Fix up issues found running Bandit on itself
* Used nosec for various false positives
* Switched to usage of defusedxml
* Fixed the empty try-except-pass to have code in the except
  block.

Fixes #1092

Signed-off-by: Eric Brown <[email protected]>
ericwb committed Jan 14, 2024
1 parent a78cafe commit cb7ca4e
Showing 6 changed files with 9 additions and 8 deletions.
4 changes: 2 additions & 2 deletions bandit/cli/baseline.py
Expand Up @@ -15,7 +15,7 @@
import logging
import os
import shutil
import subprocess
import subprocess # nosec: B404
import sys
import tempfile

Expand Down Expand Up @@ -101,7 +101,7 @@ def main():
bandit_command = ["bandit"] + step["args"]

try:
output = subprocess.check_output(bandit_command)
output = subprocess.check_output(bandit_command) # nosec: B603
except subprocess.CalledProcessError as e:
output = e.output
return_code = e.returncode
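Review bot: The `# nosec: B603` added on the `subprocess.check_output(bandit_command)` line silences the finding without recording why the call is considered safe, and the same bare suppressions are added in general_bind_all_interfaces.py (B104) and general_hardcoded_tmp.py (B108, twice). A suppression is much easier to re-audit when it carries its reason, e.g. `output = subprocess.check_output(bandit_command)  # nosec: B603 -- argv list, shell=False; args come from the baseline step table` here (where `step["args"]` is built is above the hunk, so that part is inferred), and `# nosec: B104 -- detector pattern literal, not a bind` / `# nosec: B108 -- detector default list, not a tmp path in use` for the two plugin cases. Separately, `check_output` is invoked without `timeout=`, so a wedged child process blocks the baseline run indefinitely; worth considering if this ever runs unattended. main() begins and ends outside this hunk.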
3 changes: 1 addition & 2 deletions bandit/core/utils.py
Expand Up @@ -62,7 +62,6 @@ def get_func_name(node):


def get_qual_attr(node, aliases):
prefix = ""
if isinstance(node, ast.Attribute):
try:
val = deepgetattr(node, "value.id")
Expand All @@ -73,7 +72,7 @@ def get_qual_attr(node, aliases):
except Exception:
# NOTE(tkelsey): degrade gracefully when we can't get the fully
# qualified name for an attr, just return its base name.
pass
prefix = ""

return f"{prefix}.{node.attr}"
else:
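Review bot: With `prefix = ""` removed from before the `if isinstance` and placed only in the except block, `prefix` is now bound solely inside the try body or the handler, so any non-raising path through the try that does not assign it would make the `return f"{prefix}.{node.attr}"` line raise UnboundLocalError; the try body after `val = deepgetattr(node, "value.id")` is outside this hunk, so that cannot be confirmed here and deserves a check. The move also changes the fallback semantics: if the try body assigns `prefix` and then raises later, the old code returned the partially built prefix while the new code resets it to empty, which may well be the intended "degrade gracefully" result but is not stated. The broad `except Exception:` still swallows unrelated bugs in deepgetattr; if it only raises AttributeError/KeyError-type errors, narrowing the clause and extending the NOTE with `# prefix is reset deliberately so a partial lookup never leaks into the result` would document the new behavior. get_qual_attr continues past the hunk.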
3 changes: 2 additions & 1 deletion bandit/formatters/xml.py
Expand Up @@ -35,7 +35,8 @@
"""
import logging
import sys
from xml.etree import ElementTree as ET

from defusedxml import ElementTree as ET

from bandit.core import docs_utils

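Review bot: `defusedxml.ElementTree` hardens the parsing entry points (`parse`, `fromstring`, `iterparse`, `XMLParser`) and, to my knowledge, does not re-export the tree-building names `Element`, `SubElement` and `ElementTree`, so if this formatter builds and writes the report through the `ET` alias (the rest of xml.py is outside this hunk) the swap will fail with AttributeError at runtime rather than at import time. If the module only serializes Bandit's own issue objects, there is no XXE exposure to mitigate and the safer split is to keep `from xml.etree import ElementTree as ET` for construction and route only untrusted-input parsing through defusedxml; the B405 import finding can then be suppressed with a reason such as `# nosec: B405 -- used only to build and write the report, no parsing of untrusted XML`. Exercising the xml formatter end-to-end in the test suite would catch a missing attribute on the replacement module.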
2 changes: 1 addition & 1 deletion bandit/plugins/general_bind_all_interfaces.py
Expand Up @@ -43,7 +43,7 @@
@test.checks("Str")
@test.test_id("B104")
def hardcoded_bind_all_interfaces(context):
if context.string_val == "0.0.0.0":
if context.string_val == "0.0.0.0": # nosec: B104
return bandit.Issue(
severity=bandit.MEDIUM,
confidence=bandit.MEDIUM,
4 changes: 2 additions & 2 deletions bandit/plugins/general_hardcoded_tmp.py
Expand Up @@ -59,7 +59,7 @@

def gen_config(name):
if name == "hardcoded_tmp_directory":
return {"tmp_dirs": ["/tmp", "/var/tmp", "/dev/shm"]}
return {"tmp_dirs": ["/tmp", "/var/tmp", "/dev/shm"]} # nosec: B108


@test.takes_config
Expand All @@ -69,7 +69,7 @@ def hardcoded_tmp_directory(context, config):
if config is not None and "tmp_dirs" in config:
tmp_dirs = config["tmp_dirs"]
else:
tmp_dirs = ["/tmp", "/var/tmp", "/dev/shm"]
tmp_dirs = ["/tmp", "/var/tmp", "/dev/shm"] # nosec: B108

if any(context.string_val.startswith(s) for s in tmp_dirs):
return bandit.Issue(
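Review bot: The fallback `tmp_dirs = ["/tmp", "/var/tmp", "/dev/shm"]` in hardcoded_tmp_directory duplicates the default list returned by gen_config in the previous hunk, so the two literals now each carry their own `# nosec: B108` and can silently drift apart. A single module-level `_DEFAULT_TMP_DIRS = ["/tmp", "/var/tmp", "/dev/shm"]  # nosec: B108 -- detector defaults, not a tmp path in use` referenced from both sites (`return {"tmp_dirs": list(_DEFAULT_TMP_DIRS)}` and `tmp_dirs = _DEFAULT_TMP_DIRS`) keeps one suppression and one source of truth. hardcoded_tmp_directory continues past the hunk.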
1 change: 1 addition & 0 deletions requirements.txt
Expand Up @@ -6,3 +6,4 @@ PyYAML>=5.3.1 # MIT
stevedore>=1.20.0 # Apache-2.0
colorama>=0.3.9;platform_system=="Windows" # BSD License (3 clause)
rich # MIT
defusedxml # PSF-2.0
