From 30cada51620d274b8191393d12ae04e2807c9a37 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 29 Apr 2024 18:36:09 -0700 Subject: [PATCH 01/28] [pre-commit.ci] pre-commit autoupdate (#1135) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/psf/black-pre-commit-mirror: 24.4.0 → 24.4.2](https://github.com/psf/black-pre-commit-mirror/compare/24.4.0...24.4.2) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d838ef8b9..70086d9b4 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -13,7 +13,7 @@ repos: - id: reorder-python-imports args: [--application-directories, '.:src', --py38-plus] - repo: https://github.com/psf/black-pre-commit-mirror - rev: 24.4.0 + rev: 24.4.2 hooks: - id: black args: [--line-length=79, --target-version=py38] From 8b659fb9b72ed7f6ae5d2a0c60e941af71b859cd Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Sat, 4 May 2024 07:29:53 -0700 Subject: [PATCH 02/28] Add a sponsor section to README (#1137) * Add a sponsor section to README This change adds a sponsor section listing out the current sponsors with links to their respective websites. * Update README.rst --- README.rst | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/README.rst b/README.rst index fbc6e161d..861f09db1 100644 --- a/README.rst +++ b/README.rst 
@@ -117,3 +117,29 @@ source of origin using the following cosign command: --certificate-oidc-issuer https://token.actions.githubusercontent.com Where `` is the release version of Bandit. + +Sponsors +-------- + +The development of Bandit is made possible by the following sponsors: + +.. list-table:: + :width: 100% + :class: borderless + + * - .. image:: https://github.githubassets.com/assets/tidelift-8cea37dea8fc.svg + :target: https://tidelift.com/lifter/search/pypi/bandit + :alt: Tidelift + :width: 88 + + - .. image:: https://avatars.githubusercontent.com/u/110237746?s=200&v=4 + :target: https://stacklok.com/ + :alt: Stacklok + :width: 88 + + - .. image:: https://avatars.githubusercontent.com/u/1396951?s=70&v=4 + :target: https://sentry.io/ + :alt: Sentry + :width: 88 + +If you also ❤️ Bandit, please consider sponsoring. From 3fa1e257a864b03d621b8de1425ff69dda7d1736 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Fri, 10 May 2024 03:10:38 -0700 Subject: [PATCH 03/28] Ensure sarif extra is included as part of doc build (#1139) The doc build nowadays runs via the readthedocs.yaml file. So the requirements for building those docs need to include sarif in order to correctly build the sarif formatter doc. Fixes: #1138 Signed-off-by: Eric Brown --- .readthedocs.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.readthedocs.yaml b/.readthedocs.yaml index 4afff4aba..6588cd197 100644 --- a/.readthedocs.yaml +++ b/.readthedocs.yaml @@ -14,3 +14,5 @@ python: - requirements: doc/requirements.txt - method: pip path: . + extra_requirements: + - sarif From 313cae756a351ca3e7b6a183fe87a92b9d56ea22 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 3 Jun 2024 09:01:23 -0700 Subject: [PATCH 04/28] Bump docker/login-action from 3.1.0 to 3.2.0 (#1142) Bumps [docker/login-action](https://github.com/docker/login-action) from 3.1.0 to 3.2.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/e92390c5fb421da1463c202d546fed0ec5c39f20...0d4c9c5ea7693da7b068278f7b52bda2a190a446) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index 462bd46aa..34463fac9 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -34,7 +34,7 @@ jobs: uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3 - name: Log in to GitHub Container Registry - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3 + uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3 with: registry: ghcr.io username: ${{ github.actor }} From 2dd4cb53c25045cc8544681efd1ebe4adcf63dca Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 3 Jun 2024 19:43:58 -0500 Subject: [PATCH 05/28] [pre-commit.ci] pre-commit autoupdate (#1143) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/asottile/reorder-python-imports: v3.12.0 → v3.13.0](https://github.com/asottile/reorder-python-imports/compare/v3.12.0...v3.13.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 70086d9b4..9838e0271 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -8,7 +8,7 @@ repos: - id: end-of-file-fixer - id: trailing-whitespace - repo: https://github.com/asottile/reorder-python-imports - rev: v3.12.0 + rev: v3.13.0 hooks: - id: reorder-python-imports args: [--application-directories, '.:src', --py38-plus] From ad56c78f1e2f7d56fb3f75e8c2d78da85292d0e0 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 10 Jun 2024 16:36:29 -0700 Subject: [PATCH 06/28] [pre-commit.ci] pre-commit autoupdate (#1145) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/asottile/pyupgrade: v3.15.2 → v3.16.0](https://github.com/asottile/pyupgrade/compare/v3.15.2...v3.16.0) Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com> --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 9838e0271..8ecd3b911 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -18,7 +18,7 @@ repos: - id: black args: [--line-length=79, --target-version=py38] - repo: https://github.com/asottile/pyupgrade - rev: v3.15.2 + rev: v3.16.0 hooks: - id: pyupgrade args: [--py38-plus] From 049eba08c90c86404d16ed71e5f109dfddf459cd Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Wed, 12 Jun 2024 14:51:40 -0700 Subject: [PATCH 07/28] Guard against empty call argument list (#1146) Although probably uncommon, it is possible to pass an empty list to one of subprocess functions. If this is done, the injection_shell plugin raises an IndexError while checking the contents of the list argument given. The fix is to simply check for a non-empty list. Test case was also added. Fixes: #1141 Signed-off-by: Eric Brown --- bandit/plugins/injection_shell.py | 2 +- examples/subprocess_shell.py | 1 + tests/functional/test_functional.py | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/bandit/plugins/injection_shell.py b/bandit/plugins/injection_shell.py index 5bd9c9654..229368340 100644 --- a/bandit/plugins/injection_shell.py +++ b/bandit/plugins/injection_shell.py @@ -683,7 +683,7 @@ def start_process_with_partial_path(context, config): ): node = context.node.args[0] # some calls take an arg list, check the first part - if isinstance(node, ast.List): + if isinstance(node, ast.List) and node.elts: node = node.elts[0] # make sure the param is a string literal and not a var name diff --git a/examples/subprocess_shell.py b/examples/subprocess_shell.py index d8076d534..38944d5fa 100644 --- a/examples/subprocess_shell.py +++ b/examples/subprocess_shell.py @@ -25,6 +25,7 @@ def __len__(self): subprocess.check_output(['/bin/ls', '-l']) subprocess.check_output('/bin/ls -l', shell=True) +subprocess.check_output([], stdout=None) subprocess.getoutput('/bin/ls -l') subprocess.getstatusoutput('/bin/ls -l') diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index 85db6ab5c..fd96796f8 100644 
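Review bot: The new guard `if isinstance(node, ast.List) and node.elts:` still leaves tuple arguments unexamined: subprocess accepts any sequence, so `subprocess.Popen(("/bin/ls", "-l"))` has an `ast.Tuple` as its first argument that is neither unwrapped nor reported, while the identical list form is. Widening it to `if isinstance(node, (ast.List, ast.Tuple)) and node.elts:` closes that gap with the same empty-sequence protection this commit adds for lists. `start_process_with_partial_path` begins and ends outside this hunk, so I could not confirm what the string-literal check below does with a bare empty `ast.List`; presumably it simply fails the literal test and reports nothing, which is the intended outcome.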
--- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -492,8 +492,8 @@ def test_ssl_insecure_version(self): def test_subprocess_shell(self): """Test for `subprocess.Popen` with `shell=True`.""" expect = { - "SEVERITY": {"UNDEFINED": 0, "LOW": 23, "MEDIUM": 1, "HIGH": 11}, - "CONFIDENCE": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 0, "HIGH": 34}, + "SEVERITY": {"UNDEFINED": 0, "LOW": 24, "MEDIUM": 1, "HIGH": 11}, + "CONFIDENCE": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 0, "HIGH": 35}, } self.check_example("subprocess_shell.py", expect) From f1a397e848540c6a51318a53c6ace14d8d05a145 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 12 Jun 2024 15:04:04 -0700 Subject: [PATCH 08/28] Bump docker/build-push-action from 5.3.0 to 5.4.0 (#1144) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5.3.0 to 5.4.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/2cdde995de11925a030ce8070c3d77a52ffcf1c0...ca052bb54ab0790a636c9b5f226502c73d547a25) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index 34463fac9..f69c1625a 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml 
@@ -51,7 +51,7 @@ jobs: - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: context: . file: ./docker/Dockerfile From 691f465b4bac758ea1d6dfa9b57d3881a12954fd Mon Sep 17 00:00:00 2001 From: bersbersbers <12128514+bersbersbers@users.noreply.github.com> Date: Thu, 13 Jun 2024 00:17:21 +0200 Subject: [PATCH 09/28] Support `configfile` in `.bandit` file (#1052) * Support `(--)config` in `.bandit` file * Use `configfile` instead of `config` --------- Co-authored-by: Eric Brown --- bandit/cli/main.py | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/bandit/cli/main.py b/bandit/cli/main.py index 119380b28..0cb0f8d5f 100644 --- a/bandit/cli/main.py +++ b/bandit/cli/main.py @@ -450,16 +450,17 @@ def main(): args.confidence = 4 # Other strings will be blocked by argparse - try: - b_conf = b_config.BanditConfig(config_file=args.config_file) - except utils.ConfigError as e: - LOG.error(e) - sys.exit(2) - # Handle .bandit files in projects to pass cmdline args from file ini_options = _get_options_from_ini(args.ini_path, args.targets) if ini_options: # prefer command line, then ini file + args.config_file = _log_option_source( + parser.get_default("configfile"), + args.config_file, + ini_options.get("configfile"), + "config file", + ) + args.excluded_paths = _log_option_source( parser.get_default("excluded_paths"), args.excluded_paths, @@ -592,6 +593,12 @@ def main(): "path of a baseline report", ) + try: + b_conf = b_config.BanditConfig(config_file=args.config_file) + except utils.ConfigError as e: + LOG.error(e) + sys.exit(2) + if not args.targets: parser.print_usage() sys.exit(2) From 9e47a909b5d2c501b724a53f4b45eec31e0c7ab5 Mon Sep 17 00:00:00 2001 
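Review bot: `parser.get_default("configfile")` looks the default up by flag name while the neighbouring calls (`parser.get_default("excluded_paths")` a few lines below) use the argparse dest, and `ArgumentParser.get_default` resolves by dest; unless `--configfile` is registered with `dest="configfile"` (its definition is outside this diff) this returns None and `_log_option_source` compares against the wrong default, so it should read `parser.get_default("config_file")` to match `args.config_file`. The new ini key is also undocumented: the diffstat touches only `bandit/cli/main.py`, so neither the `.bandit` file documentation nor the `--configfile` help mention that the config file can now be chosen from within the scanned tree. That matters because the ini lives in the project under test, so a repository can now select the YAML config (and with it the tests, skips and plugin settings) that governs its own scan; a relative path is presumably resolved against the working directory rather than the ini's location (`_get_options_from_ini` is outside the diff — confirm). A help addition such as `"(may also be set via the configfile key of a .bandit ini file)"` plus one sentence in the `.bandit` docs would cover it. `main()` begins and ends outside both hunks.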
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 17 Jun 2024 09:02:23 -0700 Subject: [PATCH 10/28] Bump docker/build-push-action from 5.4.0 to 6.0.0 (#1147) * Bump docker/build-push-action from 5.4.0 to 6.0.0 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5.4.0 to 6.0.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/ca052bb54ab0790a636c9b5f226502c73d547a25...c382f710d39a5bb4e430307530a720f50c2d3318) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update .github/workflows/build-publish-image.yml --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eric Brown --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index f69c1625a..bbe2d77a0 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -51,7 +51,7 @@ jobs: - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 + uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 # v6 with: context: . file: ./docker/Dockerfile From 2b4195580353e75837c692c8df57e699bc06d455 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Sun, 23 Jun 2024 07:48:49 -0700 Subject: [PATCH 11/28] Suggested small refactors in assignments (#1150) This change makes use of augmented assignment statements as suggested by issue #760. Fixes: #760` 
Signed-off-by: Eric Brown --- bandit/core/context.py | 2 +- bandit/formatters/xml.py | 2 +- bandit/plugins/injection_wildcard.py | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/bandit/core/context.py b/bandit/core/context.py index 76b50923a..8a2d4fbbc 100644 --- a/bandit/core/context.py +++ b/bandit/core/context.py @@ -193,7 +193,7 @@ def _get_literal_value(self, literal): elif isinstance(literal, ast.Tuple): return_tuple = tuple() for ti in literal.elts: - return_tuple = return_tuple + (self._get_literal_value(ti),) + return_tuple += (self._get_literal_value(ti),) literal_value = return_tuple elif isinstance(literal, ast.Set): diff --git a/bandit/formatters/xml.py b/bandit/formatters/xml.py index 6e196d92f..d2b2067ff 100644 --- a/bandit/formatters/xml.py +++ b/bandit/formatters/xml.py @@ -65,7 +65,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): "Test ID: %s Severity: %s Confidence: %s\nCWE: %s\n%s\n" "Location %s:%s" ) - text = text % ( + text %= ( issue.test_id, issue.severity, issue.confidence, diff --git a/bandit/plugins/injection_wildcard.py b/bandit/plugins/injection_wildcard.py index 94d03b30a..46f6b5b6c 100644 --- a/bandit/plugins/injection_wildcard.py +++ b/bandit/plugins/injection_wildcard.py @@ -124,7 +124,7 @@ def linux_commands_wildcard_injection(context, config): argument_string = "" if isinstance(call_argument, list): for li in call_argument: - argument_string = argument_string + f" {li}" + argument_string += f" {li}" elif isinstance(call_argument, str): argument_string = call_argument From 4208e9d95ebbe2c1fa294b3dad7685035520b92f Mon Sep 17 00:00:00 2001 
From: Eric Brown Date: Sun, 23 Jun 2024 17:07:52 -0700 Subject: [PATCH 12/28] Performance improvement in blacklist function (#1148) The blacklisting function is currently using fnmatch.fnmatch() to do matching of qualified names of blacklist calls. It seems it is only used for telnetlib and ftplib where they are setting the qualified name in a file glob style (telnetlib.*). This change would slightly break backward compatibility if there are any third-party plugins that use globbing in the qualified names for blacklisting. I think the likelyhood is small. I also think it is better to be more explicit in the qualified name patterns. In the case of ftplib, FTP is insecure, but FTP_TLS is not. So this already is resolving one false postive. The other effect of this change is a slight boost to performance. When scanning cpython prior to this fix, it would take around 1 min. After the fix, closer to 50 seconds. So a nice little bump in speed. Fixes: #438 Signed-off-by: Eric Brown --- bandit/blacklists/calls.py | 4 ++-- bandit/core/blacklisting.py | 3 +-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py index d69f5dd3c..3d5f21cd0 100644 --- a/bandit/blacklists/calls.py +++ b/bandit/blacklists/calls.py @@ -537,7 +537,7 @@ def gen_blacklist(): "telnetlib", "B312", issue.Cwe.CLEARTEXT_TRANSMISSION, - ["telnetlib.*"], + ["telnetlib.Telnet"], "Telnet-related functions are being called. Telnet is considered " "insecure. Use SSH or some other encrypted protocol.", "HIGH", @@ -662,7 +662,7 @@ def gen_blacklist(): "ftplib", "B321", issue.Cwe.CLEARTEXT_TRANSMISSION, - ["ftplib.*"], + ["ftplib.FTP"], "FTP-related functions are being called. FTP is considered " "insecure. Use SSH/SFTP/SCP or some other encrypted protocol.", "HIGH", diff --git a/bandit/core/blacklisting.py b/bandit/core/blacklisting.py index 2f84ae023..2bbb093d5 100644 --- a/bandit/core/blacklisting.py +++ b/bandit/core/blacklisting.py 
@@ -3,7 +3,6 @@ # # SPDX-License-Identifier: Apache-2.0 import ast -import fnmatch from bandit.core import issue @@ -55,7 +54,7 @@ def blacklist(context, config): name = context.call_keywords["name"] for check in blacklists[node_type]: for qn in check["qualnames"]: - if name is not None and fnmatch.fnmatch(name, qn): + if name is not None and name == qn: return report_issue(check, name) if node_type.startswith("Import"): From 6142b7a6aa1b9a4ac997955e48eadab144434df2 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Sun, 23 Jun 2024 17:08:10 -0700 Subject: [PATCH 13/28] Add test for usage of FTP_TLS (#1149) * Performance improvement in blacklist function The blacklisting function is currently using fnmatch.fnmatch() to do matching of qualified names of blacklist calls. It seems it is only used for telnetlib and ftplib where they are setting the qualified name in a file glob style (telnetlib.*). This change would slightly break backward compatibility if there are any third-party plugins that use globbing in the qualified names for blacklisting. I think the likelyhood is small. I also think it is better to be more explicit in the qualified name patterns. In the case of ftplib, FTP is insecure, but FTP_TLS is not. So this already is resolving one false postive. The other effect of this change is a slight boost to performance. When scanning cpython prior to this fix, it would take around 1 min. After the fix, closer to 50 seconds. So a nice little bump in speed. Fixes: #438 Signed-off-by: Eric Brown * Add test for usage of FTP_TLS This change adds an FTP_TLS call to the examples. A high severity error is no longer reported as a result of the fix in PR #1148 that explicitly now matches blacklist call qualified names rather than using a file glob. However, you will notice that there is one more high severity issue reported in the tests as a result of the import of ftplib.FTP_TLS because the blacklist import is only checking for "ftplib". Fixes: #148 
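Review bot: Replacing `fnmatch.fnmatch(name, qn)` with `name == qn` turns any remaining glob-style qualname into a pattern that never matches, silently — a third-party blacklist still listing `telnetlib.*` stops reporting with no indication. Since the commit message accepts that compatibility break deliberately, the loop should at least surface it: a one-time warning when `qn` contains `*`, `?` or `[` (via the module's logger, if it has one — none is visible in this hunk) would expose a stale plugin rather than leave a false sense of coverage. With exact comparison the inner loop can also collapse to `if name is not None and name in check["qualnames"]:`, which is the same test in one line and is what the performance argument in the commit message is really about. The rest of `blacklist()` lies outside the hunk.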
Signed-off-by: Eric Brown --------- Signed-off-by: Eric Brown --- examples/ftplib.py | 17 ++++++++++++++++- tests/functional/test_functional.py | 4 ++-- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/examples/ftplib.py b/examples/ftplib.py index beaeb74af..6664ed001 100644 --- a/examples/ftplib.py +++ b/examples/ftplib.py @@ -1,9 +1,24 @@ from ftplib import FTP +from ftplib import FTP_TLS + +# bad ftp = FTP('ftp.debian.org') ftp.login() ftp.cwd('debian') ftp.retrlines('LIST') -ftp.quit() \ No newline at end of file +ftp.quit() + +# okay +ftp = ftplib.FTP_TLS( + "ftp.us.debian.org", + context=ssl.create_default_context(), +) +ftp.login() + +ftp.cwd("debian") +ftp.retrlines("LIST") + +ftp.quit() diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index fd96796f8..a92fe3f9c 100644 --- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -246,8 +246,8 @@ def test_telnet_usage(self): def test_ftp_usage(self): """Test for `import ftplib` and FTP.* calls.""" expect = { - "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 2}, - "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 2}, + "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 3}, + "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 3}, } self.check_example("ftplib.py", expect) From ec384b84261e563d4dc5cfe71673f159fcb199af Mon Sep 17 00:00:00 2001 
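Review bot: The `# okay` block in `examples/ftplib.py` is not actually safe as written: `FTP_TLS.login()` secures only the control channel, and the following `ftp.retrlines("LIST")` still runs over a cleartext data connection unless `ftp.prot_p()` is called after login. The example also references `ftplib.FTP_TLS` and `ssl.create_default_context()` without `import ftplib` or `import ssl` (only `from ftplib import FTP_TLS` is present), so it would raise `NameError` if executed, and Bandit presumably matches the call by its literal attribute path rather than through import resolution. Suggest adding `import ssl`, constructing via the imported `FTP_TLS(...)` name, and inserting `ftp.prot_p()  # login() protects only the control channel; encrypt the data channel too` directly after `ftp.login()`.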
From: Lucas Cimon <925560+Lucas-C@users.noreply.github.com> Date: Mon, 24 Jun 2024 05:53:33 +0200 Subject: [PATCH 14/28] New check: B113: TrojanSource - Bidirectional control characters (#757) * New check: B113: TrojanSource - Bidirectional control characters * Handling Python source files using a non-UTF8 encoding * Pleasing pep8 * Adding missing "SPDX-License-Identifier: Apache-2.0" comment * Also forbidding \u200F * Fixups for pre-commit hooks * Fixing KeyError: 'file_data' * Update issue.py * Apply suggestions from code review * Update bandit/plugins/trojansource.py --------- Co-authored-by: Eric Brown Co-authored-by: Eric Brown --- bandit/core/issue.py | 3 +- bandit/core/node_visitor.py | 10 ++++ bandit/core/test_properties.py | 6 ++- bandit/core/tester.py | 5 +- bandit/plugins/trojansource.py | 77 +++++++++++++++++++++++++++++ doc/source/plugins/trojansource.rst | 5 ++ examples/trojansource.py | 5 ++ examples/trojansource_latin1.py | 7 +++ setup.cfg | 3 ++ tests/functional/test_functional.py | 14 ++++++ 10 files changed, 131 insertions(+), 4 deletions(-) create mode 100755 bandit/plugins/trojansource.py create mode 100644 doc/source/plugins/trojansource.rst create mode 100644 examples/trojansource.py create mode 100644 examples/trojansource_latin1.py diff --git a/bandit/core/issue.py b/bandit/core/issue.py index 875e5e418..bfa583356 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py @@ -30,6 +30,7 @@ class Cwe: MULTIPLE_BINDS = 605 IMPROPER_CHECK_OF_EXCEPT_COND = 703 INCORRECT_PERMISSION_ASSIGNMENT = 732 + INAPPROPRIATE_ENCODING_FOR_OUTPUT_CONTEXT = 838 MITRE_URL_PATTERN = "https://cwe.mitre.org/data/definitions/%s.html" @@ -84,7 +85,7 @@ def __init__( ident=None, lineno=None, test_id="", - col_offset=0, + col_offset=-1, end_col_offset=0, ): self.severity = severity diff --git a/bandit/core/node_visitor.py b/bandit/core/node_visitor.py index 26cdb2471..27a4de5ee 100644 --- a/bandit/core/node_visitor.py +++ b/bandit/core/node_visitor.py 
@@ -286,4 +286,14 @@ def process(self, data): """ f_ast = ast.parse(data) self.generic_visit(f_ast) + # Run tests that do not require access to the AST, + # but only to the whole file source: + self.context = { + "file_data": self.fdata, + "filename": self.fname, + "lineno": 0, + "linerange": [0, 1], + "col_offset": 0, + } + self.update_scores(self.tester.run_tests(self.context, "File")) return self.scores diff --git a/bandit/core/test_properties.py b/bandit/core/test_properties.py index cf969952f..f6d4da1a7 100644 --- a/bandit/core/test_properties.py +++ b/bandit/core/test_properties.py @@ -15,7 +15,11 @@ def checks(*args): def wrapper(func): if not hasattr(func, "_checks"): func._checks = [] - func._checks.extend(utils.check_ast_node(a) for a in args) + for arg in args: + if arg == "File": + func._checks.append("File") + else: + func._checks.append(utils.check_ast_node(arg)) LOG.debug("checks() decorator executed") LOG.debug(" func._checks: %s", func._checks) diff --git a/bandit/core/tester.py b/bandit/core/tester.py index af5ffdae9..6d41877cb 100644 --- a/bandit/core/tester.py +++ b/bandit/core/tester.py @@ -43,7 +43,7 @@ def run_tests(self, raw_context, checktype): tests = self.testset.get_tests(checktype) for test in tests: name = test.__name__ - # execute test with the an instance of the context class + # execute test with an instance of the context class temp_context = copy.copy(raw_context) context = b_context.Context(temp_context) try: @@ -66,7 +66,8 @@ def run_tests(self, raw_context, checktype): if result.lineno is None: result.lineno = temp_context["lineno"] result.linerange = temp_context["linerange"] - result.col_offset = temp_context["col_offset"] + if result.col_offset == -1: + result.col_offset = temp_context["col_offset"] result.end_col_offset = temp_context.get( "end_col_offset", 0 ) diff --git a/bandit/plugins/trojansource.py b/bandit/plugins/trojansource.py new file mode 100755 index 000000000..5c0eae5eb --- /dev/null 
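Review bot: In `process()` the file-level pass runs only after `ast.parse(data)` and `generic_visit` succeed, so a source file that fails to parse is never handed to the `File` tests even though they need only the raw source; a bidi-character payload that also (or deliberately) breaks parsing therefore escapes the new check. Running `self.update_scores(self.tester.run_tests(self.context, "File"))` before `ast.parse(data)` removes that dependency, assuming `self.context` is reassigned per node during the visit and the caller tolerates issues from a file it later marks as skipped (neither is visible here); a comment such as `# file-level tests need only the raw source, so run them before parsing so a SyntaxError cannot suppress them` would record the intent. The `lineno`/`linerange` placeholders `0` and `[0, 1]` also deserve a comment saying they are fallbacks only, since `tester.run_tests` applies them just when `result.lineno is None`. `process()` begins outside this hunk.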
+++ b/bandit/plugins/trojansource.py 
@@ -0,0 +1,77 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+r"""
+=====================================================
+B613: TrojanSource - Bidirectional control characters
+=====================================================
+
+This plugin checks for the presence of unicode bidirectional control characters
+in Python source files. Those characters can be embedded in comments and strings
+to reorder source code characters in a way that changes its logic.
+
+:Example:
+
+.. code-block:: none
+
+    >> Issue: [B613:trojansource] A Python source file contains bidirectional control characters ('\u202e').
+       Severity: High Confidence: Medium
+       CWE: CWE-838 (https://cwe.mitre.org/data/definitions/838.html)
+       More Info: https://bandit.readthedocs.io/en/1.7.5/plugins/b113_trojansource.html
+       Location: examples/trojansource.py:4:25
+    3 access_level = "user"
+    4 if access_level != 'none‮⁦': # Check if admin ⁩⁦' and access_level != 'user
+    5     print("You are an admin.\n")
+
+.. seealso::
+
+    .. [1] https://trojansource.codes/
+    .. [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574
+
+.. versionadded:: 1.7.10
+
+""" # noqa: E501
+from tokenize import detect_encoding
+
+import bandit
+from bandit.core import issue
+from bandit.core import test_properties as test
+
+
+BIDI_CHARACTERS = (
+    "\u202A",
+    "\u202B",
+    "\u202C",
+    "\u202D",
+    "\u202E",
+    "\u2066",
+    "\u2067",
+    "\u2068",
+    "\u2069",
+    "\u200F",
+)
+
+
+@test.test_id("B613")
+@test.checks("File")
+def trojansource(context):
+    with open(context.filename, "rb") as src_file:
+        encoding, _ = detect_encoding(src_file.readline)
+    with open(context.filename, encoding=encoding) as src_file:
+        for lineno, line in enumerate(src_file.readlines(), start=1):
+            for char in BIDI_CHARACTERS:
+                try:
+                    col_offset = line.index(char) + 1
+                except ValueError:
+                    continue
+                text = (
+                    "A Python source file contains bidirectional"
+                    " control characters (%r)."
% char
+                )
+                return bandit.Issue(
+                    severity=bandit.HIGH,
+                    confidence=bandit.MEDIUM,
+                    cwe=issue.Cwe.INAPPROPRIATE_ENCODING_FOR_OUTPUT_CONTEXT,
+                    text=text,
+                    lineno=lineno,
+                    col_offset=col_offset,
+                )
diff --git a/doc/source/plugins/trojansource.rst b/doc/source/plugins/trojansource.rst
new file mode 100644
index 000000000..8fa0bc47b
--- /dev/null
+++ b/doc/source/plugins/trojansource.rst
@@ -0,0 +1,5 @@
+------------------
+B613: trojansource
+------------------
+
+.. automodule:: bandit.plugins.trojansource
diff --git a/examples/trojansource.py b/examples/trojansource.py
new file mode 100644
index 000000000..40c605579
--- /dev/null
+++ b/examples/trojansource.py
@@ -0,0 +1,5 @@
+#!/usr/bin/env python3
+# cf. https://trojansource.codes/ & https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574
+access_level = "user"
+if access_level != 'none‮⁦': # Check if admin ⁩⁦' and access_level != 'user
+    print("You are an admin.\n")
diff --git a/examples/trojansource_latin1.py b/examples/trojansource_latin1.py
new file mode 100644
index 000000000..dee24e07c
--- /dev/null
+++ b/examples/trojansource_latin1.py
@@ -0,0 +1,7 @@
+#!/usr/bin/env python3
+# -*- coding: latin-1 -*-
+# cf. https://trojansource.codes & https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42574
+# Some special characters:
+access_level = "user"
+if access_level != 'none??': # Check if admin ??' and access_level != 'user
+    print("You are an admin.\n")
diff --git a/setup.cfg b/setup.cfg
index 2dbee597c..52128b17d 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -152,6 +152,9 @@ bandit.plugins =
     #bandit/plugins/tarfile_unsafe_members.py
     tarfile_unsafe_members = bandit.plugins.tarfile_unsafe_members:tarfile_unsafe_members
+    # bandit/plugins/trojansource.py
+    trojansource = bandit.plugins.trojansource:trojansource
+
 [build_sphinx]
 all_files = 1
 build-dir = doc/build
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index a92fe3f9c..4597f7023 100644
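Review bot: `trojansource()` re-opens `context.filename` twice although the `File` context built in `node_visitor.process()` already carries the source as `file_data`; re-reading from disk means the bytes checked can differ from the bytes that were parsed if the file changes between the two reads, and it fails outright for inputs without a real path, such as Bandit's stdin target if that reaches this code with a placeholder filename. Decoding `context.file_data` (whatever `self.fdata` is — a file object or bytes, confirm) with the detected encoding would remove both the extra I/O and the divergence. The module docstring also contradicts the code: the title says B613 and `versionadded:: 1.7.10`, but the example output shows `[B113:trojansource]`, a `1.7.5` More-Info URL and `b113_trojansource.html` (B113 is the requests-timeout check); the example should read `[B613:trojansource]` with `.../en/latest/plugins/b613_trojansource.html`. Finally, `col_offset = line.index(char) + 1` yields a 1-based column while AST-derived issues carry ast's 0-based `col_offset`, so verify which convention the formatters expect, and add a comment that only the first bidi character in the file is reported because the loop `return`s on the first hit.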
--- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -929,3 +929,17 @@ def test_tarfile_unsafe_members(self): "CONFIDENCE": {"UNDEFINED": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 2}, } self.check_example("tarfile_extractall.py", expect) + + def test_trojansource(self): + expect = { + "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 1}, + "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 1, "HIGH": 0}, + } + self.check_example("trojansource.py", expect) + + def test_trojansource_latin1(self): + expect = { + "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 0}, + "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 0}, + } + self.check_example("trojansource_latin1.py", expect) From a670e03d739f659c2f5fc68971b04fa95e339555 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Jun 2024 07:56:43 -0700 Subject: [PATCH 15/28] Bump docker/build-push-action from 6.0.0 to 6.1.0 (#1152) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.0.0 to 6.1.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/c382f710d39a5bb4e430307530a720f50c2d3318...31159d49c0d4756269a0940a750801a1ea5d7003) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index bbe2d77a0..b961bf623 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml 
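Review bot: The two new tests lack the one-line docstrings every neighbouring test carries (`"""Test for ..."""`), and `test_trojansource_latin1` in particular needs one because its intent is not obvious: the latin-1 example cannot contain the bidi code points (they appear as `??` in the file), so its zero-findings expectation checks only that a non-UTF-8 source is read without error, not that a payload is detected. Suggest `"""Test for bidirectional control characters (Trojan Source)."""` on the first and `"""Test that a latin-1 encoded file is scanned without error (no bidi chars possible)."""` on the second.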
@@ -51,7 +51,7 @@ jobs: - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 # v6 + uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6 with: context: . file: ./docker/Dockerfile From 67ba25122350e8db1e44ed33b3ecd1b05ca97be4 Mon Sep 17 00:00:00 2001 From: Mathieu Kniewallner Date: Tue, 25 Jun 2024 16:06:21 +0200 Subject: [PATCH 16/28] feat(plugins): add support for `httpx` in `B113` (#1060) * refactor: move `HTTP_VERBS`/`HTTPX_ATTRS` to `core.utils` * perf(core): use sets for `HTTP_REQUEST_VERBS`/`HTTPX_ATTRS` * feat(plugins): add support for `httpx` in `B113` * refactor: put back `HTTP_VERBS`/`HTTPX_ATTRS` into plugins * Update bandit/plugins/request_without_timeout.py * Update bandit/plugins/request_without_timeout.py * Update bandit/plugins/request_without_timeout.py --------- Co-authored-by: Eric Brown --- .../crypto_request_no_cert_validation.py | 4 +- bandit/plugins/request_without_timeout.py | 24 +++++--- examples/requests-missing-timeout.py | 55 ++++++++++++++++--- examples/requests-ssl-verify-disabled.py | 46 ++++++++-------- tests/functional/test_functional.py | 4 +- 5 files changed, 93 insertions(+), 40 deletions(-) diff --git a/bandit/plugins/crypto_request_no_cert_validation.py b/bandit/plugins/crypto_request_no_cert_validation.py index 223d421ff..11791ed1e 100644 --- a/bandit/plugins/crypto_request_no_cert_validation.py +++ b/bandit/plugins/crypto_request_no_cert_validation.py @@ -54,8 +54,8 @@ @test.checks("Call") @test.test_id("B501") def request_with_no_cert_validation(context): - HTTP_VERBS = ("get", "options", "head", "post", "put", "patch", "delete") - HTTPX_ATTRS = ("request", "stream", "Client", "AsyncClient") + HTTP_VERBS + HTTP_VERBS = {"get", "options", "head", "post", "put", "patch", "delete"} + HTTPX_ATTRS = {"request", "stream", "Client", "AsyncClient"} | HTTP_VERBS qualname = context.call_function_name_qual.split(".")[0] if ( 
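Review bot: `HTTP_VERBS` and `HTTPX_ATTRS` are rebuilt as fresh sets on every `Call` node the B501 check visits, since they are still defined inside `request_with_no_cert_validation`; the commit message says sharing them through `core.utils` was tried and reverted, but they can still be module-level constants in this plugin (`HTTP_VERBS = frozenset({"get", "options", "head", "post", "put", "patch", "delete"})` above the decorators, `HTTPX_ATTRS = frozenset({"request", "stream", "Client", "AsyncClient"}) | HTTP_VERBS`), which also leaves the set literal as the only thing to touch when a verb is added. The `if (` that consumes them is cut at the end of the hunk, so I cannot see whether anything in the condition depends on them being locals.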
diff --git a/bandit/plugins/request_without_timeout.py b/bandit/plugins/request_without_timeout.py index a418b6cc0..d571a49ea 100644 --- a/bandit/plugins/request_without_timeout.py +++ b/bandit/plugins/request_without_timeout.py @@ -4,7 +4,8 @@ B113: Test for missing requests timeout ======================================= -This plugin test checks for ``requests`` calls without a timeout specified. +This plugin test checks for ``requests`` or ``httpx`` calls without a timeout +specified. Nearly all production code should use this parameter in nearly all requests, Failure to do so can cause your program to hang indefinitely. @@ -17,7 +18,7 @@ .. code-block:: none - >> Issue: [B113:request_without_timeout] Requests call without timeout + >> Issue: [B113:request_without_timeout] Call to requests without timeout Severity: Medium Confidence: Low CWE: CWE-400 (https://cwe.mitre.org/data/definitions/400.html) More Info: https://bandit.readthedocs.io/en/latest/plugins/b113_request_without_timeout.html @@ -27,7 +28,7 @@ 4 requests.get('https://gmail.com', timeout=None) -------------------------------------------------- - >> Issue: [B113:request_without_timeout] Requests call with timeout set to None + >> Issue: [B113:request_without_timeout] Call to requests with timeout set to None Severity: Medium Confidence: Low CWE: CWE-400 (https://cwe.mitre.org/data/definitions/400.html) More Info: https://bandit.readthedocs.io/en/latest/plugins/b113_request_without_timeout.html @@ -42,6 +43,9 @@ .. versionadded:: 1.7.5 +.. versionchanged:: 1.7.10 + Added check for httpx module + """ # noqa: E501 import bandit from bandit.core import issue 
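Review bot: The docstring's rationale, "Failure to do so can cause your program to hang indefinitely", is carried over unchanged while the check now also fires on `httpx`, and as far as I recall httpx applies a default timeout (5 seconds per its documentation) when none is passed, so an `httpx` call without `timeout=` does not hang indefinitely the way a bare `requests` call does; only `timeout=None` disables the limit. Users read this text to triage the MEDIUM finding, so it should say which case applies; suggest adding after the first paragraph: `Note that httpx applies a default timeout when none is given, so for httpx the missing-argument case is about making the limit explicit, whereas ``timeout=None`` disables it entirely.` The context line `Nearly all production code should use this parameter in nearly all requests, Failure to do so` is also a comma splice and would read better as `...requests. Failure to do so...`.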
@@ -51,17 +55,23 @@ @test.checks("Call") @test.test_id("B113") def request_without_timeout(context): - http_verbs = ("get", "options", "head", "post", "put", "patch", "delete") + HTTP_VERBS = {"get", "options", "head", "post", "put", "patch", "delete"} + HTTPX_ATTRS = {"request", "stream", "Client", "AsyncClient"} | HTTP_VERBS qualname = context.call_function_name_qual.split(".")[0] - if qualname == "requests" and context.call_function_name in http_verbs: + if ( + qualname == "requests" + and context.call_function_name in HTTP_VERBS + or qualname == "httpx" + and context.call_function_name in HTTPX_ATTRS + ): # check for missing timeout if context.check_call_arg_value("timeout") is None: return bandit.Issue( severity=bandit.MEDIUM, confidence=bandit.LOW, cwe=issue.Cwe.UNCONTROLLED_RESOURCE_CONSUMPTION, - text="Requests call without timeout", + text=f"Call to {qualname} without timeout", ) # check for timeout=None if context.check_call_arg_value("timeout", "None"): @@ -69,5 +79,5 @@ def request_without_timeout(context): severity=bandit.MEDIUM, confidence=bandit.LOW, cwe=issue.Cwe.UNCONTROLLED_RESOURCE_CONSUMPTION, - text="Requests call with timeout set to None", + text=f"Call to {qualname} with timeout set to None", ) diff --git a/examples/requests-missing-timeout.py b/examples/requests-missing-timeout.py index 38f24440a..fa71c4b0e 100644 --- a/examples/requests-missing-timeout.py +++ b/examples/requests-missing-timeout.py 
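Review bot: The new condition mixes `and` and `or` without parentheses, `qualname == "requests" and ... in HTTP_VERBS or qualname == "httpx" and ... in HTTPX_ATTRS`; Python's precedence yields the intended `(A and B) or (C and D)`, but the reader has to work that out and black will keep it flat, so the two arms should be parenthesized. A small dispatch table removes both the precedence question and the per-call set construction: hoist the two sets to module level, add `_TIMEOUT_ATTRS = {"requests": HTTP_VERBS, "httpx": HTTPX_ATTRS}`, and gate on `if context.call_function_name in _TIMEOUT_ATTRS.get(qualname, ()):`. Separately, `requests.request("GET", url)` is not matched because `request` appears only in the httpx set, although it hangs exactly like `requests.get(url)` when no timeout is given; adding `"request"` to the `requests` entry would close that without affecting httpx.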
@@ -1,27 +1,68 @@ +import httpx import requests import not_requests +# Errors requests.get('https://gmail.com') requests.get('https://gmail.com', timeout=None) -requests.get('https://gmail.com', timeout=5) requests.post('https://gmail.com') requests.post('https://gmail.com', timeout=None) -requests.post('https://gmail.com', timeout=5) requests.put('https://gmail.com') requests.put('https://gmail.com', timeout=None) -requests.put('https://gmail.com', timeout=5) requests.delete('https://gmail.com') requests.delete('https://gmail.com', timeout=None) -requests.delete('https://gmail.com', timeout=5) requests.patch('https://gmail.com') requests.patch('https://gmail.com', timeout=None) -requests.patch('https://gmail.com', timeout=5) requests.options('https://gmail.com') requests.options('https://gmail.com', timeout=None) -requests.options('https://gmail.com', timeout=5) requests.head('https://gmail.com') requests.head('https://gmail.com', timeout=None) -requests.head('https://gmail.com', timeout=5) +httpx.get('https://gmail.com') +httpx.get('https://gmail.com', timeout=None) +httpx.post('https://gmail.com') +httpx.post('https://gmail.com', timeout=None) +httpx.put('https://gmail.com') +httpx.put('https://gmail.com', timeout=None) +httpx.delete('https://gmail.com') +httpx.delete('https://gmail.com', timeout=None) +httpx.patch('https://gmail.com') +httpx.patch('https://gmail.com', timeout=None) +httpx.options('https://gmail.com') +httpx.options('https://gmail.com', timeout=None) +httpx.head('https://gmail.com') +httpx.head('https://gmail.com', timeout=None) +httpx.Client() +httpx.Client(timeout=None) +httpx.AsyncClient() +httpx.AsyncClient(timeout=None) +with httpx.Client() as client: + client.get('https://gmail.com') +with httpx.Client(timeout=None) as client: + client.get('https://gmail.com') +async with httpx.AsyncClient() as client: + await client.get('https://gmail.com') +async with httpx.AsyncClient(timeout=None) as client: + await client.get('https://gmail.com') # 
Okay not_requests.get('https://gmail.com') +requests.get('https://gmail.com', timeout=5) +requests.post('https://gmail.com', timeout=5) +requests.put('https://gmail.com', timeout=5) +requests.delete('https://gmail.com', timeout=5) +requests.patch('https://gmail.com', timeout=5) +requests.options('https://gmail.com', timeout=5) +requests.head('https://gmail.com', timeout=5) +httpx.get('https://gmail.com', timeout=5) +httpx.post('https://gmail.com', timeout=5) +httpx.put('https://gmail.com', timeout=5) +httpx.delete('https://gmail.com', timeout=5) +httpx.patch('https://gmail.com', timeout=5) +httpx.options('https://gmail.com', timeout=5) +httpx.head('https://gmail.com', timeout=5) +httpx.Client(timeout=5) +httpx.AsyncClient(timeout=5) +with httpx.Client(timeout=5) as client: + client.get('https://gmail.com') +async with httpx.AsyncClient(timeout=5) as client: + await client.get('https://gmail.com') diff --git a/examples/requests-ssl-verify-disabled.py b/examples/requests-ssl-verify-disabled.py index 25f5ef41f..c45b9e944 100644 --- a/examples/requests-ssl-verify-disabled.py +++ b/examples/requests-ssl-verify-disabled.py @@ -1,6 +1,7 @@ import httpx import requests +# Errors requests.get('https://gmail.com', timeout=30, verify=True) requests.get('https://gmail.com', timeout=30, verify=False) requests.post('https://gmail.com', timeout=30, verify=True) 
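Review bot: The expected count of 36 in the functional test is reached by 14 `requests` calls, 14 `httpx` verb calls, 4 bare client constructors and 4 `with`/`async with` constructors, so the `client.get(...)` calls inside those context managers are not matched by B113 at all, because their `qualname` is `client`, not `httpx`. That means a per-request override such as `client.get(url, timeout=None)`, which disables the client-level timeout for that one call, would go unreported, and it is also why the `client.get('https://gmail.com')` lines in the `# Okay` block pass. If that gap is accepted for now, make the fixture say so, e.g. `# client.get(...) is not inspected by B113; per-request timeout overrides on a Client are out of scope`, rather than relying on it silently. The module-level `async with` also makes this file unimportable as a script, which is presumably fine since it is only parsed, but a short comment to that effect would save the next reader a double take.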
@@ -16,25 +17,26 @@ requests.head('https://gmail.com', timeout=30, verify=True) requests.head('https://gmail.com', timeout=30, verify=False) -httpx.request('GET', 'https://gmail.com', verify=True) -httpx.request('GET', 'https://gmail.com', verify=False) -httpx.get('https://gmail.com', verify=True) -httpx.get('https://gmail.com', verify=False) -httpx.options('https://gmail.com', verify=True) -httpx.options('https://gmail.com', verify=False) -httpx.head('https://gmail.com', verify=True) -httpx.head('https://gmail.com', verify=False) -httpx.post('https://gmail.com', verify=True) -httpx.post('https://gmail.com', verify=False) -httpx.put('https://gmail.com', verify=True) -httpx.put('https://gmail.com', verify=False) -httpx.patch('https://gmail.com', verify=True) -httpx.patch('https://gmail.com', verify=False) -httpx.delete('https://gmail.com', verify=True) -httpx.delete('https://gmail.com', verify=False) -httpx.stream('https://gmail.com', verify=True) -httpx.stream('https://gmail.com', verify=False) -httpx.Client() -httpx.Client(verify=False) -httpx.AsyncClient() -httpx.AsyncClient(verify=False) +# Okay +httpx.request('GET', 'https://gmail.com', timeout=30, verify=True) +httpx.request('GET', 'https://gmail.com', timeout=30, verify=False) +httpx.get('https://gmail.com', timeout=30, verify=True) +httpx.get('https://gmail.com', timeout=30, verify=False) +httpx.options('https://gmail.com', timeout=30, verify=True) +httpx.options('https://gmail.com', timeout=30, verify=False) +httpx.head('https://gmail.com', timeout=30, verify=True) +httpx.head('https://gmail.com', timeout=30, verify=False) +httpx.post('https://gmail.com', timeout=30, verify=True) +httpx.post('https://gmail.com', timeout=30, verify=False) +httpx.put('https://gmail.com', timeout=30, verify=True) +httpx.put('https://gmail.com', timeout=30, verify=False) +httpx.patch('https://gmail.com', timeout=30, verify=True) +httpx.patch('https://gmail.com', timeout=30, verify=False) +httpx.delete('https://gmail.com', 
timeout=30, verify=True) +httpx.delete('https://gmail.com', timeout=30, verify=False) +httpx.stream('https://gmail.com', timeout=30, verify=True) +httpx.stream('https://gmail.com', timeout=30, verify=False) +httpx.Client(timeout=30) +httpx.Client(timeout=30, verify=False) +httpx.AsyncClient(timeout=30) +httpx.AsyncClient(timeout=30, verify=False) diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index 4597f7023..681e45edf 100644 --- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -411,8 +411,8 @@ def test_requests_ssl_verify_disabled(self): def test_requests_without_timeout(self): """Test for the `requests` library missing timeouts.""" expect = { - "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 14, "HIGH": 0}, - "CONFIDENCE": {"UNDEFINED": 0, "LOW": 14, "MEDIUM": 0, "HIGH": 0}, + "SEVERITY": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 36, "HIGH": 0}, + "CONFIDENCE": {"UNDEFINED": 0, "LOW": 36, "MEDIUM": 0, "HIGH": 0}, } self.check_example("requests-missing-timeout.py", expect) From c393ab3590401e32b8e96e2fd592e1f7f911aea5 Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Thu, 27 Jun 2024 03:14:48 -0700 Subject: [PATCH 17/28] Nit: remove unused variable (#1153) Unsure what the intention of this variable was, but doesn't do anything now. Signed-off-by: Eric Brown --- bandit/core/node_visitor.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/bandit/core/node_visitor.py b/bandit/core/node_visitor.py index 27a4de5ee..938e8733b 100644 --- a/bandit/core/node_visitor.py +++ b/bandit/core/node_visitor.py @@ -19,7 +19,6 @@ def __init__( ): self.debug = debug self.nosec_lines = nosec_lines - self.seen = 0 self.scores = { "SEVERITY": [0] * len(constants.RANKING), "CONFIDENCE": [0] * len(constants.RANKING), 
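Review bot: The `# Okay` label placed above the `httpx` block is misleading in this file, because every second line of that block passes `verify=False`, which is exactly what B501, the check this example exists for, is meant to report; the label appears to refer to B113 (every call now carries `timeout=30`), not to the file's own purpose. Since the same `# Errors`/`# Okay` convention in `requests-missing-timeout.py` means "flagged"/"not flagged", a reader will assume the httpx `verify=False` lines are expected to pass B501. Suggest dropping the two labels here, or replacing them with something explicit such as `# timeouts are set so B113 stays quiet; B501 still flags every verify=False below`.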
@@ -209,7 +208,6 @@ def pre_visit(self, node): self.context["filename"] = self.fname self.context["file_data"] = self.fdata - self.seen += 1 LOG.debug( "entering: %s %s [%s]", hex(id(node)), type(node), self.depth ) From ef1a67a0f6d802d95eb54876b07ef973012e09fd Mon Sep 17 00:00:00 2001 From: Eric Brown Date: Thu, 27 Jun 2024 08:49:26 -0700 Subject: [PATCH 18/28] Add recent releases to version choice in bug report (#1151) Added 1.7.9 and 1.7.8 to bug template. --- .github/ISSUE_TEMPLATE/bug-report.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml index 99399f2d6..e2c467305 100644 --- a/.github/ISSUE_TEMPLATE/bug-report.yml +++ b/.github/ISSUE_TEMPLATE/bug-report.yml @@ -44,7 +44,9 @@ body: label: Bandit version description: Run "bandit --version" if unsure of version number options: - - 1.7.7 (Default) + - 1.7.9 (Default) + - 1.7.8 + - 1.7.7 - 1.7.6 - 1.7.5 - 1.7.4 From 9e56e8f751b0a5ed78a1b80b5ba413a2994a5ad5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 1 Jul 2024 13:05:18 +0000 Subject: [PATCH 19/28] Bump docker/build-push-action from 6.1.0 to 6.2.0 (#1155) --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index b961bf623..35f98a690 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -51,7 +51,7 @@ jobs: - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6 + uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6 with: context: . file: ./docker/Dockerfile From e0af824d3e2316d876e549a5c5f53103050c3ec9 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jul 2024 07:10:58 -0700 Subject: [PATCH 20/28] Bump docker/build-push-action from 6.2.0 to 6.3.0 (#1157) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.2.0 to 6.3.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/15560696de535e4014efeff63c48f16952e52dd1...1a162644f9a7e87d8f4b053101d1d9a712edc18c) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index 35f98a690..fd6982fd5 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -51,7 +51,7 @@ jobs: - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@15560696de535e4014efeff63c48f16952e52dd1 # v6 + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6 with: context: . file: ./docker/Dockerfile From 89d2345a8edbd6e1ade45e01919462910ed47ce3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Jul 2024 07:11:22 -0700 Subject: [PATCH 21/28] Bump docker/setup-buildx-action from 3.3.0 to 3.4.0 (#1156) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.3.0 to 3.4.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/d70bba72b1f3fd22344832f00baa16ece964efeb...4fd812986e6c8c2a69e18311145f9371337f27d4) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index fd6982fd5..1f52a2abc 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -31,7 +31,7 @@ jobs: ref: ${{ github.event_name == 'release' && github.ref || env.RELEASE_TAG }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3 + uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3 - name: Log in to GitHub Container Registry uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3 From 708ab749502d79556eae5778561a7ae16b31be22 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 07:32:59 -0700 Subject: [PATCH 22/28] Bump docker/setup-buildx-action from 3.4.0 to 3.5.0 (#1158) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/4fd812986e6c8c2a69e18311145f9371337f27d4...aa33708b10e362ff993539393ff100fa93ed6a27) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index 1f52a2abc..7c1f74e73 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -31,7 +31,7 @@ jobs: ref: ${{ github.event_name == 'release' && github.ref || env.RELEASE_TAG }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3 + uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3 - name: Log in to GitHub Container Registry uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3 From 90490c705926432df1922e5b73b94d0e21958c1a Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 07:36:45 -0700 Subject: [PATCH 23/28] Bump docker/login-action from 3.2.0 to 3.3.0 (#1159) Bumps [docker/login-action](https://github.com/docker/login-action) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/0d4c9c5ea7693da7b068278f7b52bda2a190a446...9780b0c442fbb1117ed29e0efdff1e18412f7567) --- updated-dependencies: - dependency-name: docker/login-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eric Brown --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index 7c1f74e73..0bfaa1d5c 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -34,7 +34,7 @@ jobs: uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3 - name: Log in to GitHub Container Registry - uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 with: registry: ghcr.io username: ${{ github.actor }} From 320495c4cf0c14f1b376d5699b581b994f509af4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 07:41:27 -0700 Subject: [PATCH 24/28] Bump docker/build-push-action from 6.3.0 to 6.5.0 (#1160) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.3.0 to 6.5.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/1a162644f9a7e87d8f4b053101d1d9a712edc18c...5176d81f87c23d6fc96624dfdbcd9f3830bbe445) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Eric Brown --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index 0bfaa1d5c..4dfd9e112 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -51,7 +51,7 @@ jobs: - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6 + uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6 with: context: . file: ./docker/Dockerfile From 701b7d541723f7543663f7798a5266f5141f3212 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Aug 2024 07:31:16 -0700 Subject: [PATCH 25/28] Bump docker/setup-buildx-action from 3.5.0 to 3.6.1 (#1163) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.5.0 to 3.6.1. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/aa33708b10e362ff993539393ff100fa93ed6a27...988b5a0280414f521da01fcc63a27aeeb4b104db) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index 4dfd9e112..1aa2cd0a8 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -31,7 +31,7 @@ jobs: ref: ${{ github.event_name == 'release' && github.ref || env.RELEASE_TAG }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3 + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3 - name: Log in to GitHub Container Registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 From 221ced660e04fe84d617e625114afa7fdbe173f3 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 07:06:27 -0700 Subject: [PATCH 26/28] Bump docker/build-push-action from 6.5.0 to 6.6.1 (#1166) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.5.0 to 6.6.1. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/5176d81f87c23d6fc96624dfdbcd9f3830bbe445...16ebe778df0e7752d2cfcbd924afdbbd89c1a755) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index 1aa2cd0a8..0db4694c0 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -51,7 +51,7 @@ jobs: - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 # v6 + uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6 with: context: . file: ./docker/Dockerfile From 77566a00b6c2486049247acdf6dab327dc03845b Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Aug 2024 07:07:09 -0700 Subject: [PATCH 27/28] Bump sigstore/cosign-installer from 3.5.0 to 3.6.0 (#1165) Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.5.0 to 3.6.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/59acb6260d9c0ba8f4a2f9d9b48431a222b68e20...4959ce089c160fddf62f7b42464195ba1a56d382) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index 0db4694c0..c78fc05bd 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -41,7 +41,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Install Cosign - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0 with: cosign-release: 'v2.2.2' From 68022aa1d626a7702e3154987f4be278484033fb Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 19 Aug 2024 07:00:43 -0700 Subject: [PATCH 28/28] Bump docker/build-push-action from 6.6.1 to 6.7.0 (#1168) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.6.1 to 6.7.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/16ebe778df0e7752d2cfcbd924afdbbd89c1a755...5cd11c3a4ced054e52742c5fd54dca954e0edd85) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml index c78fc05bd..fa95f6754 100644 --- a/.github/workflows/build-publish-image.yml +++ b/.github/workflows/build-publish-image.yml @@ -51,7 +51,7 @@ jobs: - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@16ebe778df0e7752d2cfcbd924afdbbd89c1a755 # v6 + uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6 with: context: . file: ./docker/Dockerfile