Bandit is a tool designed to find common security issues in Python code.

Overview

Bandit


Build Status Docs Status Latest Version Python Versions Format License

A security linter from PyCQA

Overview

Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file, builds an AST from it, and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.

Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA.

Installation

Bandit is distributed on PyPI. The best way to install it is with pip:

Create a virtual environment (optional):

virtualenv bandit-env
# Or if you're working with a Python 3 project
python3 -m venv bandit-env
# And activate it:
source bandit-env/bin/activate

Install Bandit:

pip install bandit
# Or if you're working with a Python 3 project
pip3 install bandit

Run Bandit:

bandit -r path/to/your/code

Bandit can also be installed from source. To do so, download the source tarball from PyPI, then install it:

python setup.py install

Usage

Example usage across a code tree:

bandit -r ~/your_repos/project

Example usage across the examples/ directory, showing three lines of context and only reporting on the high-severity issues:

bandit examples/*.py -n 3 -lll

Bandit can be run with profiles. To run Bandit against the examples directory using only the plugins listed in the ShellInjection profile:

bandit examples/*.py -p ShellInjection

Bandit also supports passing lines of code to scan using standard input. To run Bandit with standard input:

cat examples/imports.py | bandit -

Usage:

$ bandit -h
usage: bandit [-h] [-r] [-a {file,vuln}] [-n CONTEXT_LINES] [-c CONFIG_FILE]
              [-p PROFILE] [-t TESTS] [-s SKIPS] [-l] [-i]
              [-f {csv,custom,html,json,screen,txt,xml,yaml}]
              [--msg-template MSG_TEMPLATE] [-o [OUTPUT_FILE]] [-v] [-d] [-q]
              [--ignore-nosec] [-x EXCLUDED_PATHS] [-b BASELINE]
              [--ini INI_PATH] [--exit-zero] [--version]
              [targets [targets ...]]

Bandit - a Python source code security analyzer

positional arguments:
  targets               source file(s) or directory(s) to be tested

optional arguments:
  -h, --help            show this help message and exit
  -r, --recursive       find and process files in subdirectories
  -a {file,vuln}, --aggregate {file,vuln}
                        aggregate output by vulnerability (default) or by
                        filename
  -n CONTEXT_LINES, --number CONTEXT_LINES
                        maximum number of code lines to output for each issue
  -c CONFIG_FILE, --configfile CONFIG_FILE
                        optional config file to use for selecting plugins and
                        overriding defaults
  -p PROFILE, --profile PROFILE
                        profile to use (defaults to executing all tests)
  -t TESTS, --tests TESTS
                        comma-separated list of test IDs to run
  -s SKIPS, --skip SKIPS
                        comma-separated list of test IDs to skip
  -l, --level           report only issues of a given severity level or higher
                        (-l for LOW, -ll for MEDIUM, -lll for HIGH)
  -i, --confidence      report only issues of a given confidence level or
                        higher (-i for LOW, -ii for MEDIUM, -iii for HIGH)
  -f {csv,custom,html,json,screen,txt,xml,yaml}, --format {csv,custom,html,json,screen,txt,xml,yaml}
                        specify output format
  --msg-template MSG_TEMPLATE
                        specify output message template (only usable with
                        --format custom), see CUSTOM FORMAT section for list
                        of available values
  -o [OUTPUT_FILE], --output [OUTPUT_FILE]
                        write report to filename
  -v, --verbose         output extra information like excluded and included
                        files
  -d, --debug           turn on debug mode
  -q, --quiet, --silent
                        only show output in the case of an error
  --ignore-nosec        do not skip lines with # nosec comments
  -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
                        comma-separated list of paths (glob patterns
                        supported) to exclude from scan (note that these are
                        in addition to the excluded paths provided in the
                        config file) (default:
                        .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
  -b BASELINE, --baseline BASELINE
                        path of a baseline report to compare against (only
                        JSON-formatted files are accepted)
  --ini INI_PATH        path to a .bandit file that supplies command line
                        arguments
  --exit-zero           exit with 0, even with results found
  --version             show program's version number and exit

CUSTOM FORMATTING
-----------------

Available tags:

    {abspath}, {relpath}, {line}, {col}, {test_id},
    {severity}, {msg}, {confidence}, {range}

Example usage:

    Default template:
    bandit -r examples/ --format custom --msg-template \
    "{abspath}:{line}: {test_id}[bandit]: {severity}: {msg}"

    Provides same output as:
    bandit -r examples/ --format custom

    Tags can also be formatted in python string.format() style:
    bandit -r examples/ --format custom --msg-template \
    "{relpath:20.20s}: {line:03}: {test_id:^8}: DEFECT: {msg:>20}"

    See python documentation for more information about formatting style:
    https://docs.python.org/3/library/string.html

The following tests were discovered and loaded:
-----------------------------------------------

  B101  assert_used
  B102  exec_used
  B103  set_bad_file_permissions
  B104  hardcoded_bind_all_interfaces
  B105  hardcoded_password_string
  B106  hardcoded_password_funcarg
  B107  hardcoded_password_default
  B108  hardcoded_tmp_directory
  B110  try_except_pass
  B112  try_except_continue
  B201  flask_debug_true
  B301  pickle
  B302  marshal
  B303  md5
  B304  ciphers
  B305  cipher_modes
  B306  mktemp_q
  B307  eval
  B308  mark_safe
  B309  httpsconnection
  B310  urllib_urlopen
  B311  random
  B312  telnetlib
  B313  xml_bad_cElementTree
  B314  xml_bad_ElementTree
  B315  xml_bad_expatreader
  B316  xml_bad_expatbuilder
  B317  xml_bad_sax
  B318  xml_bad_minidom
  B319  xml_bad_pulldom
  B320  xml_bad_etree
  B321  ftplib
  B323  unverified_context
  B324  hashlib_new_insecure_functions
  B325  tempnam
  B401  import_telnetlib
  B402  import_ftplib
  B403  import_pickle
  B404  import_subprocess
  B405  import_xml_etree
  B406  import_xml_sax
  B407  import_xml_expat
  B408  import_xml_minidom
  B409  import_xml_pulldom
  B410  import_lxml
  B411  import_xmlrpclib
  B412  import_httpoxy
  B413  import_pycrypto
  B501  request_with_no_cert_validation
  B502  ssl_with_bad_version
  B503  ssl_with_bad_defaults
  B504  ssl_with_no_version
  B505  weak_cryptographic_key
  B506  yaml_load
  B507  ssh_no_host_key_verification
  B601  paramiko_calls
  B602  subprocess_popen_with_shell_equals_true
  B603  subprocess_without_shell_equals_true
  B604  any_other_function_with_shell_equals_true
  B605  start_process_with_a_shell
  B606  start_process_with_no_shell
  B607  start_process_with_partial_path
  B608  hardcoded_sql_expressions
  B609  linux_commands_wildcard_injection
  B610  django_extra_used
  B611  django_rawsql_used
  B701  jinja2_autoescape_false
  B702  use_of_mako_templates
  B703  django_mark_safe

Baseline

Bandit allows specifying the path of a baseline report to compare against using the base line argument (i.e. -b BASELINE or --baseline BASELINE).

bandit -b BASELINE

This is useful for ignoring known vulnerabilities that you believe are non-issues (e.g. a cleartext password in a unit test). To generate a baseline report simply run Bandit with the output format set to json (only JSON-formatted files are accepted as a baseline) and output file path specified:

bandit -f json -o PATH_TO_OUTPUT_FILE

Version control integration

Use pre-commit. Once you have it installed, add this to the .pre-commit-config.yaml in your repository (be sure to update rev to point to a real git tag/revision!):

repos:
-   repo: https://github.com/PyCQA/bandit
    rev: '' # Update me!
    hooks:
    - id: bandit

Then run pre-commit install and you're ready to go.

