From 6969489ff711a1762bd44d00eaaba75f0c7102f6 Mon Sep 17 00:00:00 2001
From: Mathieu Kniewallner
Date: Thu, 28 Sep 2023 04:59:19 +0200
Subject: [PATCH 1/3] fix(plugins/B507): also detect class instances (#1064)

`paramiko` supports passing both a class and a class instance for the policy in `set_missing_host_key_policy` (https://github.com/paramiko/paramiko/blob/8e389c77660c5cdae3069b478665427d23012853/paramiko/client.py#L171-L191). This updates B507 to account for both styles.
---
 bandit/plugins/ssh_no_host_key_verification.py | 16 ++++++++++++----
 examples/no_host_key_verification.py | 2 ++
 tests/functional/test_functional.py | 4 ++--
 3 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/bandit/plugins/ssh_no_host_key_verification.py b/bandit/plugins/ssh_no_host_key_verification.py
index 2f439032..e8edaf93 100644
--- a/bandit/plugins/ssh_no_host_key_verification.py
+++ b/bandit/plugins/ssh_no_host_key_verification.py
@@ -35,6 +35,8 @@ CWE information added
 """
+import ast
+
 import bandit
 from bandit.core import issue
 from bandit.core import test_properties as test
@@ -46,11 +48,17 @@ def ssh_no_host_key_verification(context):
 if (
 context.is_module_imported_like("paramiko")
 and context.call_function_name == "set_missing_host_key_policy"
+ and context.node.args
 ):
- if context.call_args and context.call_args[0] in [
- "AutoAddPolicy",
- "WarningPolicy",
- ]:
+ policy_argument = context.node.args[0]
+
+ policy_argument_value = None
+ if isinstance(policy_argument, ast.Attribute):
+ policy_argument_value = policy_argument.attr
+ elif isinstance(policy_argument, ast.Call):
+ policy_argument_value = policy_argument.func.attr
+
+ if policy_argument_value in ["AutoAddPolicy", "WarningPolicy"]:
 return bandit.Issue(
 severity=bandit.HIGH,
 confidence=bandit.MEDIUM,
diff --git a/examples/no_host_key_verification.py b/examples/no_host_key_verification.py
index ff12b343..2e092fe4 100644
--- a/examples/no_host_key_verification.py
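Review bot: On the `ast.Call` branch, `policy_argument.func.attr` assumes the callee is an `ast.Attribute`; a policy instantiated from a directly imported name (`from paramiko import AutoAddPolicy` followed by `set_missing_host_key_policy(AutoAddPolicy())`) has an `ast.Name` callee with no `attr`, so the plugin raises AttributeError on that file instead of reporting or skipping. The bare-name class form (`set_missing_host_key_policy(AutoAddPolicy)`) is likewise never matched, and the hunk does not show whether the replaced `context.call_args` comparison used to cover it, so this may also be a regression. Unwrapping the call first and then accepting both `ast.Attribute` and `ast.Name` handles all four spellings; the example file only exercises the `client.X` style, so adding the imported-name variants there would let the functional test catch this. Calls that pass the policy as a keyword (`policy=...`) still skip the check because of the new `context.node.args` guard, which deserves a comment if it is intentional. The function's body continues past the hunk.
```python
        policy_argument = context.node.args[0]
        # A class instance (AutoAddPolicy()) is an ast.Call; inspect the callee
        # so both the class and the instance spellings are handled below.
        if isinstance(policy_argument, ast.Call):
            policy_argument = policy_argument.func

        policy_argument_value = None
        if isinstance(policy_argument, ast.Attribute):
            policy_argument_value = policy_argument.attr  # client.AutoAddPolicy
        elif isinstance(policy_argument, ast.Name):
            policy_argument_value = policy_argument.id  # AutoAddPolicy (imported by name)
        # … unchanged: membership test and bandit.Issue(...) …
```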
+++ b/examples/no_host_key_verification.py
@@ -3,3 +3,5 @@ ssh_client = client.SSHClient()
 ssh_client.set_missing_host_key_policy(client.AutoAddPolicy)
 ssh_client.set_missing_host_key_policy(client.WarningPolicy)
+ssh_client.set_missing_host_key_policy(client.AutoAddPolicy())
+ssh_client.set_missing_host_key_policy(client.WarningPolicy())
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index 7835e748..6917462d 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -543,8 +543,8 @@ def test_yaml(self):
 def test_host_key_verification(self):
 """Test for ignoring host key verification."""
 expect = {
- "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 2},
- "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 2, "HIGH": 0},
+ "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 4},
+ "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 4, "HIGH": 0},
 }
 self.check_example("no_host_key_verification.py", expect)

From 9a2884efe130cad0897586e58dcb33bdbb6fbd81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20Porte=C5=A1?=
Date: Thu, 26 Oct 2023 00:45:16 +0200
Subject: [PATCH 2/3] Use mirror repository for black pre-commit hook (#1070)

---
 .pre-commit-config.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 92c3c4c1..6edc03a1 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -12,8 +12,8 @@ repos:
 hooks:
 - id: reorder-python-imports
 args: [--application-directories, '.:src', --py38-plus]
-- repo: https://github.com/psf/black
- rev: 23.3.0
+- repo: https://github.com/psf/black-pre-commit-mirror
+ rev: 23.10.1
 hooks:
 - id: black
 args: [--line-length=79, --target-version=py38]

From 6b2e24722bdcc40ea37c3bc155b6856961763814 Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Fri, 10 Nov 2023 10:12:39 -0800
Subject: [PATCH 3/3] Add official support of Python 3.12 (#1068)

Python 3.12 was released on Monday Oct 2. Bandit should be built and tested on this version going forward.

Signed-off-by: Eric Brown
---
 .github/ISSUE_TEMPLATE/bug-report.yml | 3 ++-
 .github/workflows/pythonpackage.yml | 6 +++++-
 setup.cfg | 1 +
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml
index 71ac97c9..d79b3b9c 100644
--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@@ -68,7 +68,8 @@ body:
 label: Python version
 description: Run "bandit --version" if unsure of version number
 options:
- - "3.11 (Default)"
+ - "3.12 (Default)"
+ - "3.11"
 - "3.10"
 - "3.9"
 - "3.8"
diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml
index b73360f5..4c42bf82 100644
--- a/.github/workflows/pythonpackage.yml
+++ b/.github/workflows/pythonpackage.yml
@@ -47,7 +47,11 @@ jobs:
 strategy:
 matrix:
 python-version: [
- ["3.8", "38"], ["3.9", "39"], ["3.10", "310"], ["3.11", "311"]
+ ["3.8", "38"],
+ ["3.9", "39"],
+ ["3.10", "310"],
+ ["3.11", "311"],
+ ["3.12", "312"],
 ]
 os: [ubuntu-latest, macos-latest]
 runs-on: ${{ matrix.os }}
diff --git a/setup.cfg b/setup.cfg
index 61f87bdd..2cd658aa 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -22,6 +22,7 @@ classifier =
 Programming Language :: Python :: 3.9
 Programming Language :: Python :: 3.10
 Programming Language :: Python :: 3.11
+ Programming Language :: Python :: 3.12
 Programming Language :: Python :: 3 :: Only
 Topic :: Security
 project_urls =