xmunoz / bugzilla2gitlab

An issue migrator
MIT License

results of bandit run #14

Closed xmunoz closed 6 years ago

xmunoz commented 6 years ago

bugzilla2gitlab has the following security issues:

$ bandit -r bugzilla2gitlab/
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.6.4
Run started:2018-04-19 20:42:47.627006

Test results:
>> Issue: [B506:yaml_load] Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
   Severity: Medium   Confidence: High
   Location: bugzilla2gitlab/config.py:34
33      with open(os.path.join(path, "defaults.yml")) as f:
34          config = yaml.load(f)
35

--------------------------------------------------
>> Issue: [B506:yaml_load] Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
   Severity: Medium   Confidence: High
   Location: bugzilla2gitlab/config.py:53
52      with open(os.path.join(path, "user_mappings.yml")) as f:
53          bugzilla_mapping = yaml.load(f)
54

--------------------------------------------------
>> Issue: [B506:yaml_load] Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
   Severity: Medium   Confidence: High
   Location: bugzilla2gitlab/config.py:98
97      with open(os.path.join(path, "component_mappings.yml")) as f:
98          component_mappings = yaml.load(f)
99

--------------------------------------------------
>> Issue: [B405:blacklist] Using ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: bugzilla2gitlab/utils.py:2
1   from getpass import getpass
2   from xml.etree import ElementTree
3
4   import dateutil.parser

--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: bugzilla2gitlab/utils.py:70
69      bug_xml = _fetch_bug_content(bugzilla_url, bug_id)
70      tree = ElementTree.fromstring(bug_xml)
71

--------------------------------------------------

Code scanned:
    Total lines of code: 474
    Total lines skipped (#nosec): 0

Run metrics:
    Total issues (by severity):
        Undefined: 0.0
        Low: 1.0
        Medium: 4.0
        High: 0.0
    Total issues (by confidence):
        Undefined: 0.0
        Low: 0.0
        Medium: 0.0
        High: 5.0
Files skipped (0):