Configuration

An optional config file may be supplied and may include:
  • lists of tests which should or shouldn't be run
  • exclude_dirs - sections of the path, that if matched, will be excluded from scanning (glob patterns supported)
  • overridden plugin settings - may provide different settings for some plugins

Per Project Command Line Args

Projects may include a .bandit file that specifies command line arguments that should be supplied for that project. The currently supported arguments are:

  • targets: comma separated list of target dirs/files to run bandit on
  • exclude: comma separated list of excluded paths
  • skips: comma separated list of tests to skip
  • tests: comma separated list of tests to run

To use this, put a .bandit file in your project's directory. For example:

[bandit]
exclude: /test
[bandit]
tests: B101,B102,B301

Exclusions

In the event that a line of code triggers a Bandit issue, but that the line has been reviewed and the issue is a false positive or acceptable for some other reason, the line can be marked with a # nosec and any results associated with it will not be reported.

For example, although this line may cause Bandit to report a potential security issue, it will not be reported:

self.process = subprocess.Popen('/bin/echo', shell=True)  # nosec

Vulnerability Tests

Vulnerability tests or "plugins" are defined in files in the plugins directory.

Tests are written in Python and are autodiscovered from the plugins directory. Each test can examine one or more type of Python statements. Tests are marked with the types of Python statements they examine (for example: function call, string, import, etc).

Tests are executed by the BanditNodeVisitor object as it visits each node in the AST.

Test results are managed in the Manager and aggregated for output at the completion of a test run through the method output_result from Manager instance.

Writing Tests

To write a test:
  • Identify a vulnerability to build a test for, and create a new file in examples/ that contains one or more cases of that vulnerability.
  • Consider the vulnerability you're testing for, mark the function with one or more of the appropriate decorators: - @checks('Call') - @checks('Import', 'ImportFrom') - @checks('Str')
  • Create a new Python source file to contain your test, you can reference existing tests for examples.
  • The function that you create should take a parameter "context" which is an instance of the context class you can query for information about the current element being examined. You can also get the raw AST node for more advanced use cases. Please see the context.py file for more.
  • Extend your Bandit configuration file as needed to support your new test.
  • Execute Bandit against the test file you defined in examples/ and ensure that it detects the vulnerability. Consider variations on how this vulnerability might present itself and extend the example file and the test function accordingly.

Extending Bandit

Bandit allows users to write and register extensions for checks and formatters. Bandit will load plugins from two entry-points:

  • bandit.formatters
  • bandit.plugins

Formatters need to accept 5 things:

  • manager: an instance of bandit manager
  • fileobj: the output file object, which may be sys.stdout
  • sev_level : Filtering severity level
  • conf_level: Filtering confidence level
  • lines=-1: number of lines to report

Plugins tend to take advantage of the bandit.checks decorator which allows the author to register a check for a particular type of AST node. For example

@bandit.checks('Call')
def prohibit_unsafe_deserialization(context):
    if 'unsafe_load' in context.call_function_name_qual:
        return bandit.Issue(
            severity=bandit.HIGH,
            confidence=bandit.HIGH,
            text="Unsafe deserialization detected."
        )

To register your plugin, you have two options:

  1. If you're using setuptools directly, add something like the following to your setup call:

    # If you have an imaginary bson formatter in the bandit_bson module
    # and a function called `formatter`.
    entry_points={'bandit.formatters': ['bson = bandit_bson:formatter']}
    # Or a check for using mako templates in bandit_mako that
    entry_points={'bandit.plugins': ['mako = bandit_mako']}
    
  2. If you're using pbr, add something like the following to your setup.cfg file:

    [entry_points]
    bandit.formatters =
        bson = bandit_bson:formatter
    bandit.plugins =
        mako = bandit_mako
    

Contributing

Follow our Contributing file: https://github.com/PyCQA/bandit/blob/master/CONTRIBUTING.md

Reporting Bugs

Bugs should be reported on github. To file a bug against Bandit, visit: https://github.com/PyCQA/bandit/issues

Show Your Style

Security Status

Use our badge in your project's README!

using Markdown:

[![security: bandit](https://img.shields.io/badge/security-bandit-yellow.svg)](https://github.com/PyCQA/bandit)

using RST:

.. image:: https://img.shields.io/badge/security-bandit-yellow.svg
    :target: https://github.com/PyCQA/bandit
    :alt: Security Status

Under Which Version of Python Should I Install Bandit?

The answer to this question depends on the project(s) you will be running Bandit against. If your project is only compatible with Python 3.5, you should install Bandit to run under Python 3.5. If your project is only compatible with Python 3.8, then use 3.8 respectively. If your project supports both, you could run Bandit with both versions but you don't have to.

Bandit uses the ast module from Python's standard library in order to analyze your Python code. The ast module is only able to parse Python code that is valid in the version of the interpreter from which it is imported. In other words, if you try to use Python 2.7's ast module to parse code written for 3.5 that uses, for example, yield from with asyncio, then you'll have syntax errors that will prevent Bandit from working properly. Alternatively, if you are relying on 2.7's octal notation of 0777 then you'll have a syntax error if you run Bandit on 3.x.

References

Bandit docs: https://bandit.readthedocs.io/en/latest/

Python AST module documentation: https://docs.python.org/3/library/ast.html

Green Tree Snakes - the missing Python AST docs: https://greentreesnakes.readthedocs.org/en/latest/

Documentation of the various types of AST nodes that Bandit currently covers or could be extended to cover: https://greentreesnakes.readthedocs.org/en/latest/nodes.html

Comments
  • PEP-518 support: configure bandit via pyproject.toml

    PEP-518 support: configure bandit via pyproject.toml

    Thank you for cool lib.

    Added support for configuring via pyproject.toml (tool.bandit section). Closes #212, because now all projects have moved from setup.cfg to pyproject.toml.

    1. Parse files the end with .toml as toml and get the tool.bandit section.
    2. Tests included (just inherited from YAML config tests).
    3. Documentation updated, config example included into docs too.

    Close #550 as well

    opened by orsinium 28
  • Bandit 1.6.0 no longer respects excluded directories

    Bandit 1.6.0 no longer respects excluded directories

    Describe the bug Prior to the bandit 1.6.0 release, I was using bandit like so:

    bandit -r . -x ./mymodule1/tests/,./mymodule2/tests/
    

    However, with bandit 1.6.0 the ./mymodule1/tests/ and ./mymodule2/tests/ directories are included in the results. I have confirmed that you can exclude individual files still, just not directories.

    To Reproduce Steps to reproduce the behavior:

    1. Create a directory with a vulnerability in it somewhere
    2. Run bandir -r . -x ./your-new-dir/
    3. See vulnerability results that should be excluded

    Expected behavior Bandit should be excluding the directories entirely that are passed as args to the -x flag.

    Bandit version

    bandit 1.6.0
      python version = 3.6.5 (default, Jun 17 2018, 12:13:06) [GCC 4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.2)]
    
    bug 
    opened by mattjegan 25
  • Exclude paths in config file ignored if passing specific files to Bandit CLI

    Exclude paths in config file ignored if passing specific files to Bandit CLI

    UPDATE: please see my below comment for an updated description of the problem.

    Describe the bug When using the pre-commit hook, my excluded paths listed in .bandit are still processed by bandit.

    To Reproduce Steps to reproduce the behavior:

    1. Create a .bandit config file with exclusions. For example:
      [bandit]
      exclude: ./node_modules/*,./tests/*
      
    2. Run bandit via command line (bandit -r .), verify exclusions ignored.
    3. Run bandit on all files via pre-commit hook: pre-commit run --all-files bandit
    4. See that excluded files are processed by bandit

    Expected behavior I expect the excluded paths to be ignored.

    Bandit version

    bandit 1.6.0
      python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)]
    
    bug 
    opened by pydolan 18
  • [docs] Mention `exclude_dirs` option available in TOML and YAML

    [docs] Mention `exclude_dirs` option available in TOML and YAML

    As discovered in #488 (latest comments) and reported in #528.

    Also attempts to improve the documentation code by aligning code block indenting replacing simple code blocks (::) with source code markup code blocks in reStructuredText.

    Side Notes

    • Despite the name, exclude_dirs also recognizes single files, not only directories.
    • In the long run it may make sense to consolidate the two options exclude and exclude_dirs.
    opened by bittner 12
  • Drop Python 2 Support

    Drop Python 2 Support

    Python 2 is well beyond EOL now and will soon be removed from github's workflows

    This PR seeks to remove all calls / references and tests that rely on Python 2.

