$ bandit -r bugzilla2gitlab/
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.6.4
Run started:2018-04-19 20:42:47.627006
Test results:
>> Issue: [B506:yaml_load] Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
Severity: Medium Confidence: High
Location: bugzilla2gitlab/config.py:34
33 with open(os.path.join(path, "defaults.yml")) as f:
34 config = yaml.load(f)
35
--------------------------------------------------
>> Issue: [B506:yaml_load] Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
Severity: Medium Confidence: High
Location: bugzilla2gitlab/config.py:53
52 with open(os.path.join(path, "user_mappings.yml")) as f:
53 bugzilla_mapping = yaml.load(f)
54
--------------------------------------------------
>> Issue: [B506:yaml_load] Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
Severity: Medium Confidence: High
Location: bugzilla2gitlab/config.py:98
97 with open(os.path.join(path, "component_mappings.yml")) as f:
98 component_mappings = yaml.load(f)
99
--------------------------------------------------
>> Issue: [B405:blacklist] Using ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Severity: Low Confidence: High
Location: bugzilla2gitlab/utils.py:2
1 from getpass import getpass
2 from xml.etree import ElementTree
3
4 import dateutil.parser
--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
Severity: Medium Confidence: High
Location: bugzilla2gitlab/utils.py:70
69 bug_xml = _fetch_bug_content(bugzilla_url, bug_id)
70 tree = ElementTree.fromstring(bug_xml)
71
--------------------------------------------------
Code scanned:
Total lines of code: 474
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0.0
Low: 1.0
Medium: 4.0
High: 0.0
Total issues (by confidence):
Undefined: 0.0
Low: 0.0
Medium: 0.0
High: 5.0
Files skipped (0):
bugzilla2gitlab has the following security issues, as reported by the bandit scan above.