PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

Erroneous "no test failure on line" warning from plugin alert nosec? #942

Open fiendish opened 2 years ago

fiendish commented 2 years ago

Describe the bug

It looks like bandit warns about "no test failure on line" for a nosec where there definitely would be a test failure without the nosec.

Reproduction steps

  1. I start with a line that does foo = hashlib.md5(buffer.read()).digest().
  2. bandit -ll rightly complains about the use of MD5 with a B324 error from the hashlib plugin.
  3. I add #nosec B324 like this: foo = hashlib.md5(buffer.read()).digest() # nosec B324
  4. Bandit now says [tester] WARNING nosec encountered (B324), but no failed test on line 85

Seems a bit weird.

Expected behavior

Don't warn at me for this.

Bandit version

1.7.4 (Default)

Python version

3.9

Additional context

No response

hrantzsch commented 2 years ago

I'm facing the same issue using Bandit 1.7.4 with Python 3.10.4. Here's another minimal example for repro:

```python
import os
cmd = "df -h"
os.popen(cmd).read()  # nosec B605
```

bandit -v test.py says WARNING nosec encountered (B605), but no failed test on line 3 while it will report B605 if I remove the # nosec.

full log

```
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.10.4
[node_visitor]	WARNING	Unable to find qualified name for module: test.py
[tester]	WARNING	nosec encountered (B605), but no failed test on line 3
Run started:2022-09-06 09:31:19.271042

Files in scope (1):
	test.py (score: {SEVERITY: 0, CONFIDENCE: 0})
Files excluded (0):

Test results:
	No issues identified.

Code scanned:
	Total lines of code: 3
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 0
	Total issues (by confidence):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 0
Files skipped (0):
```

However, the problem does not occur if I remove .read(). (It continues to claim Total lines skipped (#nosec): 0 though, as long as the B605 is specified.)

creideiki commented 1 year ago

I'm still seeing the same thing with Bandit 1.7.5 on Python 3.11.4. Yet another minimal example:

```python
import os
import subprocess  # nosec B404

subprocess.run([os.getenv("SHELL")], check=False)  # nosec B603
```

Bandit says:

```
[tester]        WARNING nosec encountered (B603), but no failed test on line 4
```

but if I remove the # nosec B603, I get a test failure:

```
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.5/plugins/b603_subprocess_without_shell_equals_true.html
   Location: bandit.py:4:0
3
4       subprocess.run([os.getenv("SHELL")], check=False)
```

fiendish commented 6 months ago

> However, the problem does not occur if I remove .read(). (It continues to claim Total lines skipped (#nosec): 0 though, as long as the B605 is specified.)

The problem appears to be related to how bandit observes "lines" where multiple function calls occur on the same line?

I get the warning if I do

```python
return requests.get(url).json()  # nosec B113
```

or

```python
requests.get(CARRIER_URL) and print("hello") # nosec B113
```

But I do not get the warning if I do

```python
foo = requests.get(url)  # nosec B113
return foo.json()
```
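The pattern the commenters describe (a warning only when the suppressed call shares its line with another call) can be checked without running Bandit at all. The script below is an added illustration, not part of this issue or of Bandit's code: it takes the reproducers from the thread as constructed strings, locates `# nosec` comments with the tokenizer, and counts how many `ast.Call` nodes start on each such line. Every snippet reported as warning has two or more calls on the `nosec` line; every snippet reported as clean has exactly one. That the extra Call node is what trips Bandit's per-line bookkeeping is fiendish's hypothesis, not something this script proves.

```python
import ast
import io
import tokenize

# Reproducers collected from this thread, constructed here as strings. One
# snippet's leading "return" is dropped and "return foo.json()" becomes an
# assignment so each snippet parses at module level. Which of them produced
# the spurious warning is what the commenters reported, not what this measures.
SNIPPETS = {
    "md5_chain":      "foo = hashlib.md5(buffer.read()).digest()  # nosec B324",
    "popen_read":     "os.popen(cmd).read()  # nosec B605",
    "popen_no_read":  "os.popen(cmd)  # nosec B605",
    "requests_chain": "requests.get(url).json()  # nosec B113",
    "requests_and":   'requests.get(CARRIER_URL) and print("hello")  # nosec B113',
    "requests_split": "foo = requests.get(url)  # nosec B113\nbar = foo.json()",
}


def nosec_lines(source: str) -> dict[int, str]:
    """{lineno: comment} for every '# nosec' comment.

    Uses the tokenizer rather than a substring search on the raw line so that
    'nosec' inside a string literal is not mistaken for a directive."""
    found: dict[int, str] = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and "nosec" in tok.string:
            found[tok.start[0]] = tok.string
    return found


def calls_per_line(source: str) -> dict[int, list[str]]:
    """{lineno: [callee, ...]} for every ast.Call whose source starts on that line.

    A chained call such as a().b() or a compound expression such as
    a() and b() places several Call nodes on one physical line."""
    per_line: dict[int, list[str]] = {}
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            per_line.setdefault(node.lineno, []).append(ast.unparse(node.func))
    return per_line


def crowded_nosec_lines(source: str) -> dict[int, int]:
    """{lineno: call_count} for lines that carry a nosec comment AND start more
    than one Call node. Each Call node is visited by a scanner separately, so
    (hypothesis from the thread) a per-line "did a test fail here?" check can
    see the suppressed finding at one node and a passing, unrelated node at
    the other on the same line."""
    calls = calls_per_line(source)
    return {
        lineno: len(calls.get(lineno, []))
        for lineno in nosec_lines(source)
        if len(calls.get(lineno, [])) > 1
    }


if __name__ == "__main__":
    for name, src in SNIPPETS.items():
        crowded = crowded_nosec_lines(src)
        print(f"{name:15} {crowded if crowded else 'one call per nosec line'}")
```

Run it as a script to see the split: `md5_chain` shows three calls on its `nosec` line, `popen_read`, `requests_chain` and `requests_and` show two, while `popen_no_read` and `requests_split` have exactly one call on the line that carries the directive. Moving the suppressed call onto its own line, as in the last snippet, is the workaround the thread already found.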