    • Remove six imports and six.Py2 conditionals
    • Remove Py2 calls from github workflows
    • Merged example files (e.g exec-py2.py|exec-py3.py > exec.py)
    • Removed py2 env from setuptools
    • Removed py2 env from tox

    Resolves: #584

    opened by lukehinds 11
  • Support for pyproject.toml as config file format

    Support for pyproject.toml as config file format

    PEP 518 specifies a config format that can be exploited by dev tools through designated sections, given their pyPI domain. The toml format is very basic and should allow a simple 1 to 1 mapping of the existing config, since it is more on the minimal side. Given the following .bandit file:

    [bandit]
    targets: src
    skips: B101,B110
    

    Its section in a pyproject.toml would look like this:

    [tool.bandit]
    targets = ["src"]
    skips = ["B101", "B110"]
    

    The sole gain of supporting this would be to reduce the amount of additional config files needed for using bandit in a python project that uses PEP 518 in some way from 1 to 0.


    Discussions on other tools regarding the same issue:

    • https://github.com/python/mypy/issues/5205
    • https://github.com/pytest-dev/pytest/issues/1556
    • https://github.com/nedbat/coveragepy/issues/664
    enhancement 
    opened by a-recknagel 11
  • degraded performance in 1.6.0 release

    degraded performance in 1.6.0 release

    Describe the bug

    I have seen a performance decrease in version 1.6.0. I a member of FussyFox and we run thousands of bandit checks a day. I see an increase in timeouts (200s limit) since I upgraded the stack to the 1.6.0 release.

    My best guess, it's this commit 7c4b9fa8b8d980a27c53000eb1961d436da7b223 I will further investigate the issue.

    Screen Shot 2019-05-14 at 17 32 02 The 200-second cap is because the sub process times out. The execution time would be even longer.

    bug 
    opened by codingjoe 11
  • Logo Proposal: Bandit

    Logo Proposal: Bandit

    Hey, I'm graphic designer and my aim is supporting open source projects and make my portfolio better. So, I can contribute on your project with making logo design. I am waiting your feedback! Have a nice day! :)

    Best Regards, Baran Pirincal Visual Communication Designer

    enhancement 
    opened by baranpirincal 11
  • Tests do not load on Python 3.7 with `importlib-metadata` 5.0.0 and `stevedore` 3.5.1

    Tests do not load on Python 3.7 with `importlib-metadata` 5.0.0 and `stevedore` 3.5.1

    Describe the bug

    Jump to workaround

    While the release of stevedore 3.5.1 appears to have resolved the problems reported in #951 and #953 I am seeing a new problem when using the following on Python 3.7:

    $ pip list | grep "bandit\|importlib-metadata\|stevedore"
    bandit               1.7.4
    importlib-metadata   5.0.0
    stevedore            3.5.1
    

    I get the following:

    $ bandit --version
    bandit 1.7.4
      python version = 3.7.15 (default, Oct 14 2022, 02:08:07) [GCC 11.2.0]
    $ bandit -r .
    [main]  INFO    profile include tests: None
    [main]  INFO    profile exclude tests: None
    [main]  INFO    cli include tests: None
    [main]  INFO    cli exclude tests: None
    [main]  INFO    running on Python 3.7.15
    [main]  ERROR   No tests would be run, please check the profile.
    

    In comparison in the same directory:

    $ pip list | grep "bandit\|importlib-metadata\|stevedore"
    bandit               1.7.4
    importlib-metadata   4.13.0
    stevedore            3.5.1
    $ bandit --version
    bandit 1.7.4
      python version = 3.7.15 (default, Oct 14 2022, 02:08:07) [GCC 11.2.0]
    $ bandit -r .
    [main]  INFO    profile include tests: None
    [main]  INFO    profile exclude tests: None
    [main]  INFO    cli include tests: None
    [main]  INFO    cli exclude tests: None
    [main]  INFO    running on Python 3.7.15
    Run started:2022-10-14 18:09:03.392403
    
    Test results:
            No issues identified.
    
    Code scanned:
            Total lines of code: 1949
            Total lines skipped (#nosec): 0
    
    Run metrics:
            Total issues (by severity):
                    Undefined: 0
                    Low: 0
                    Medium: 0
                    High: 0
            Total issues (by confidence):
                    Undefined: 0
                    Low: 0
                    Medium: 0
                    High: 0
    Files skipped (0):
    

    Workaround

    Pinning to importlib-metadata<5 works. If you are using bandit in a pre-commit configuration you can add the following to your hook configuration:

    additional_dependencies:
      - importlib-metadata<5
    

    such that a full hook configuration looks something like:

    - repo: https://github.com/PyCQA/bandit
        rev: 1.7.4
        hooks:
          - id: bandit
            name: bandit
            additional_dependencies:
              - importlib-metadata<5
    

    Reproduction steps

    1. Install `bandit` into a Python 3.7 environment.
    2. Attempt to use `bandit` to check code.
    

    Expected behavior

    bandit would successfully load tests and use them.

    Bandit version

    1.7.4 (Default)

    Python version

    3.7

    Additional context

    No response

    bug 
    opened by mcdonnnj 10
  • Add skip configuration to assert_used

    Add skip configuration to assert_used

    Adding this configuration allows the user to skip the assert_used check against some files. This is useful because asserts are very common in test files when using pytest.

    Specifying this configuration:

    assert_used:
      skips: ['test.py$', '^test']
    

    would skip all asserts against a test file.

    Resolves #346

    Thank you for the awesome project and your time!

    opened by wilbertom 10
  • Rename blacklist to banlist within internal modules and documentation

    Rename blacklist to banlist within internal modules and documentation

    This proposed change replaces the use of the term "blacklist" with a replacement, "banlist".

    The change is mostly an internal refactoring task.

    Some notes:

    • I have added a backward-compatibility check in the configuration loader that will patch all "blacklist" settings to "banlist".
    • If the user already has files that configure using the blacklist keyword, it will continue to work.
    • The documentation would use blocklist and not refer to blacklist at all

    Could the core development team please comment on this proposal?

    I would gladly make amendments, continue and extend the testing to have this change merged as I believe it would benefit the Python community not to use the term blacklist in such an important project as bandit.

    @ericwb @lukehinds @ehooo @viraptor

    opened by tonybaloney 10
  • some SQL injections not detected

    some SQL injections not detected

    Describe the bug

    None of the lines get reported, although each of the foo functions contains an SQL injection

    from django.db import transaction, connections, connection
    
    
    def foo(booking_id: str):
        with transaction.atomic():
            connections['default'].cursor().execute(f'SELECT pg_advisory_xact_lock({booking_id})')
    
    
    def foo2(booking_id: str):
        with transaction.atomic():
            connection.cursor().execute(f'SELECT pg_advisory_xact_lock({booking_id})')
    
    
    def foo3(booking_id: str):
        with connection.cursor() as cursor:
            cursor.execute(f'SELECT pg_advisory_xact_lock({booking_id})')
    
    
    def foo4(booking_id: str):
        with connection.cursor() as cursor:
            cursor.execute(f'SELECT pg_advisory_xact_lock({booking_id}) FROM table')
    
    
    def foo5(col: str):
        with connection.cursor() as cursor:
            cursor.execute(f'select {col} from table')
    
    
    def foo6(col: str):
        q = f'select {col} from table'
    
    
    def foo7(col, booking_id):
        q = f'select {col} from table where id = {booking_id}'
    
    

    Bandit output:

    bandit -r ./injection.py
    [main]	INFO	profile include tests: None
    [main]	INFO	profile exclude tests: None
    [main]	INFO	cli include tests: None
    [main]	INFO	cli exclude tests: None
    [main]	INFO	running on Python 3.9.14
    Run started:2022-12-16 08:57:06.964396
    
    Test results:
    	No issues identified.
    
    Code scanned:
    	Total lines of code: 20
    	Total lines skipped (#nosec): 0
    
    Run metrics:
    	Total issues (by severity):
    		Undefined: 0
    		Low: 0
    		Medium: 0
    		High: 0
    	Total issues (by confidence):
    		Undefined: 0
    		Low: 0
    		Medium: 0
    		High: 0
    Files skipped (0):
    

    Bandit version: bandit==1.7.4

    Reproduction steps

    1. bandit -r ./injection.py
    

    Expected behavior

    Expected to detect SQL injection in each of the foo* functions

    Bandit version

    1.7.4 (Default)

    Python version

    3.9

    Additional context

    No response

    bug 
    opened by lightsgoout 1
  • Make GitPython dependency optional?

