Fix up issues found running Bandit on itself (#1093)
* Used nosec for various false positives.
  1. xml.etree is used only for XML generation not parsing
  2. "0.0.0.0" is used in the plugin itself
  3. Various strings of temp directories are used in the plugin
     itself.
  4. The subprocess call does use user input, but only from
     the command line itself that is running baseline. Although
     maybe this could be argued as an issue though.
* Fixed the empty try-except-pass to have code in the except
  block.

Fixes #948

Signed-off-by: Eric Brown <[email protected]>
ericwb authored Jan 14, 2024
1 parent c2bd6d6 commit 7129108
Showing 5 changed files with 7 additions and 8 deletions.
4 changes: 2 additions & 2 deletions bandit/cli/baseline.py
Expand Up @@ -15,7 +15,7 @@
import logging
import os
import shutil
import subprocess
import subprocess # nosec: B404
import sys
import tempfile

Expand Down Expand Up @@ -101,7 +101,7 @@ def main():
bandit_command = ["bandit"] + step["args"]

try:
output = subprocess.check_output(bandit_command)
output = subprocess.check_output(bandit_command) # nosec: B603
except subprocess.CalledProcessError as e:
output = e.output
return_code = e.returncode
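Review bot: The `# nosec: B603` added on the `subprocess.check_output(bandit_command)` line (and the `# nosec: B404` on the import) records that the finding is accepted but not why; the justification currently lives only in the commit message. A short reason next to the marker keeps it reviewable without the git history, e.g. `output = subprocess.check_output(bandit_command)  # nosec: B603 - argv list, no shell; args come from this tool's own command line`. The list form built at `bandit_command = ["bandit"] + step["args"]` and the absence of a `shell=` argument are visible here, so the vector is not shell-interpreted, though `"bandit"` is still looked up through `PATH` rather than an absolute path. `main()` starts and ends outside this hunk.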
3 changes: 1 addition & 2 deletions bandit/core/utils.py
Expand Up @@ -62,7 +62,6 @@ def get_func_name(node):


def get_qual_attr(node, aliases):
prefix = ""
if isinstance(node, ast.Attribute):
try:
val = deepgetattr(node, "value.id")
Expand All @@ -73,7 +72,7 @@ def get_qual_attr(node, aliases):
except Exception:
# NOTE(tkelsey): degrade gracefully when we can't get the fully
# qualified name for an attr, just return its base name.
pass
prefix = ""

return f"{prefix}.{node.attr}"
else:
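Review bot: Moving `prefix = ""` into the `except` block makes the `return f"{prefix}.{node.attr}"` line depend on every non-raising path through the `try` body binding `prefix`, and the rest of that body sits in the collapsed gap between the two hunks, so the invariant cannot be checked from this page; if any path falls through without assigning, the return now raises `UnboundLocalError` where it previously produced `.attr`. Worth confirming against the full function, and a one-line comment in the except branch would state the assumption for the next reader, e.g. `prefix = ""  # every non-raising path through the try above binds prefix`. The `except Exception:` is also broader than the NOTE comment's intent; if `deepgetattr` signals a missing attribute with `AttributeError`, narrowing to that would stop unrelated errors from being silently turned into a bare attribute name. `get_qual_attr` continues past the end of this hunk.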
2 changes: 1 addition & 1 deletion bandit/formatters/xml.py
Expand Up @@ -35,7 +35,7 @@
"""
import logging
import sys
from xml.etree import ElementTree as ET
from xml.etree import ElementTree as ET # nosec: B405

from bandit.core import docs_utils

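Review bot: The `# nosec: B405` on the `ElementTree` import gives no reason in the file; the commit message explains it (the module only generates XML), and that sentence belongs next to the marker: `from xml.etree import ElementTree as ET  # nosec: B405 - used to build XML output only, nothing is parsed here`. Since this suppresses only the import-level finding, a later addition of `ET.parse`/`ET.fromstring` in this module would presumably still be reported by the call-level check, but the comment is what tells a reader the intended scope of the suppression. The module body is outside this hunk.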
2 changes: 1 addition & 1 deletion bandit/plugins/general_bind_all_interfaces.py
Expand Up @@ -43,7 +43,7 @@
@test.checks("Str")
@test.test_id("B104")
def hardcoded_bind_all_interfaces(context):
if context.string_val == "0.0.0.0":
if context.string_val == "0.0.0.0": # nosec: B104
return bandit.Issue(
severity=bandit.MEDIUM,
confidence=bandit.MEDIUM,
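Review bot: The `# nosec: B104` on the `context.string_val == "0.0.0.0"` comparison suppresses the plugin's own rule against its own detection literal, which is correct, but the bare marker reads as an accepted risk rather than a self-match; a reason makes that explicit, e.g. `if context.string_val == "0.0.0.0":  # nosec: B104 - this literal is the pattern being detected, not a bind address`. The check is an exact string comparison, so only this spelling of the literal is matched. The body of `hardcoded_bind_all_interfaces` continues past the end of the hunk.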
4 changes: 2 additions & 2 deletions bandit/plugins/general_hardcoded_tmp.py
Expand Up @@ -59,7 +59,7 @@

def gen_config(name):
if name == "hardcoded_tmp_directory":
return {"tmp_dirs": ["/tmp", "/var/tmp", "/dev/shm"]}
return {"tmp_dirs": ["/tmp", "/var/tmp", "/dev/shm"]} # nosec: B108


@test.takes_config
Expand All @@ -69,7 +69,7 @@ def hardcoded_tmp_directory(context, config):
if config is not None and "tmp_dirs" in config:
tmp_dirs = config["tmp_dirs"]
else:
tmp_dirs = ["/tmp", "/var/tmp", "/dev/shm"]
tmp_dirs = ["/tmp", "/var/tmp", "/dev/shm"] # nosec: B108

if any(context.string_val.startswith(s) for s in tmp_dirs):
return bandit.Issue(
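Review bot: The default list `["/tmp", "/var/tmp", "/dev/shm"]` is now written twice, in `gen_config` and in the fallback branch of `hardcoded_tmp_directory`, and each copy carries its own `# nosec: B108`; a single module-level constant would keep the two defaults from drifting and needs only one suppression with its reason, e.g. `_DEFAULT_TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # nosec: B108 - the directories this plugin looks for, not paths this module uses`, then `return {"tmp_dirs": list(_DEFAULT_TMP_DIRS)}` in `gen_config` and `tmp_dirs = _DEFAULT_TMP_DIRS` in the fallback. A tuple with a `list(...)` copy at the `gen_config` site keeps that function's return type unchanged while preventing callers from mutating the shared default. The same point applies to both hunks in this file, and `hardcoded_tmp_directory` continues past the end of the second hunk.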
