Comparing changes
base repository: PyCQA/bandit, base: 1.7.6
head repository: PyCQA/bandit, compare: 1.7.7
15 commits, 30 files changed, 6 contributors
Commits on Dec 9, 2023
- Add the new release to bandit versions of bug template (#1075) [923f269]
  Add the new latest version and default version to the issue template for bugs.
Commits on Dec 11, 2023
- Bump actions/setup-python from 4 to 5 (#1076) [53fe99b]
  Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4 to 5.
  - [Release notes](https://github.com/actions/setup-python/releases)
  - [Commits](actions/setup-python@v4...v5)
  updated-dependencies:
  - dependency-name: actions/setup-python
    dependency-type: direct:production
    update-type: version-update:semver-major
  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Commits on Dec 13, 2023
- Handle variant in how policy is passed in paramiko (#1078) [5ec806d]
  Paramiko permits various ways of importing the missing host key policy. It allows paramiko.client.AutoAddPolicy or paramiko.AutoAddPolicy. The latter isn't being handled in Bandit. This change adds new tests and modifies the plugin to inspect the AST to determine whether the argument is an Attribute, Name, or Call.
  Fixes #1077
  Signed-off-by: Eric Brown <[email protected]>
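The three argument shapes the commit describes (Attribute, Name, Call) are easy to get wrong in an AST check, so here is an added example of the same idea written from scratch for this page: it is not Bandit's plugin code. It walks a parsed module, finds `set_missing_host_key_policy()` calls (positional or `policy=` keyword), and unwraps a `Call` to its `func` before reading the class name. Treating `WarningPolicy` as unsafe alongside `AutoAddPolicy` is this example's assumption, and the `SAMPLE` source is constructed input.

```python
import ast

# Policies that accept unknown host keys without verification. AutoAddPolicy is the
# one the commit names; including WarningPolicy is this example's assumption.
UNSAFE_POLICIES = {"AutoAddPolicy", "WarningPolicy"}


def _policy_name(node):
    """Return the class name referenced by the policy argument, or None.

    Covers the three argument shapes paramiko accepts:
      paramiko.client.AutoAddPolicy   -> ast.Attribute
      AutoAddPolicy                   -> ast.Name (after a from-import)
      paramiko.AutoAddPolicy()        -> ast.Call wrapping either of the above
    """
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return None


def find_unsafe_host_key_policies(source):
    """Parse `source` and return (lineno, policy) for every
    set_missing_host_key_policy() call whose policy is in UNSAFE_POLICIES."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr == "set_missing_host_key_policy"):
            continue
        # The policy may be passed positionally or as policy=...
        arg = node.args[0] if node.args else None
        if arg is None:
            arg = next((kw.value for kw in node.keywords if kw.arg == "policy"), None)
        name = _policy_name(arg) if arg is not None else None
        if name in UNSAFE_POLICIES:
            findings.append((node.lineno, name))
    return findings


# Constructed sample input, not code from any real project.
SAMPLE = """\
import paramiko
from paramiko import AutoAddPolicy
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.client.AutoAddPolicy)
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.set_missing_host_key_policy(AutoAddPolicy)
client.set_missing_host_key_policy(policy=paramiko.WarningPolicy())
client.set_missing_host_key_policy(paramiko.RejectPolicy())
"""

if __name__ == "__main__":
    for lineno, policy in find_unsafe_host_key_policies(SAMPLE):
        print(f"line {lineno}: {policy} skips host key verification")
```

The check is purely syntactic: it does not resolve aliases such as `Policy = paramiko.AutoAddPolicy`, which is the usual trade-off for a linter-style scanner.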
Commits on Dec 16, 2023
- Flag str.replace as possible sql injection (#1044) [fe9ca8b]
  - Flag str.replace as possible sql injection: This extends the existing implementation for detecting possible cases of SQL injection to account for `str.replace` used in the string construction. Use of `str.replace` can lead to SQL injection in much the same way as `str.format` can, and that is already considered in the pre-existing implementation, along with other common string constructions. Resolves #878
  - Revert cosmetic change
  - Fix lint
  - Reduce str.replace to LOW confidence in all cases: Since the rate of false positives may be higher for str.replace over other string constructions like str.format, we should reduce to LOW confidence to compensate for this.
  - Update bandit/plugins/injection_sql.py: Correct version in versionchanged directive. Co-authored-by: Eric Brown <[email protected]>
  - Fix typo in comment
  Co-authored-by: Ian Stapleton Cordasco <[email protected]>
  Co-authored-by: Eric Brown <[email protected]>
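To show both halves of this change, here is an added example that is not Bandit's code: a small detector that flags `.replace()` called on a string literal that looks like SQL (the `SQL_RE` pattern is a simplified stand-in for whatever Bandit actually uses), followed by the vulnerable `str.replace` construction the check is after, run against an in-memory SQLite table next to the parameterised version. The table rows and the `SAMPLE` source are constructed for the example.

```python
import ast
import re
import sqlite3

# Rough SQL-statement pattern; a simplified stand-in, not Bandit's own regex.
SQL_RE = re.compile(
    r"^\s*(select\s.*from\s|delete\s+from\s|insert\s+into\s.*values\s|update\s.*set\s)",
    re.IGNORECASE | re.DOTALL,
)


def find_replace_on_sql(source):
    """Return line numbers where .replace() is called on a string literal that
    looks like SQL, i.e. the pattern the commit adds to the injection check."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (
            isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "replace"
            and isinstance(node.func.value, ast.Constant)
            and isinstance(node.func.value.value, str)
            and SQL_RE.match(node.func.value.value)
        ):
            hits.append(node.lineno)
    return hits


def _connect():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Splices the caller's value into SQL text with str.replace: a single quote
    in `name` terminates the literal and the remainder is parsed as SQL."""
    query = "SELECT email FROM users WHERE name = '{name}' ORDER BY name".replace(
        "{name}", name
    )
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Same lookup with a bound parameter; the value is never parsed as SQL."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT email FROM users WHERE name = ? ORDER BY name", (name,)
        )
    ]


# Constructed sample source for the detector: line 1 should be flagged, line 2
# is an ordinary string substitution and should not.
SAMPLE = """\
query = "SELECT email FROM users WHERE name = '{name}'".replace("{name}", name)
greeting = "Hello, {name}".replace("{name}", name)
"""

if __name__ == "__main__":
    print("flagged lines:", find_replace_on_sql(SAMPLE))
    conn = _connect()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))
    print("safe:", lookup_safe(conn, payload))
```

The second line of `SAMPLE` is why the commit settles on LOW confidence: `.replace()` on a literal is far more often templating than query building, and a syntactic check cannot tell the two apart without the SQL-shaped literal.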
Commits on Dec 21, 2023
- defusedxml: Show correct module name (#1081) [8fa5788]
  The module name described in the warning message is incomplete and confusing.
Commits on Jan 9, 2024
- Add tidelift to the sponsor funding list (#1089) [a78cafe]
  Now that Tidelift is officially lifting Bandit, we should include it in our sponsor links.
Commits on Jan 13, 2024
- Create a security policy (#1091) [c2bd6d6]
  We really should provide guidance on how to open a security issue on Bandit itself. Tidelift also requires a security policy document that they can refer to and help coordinate for their customers.
Commits on Jan 14, 2024
- Fix up issues found running Bandit on itself (#1093) [7129108]
  - Used nosec for various false positives:
    1. xml.etree is used only for XML generation not parsing
    2. "0.0.0.0" is used in the plugin itself
    3. Various strings of temp directories are used in the plugin itself.
    4. The subprocess call does use user input, but only from the command line itself that is running baseline. Although maybe this could be argued as an issue though.
  - Fixed the empty try-except-pass to have code in the except block.
  Fixes #948
  Signed-off-by: Eric Brown <[email protected]>
Commits on Jan 19, 2024
- Add random.randbytes to blacklist calls (#1096) [0779eb0]
  In Python 3.9, the random module added a new function randbytes(n). This function shouldn't be used for any cryptographic operations. As the doc recommends, use secrets.token_bytes() instead. https://docs.python.org/3/library/random.html#random.randbytes
  Signed-off-by: Eric Brown <[email protected]>
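The reason `random.randbytes()` belongs on the blacklist is that the Mersenne Twister behind `random` is fully determined by its seed. This added example (not from Bandit or CPython) makes that concrete: it shows that two generators with the same seed emit identical "random" bytes, and that an attacker who can bound the seed (here, a constructed timestamp window) can recover it from one observed token by brute force. `secrets.token_bytes()` is the replacement the commit and the Python docs point to. Requires Python 3.9+ for `randbytes`.

```python
import random
import secrets


def randbytes_from_seed(seed, n=16):
    """Bytes from random.randbytes() on a Mersenne Twister seeded with `seed`."""
    return random.Random(seed).randbytes(n)


def is_reproducible(seed, n=16):
    """True when two independently seeded generators emit identical bytes, which
    is exactly why random.randbytes() is unsuitable for keys, tokens and nonces."""
    return randbytes_from_seed(seed, n) == randbytes_from_seed(seed, n)


def recover_seed(observed, candidates):
    """Attacker's view: given one token and a guessable seed range (for example
    a timestamp window), find the seed that reproduces it, or None."""
    for seed in candidates:
        if randbytes_from_seed(seed, len(observed)) == observed:
            return seed
    return None


def token_bytes(n=16):
    """The replacement the random docs recommend: OS-backed CSPRNG output,
    with no seed to recover."""
    return secrets.token_bytes(n)


if __name__ == "__main__":
    # Constructed scenario: an app seeds with a Unix timestamp and hands out a
    # 16-byte session token; the attacker knows roughly when it was issued.
    issued_at = 1700000042
    token = randbytes_from_seed(issued_at)
    print("reproducible from seed:", is_reproducible(issued_at))
    print("recovered seed:", recover_seed(token, range(1700000000, 1700000100)))
    print("secrets.token_bytes:", token_bytes().hex())
```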
Commits on Jan 20, 2024
- Prepend ./ for files specified as CLI args (#1094) [12e14f6]
  The get_module_qualname_from_path() function called by the node visitor expects that all files are explicitly named with a "head" and "tail" which are path delimiters to denote where the file is within a python project. However, if someone uses the command line and simply asks bandit to scan dummy.py in the current working directory, it will be missing the explicit "./" prefix in order for get_module_qualname_from_path to run and determine the module fully qualified name from the path. So this fix simply prepends a dot and delimiter to explicitly denote a file in the current working directory as given from the CLI.
  Fixes #907
  Signed-off-by: Eric Brown <[email protected]>
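An added example of the head/tail problem the commit describes, written for this page as a hypothetical stand-in and not Bandit's `get_module_qualname_from_path()`. `_qualname()` insists on a directory component and walks up through `__init__.py` directories to build the dotted name; `module_qualname_from_path()` applies the commit's fix, prepending `./` to a bare filename before splitting. `demo()` builds a throwaway `pkg/sub/mod.py` tree so the same module can be resolved from a full path and from a bare filename.

```python
import os
import tempfile


def _qualname(head, tail):
    """Build a dotted module name from a (directory, filename) pair by walking up
    through packages, i.e. directories that contain __init__.py.

    Like the helper the commit describes, this requires an explicit directory
    part: a bare filename has no "head" to walk from."""
    if not head:
        raise ValueError("path must include a directory component")
    parts = [os.path.splitext(tail)[0]]
    head = os.path.abspath(head)
    while os.path.isfile(os.path.join(head, "__init__.py")):
        head, pkg = os.path.split(head)
        if not pkg:  # reached the filesystem root
            break
        parts.insert(0, pkg)
    return ".".join(parts)


def module_qualname_from_path(path):
    """Resolve a path as given on the command line. The commit's fix: a bare
    filename gets an explicit './' so os.path.split() yields a usable head."""
    if not os.path.dirname(path):
        path = os.path.join(".", path)
    return _qualname(*os.path.split(path))


def demo():
    """Constructed package tree; returns the name resolved from a full path and
    from a bare filename with the working directory inside the package."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "pkg", "sub")
        os.makedirs(sub)
        for directory in (os.path.join(root, "pkg"), sub):
            open(os.path.join(directory, "__init__.py"), "w").close()
        mod = os.path.join(sub, "mod.py")
        open(mod, "w").close()
        by_path = module_qualname_from_path(mod)
        cwd = os.getcwd()
        os.chdir(sub)
        try:
            bare = module_qualname_from_path("mod.py")
        finally:
            os.chdir(cwd)
        return by_path, bare


if __name__ == "__main__":
    print(demo())
```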
Commits on Jan 21, 2024
- Rework GitPython dependency to be an extra for bandit-baseline (#1099) [22c75a8]
  The only piece of code that requires GitPython is bandit-baseline. There tends to be an abundance of CVEs in the GitPython library due to its dependency on Git. By making GitPython optional via an extra, users who mostly use just the bandit command line and not bandit-baseline can benefit. However, this will require a different install if a user wants to use bandit-baseline. This is now noted in the Getting Started doc, but you simply do: pip install bandit[GitPython]
  FYI, this option was suggested in PR #976.
  Signed-off-by: Eric Brown <[email protected]>
Commits on Jan 22, 2024
- 99ddf6b (no subject captured on this page)
Commits on Jan 23, 2024
- Introduce Official Bandit Images (#1088) [ff7ed4b]
  - Introduce Official Bandit Images: Folks are using various bandit images kindly built by others, but we should really start providing one of our own that builds directly from source (the others use pip install). Should a different container image be subjected to some sort of attack (maintainer take over), this could lead to some serious problems for those using Bandit. This PR includes an action to build, publish and sign the image using sigstore cosign. This way (should they wish) users can verify the source of origin for these images was the official repo. You can see an example of this below, where I tested the action in my own test fork (bandit-test): https://search.sigstore.dev/?logIndex=61918446
  - Update tags for other actions
  - Fix TOX
  - Single python release and review points
  - Single python release and review points
  - Remove arch from container tag
  - Remove arch from container tag
  - Missed text referencing arch tag
  - Add workflow dispatch
  - On schedule or dispatch, build from last release
  - Pin to digests
  Signed-off-by: Luke Hinds <[email protected]>
- Remove markdown formatting in reStructuredText formatted README (#1103) [3f86e84]
  A recent change to the README has code blocks in markdown format. Since our README is actually reStructuredText format, this causes syntax errors. It's an even bigger problem when an attempt is made to publish the package with the README serving as the PyPI description. The syntax errors prevent package publishing.
  Fixes #1102
  Signed-off-by: Eric Brown <[email protected]>
- Downsize the org:repo name (#1104) [4c5b3c8]
  Currently we fail with: `ERROR: invalid tag "ghcr.io/PyCQA/bandit/bandit:latest": repository name must be lowercase`
  This is from the capitalized org name: PyCQA
  This change lowercases the entire string
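Two practitioner points from #1088 and #1104, as an added example that is neither Bandit's workflow nor cosign's code. First, the registry's "repository name must be lowercase" rule applies to the registry and repository path only; tags are case-sensitive, so lowercasing the entire reference string would silently retarget a tag such as `1.7.7-RC1`. `normalize_image_ref()` lowercases just the path and validates the result against a simplified form of the OCI reference grammar (digest references and registries with a port are left out). Second, `cosign_verify_argv()` assembles the keyless `cosign verify` invocation (cosign 2.x flags) a consumer would run to check that an image was signed from a GitHub Actions workflow; the certificate identity regexp is whatever the publishing workflow's identity is, so the value passed in below is an assumption.

```python
import re

# Simplified OCI reference grammar: lowercase path components separated by '/',
# and a case-sensitive tag of up to 128 characters. No port or digest support.
_REPO_RE = re.compile(
    r"^[a-z0-9]+(?:[._-][a-z0-9]+)*(?:/[a-z0-9]+(?:[._-][a-z0-9]+)*)*$"
)
_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


def normalize_image_ref(ref):
    """Lowercase the registry/repository part of `ref` but leave the tag alone,
    then validate the result. Repository names must be lowercase; tags are
    case-sensitive, so lowercasing the whole string could point at a different
    tag than the one intended. A missing tag defaults to 'latest'."""
    if "@" in ref:
        raise ValueError("digest references are not handled in this example")
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        name, tag = ref[:colon], ref[colon + 1:]
    else:
        name, tag = ref, "latest"
    name = name.lower()
    if not _REPO_RE.match(name) or not _TAG_RE.match(tag):
        raise ValueError(f"invalid image reference: {ref!r}")
    return f"{name}:{tag}"


def cosign_verify_argv(ref, identity_regexp,
                       issuer="https://token.actions.githubusercontent.com"):
    """Argument vector for keyless `cosign verify` of an image signed from a
    GitHub Actions workflow (cosign 2.x flags). `identity_regexp` must match the
    signing certificate's identity; the caller supplies it, this code does not
    know the real workflow's identity."""
    return [
        "cosign", "verify",
        "--certificate-oidc-issuer", issuer,
        "--certificate-identity-regexp", identity_regexp,
        normalize_image_ref(ref),
    ]


if __name__ == "__main__":
    import shlex
    # The identity regexp below is an assumption for illustration only.
    argv = cosign_verify_argv(
        "ghcr.io/PyCQA/bandit/bandit:latest",
        r"^https://github.com/PyCQA/bandit/",
    )
    print(shlex.join(argv))
```

Pinning to the image digest (`@sha256:...`) rather than a mutable tag is the stronger habit once verification passes; this example deliberately stops at the tag form the commit discusses.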
To view the full diff locally: git diff 1.7.6...1.7.7