    Make GitPython dependency optional?

    Describe the bug

    CVE-2022-24439 landed today and is specifically related to GitPython. Per https://github.com/gitpython-developers/GitPython/issues/1515, there isn't currently a fix planned. Since bandit requires this, the CVE extends to bandit, too.

    Is there a way that GitPython can be transitioned (either to a different lib or to a dev package, rather than one required by pip)?

    Reproduction steps

    N/A
    

    Expected behavior

    N/A

    Bandit version

    1.7.4 (Default)

    Python version

    3.11 (Default)

    Additional context

    No response

    bug 
    opened by bachya 1
  • Exclusion filter not working correctly with relative paths

    Exclusion filter not working correctly with relative paths

    Describe the bug

    An exclusion filter like -x ./.tox seems to work as desired, but -x .tox doesn't exclude the same directory. I couldn't find any docs on what the exact syntax of exclusion filters should be, so I'd assume both are supported.

    Reproduction steps

    1. Have a large .tox folder at the root level of a project

    2. Run bandit -x ./.tox -ll -f json -o bandit.json -r . and observe that 94 (or some other small number) of things will be scanned

    % bandit -x ./.tox -ll -f json -o bandit.json -r .
    [main]	INFO	profile include tests: None
    [main]	INFO	profile exclude tests: None
    [main]	INFO	cli include tests: None
    [main]	INFO	cli exclude tests: None
    94 [0.. 50.. ]
    [json]	INFO	JSON output written to file: bandit.json
    
    1. Run bandit -x .tox -ll -f json -o bandit.json -r . and observe that 19282 (or some other large number) of things will be scanned
    % bandit -x .tox -ll -f json -o bandit.json -r . 
    [main]	INFO	profile include tests: None
    [main]	INFO	profile exclude tests: None
    [main]	INFO	cli include tests: None
    [main]	INFO	cli exclude tests: None
    19282 [0.. 50.. ^C
    

    Expected behavior

    The two exclusion filters should be equivalent.

    Bandit version

    1.7.4 (Default)

    Python version

    3.9

    Additional context

    The danger of this bug is that files/directories might be unintentionally included/excluded, rendering reports inaccurate.

    bug 
    opened by kenahoo 0
  • Got error: IndexError: list index out of range

    Got error: IndexError: list index out of range

    Describe the bug

    On my tests i found two files (ckeygen.py, ec_key.py) on which i receive error: IndexError: list index out of range ... [main] INFO running on Python 3.9.2 4910 [0.. 50.. 100.. 150.. 200.. 250.. 300.. 350.. 400.. 450.. 500.. 550.. 600.. [tester] ERROR Bandit internal error running: weak_cryptographic_key on file ./pylint-env/lib/python3.9/site-packages/authlib/jose/rfc7518/ec_key.py ... ERROR Bandit internal error running: weak_cryptographic_key on file ./pylint-env/lib/python3.9/site-packages/twisted/conch/scripts/ckeygen.py bandit-index-out-error-files.zip Files append to archive.

    Reproduction steps

    1. unpack files
    2. exec bandit -r -v -o bandit.html -f html --exit-zero .
    3. Got error twice
    ...
    

    Expected behavior

    No errors

    Bandit version

    1.7.4 (Default)

    Python version

    3.9

    Additional context

    Same result on Python 3.10.6

    bug 
    opened by goto110 0
  • New `exclude_regex` Filter to Address False Positives on Password Tests

    New `exclude_regex` Filter to Address False Positives on Password Tests

    Is your feature request related to a problem? Please describe. Consistent issues arise on false positives of "token"-matched variable names in tests B105 and B106.

    See: https://github.com/PyCQA/bandit/issues/498, https://github.com/PyCQA/bandit/issues/842, https://github.com/PyCQA/bandit/issues/843, https://github.com/PyCQA/bandit/issues/211

    Describe the solution you'd like It would be useful to have an exclude_regex field available to filter variable names, and not just excludes at the files and tests level.

    Describe alternatives you've considered

    • exclude and exclude_dirs skips entire files/folders and are too permissive
    • skips completely skips entire tests and are too permissive
    • # nosec entries clutter source code when there are excessive false positives

    Additional context Ideally, coupling an exclude_regex with exclude would be ideal granularity.

    Example pyproject.toml to exclude "token" variable name filtering only in files under "tests/" folders for B106:

    [tool.bandit.hardcoded_password_funcarg]
    exclude_dirs = ["tests"]
    exclude_regex = ["token"]
    

    👍?

    enhancement 
    opened by comc 0
Releases(1.7.4)
  • 1.7.4(Mar 4, 2022)

    What's Changed

    • Fix traceback in hashlib_insecure_functions by @ericwb in https://github.com/PyCQA/bandit/pull/834
    • Add version 1.7.3 to dropdown by @ericwb in https://github.com/PyCQA/bandit/pull/833
    • core/config: Fix ConfigError missing argument if toml is missing by @Holzhaus in https://github.com/PyCQA/bandit/pull/845
    • Add 1.7.4 in issue template by @ericwb in https://github.com/PyCQA/bandit/pull/846

    New Contributors

    • @Holzhaus made their first contribution in https://github.com/PyCQA/bandit/pull/845

    Full Changelog: https://github.com/PyCQA/bandit/compare/1.7.3...1.7.4

    Source code(tar.gz)
    Source code(zip)
    bandit-1.7.4-py3-none-any.whl(115.50 KB)
    bandit-1.7.4.tar.gz(483.50 KB)
  • 1.7.3(Feb 27, 2022)

    What's Changed

    • Rely on toml conditionally by @sigmavirus24 in https://github.com/PyCQA/bandit/pull/780
    • Update issue template with latest versions by @ericwb in https://github.com/PyCQA/bandit/pull/783
    • Delete release-drafter.yml by @ericwb in https://github.com/PyCQA/bandit/pull/781
    • Use released version of gh-action-pypi-publish by @ericwb in https://github.com/PyCQA/bandit/pull/784
    • Update publish-to-pypi.yml by @ericwb in https://github.com/PyCQA/bandit/pull/785
    • Delete releasenotes directory (more openstack leftovers) by @ericwb in https://github.com/PyCQA/bandit/pull/786
    • [docs] Add Getting Started chapter (migrate from README) by @bittner in https://github.com/PyCQA/bandit/pull/773
    • Including CWE information by @julianthome in https://github.com/PyCQA/bandit/pull/613
    • Removal of the CWEMAP dict by @ericwb in https://github.com/PyCQA/bandit/pull/789
    • Fix up warnings in output of tox by @ericwb in https://github.com/PyCQA/bandit/pull/793
    • Avoid printing metrics as float point numbers by @ericwb in https://github.com/PyCQA/bandit/pull/794
    • Add functional test of snmp_security_check by @ericwb in https://github.com/PyCQA/bandit/pull/791
    • Disable individual tests by @mikespallino in https://github.com/PyCQA/bandit/pull/597
    • Change up how CWE is formatted by @ericwb in https://github.com/PyCQA/bandit/pull/788
    • Check value of usedforsecurity for hashlib by @ericwb in https://github.com/PyCQA/bandit/pull/798
    • Remove redundant Python 3.6 code by @ericwb in https://github.com/PyCQA/bandit/pull/802
    • Add new plugin to check use of pyghmi by @ericwb in https://github.com/PyCQA/bandit/pull/803
    • Check for hardcoded passwords in class attributes by @noliverio in https://github.com/PyCQA/bandit/pull/766
    • Better hashlib check for Python 3.9 by @ericwb in https://github.com/PyCQA/bandit/pull/805
    • Fix references to the default branch name by @ericwb in https://github.com/PyCQA/bandit/pull/810
    • Cleanup the README by @ericwb in https://github.com/PyCQA/bandit/pull/809
    • Show usage with no arguments by @ericwb in https://github.com/PyCQA/bandit/pull/814
    • Respect color environment variables if set by @ericwb in https://github.com/PyCQA/bandit/pull/813
    • Cannot seek stdin on pipe by @tylerwince in https://github.com/PyCQA/bandit/pull/496
    • Test on operating systems we can support by @ericwb in https://github.com/PyCQA/bandit/pull/804
    • Fix up some warnings and errors in docs by @ericwb in https://github.com/PyCQA/bandit/pull/817
    • Fix root doc for readthedocs by @ericwb in https://github.com/PyCQA/bandit/pull/818
    • Use versioned links to docs by @ericwb in https://github.com/PyCQA/bandit/pull/819
    • Use CWE link in HTML formatter by @ericwb in https://github.com/PyCQA/bandit/pull/825
    • Improve performance of linerange by @Krock21rus in https://github.com/PyCQA/bandit/pull/629
    • Inaccurate message in hashlib check by @ericwb in https://github.com/PyCQA/bandit/pull/827
    • Target Python >= 3.7 in pre-commit hooks by @mkniewallner in https://github.com/PyCQA/bandit/pull/830
    • Center the bandit logo in readme by @ericwb in https://github.com/PyCQA/bandit/pull/823
    • Build of artifact fails if raw directive used by @ericwb in https://github.com/PyCQA/bandit/pull/831

