Closed holmboe closed 9 months ago
(bandit) ➜ subgit git:(master) ✗ bandit subgit/ -r
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.10.12
Run started:2024-01-04 21:49:26.530119
Test results:
No issues identified.
Code scanned:
Total lines of code: 1162
Total lines skipped (#nosec): 8
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 0
Medium: 0
High: 0
Total issues (by confidence):
Undefined: 0
Low: 0
Medium: 0
High: 0
Files skipped (0):
@Grokzen could you go a little bit further on this to add more context? Add a comment in the ticket on what the Bandit result was before the exclusions were added.
Perhaps even use the more explicit #nosec Xnnn in the code? See https://bandit.readthedocs.io/en/latest/config.html#exclusions for examples.
This is the bandit log before the exclusions were added in:
Run started:2024-01-11 10:04:16.004581
Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
Severity: Low Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/blacklists/blacklist_imports.html#b404-import-subprocess
Location: subgit/core.py:11:0
10 from pathlib import Path
11 from subprocess import PIPE, Popen
12
--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
Severity: High Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b602_subprocess_popen_with_shell_equals_true.html
Location: subgit/core.py:34:14
33 stderr=None,
34 shell=True,
35 )
36 output, stderr = process.communicate()
37
38 return output, stderr
39
40
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
Severity: Low Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/blacklists/blacklist_imports.html#b404-import-subprocess
Location: subgit/inspect/git_inspect.py:6:0
5 import logging
6 import subprocess
7
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Severity: Low Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b603_subprocess_without_shell_equals_true.html
Location: subgit/inspect/git_inspect.py:37:12
36 ],
37 shell=False,
38 capture_output=True,
39 )
40 except FileNotFoundError:
41 return False
42
43 return True
44
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b607_start_process_with_partial_path.html
Location: subgit/inspect/git_inspect.py:54:14
53
54 out = subprocess.run([
55 "gh", "repo", "list",
56 f"{owner}",
57 "--json", "id,name,defaultBranchRef,sshUrl,isArchived",
58 "-L", "100"
59 ],
60 shell=False,
61 capture_output=True,
62 )
63 data = json.loads(out.stdout)
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Severity: Low Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b603_subprocess_without_shell_equals_true.html
Location: subgit/inspect/git_inspect.py:60:14
59 ],
60 shell=False,
61 capture_output=True,
62 )
63 data = json.loads(out.stdout)
64 repos = {}
65 mapped_data = {
66 repo["name"].lower():
67 repo for repo in data
68 if repo["isArchived"] == self.is_archived
69 }
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
Severity: Low Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b607_start_process_with_partial_path.html
Location: subgit/inspect/git_inspect.py:111:14
110
111 out = subprocess.run(
112 [
113 "gitlab",
114 "-o", "json",
115 "project", "list",
116 "--membership", "yes",
117 "--all",
118 ],
119 shell=False,
120 capture_output=True,
121 )
122 repos = {}
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
Severity: Low Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b603_subprocess_without_shell_equals_true.html
Location: subgit/inspect/git_inspect.py:119:14
118 ],
119 shell=False,
120 capture_output=True,
121 )
122 repos = {}
123 data = json.loads(out.stdout)
124 mapped_data = {
125 repo["name"].lower():
126 repo for repo in data
127 if repo["namespace"]["name"] == owner and repo["archived"] == self.is_archived
128 }
129 sorted_names = sorted([
130 repo["name"].lower()
--------------------------------------------------
Code scanned:
Total lines of code: 1162
Total lines skipped (#nosec): 0
Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 7
Medium: 0
High: 1
Total issues (by confidence):
Undefined: 0
Low: 0
Medium: 0
High: 8
Files skipped (0):
Run bandit checks and add appropriate exclusions to the source code.
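The log above reports one High finding (B602, shell=True in subgit/core.py) and several Low ones (B603, B607). The example below is added here to show concretely what separates them; it is not subgit's code and does not reproduce its functions. It uses a throwaway child process (the running Python interpreter, printing its first argument) as a stand-in for git/gh/gitlab, so it runs offline on any POSIX system with /bin/sh. The malicious "repository name" is a constructed input. The `# nosec` markers use the explicit `Bnnn` form suggested in the review comment, placed on the line where this log shows bandit reporting the finding (the `shell=` keyword line for B603).

```python
"""Why bandit rates B602 (shell=True) High and B603/B607 Low, and how to
annotate accepted findings. Added example, not part of the subgit project."""
import shlex
import shutil
import subprocess
import sys

# Constructed attacker-controlled value: a "repo name" carrying a shell
# command separator. In a tool like subgit this could arrive from a config
# file or from an API response that is later interpolated into a command.
MALICIOUS_NAME = "hello; echo INJECTED"

# Stand-in for an external CLI (git, gh, gitlab): prints its first argument,
# so the output shows exactly what reached the child as argv[1].
CHILD = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def run_with_shell(name: str) -> str:
    """The B602 pattern: the value is interpolated into one command string and
    handed to /bin/sh. Deliberately vulnerable 'before' form; bandit would
    report B602 (High) on the Popen line and it should NOT be excluded."""
    cmd = " ".join(shlex.quote(part) for part in CHILD) + f" {name}"
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
    out, _ = proc.communicate()
    # The shell splits on ';' and runs a second command of the attacker's choice.
    return out.decode().strip()


def run_without_shell(name: str) -> str:
    """Hardened form: argv list, no shell. The name is delivered to the child as
    a single argument, so ';' is just a character inside it. bandit still emits
    the informational B603; the marker documents why it is accepted here."""
    proc = subprocess.run(
        CHILD + [name],
        shell=False,  # nosec B603 - fixed argv list, no shell; input cannot split into commands
        capture_output=True,
        check=True,
    )
    return proc.stdout.decode().strip()


def resolve_tool(name: str) -> str:
    """One answer to B607 (partial executable path): resolve the tool on PATH
    once and fail loudly if it is missing, instead of passing a bare name like
    "gh" and letting PATH lookup happen at every call. The alternative, used
    when a bare name is intentional, is a justified `# nosec B607` on the call."""
    path = shutil.which(name)
    if path is None:
        raise FileNotFoundError(f"{name!r} not found on PATH")
    return path


def compare(name: str = MALICIOUS_NAME) -> dict:
    """Run both forms on the same input and return what the child actually saw."""
    return {
        "shell=True": run_with_shell(name),
        "argv list": run_without_shell(name),
    }


if __name__ == "__main__":
    for form, seen in compare().items():
        print(f"{form:>10}: {seen!r}")
```

Running it prints two lines: the shell=True form yields `'hello\nINJECTED'` (the injected `echo` ran as a second command), while the argv form yields `'hello; echo INJECTED'` (the whole string arrived as one harmless argument). That gap is why B602 is the finding to fix rather than exclude, and why a `# nosec B603` on a fixed argv list is a defensible exclusion when the comment states the reason.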