I ran Bandit against Barbican and found some false positives regarding SQL.
It appears Bandit is mistaking our DocStrings with lots of colons as a SQL command construction.
Test results:
>> Possible SQL injection vector through string-based query construction, without SQLALCHEMY use
- /Users/dmccowan/barbican/barbican/plugin/interface/certificate_manager.py::242
239 :returns: A :class:`ResultDTO` instance containing the result
240 populated by the plugin implementation
241 :rtype: :class:`ResultDTO`
242 """
243 raise NotImplementedError # pragma: no cover
244
>> Possible SQL injection vector through string-based query construction, without SQLALCHEMY use
- /Users/dmccowan/barbican/barbican/plugin/simple_certificate_manager.py::55
52 :returns: A :class:`ResultDTO` instance containing the result
53 populated by the plugin implementation
54 :rtype: :class:`ResultDTO`
55 """
56 LOG.info(u._LI('Invoking modify_certificate_request()'))
57 return cert.ResultDTO(cert.CertificateStatus.WAITING_FOR_CA)
>> Possible SQL injection vector through string-based query construction, without SQLALCHEMY use
- /Users/dmccowan/barbican/barbican/plugin/symantec.py::96
93 this plugin. Plugins may also update/add
94 information here which Barbican will persist
95 on their behalf.
96 """
97 raise NotImplementedError # pragma: no cover
98
Here is an example docstring that triggers the warning.
It starts with "update" and includes the word "set" in the text.
It would make sense for Bandit to exclude doc strings from the string tests.
def modify_
"""Update the order meta-data
:param order_id: ID associated with the order
:param order_meta: Dict of meta-data associated with the order.
:param plugin_meta: Plugin meta-data previously set by calls to
:returns: A :class:`ResultDTO` instance containing the result
:rtype: :class:`ResultDTO`
"""