    New Contributors

    • @bittner made their first contribution in https://github.com/PyCQA/bandit/pull/773
    • @julianthome made their first contribution in https://github.com/PyCQA/bandit/pull/613
    • @noliverio made their first contribution in https://github.com/PyCQA/bandit/pull/766
    • @Krock21rus made their first contribution in https://github.com/PyCQA/bandit/pull/629

    Full Changelog: https://github.com/PyCQA/bandit/compare/1.7.2...1.7.3

    Source code(tar.gz)
    Source code(zip)
    bandit-1.7.3-py3-none-any.whl(115.47 KB)
    bandit-1.7.3.tar.gz(483.40 KB)
  • 1.7.2(Jan 25, 2022)

    What's Changed

    • Fix broken reported URL link for B107 by @bagerard in https://github.com/PyCQA/bandit/pull/751
    • test_help_arg: remove assert on 'optional arguments' by @mikelolasagasti in https://github.com/PyCQA/bandit/pull/752
    • Create FUNDING.yml by @ericwb in https://github.com/PyCQA/bandit/pull/774
    • Start using auto-formatters by @sigmavirus24 in https://github.com/PyCQA/bandit/pull/754
    • Drop end-of-life Python 3.5 by @ericwb in https://github.com/PyCQA/bandit/pull/746
    • Drop end-of-life Python 3.6 by @ericwb in https://github.com/PyCQA/bandit/pull/777
    • Fixup typo by @spagh-eddie in https://github.com/PyCQA/bandit/pull/769
    • Fix README.rst by @stannum-l in https://github.com/PyCQA/bandit/pull/365
    • Added snmp_security check plugin for various SNMP checks by @Jed-Giblin in https://github.com/PyCQA/bandit/pull/403
    • Remove leftover openstack code by @ericwb in https://github.com/PyCQA/bandit/pull/778
    • Correctly define extras in setup.cfg by @mkniewallner in https://github.com/PyCQA/bandit/pull/755

    New Contributors

    • @bagerard made their first contribution in https://github.com/PyCQA/bandit/pull/751
    • @mikelolasagasti made their first contribution in https://github.com/PyCQA/bandit/pull/752
    • @sigmavirus24 made their first contribution in https://github.com/PyCQA/bandit/pull/754
    • @spagh-eddie made their first contribution in https://github.com/PyCQA/bandit/pull/769
    • @Jed-Giblin made their first contribution in https://github.com/PyCQA/bandit/pull/403
    • @mkniewallner made their first contribution in https://github.com/PyCQA/bandit/pull/755

    Full Changelog: https://github.com/PyCQA/bandit/compare/1.7.1...1.7.2

    Source code(tar.gz)
    Source code(zip)
    bandit-1.7.2-py3-none-any.whl(110.88 KB)
    bandit-1.7.2.tar.gz(485.45 KB)
  • 1.7.1(Jan 25, 2022)

    What's Changed

    • Specify output_file encoding as utf-8 by @Brcrwilliams in https://github.com/PyCQA/bandit/pull/364
    • Specify language_version in .pre-commit-hooks.yaml by @jdufresne in https://github.com/PyCQA/bandit/pull/670
    • Clearer message for subprocess module use by @ericwb in https://github.com/PyCQA/bandit/pull/667
    • Add the column offset to the issue model by @tonybaloney in https://github.com/PyCQA/bandit/pull/618
    • Show column offset on all formatters by @ericwb in https://github.com/PyCQA/bandit/pull/673
    • More complete removal of Python2 code by @ericwb in https://github.com/PyCQA/bandit/pull/674
    • Small syntax and formatting cleanup by @ericwb in https://github.com/PyCQA/bandit/pull/676
    • Updates to address docstring code scan issues, add flake8 configuration by @asears in https://github.com/PyCQA/bandit/pull/671
    • More cleanup of license headers by @ericwb in https://github.com/PyCQA/bandit/pull/679
    • Replace http with https URLs by @ericwb in https://github.com/PyCQA/bandit/pull/680
    • Add default labels to issues by @ericwb in https://github.com/PyCQA/bandit/pull/681
    • Prevent creation of blank issues by @ericwb in https://github.com/PyCQA/bandit/pull/682
    • Include the line number when using HTML output format by @aludwin1 in https://github.com/PyCQA/bandit/pull/683
    • Add support for Python 3.9 by @ericwb in https://github.com/PyCQA/bandit/pull/650
    • Add numeric options for severity and confidence by @nathanstocking in https://github.com/PyCQA/bandit/pull/702
    • #694 Bandit fails when using importlib with named arguments by @maciejstromich in https://github.com/PyCQA/bandit/pull/701
    • Add license to package installation metadata by @RobbeSneyders in https://github.com/PyCQA/bandit/pull/705
    • Mock part of python 3.x by @ericwb in https://github.com/PyCQA/bandit/pull/685
    • Remove statement about Py3 by @ericwb in https://github.com/PyCQA/bandit/pull/713
    • Use new issue template format by @ericwb in https://github.com/PyCQA/bandit/pull/717
    • Fix syntax error in bug report by @ericwb in https://github.com/PyCQA/bandit/pull/718
    • Remove steps in reproduce section by @ericwb in https://github.com/PyCQA/bandit/pull/719
    • Fix syntax errors in bug report by @ericwb in https://github.com/PyCQA/bandit/pull/720
    • document that random.choices() isn't secure either by @taybin in https://github.com/PyCQA/bandit/pull/728
    • PEP-518 support: configure bandit via pyproject.toml by @orsinium in https://github.com/PyCQA/bandit/pull/401
    • Always use a Loader in yaml.load by @ericwb in https://github.com/PyCQA/bandit/pull/745
    • fix reading initial values from .bandit by @alipqb in https://github.com/PyCQA/bandit/pull/722

    New Contributors

    • @Brcrwilliams made their first contribution in https://github.com/PyCQA/bandit/pull/364
    • @jdufresne made their first contribution in https://github.com/PyCQA/bandit/pull/670
    • @tonybaloney made their first contribution in https://github.com/PyCQA/bandit/pull/618
    • @asears made their first contribution in https://github.com/PyCQA/bandit/pull/671
    • @aludwin1 made their first contribution in https://github.com/PyCQA/bandit/pull/683
    • @nathanstocking made their first contribution in https://github.com/PyCQA/bandit/pull/702
    • @RobbeSneyders made their first contribution in https://github.com/PyCQA/bandit/pull/705
    • @taybin made their first contribution in https://github.com/PyCQA/bandit/pull/728
    • @orsinium made their first contribution in https://github.com/PyCQA/bandit/pull/401
    • @alipqb made their first contribution in https://github.com/PyCQA/bandit/pull/722

    Full Changelog: https://github.com/PyCQA/bandit/compare/1.7.0...1.7.1

    Source code(tar.gz)
    Source code(zip)
    bandit-1.7.1-py3-none-any.whl(110.88 KB)
    bandit-1.7.1.tar.gz(491.28 KB)
  • 1.7.0(Dec 13, 2020)

