Merge branch 'main' into Add-GitLab-CICD-Job
ericwb authored Jan 19, 2025
2 parents 30fc343 + e91b911 commit 45d4016
Showing 60 changed files with 1,202 additions and 428 deletions.
23 changes: 8 additions & 15 deletions .github/ISSUE_TEMPLATE/bug-report.yml
Expand Up @@ -44,22 +44,18 @@ body:
label: Bandit version
description: Run "bandit --version" if unsure of version number
options:
- 1.7.6 (Default)
- 1.8.0 (Default)
- 1.7.10
- 1.7.9
- 1.7.8
- 1.7.7
- 1.7.6
- 1.7.5
- 1.7.4
- 1.7.3
- 1.7.2
- 1.7.1
- 1.7.0
- 1.6.3
- 1.6.2
- 1.6.1
- 1.6.0
- 1.5.1
- 1.5.0
- 1.4.0
- 1.3.0
- 0.17.0-eol
validations:
required: true

Expand All @@ -69,14 +65,11 @@ body:
label: Python version
description: Run "bandit --version" if unsure of version number
options:
- "3.12 (Default)"
- "3.13 (Default)"
- "3.12"
- "3.11"
- "3.10"
- "3.9"
- "3.8"
- "3.7"
- "3.6"
- "3.5"
validations:
required: true

8 changes: 4 additions & 4 deletions .github/workflows/build-publish-image.yml
Expand Up @@ -31,17 +31,17 @@ jobs:
ref: ${{ github.event_name == 'release' && github.ref || env.RELEASE_TAG }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3

- name: Log in to GitHub Container Registry
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
with:
cosign-release: 'v2.2.2'

Expand All @@ -51,7 +51,7 @@ jobs:
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6
with:
context: .
file: ./docker/Dockerfile
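Review bot: The cosign installer is bumped to v3.7.0 (the `sigstore/cosign-installer@dc72c7d5…` line) but the `cosign-release: 'v2.2.2'` pin directly beneath it is untouched, so the signing binary the job actually runs does not change; if holding cosign at 2.2.2 is deliberate, put a one-line comment next to the pin saying why, otherwise bump `cosign-release` to a current v2 release in the same change. The SHA pins with trailing `# vN` comments on all four actions are the right pattern and make the bump auditable. The `docker/build-push-action` move from v5 to v6 is a major-version bump; as far as I recall v6 changed defaults around build summaries and exported build records, so it is worth confirming nothing from the build context (build args, secrets mounted at build time) ends up in an uploaded artifact. The remaining steps of this job are outside the visible hunks.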
4 changes: 2 additions & 2 deletions .github/workflows/publish-to-pypi.yml
Expand Up @@ -13,10 +13,10 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python 3.8
- name: Set up Python 3.9
uses: actions/setup-python@v5
with:
python-version: 3.8
python-version: 3.9

- name: Install dependencies
run: pip install wheel
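Review bot: `python-version: 3.9` on the new line is an unquoted float-looking scalar; it survives only because 3.9 round-trips, whereas the same edit for the next minor would silently become 3.1, so write it as `python-version: "3.9"`, matching the quoted entries used in the test matrix elsewhere in this commit (the identical hunk in publish-to-test-pypi.yml needs the same treatment). Separately, this release workflow pins `actions/checkout@v4` and `actions/setup-python@v5` by mutable tag while build-publish-image.yml in the same commit pins every action to a commit SHA with a `# vN` comment; the job that publishes to PyPI is the more sensitive of the two and deserves the same pinning. The later steps of the job, including the publish step itself, are outside the visible hunk.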
4 changes: 2 additions & 2 deletions .github/workflows/publish-to-test-pypi.yml
Expand Up @@ -13,10 +13,10 @@ jobs:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Python 3.8
- name: Set up Python 3.9
uses: actions/setup-python@v5
with:
python-version: 3.8
python-version: 3.9

- name: Install dependencies
run: pip install wheel
6 changes: 3 additions & 3 deletions .github/workflows/pythonpackage.yml
Expand Up @@ -7,7 +7,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [3.8]
python-version: [3.9]
steps:
- name: Checkout repository
uses: actions/checkout@v4
Expand All @@ -26,7 +26,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [3.8]
python-version: [3.9]
steps:
- name: Checkout repository
uses: actions/checkout@v4
Expand All @@ -47,11 +47,11 @@ jobs:
strategy:
matrix:
python-version: [
["3.8", "38"],
["3.9", "39"],
["3.10", "310"],
["3.11", "311"],
["3.12", "312"],
["3.13", "313"],
]
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
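Review bot: The first two jobs write the matrix as `python-version: [3.9]` (a bare float) while the third quotes its entries (`["3.9", "39"]`); quote the first two as `python-version: ["3.9"]` so the file is consistent and the next bump to a two-digit minor is not parsed as 3.1. Dropping the `["3.8", "38"]` row here moves the supported floor to 3.9, which is consistent with the publish workflows in this commit, but the `.pre-commit-config.yaml` hunk still targets 3.8; that is worth aligning in the same change. Each job's step list continues past the visible hunks.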
10 changes: 5 additions & 5 deletions .pre-commit-config.yaml
@@ -1,24 +1,24 @@
exclude: ^(examples|tools|doc)
repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
rev: v5.0.0
hooks:
- id: check-yaml
- id: debug-statements
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/asottile/reorder_python_imports
rev: v3.9.0
- repo: https://github.com/asottile/reorder-python-imports
rev: v3.14.0
hooks:
- id: reorder-python-imports
args: [--application-directories, '.:src', --py38-plus]
- repo: https://github.com/psf/black-pre-commit-mirror
rev: 23.10.1
rev: 24.10.0
hooks:
- id: black
args: [--line-length=79, --target-version=py38]
- repo: https://github.com/asottile/pyupgrade
rev: v3.3.2
rev: v3.19.1
hooks:
- id: pyupgrade
args: [--py38-plus]
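Review bot: The hook revisions are bumped but the arguments are left at 3.8 — `--py38-plus` for reorder-python-imports and pyupgrade and `--target-version=py38` for black — while every workflow and the readthedocs config in this commit move the floor to 3.9 and the md5 blacklist drops its `sys.version_info >= (3, 9)` guard; change them to `--py39-plus` and `--target-version=py39` so the formatters stop emitting 3.8-compatible output and pyupgrade can apply 3.9 rewrites. Also note that `rev:` values such as `v5.0.0` and `24.10.0` are git tags and therefore mutable; pre-commit accepts a commit SHA in `rev`, which would match the SHA-pinned GitHub Actions used in build-publish-image.yml.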
4 changes: 3 additions & 1 deletion .readthedocs.yaml
Expand Up @@ -3,7 +3,7 @@ version: 2
build:
os: ubuntu-22.04
tools:
python: "3.8"
python: "3.9"

sphinx:
configuration: doc/source/conf.py
Expand All @@ -14,3 +14,5 @@ python:
- requirements: doc/requirements.txt
- method: pip
path: .
extra_requirements:
- sarif
4 changes: 2 additions & 2 deletions .stestr.conf
@@ -1,4 +1,4 @@
[DEFAULT]
test_path=${OS_TEST_PATH:-./tests}
test_path=./tests
top_dir=./
group_regex=.*(test_cert_setup)
parallel_class=True
26 changes: 26 additions & 0 deletions README.rst
Expand Up @@ -117,3 +117,29 @@ source of origin using the following cosign command:
--certificate-oidc-issuer https://token.actions.githubusercontent.com
Where `<version>` is the release version of Bandit.

Sponsors
--------

The development of Bandit is made possible by the following sponsors:

.. list-table::
:width: 100%
:class: borderless

* - .. image:: https://avatars.githubusercontent.com/u/34240465?s=200&v=4
:target: https://opensource.mercedes-benz.com/
:alt: Mercedes-Benz
:width: 88

- .. image:: https://github.githubassets.com/assets/tidelift-8cea37dea8fc.svg
:target: https://tidelift.com/lifter/search/pypi/bandit
:alt: Tidelift
:width: 88

- .. image:: https://avatars.githubusercontent.com/u/110237746?s=200&v=4
:target: https://stacklok.com/
:alt: Stacklok
:width: 88

If you also ❤️ Bandit, please consider sponsoring.
1 change: 1 addition & 0 deletions bandit/__init__.py
Expand Up @@ -16,4 +16,5 @@
from bandit.core.issue import * # noqa
from bandit.core.test_properties import * # noqa

__author__ = metadata.metadata("bandit")["Author"]
__version__ = metadata.version("bandit")
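Review bot: The new `__author__ = metadata.metadata("bandit")["Author"]` line assumes the installed distribution carries an `Author` header; a project that declares its authors with an email address (PEP 621 `authors`) may emit only `Author-email`, and the message-style `__getitem__` then yields `None` on older interpreters while newer importlib.metadata releases are on a deprecation path toward raising `KeyError`. A more defensive form is `__author__ = metadata.metadata("bandit").get("Author", "")`, with a short comment noting the fallback, or falling back to the `Author-email` header when `Author` is absent. The `metadata` name is imported above the visible lines; I am assuming it is `importlib.metadata`, so confirm the exact semantics against that module.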
111 changes: 41 additions & 70 deletions bandit/blacklists/calls.py
Expand Up @@ -96,6 +96,12 @@
| | | .ciphers.algorithms.Blowfish | |
| | | - cryptography.hazmat.primitives | |
| | | .ciphers.algorithms.IDEA | |
| | | - cryptography.hazmat.primitives | |
| | | .ciphers.algorithms.CAST5 | |
| | | - cryptography.hazmat.primitives | |
| | | .ciphers.algorithms.SEED | |
| | | - cryptography.hazmat.primitives | |
| | | .ciphers.algorithms.TripleDES | |
+------+---------------------+------------------------------------+-----------+
| B305 | cipher_modes | - cryptography.hazmat.primitives | Medium |
| | | .ciphers.modes.ECB | |
Expand Down Expand Up @@ -213,7 +219,7 @@
| B312 | telnetlib | - telnetlib.\* | High |
+------+---------------------+------------------------------------+-----------+
B313 - B320: XML
B313 - B319: XML
----------------
Most of this is based off of Christian Heimes' work on defusedxml:
Expand Down Expand Up @@ -250,6 +256,15 @@
| B319 | xml_bad_pulldom | - xml.dom.pulldom.parse | Medium |
| | | - xml.dom.pulldom.parseString | |
+------+---------------------+------------------------------------+-----------+
B320: xml_bad_etree
-------------------
The check for this call has been removed.
+------+---------------------+------------------------------------+-----------+
| ID | Name | Calls | Severity |
+======+=====================+====================================+===========+
| B320 | xml_bad_etree | - lxml.etree.parse | Medium |
| | | - lxml.etree.fromstring | |
| | | - lxml.etree.RestrictedElement | |
Expand Down Expand Up @@ -321,8 +336,6 @@
+------+---------------------+------------------------------------+-----------+
"""
import sys

from bandit.blacklists import utils
from bandit.core import issue

Expand Down Expand Up @@ -373,52 +386,26 @@ def gen_blacklist():
)
)

if sys.version_info >= (3, 9):
sets.append(
utils.build_conf_dict(
"md5",
"B303",
issue.Cwe.BROKEN_CRYPTO,
[
"Crypto.Hash.MD2.new",
"Crypto.Hash.MD4.new",
"Crypto.Hash.MD5.new",
"Crypto.Hash.SHA.new",
"Cryptodome.Hash.MD2.new",
"Cryptodome.Hash.MD4.new",
"Cryptodome.Hash.MD5.new",
"Cryptodome.Hash.SHA.new",
"cryptography.hazmat.primitives.hashes.MD5",
"cryptography.hazmat.primitives.hashes.SHA1",
],
"Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
)
)
else:
sets.append(
utils.build_conf_dict(
"md5",
"B303",
issue.Cwe.BROKEN_CRYPTO,
[
"hashlib.md4",
"hashlib.md5",
"hashlib.sha",
"hashlib.sha1",
"Crypto.Hash.MD2.new",
"Crypto.Hash.MD4.new",
"Crypto.Hash.MD5.new",
"Crypto.Hash.SHA.new",
"Cryptodome.Hash.MD2.new",
"Cryptodome.Hash.MD4.new",
"Cryptodome.Hash.MD5.new",
"Cryptodome.Hash.SHA.new",
"cryptography.hazmat.primitives.hashes.MD5",
"cryptography.hazmat.primitives.hashes.SHA1",
],
"Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
)
sets.append(
utils.build_conf_dict(
"md5",
"B303",
issue.Cwe.BROKEN_CRYPTO,
[
"Crypto.Hash.MD2.new",
"Crypto.Hash.MD4.new",
"Crypto.Hash.MD5.new",
"Crypto.Hash.SHA.new",
"Cryptodome.Hash.MD2.new",
"Cryptodome.Hash.MD4.new",
"Cryptodome.Hash.MD5.new",
"Cryptodome.Hash.SHA.new",
"cryptography.hazmat.primitives.hashes.MD5",
"cryptography.hazmat.primitives.hashes.SHA1",
],
"Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
)
)

sets.append(
utils.build_conf_dict(
Expand All @@ -438,7 +425,10 @@ def gen_blacklist():
"Cryptodome.Cipher.XOR.new",
"cryptography.hazmat.primitives.ciphers.algorithms.ARC4",
"cryptography.hazmat.primitives.ciphers.algorithms.Blowfish",
"cryptography.hazmat.primitives.ciphers.algorithms.CAST5",
"cryptography.hazmat.primitives.ciphers.algorithms.IDEA",
"cryptography.hazmat.primitives.ciphers.algorithms.SEED",
"cryptography.hazmat.primitives.ciphers.algorithms.TripleDES",
],
"Use of insecure cipher {name}. Replace with a known secure"
" cipher such as AES.",
Expand Down Expand Up @@ -537,7 +527,7 @@ def gen_blacklist():
"telnetlib",
"B312",
issue.Cwe.CLEARTEXT_TRANSMISSION,
["telnetlib.*"],
["telnetlib.Telnet"],
"Telnet-related functions are being called. Telnet is considered "
"insecure. Use SSH or some other encrypted protocol.",
"HIGH",
Expand Down Expand Up @@ -634,26 +624,7 @@ def gen_blacklist():
)
)

sets.append(
utils.build_conf_dict(
"xml_bad_etree",
"B320",
issue.Cwe.IMPROPER_INPUT_VALIDATION,
[
"lxml.etree.parse",
"lxml.etree.fromstring",
"lxml.etree.RestrictedElement",
"lxml.etree.GlobalParserTLS",
"lxml.etree.getDefaultParser",
"lxml.etree.check_docinfo",
],
(
"Using {name} to parse untrusted XML data is known to be "
"vulnerable to XML attacks. Replace {name} with its "
"defusedxml equivalent function."
),
)
)
# skipped B320 as the check for a call to lxml.etree has been removed

# end of XML tests

Expand All @@ -662,7 +633,7 @@ def gen_blacklist():
"ftplib",
"B321",
issue.Cwe.CLEARTEXT_TRANSMISSION,
["ftplib.*"],
["ftplib.FTP"],
"FTP-related functions are being called. FTP is considered "
"insecure. Use SSH/SFTP/SCP or some other encrypted protocol.",
"HIGH",
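Review bot: The B312 blacklist entry now matches only `telnetlib.Telnet` (the `utils.build_conf_dict("telnetlib", "B312", ...)` call near the end of the section), but the module docstring's B312 table row, visible as unchanged context earlier in the section, still advertises `- telnetlib.\*`; update that row to `- telnetlib.Telnet` so the documented and actual match sets agree. The B321 ftplib entry is narrowed the same way (`["ftplib.*"]` to `["ftplib.FTP"]`), and its docstring row, which is outside the visible hunks, presumably has the same drift. If leaving `ftplib.FTP_TLS` unflagged is the intent of that narrowing, a one-line comment beside the list such as `# FTP_TLS is deliberately not listed: it is the recommended replacement` would stop a future contributor from re-broadening it. `gen_blacklist` starts and ends outside the visible hunks.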