self.config, profile) self.assertEqual(len(ts.get_tests('Import')), 0) self.assertEqual(len(ts.get_tests('ImportFrom')), 0) self.assertEqual(len(ts.get_tests('Call')), 0)
def test_profile_has_builtin_blacklist(self): ts = test_set.BanditTestSet(self.config) self.assertEqual(len(ts.get_tests('Import')), 1) self.assertEqual(len(ts.get_tests('ImportFrom')), 1) self.assertEqual(len(ts.get_tests('Call')), 1)
def test_profile_exclude_none(self): profile = {'exclude': []} # same as no exclude ts = test_set.BanditTestSet(self.config, profile) self.assertEqual(len(ts.get_tests('Str')), 1)
def test_profile_exclude_id(self): profile = {'exclude': ['B000']} ts = test_set.BanditTestSet(self.config, profile) self.assertEqual(len(ts.get_tests('Str')), 0)
def test_has_defaults(self): ts = test_set.BanditTestSet(self.config) self.assertEqual(len(ts.get_tests('Str')), 1)
def test_profile_exclude_none(self): profile = {"exclude": []} # same as no exclude ts = test_set.BanditTestSet(self.config, profile) self.assertEqual(1, len(ts.get_tests("Str")))
def test_profile_has_builtin_blacklist(self): ts = test_set.BanditTestSet(self.config) self.assertEqual(1, len(ts.get_tests("Import"))) self.assertEqual(1, len(ts.get_tests("ImportFrom"))) self.assertEqual(1, len(ts.get_tests("Call")))
def test_profile_exclude_builtin_blacklist(self): profile = {"exclude": ["B001"]} ts = test_set.BanditTestSet(self.config, profile) self.assertEqual(0, len(ts.get_tests("Import"))) self.assertEqual(0, len(ts.get_tests("ImportFrom"))) self.assertEqual(0, len(ts.get_tests("Call")))