    What's Changed

    • Use GitHub Action badge for build by @ericwb in https://github.com/PyCQA/bandit/pull/651
    • Remove universal support on the wheel by @ericwb in https://github.com/PyCQA/bandit/pull/655
    • Give some tips on how to resolve B101 in the doc by @xuhdev in https://github.com/PyCQA/bandit/pull/616
    • Remove blacklist call to input() by @ericwb in https://github.com/PyCQA/bandit/pull/662
    • Create CODEOWNERS by @ericwb in https://github.com/PyCQA/bandit/pull/661

    New Contributors

    • @xuhdev made their first contribution in https://github.com/PyCQA/bandit/pull/616

    Full Changelog: https://github.com/PyCQA/bandit/compare/1.6.3...1.7.0

    Source code(tar.gz)
    Source code(zip)
    bandit-1.7.0-py3-none-any.whl(112.52 KB)
    bandit-1.7.0.tar.gz(494.36 KB)
  • 1.6.3(Dec 6, 2020)

    What's Changed

    • Replace setattr by @tylerwince in https://github.com/PyCQA/bandit/pull/493
    • Fix 3.8 errors by @tylerwince in https://github.com/PyCQA/bandit/pull/509
    • get_url returns different urls calling twice (bug #506) by @ehooo in https://github.com/PyCQA/bandit/pull/507
    • fix B603 docstring by @graingert in https://github.com/PyCQA/bandit/pull/524
    • --exit-zero option by @maciejstromich in https://github.com/PyCQA/bandit/pull/510
    • fix the documentation file README.rst by @MrDolev in https://github.com/PyCQA/bandit/pull/533
    • Cleanup comments after #510 by @florczakraf in https://github.com/PyCQA/bandit/pull/532
    • Update test requirements to latest versions by @ericwb in https://github.com/PyCQA/bandit/pull/535
    • Remove obsolete "sudo" keyword. by @jugmac00 in https://github.com/PyCQA/bandit/pull/538
    • Remove unused bindep.txt file by @ericwb in https://github.com/PyCQA/bandit/pull/539
    • Revert "Revert "Update python documentation links for version 3 counterparts"" by @ericwb in https://github.com/PyCQA/bandit/pull/540
    • Add several ini options for .bandit file by @vuolter in https://github.com/PyCQA/bandit/pull/508
    • Add type checking to name node of hashlib_new by @teeann in https://github.com/PyCQA/bandit/pull/516
    • Add more missing ini options by @ericwb in https://github.com/PyCQA/bandit/pull/541
    • Add shelve to the pickle blacklists by @auscompgeek in https://github.com/PyCQA/bandit/pull/542
    • Fix readme file on Extending Bandit on list things by @MrDolev in https://github.com/PyCQA/bandit/pull/534
    • Add official support of Python 3.8 by @ericwb in https://github.com/PyCQA/bandit/pull/547
    • update README to add info about badge by @zachvalenta in https://github.com/PyCQA/bandit/pull/482
    • Fix docs for B610,B611,B703 by @amacfie in https://github.com/PyCQA/bandit/pull/555
    • Use SPDX license identifier instead of bulky headers by @ericwb in https://github.com/PyCQA/bandit/pull/530
    • Add a section explaining "nosec" by @exhuma in https://github.com/PyCQA/bandit/pull/554
    • replace 'then' with 'than' by @pwoolvett in https://github.com/PyCQA/bandit/pull/557
    • Add sha1 to the list of insecure hashes by @ericwb in https://github.com/PyCQA/bandit/pull/561
    • Use GitHub Actions to run CI by @ericwb in https://github.com/PyCQA/bandit/pull/565
    • Ignore common directories by default by @ericwb in https://github.com/PyCQA/bandit/pull/544
    • Add push and pull request to GH Action trigger by @ericwb in https://github.com/PyCQA/bandit/pull/567
    • Add contributing file by @Glyphack in https://github.com/PyCQA/bandit/pull/572
    • Fix contributing typo by @Glyphack in https://github.com/PyCQA/bandit/pull/582
    • [DOC] Support python3 venv creation by @look4regev in https://github.com/PyCQA/bandit/pull/583
    • Cleanup some typos in recent contributor guide by @ericwb in https://github.com/PyCQA/bandit/pull/585
    • Fix colorama not being disabled after being used by @adambenali in https://github.com/PyCQA/bandit/pull/586
    • Fix typo for activating venv by @bavedarnow in https://github.com/PyCQA/bandit/pull/590
    • Bump pyyaml by @dosisod in https://github.com/PyCQA/bandit/pull/588
    • Update CODE_OF_CONDUCT.md by @ericwb in https://github.com/PyCQA/bandit/pull/591
    • Resolve 'NoneType' object has no attribute 'id'Traceback in django_mark_safe by @ehooo in https://github.com/PyCQA/bandit/pull/598
    • [FIX] blacklist: fix typo in import_ftplib by @Yenthe666 in https://github.com/PyCQA/bandit/pull/601
    • Add release notes project URL by @scop in https://github.com/PyCQA/bandit/pull/610
    • Drop Python2 build, test, and install by @ericwb in https://github.com/PyCQA/bandit/pull/615
    • Fix # noqa rendering in docs by @DrGFreeman in https://github.com/PyCQA/bandit/pull/645
    • Don't show progress information on --quiet by @fniessink in https://github.com/PyCQA/bandit/pull/641
    • Add skip configuration to assert_used by @wilbertom in https://github.com/PyCQA/bandit/pull/633
    • GitHub Action to publish to Test PyPI by @ericwb in https://github.com/PyCQA/bandit/pull/652
    • Add workflow to publish to PyPI by @ericwb in https://github.com/PyCQA/bandit/pull/653

    New Contributors

    • @graingert made their first contribution in https://github.com/PyCQA/bandit/pull/524
    • @MrDolev made their first contribution in https://github.com/PyCQA/bandit/pull/533
    • @florczakraf made their first contribution in https://github.com/PyCQA/bandit/pull/532
    • @jugmac00 made their first contribution in https://github.com/PyCQA/bandit/pull/538
    • @vuolter made their first contribution in https://github.com/PyCQA/bandit/pull/508
    • @teeann made their first contribution in https://github.com/PyCQA/bandit/pull/516
    • @auscompgeek made their first contribution in https://github.com/PyCQA/bandit/pull/542
    • @zachvalenta made their first contribution in https://github.com/PyCQA/bandit/pull/482
    • @amacfie made their first contribution in https://github.com/PyCQA/bandit/pull/555
    • @exhuma made their first contribution in https://github.com/PyCQA/bandit/pull/554
    • @pwoolvett made their first contribution in https://github.com/PyCQA/bandit/pull/557
    • @Glyphack made their first contribution in https://github.com/PyCQA/bandit/pull/572
    • @look4regev made their first contribution in https://github.com/PyCQA/bandit/pull/583
    • @adambenali made their first contribution in https://github.com/PyCQA/bandit/pull/586
    • @bavedarnow made their first contribution in https://github.com/PyCQA/bandit/pull/590
    • @dosisod made their first contribution in https://github.com/PyCQA/bandit/pull/588
    • @Yenthe666 made their first contribution in https://github.com/PyCQA/bandit/pull/601
    • @scop made their first contribution in https://github.com/PyCQA/bandit/pull/610
    • @DrGFreeman made their first contribution in https://github.com/PyCQA/bandit/pull/645
    • @fniessink made their first contribution in https://github.com/PyCQA/bandit/pull/641
    • @wilbertom made their first contribution in https://github.com/PyCQA/bandit/pull/633

    Full Changelog: https://github.com/PyCQA/bandit/compare/1.6.2...1.6.3

    Source code(tar.gz)
    Source code(zip)
    bandit-1.6.3-py2.py3-none-any.whl(112.46 KB)
    bandit-1.6.3.tar.gz(494.18 KB)
  • 1.6.2(Jul 1, 2019)

  • 1.6.1(Jun 15, 2019)

    What's Changed

    • add namespaces for parent attributes by @tylerwince in https://github.com/PyCQA/bandit/pull/492
    • add test for regression and fix directory exclusion without wildcards by @mattjegan in https://github.com/PyCQA/bandit/pull/489

    New Contributors

    • @mattjegan made their first contribution in https://github.com/PyCQA/bandit/pull/489

    Full Changelog: https://github.com/PyCQA/bandit/compare/1.6.0...1.6.1

    Source code(tar.gz)
    Source code(zip)
    bandit-1.6.1-py2.py3-none-any.whl(119.50 KB)
    bandit-1.6.1.tar.gz(486.80 KB)
  • 1.6.0(May 9, 2019)

    What's Changed

    • Fix custom format argument handling by @evqna in https://github.com/PyCQA/bandit/pull/380
    • Add release drafter template by @evqna in https://github.com/PyCQA/bandit/pull/382
    • Add option -q, --quiet, --silent to hide output by @ericwb in https://github.com/PyCQA/bandit/pull/385
    • No need to skip R0204: redefined-variable-type by @ericwb in https://github.com/PyCQA/bandit/pull/390
    • Allow failures on dev branch of Python 3.8 by @ericwb in https://github.com/PyCQA/bandit/pull/392
    • Fix Pylint warning W0612: use of unused variables by @ericwb in https://github.com/PyCQA/bandit/pull/389
    • Fix B611 doc title by @paulopontesm in https://github.com/PyCQA/bandit/pull/414
    • Add pre-commit config by @KPilnacek in https://github.com/PyCQA/bandit/pull/411
    • Remove unneeded trailing paren in link by @ericwb in https://github.com/PyCQA/bandit/pull/416
    • Fix more info line to be in color also by @ericwb in https://github.com/PyCQA/bandit/pull/408
    • Add missing custom formatter doc (#406) by @nixphix in https://github.com/PyCQA/bandit/pull/421
    • Fix terminal colors not displaying properly on Windows by @GhostofGoes in https://github.com/PyCQA/bandit/pull/424
    • Fix sql injection check for f-strings by @mikespallino in https://github.com/PyCQA/bandit/pull/434
    • Bump PyYAML minimum version to 3.13 by @ericwb in https://github.com/PyCQA/bandit/pull/432
    • Remove paramiko invoke_shell and fix example by @ericwb in https://github.com/PyCQA/bandit/pull/377
    • Supporting CSafeLoader in yaml.load plugin by @domanchi in https://github.com/PyCQA/bandit/pull/436
    • Properly handle nosec strings in code by @ericwb in https://github.com/PyCQA/bandit/pull/388
    • Add a readthedocs build status badge by @lukehinds in https://github.com/PyCQA/bandit/pull/440
    • #394 Describe baseline and it's usage in README by @BillBrower in https://github.com/PyCQA/bandit/pull/415
    • Fix DeprecationWarning: invalid escape sequence by @BoboTiG in https://github.com/PyCQA/bandit/pull/441
    • Fix ResourceWarning: unclosed file by @BoboTiG in https://github.com/PyCQA/bandit/pull/442
    • Password by @ehooo in https://github.com/PyCQA/bandit/pull/387
    • check if ast.JoinedStr exists before using it by @calvinli in https://github.com/PyCQA/bandit/pull/446
    • Fix typo in README by @bitcoinhodler in https://github.com/PyCQA/bandit/pull/451
    • Fix context class by @ehooo in https://github.com/PyCQA/bandit/pull/449
    • Update python documentation links for version 3 counterparts by @sgaist in https://github.com/PyCQA/bandit/pull/456
    • Revert "Update python documentation links for version 3 counterparts" by @ericwb in https://github.com/PyCQA/bandit/pull/461
    • Redo logo on the README by @ericwb in https://github.com/PyCQA/bandit/pull/463
    • Interpret wildcards in the file exclusion list by @thilp in https://github.com/PyCQA/bandit/pull/450
    • updated readme links for werkzeug debugger by @sfc-gh-spandey in https://github.com/PyCQA/bandit/pull/473
    • Remove pycryptodome blacklist by @mikespallino in https://github.com/PyCQA/bandit/pull/470

    New Contributors

    • @paulopontesm made their first contribution in https://github.com/PyCQA/bandit/pull/414
    • @KPilnacek made their first contribution in https://github.com/PyCQA/bandit/pull/411
    • @nixphix made their first contribution in https://github.com/PyCQA/bandit/pull/421
    • @GhostofGoes made their first contribution in https://github.com/PyCQA/bandit/pull/424
    • @domanchi made their first contribution in https://github.com/PyCQA/bandit/pull/436
    • @BillBrower made their first contribution in https://github.com/PyCQA/bandit/pull/415
    • @BoboTiG made their first contribution in https://github.com/PyCQA/bandit/pull/441
    • @calvinli made their first contribution in https://github.com/PyCQA/bandit/pull/446
    • @bitcoinhodler made their first contribution in https://github.com/PyCQA/bandit/pull/451
    • @sgaist made their first contribution in https://github.com/PyCQA/bandit/pull/456
    • @thilp made their first contribution in https://github.com/PyCQA/bandit/pull/450
    • @sfc-gh-spandey made their first contribution in https://github.com/PyCQA/bandit/pull/473

    Full Changelog: https://github.com/PyCQA/bandit/compare/1.5.1...1.6.0

    Source code(tar.gz)
    Source code(zip)
    bandit-1.6.0-py2.py3-none-any.whl(119.40 KB)
    bandit-1.6.0.tar.gz(486.89 KB)
  • 1.5.1(Sep 6, 2018)

    What's Changed

    • Fixed crash on dynamic import traversal by @evqna in https://github.com/PyCQA/bandit/pull/369
    • New plugin to check for ignoring host keys by @rajathagasthya in https://github.com/PyCQA/bandit/pull/374
    • Adding test case for traversal crash by @evqna in https://github.com/PyCQA/bandit/pull/378

    New Contributors

    • @rajathagasthya made their first contribution in https://github.com/PyCQA/bandit/pull/374

    Full Changelog: https://github.com/PyCQA/bandit/compare/1.5.0...1.5.1

    Source code(tar.gz)
    Source code(zip)
    bandit-1.5.1-py2.py3-none-any.whl(118.41 KB)
    bandit-1.5.1.tar.gz(469.58 KB)
  • 1.5.0(Aug 16, 2018)

    What's Changed

    • Travis ci file by @lukehinds in https://github.com/PyCQA/bandit/pull/282
    • Changes OpenStack specifics to PyCQA by @lukehinds in https://github.com/PyCQA/bandit/pull/1
    • Migrate to new PyPI website by @ericwb in https://github.com/PyCQA/bandit/pull/2
    • Create a code of conduct by @ericwb in https://github.com/PyCQA/bandit/pull/283
    • Remove the unused integration tests by @ericwb in https://github.com/PyCQA/bandit/pull/285
    • Create an issue template for the project by @ericwb in https://github.com/PyCQA/bandit/pull/284
    • Add a build status badge to the README by @ericwb in https://github.com/PyCQA/bandit/pull/289
    • Show support for Python 3.6 by @ericwb in https://github.com/PyCQA/bandit/pull/288
    • Remove integration test playbooks by @ericwb in https://github.com/PyCQA/bandit/pull/290
    • Update issue templates to new GitHub format by @ericwb in https://github.com/PyCQA/bandit/pull/301
    • Logo design: Bandit by @baranpirincal in https://github.com/PyCQA/bandit/pull/302
    • Add a smaller logo that works with the README rst by @ericwb in https://github.com/PyCQA/bandit/pull/304
    • Update the doc links, remove openstack by @ericwb in https://github.com/PyCQA/bandit/pull/305
    • Add missing B413 import_pycrypto in README by @ericwb in https://github.com/PyCQA/bandit/pull/308
    • Add PyCryptodome to import blacklists by @warthog9 in https://github.com/PyCQA/bandit/pull/307
    • Django sql injection by @ehooo in https://github.com/PyCQA/bandit/pull/292
    • Use bandit.readthedocs.io in setup.cfg by @ericwb in https://github.com/PyCQA/bandit/pull/312
    • Add detection for Django XSS by @ehooo in https://github.com/PyCQA/bandit/pull/295
    • Add missing documentation link for B703 by @ericwb in https://github.com/PyCQA/bandit/pull/314
    • Remove OpenStack-specific plugins by @nickthetait in https://github.com/PyCQA/bandit/pull/316
    • Improve shell by @ehooo in https://github.com/PyCQA/bandit/pull/298
    • Fast fix for yaml import by @ehooo in https://github.com/PyCQA/bandit/pull/303
    • Django sql injection by @ehooo in https://github.com/PyCQA/bandit/pull/310
    • Enable travis to run pylint and pep8 tox env by @ericwb in https://github.com/PyCQA/bandit/pull/325
    • Add development status classifier by @ericwb in https://github.com/PyCQA/bandit/pull/321
    • Remove openstack specific utils.exec checks by @ericwb in https://github.com/PyCQA/bandit/pull/328
    • add os.tempnam() / os.tmpnam() to blacklist by @chair6 in https://github.com/PyCQA/bandit/pull/330
    • Add Python 3.7 support by @ericwb in https://github.com/PyCQA/bandit/pull/327
    • Add subprocess.run to B602 by @ericwb in https://github.com/PyCQA/bandit/pull/334
    • Repair some broken see also links in the doc by @ericwb in https://github.com/PyCQA/bandit/pull/336
    • Use html.escape() instead of cgi.escape() by @ericwb in https://github.com/PyCQA/bandit/pull/339
    • Re-enable functional tests as part of CI by @ericwb in https://github.com/PyCQA/bandit/pull/348
    • Add more_info URL to XML output by @stannum-l in https://github.com/PyCQA/bandit/pull/354
    • Report dill usage by @calve in https://github.com/PyCQA/bandit/pull/347
    • Add experimental Python 3.8-dev to test with by @ericwb in https://github.com/PyCQA/bandit/pull/337
    • Add emojis to issue types by @ericwb in https://github.com/PyCQA/bandit/pull/358
    • Add more_info URL to text output by @stannum-l in https://github.com/PyCQA/bandit/pull/359
    • Add more_info URL to screen formatter by @stannum-l in https://github.com/PyCQA/bandit/pull/360
    • Add support to run bandit as python -m bandit by @rtfpessoa in https://github.com/PyCQA/bandit/pull/363
    • Add more_info URL to csv formatter by @stannum-l in https://github.com/PyCQA/bandit/pull/361
    • Add external documentation references by @evqna in https://github.com/PyCQA/bandit/pull/368
    • Change ver 1.4.1 references to 1.5.0 by @ericwb in https://github.com/PyCQA/bandit/pull/370

    New Contributors

    • @baranpirincal made their first contribution in https://github.com/PyCQA/bandit/pull/302
    • @warthog9 made their first contribution in https://github.com/PyCQA/bandit/pull/307
    • @nickthetait made their first contribution in https://github.com/PyCQA/bandit/pull/316
    • @chair6 made their first contribution in https://github.com/PyCQA/bandit/pull/330
    • @calve made their first contribution in https://github.com/PyCQA/bandit/pull/347
    • @rtfpessoa made their first contribution in https://github.com/PyCQA/bandit/pull/363

    Full Changelog: https://github.com/PyCQA/bandit/compare/1.4.0...1.5.0

    Source code(tar.gz)
    Source code(zip)
    bandit-1.5.0-py2.py3-none-any.whl(117.03 KB)
    bandit-1.5.0.tar.gz(468.65 KB)
Owner
Python Code Quality Authority
Organization for code quality tools (and plugins) for the Python programming language
Python Code Quality Authority
"Video Moment Retrieval from Text Queries via Single Frame Annotation" in SIGIR 2022.

ViGA: Video moment retrieval via Glance Annotation This is the official repository of the paper "Video Moment Retrieval from Text Queries via Single F

Ran Cui 38 Dec 31, 2022
nuclei scanner for proxyshell ( CVE-2021-34473 )

Proxyshell-Scanner nuclei scanner for Proxyshell RCE (CVE-2021-34423,CVE-2021-34473,CVE-2021-31207) discovered by orange tsai in Pwn2Own, which affect

PikaChu 29 Dec 16, 2022
Big-Papa Integrates Javascript and python for remote cookie stealing which then can be used for session hijacking

Big-Papa is a remote cookie stealer which can then be used for session hijacking and Bypassing 2 Factor Authentication

77 Jan 03, 2023
Proof on Concept Exploit for CVE-2021-38647 (OMIGOD)

OMIGOD Proof on Concept Exploit for CVE-2021-38647 (OMIGOD) For background information and context, read the our blog post detailing this vulnerabilit

Horizon 3 AI Inc 231 Nov 12, 2022
集成crawlergo、xray、dirsearch、nmap等工具的src漏洞挖掘工具,使用docker封装运行;

tools下有几个工具,所以项目文件比较大,如果下载总是中断的话建议拆开下载各个项目然后直接拷贝dockefile和recon.py即可 0x01 hscan介绍 hscan是什么 hscan是一款旨在使用一条命令替代渗透前的多条扫描命令,通过集成crawlergo扫描和xray扫描、dirsear

102 Jan 04, 2023
EMBArk - The firmware security scanning environment

Embark is being developed to provide the firmware security analyzer emba as a containerized service and to ease accessibility to emba regardless of system and operating system.

emba 175 Dec 14, 2022
PyFUD - Fully Undetectable payload generator for metasploit

PyFUD fully Undetectable payload generator for metasploit Usage: pyfud.py --host

3 Mar 25, 2022
A tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine or expire obfuscated scripts.

PyArmor Homepage (中文版网站) Documentation(中文版) PyArmor is a command line tool used to obfuscate python scripts, bind obfuscated scripts to fixed machine

Dashingsoft 1.9k Dec 30, 2022
带回显版本的漏洞利用脚本

CVE-2021-21978 带回显版本的漏洞利用脚本,更简单的方式 0. 漏洞信息 VMware View Planner Web管理界面存在一个上传日志功能文件的入口,没有进行认证且写入的日志文件路径用户可控,通过覆盖上传日志功能文件log_upload_wsgi.py,即可实现RCE 漏洞代码

3ky7in4 24 Nov 09, 2022
Gefilte Fish GMail filter creator

Gefilte Fish: GMail filter maker Gefilte Fish automates the creation of GMail filters. Use it like this: from gefilte import GefilteFish,

Ned Batchelder 31 Sep 28, 2022
Vulnerability Scanner & Auto Exploiter You can use this tool to check the security by finding the vulnerability in your website or you can use this tool to Get Shells

About create a target list or select one target, scans then exploits, done! Vulnnr is a Vulnerability Scanner & Auto Exploiter You can use this tool t

Nano 108 Dec 04, 2021
Cam-Hacker: Ip Cameras hack with python

Cam-Hacker Hack Cameras Mode Of Execution: apt-get install python3 apt-get insta

Error 4 You 9 Dec 17, 2022
Malware-analysis-writeups - Some of my Malware Analysis writeups

About This repo contains some malware analysis writeups i've created over time m

Itay Migdal 14 Jun 22, 2022
Android Malware Behavior Deleter

Android Malware Behavior Deleter UDcide UDcide is a tool that provides alternative way to deal with Android malware. We help you to detect and remove

27 Sep 23, 2022
PoC for CVE-2021-26855 -Just a checker-

CVE-2021-26855 PoC for CVE-2021-26855 -Just a checker- Usage python3 CVE-2021-26855.py -u https://mail.example.com -c example.burpcollaborator.net # C

Abdullah AlZahrani 17 Dec 22, 2022
Repository for a project of the course EP2520 Building Networked Systems Security

EP2520_ACME_Project Repository for a project of the course EP2520 Building Networked Systems Security in Royal Institute of Technology (KTH), Stockhol

1 Dec 11, 2021
An open-source post-exploitation framework for students, researchers and developers.

Questions? Join the Discord support server Disclaimer: This project should be used for authorized testing or educational purposes only. BYOB is an ope

dvm 8.1k Dec 31, 2022
Hammer-DDos - Hammer DDos With Python

Hammer-DDos $ apt update $ apt upgrade $ apt install python $ apt install git $

1 Jan 24, 2022
Python tool for dumping flash via uboot reliably

Reliable Uboot Flash Dumper is a Python tool for dumping flash via uboot reliably. If you've ever had to dump flash via uboot and a serial connection and became frustrated about doing it several time

SecurityJon 25 May 10, 2022
Scarecrow is a tool written in Python3 allowing you to protect your Python3 scripts.

🕷️ Scarecrow 🕷️ Scarecrow is a tool written in Python3 allowing you to protect your Python3 scripts. It looks for processes with specific names to v

Billy 33 Sep 28, 2022