After excluding plugin from the bandit.yaml it still was used during the scanning

Bug #1554112 reported by Egor Kotko
Affects: Bandit
Status: Fix Released
Importance: Critical
Assigned to: Tim Kelsey

Bug Description

Steps to reproduce:
1. Create a virtual environment: # virtualenv venv
2. Activate it: # . venv/bin/activate
3. Change the bandit.yaml section "exclude": http://paste.openstack.org/show/489562/
4. Start bandit on any code:
# bandit -c my-bandit.yaml -r /web_test/ >> qwe

Actual result:

The result contains a report from the test "assert_used":
Issue: [assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low Confidence: High
   Location: /home/ykotko/FRESH-FUEL_MAIN/fuel-qa/fuelweb_test/models/fuel_web_client.py:1878
1877 else:
1878 assert 'No cluster_deletion task found!'
1879

Tags: exclude
Eric Brown (ericwb) wrote :

So the bandit.yaml has a profile called "All", but to use it you need to specify "-p All". In your example, a profile was not specified, meaning it will by default run using all plugins.

Changed in bandit:
status: New → Invalid
assignee: nobody → Eric Brown (ericwb)
Egor Kotko (ykotko) wrote :

I have tried to add the parameter and got the error:

(bandit-security-check_VENV)srv:/home/jenkins/workspace/bandit-security-check$ bandit -c bandit_conf.yaml -r /home/jenkins/workspace/bandit-security-check/openstack/fuel-web.git -n5 -p bandit_conf_with_excludes
Traceback (most recent call last):
  File "/home/jenkins/workspace/bandit-security-check_VENV/bin/bandit", line 11, in <module>
    sys.exit(main())
  File "/home/jenkins/workspace/bandit-security-check_VENV/local/lib/python2.7/site-packages/bandit/bandit.py", line 286, in main
    ignore_nosec=args.ignore_nosec)
  File "/home/jenkins/workspace/bandit-security-check_VENV/local/lib/python2.7/site-packages/bandit/core/manager.py", line 82, in __init__
    profile=profile)
  File "/home/jenkins/workspace/bandit-security-check_VENV/local/lib/python2.7/site-packages/bandit/core/test_set.py", line 36, in __init__
    self.load_tests(filter=filter_list)
  File "/home/jenkins/workspace/bandit-security-check_VENV/local/lib/python2.7/site-packages/bandit/core/test_set.py", line 146, in load_tests
    self._filter_tests(filter)
  File "/home/jenkins/workspace/bandit-security-check_VENV/local/lib/python2.7/site-packages/bandit/core/test_set.py", line 102, in _filter_tests
    del temp_dict[check_type][test_name]
KeyError: 'try_except_pass'

Changed in bandit:
status: Invalid → Confirmed
Jamie Finnigan (jamiefinnigan) wrote :

I think this points to the Bandit docs not properly lining up with how we do config/profiles now, after recent changes.

Watch this space, improvements coming..

Travis McPeak (travis-mcpeak) wrote :

Yeah, if nothing else we should at least confirm that you're not excluding a test that doesn't exist (hence the KeyError).

Tim Kelsey (tim-kelsey) wrote :

There is a check for that condition in the code already, this is another bug, I'll take it.

Changed in bandit:
importance: Undecided → Critical
assignee: Eric Brown (ericwb) → Tim Kelsey (tim-kelsey)
Tim Kelsey (tim-kelsey) wrote :

@ykotko I'm having trouble reproducing this bug. I'm running "bandit -c ./bandit_hack.yml -r ./fuel-web/ -n5 -p All" using the latest bandit code in master and with the following config:

profiles:
    All:
        exclude:
            - assert_used
            - try_except_pass
        include:
            - any_other_function_with_shell_equals_true
            - blacklist_calls
            - blacklist_import_func
            - blacklist_imports
            - exec_used
            - execute_with_run_as_root_equals_true
            - hardcoded_bind_all_interfaces
            - hardcoded_password_string
            - hardcoded_password_funcarg
            - hardcoded_password_default
            - hardcoded_sql_expressions
            - hardcoded_tmp_directory
            - jinja2_autoescape_false
            - linux_commands_wildcard_injection
            - paramiko_calls
            - password_config_option_not_marked_secret
            - request_with_no_cert_validation
            - set_bad_file_permissions
            - subprocess_popen_with_shell_equals_true
            - subprocess_without_shell_equals_true
            - start_process_with_a_shell
            - start_process_with_no_shell
            - start_process_with_partial_path
            - ssl_with_bad_defaults
            - ssl_with_bad_version
            - ssl_with_no_version
            - use_of_mako_templates
            - weak_cryptographic_key

Is this the same as your setup? Are you using the latest bandit from git or the one from PyPI?

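A profile filter in the spirit of the include/exclude profile quoted above, added here as an example for this thread (it is not Bandit's own code): it validates every profile name and test name up front, as Travis suggests, and reports unknown names explicitly instead of failing with a bare KeyError. The check types, test names, config and function names below are a constructed sample and assumptions, not Bandit's internals.

```python
# Constructed sample of loaded plugins: check_type -> set of test names.
SAMPLE_TESTS = {
    "Call": {"assert_used", "exec_used", "paramiko_calls",
             "subprocess_popen_with_shell_equals_true"},
    "TryExcept": {"try_except_pass"},
    "Import": {"blacklist_imports", "blacklist_import_func"},
}
# Constructed config mirroring the shape of the profile quoted in the thread.
SAMPLE_CONFIG = {
    "profiles": {
        "All": {
            "exclude": ["assert_used", "try_except_pass"],
            "include": ["exec_used", "paramiko_calls", "blacklist_imports",
                        "blacklist_import_func",
                        "subprocess_popen_with_shell_equals_true"],
        }
    }
}


class ProfileError(ValueError):
    """A profile name or test name that does not exist."""


def select_profile(config, name):
    """Look up a named profile (the -p argument); an unknown name lists
    what the config actually provides."""
    profiles = config.get("profiles") or {}
    if name not in profiles:
        raise ProfileError("unknown profile %r; available: %s"
                           % (name, ", ".join(sorted(profiles)) or "none"))
    return profiles[name]


def apply_profile(tests, profile):
    """Return {check_type: {test_name}} after include/exclude filtering.

    Assumed semantics: a non-empty include list keeps only those tests, then
    every excluded name is removed.  Both lists are validated up front, and
    excluding a name that include already dropped (try_except_pass in the
    quoted config) is harmless: set subtraction never raises as a dict del can.
    """
    known = {n for names in tests.values() for n in names}
    include = set(profile.get("include") or [])
    exclude = set(profile.get("exclude") or [])
    unknown = sorted((include | exclude) - known)
    if unknown:
        raise ProfileError("unknown tests in profile: " + ", ".join(unknown))
    keep = (include or known) - exclude
    return {ct: names & keep for ct, names in tests.items()}
```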
Egor Kotko (ykotko) wrote :

Here is the bandit_conf.yaml with the profile: http://paste.openstack.org/show/491056/
The command: bandit -c bandit_conf.yaml -r openstack/fuel-web.git/nailgun/ -n5 -p bandit_conf_with_excludes

The result of execution:
bandit-security-check$ bandit -c bandit_conf.yaml -r openstack/fuel-web.git/nailgun/ -n5 -p bandit_conf_with_excludes
Traceback (most recent call last):
  File "/home/jenkins/workspace/bandit-security-check_VENV/bin/bandit", line 11, in <module>
    sys.exit(main())
  File "/home/jenkins/workspace/bandit-security-check_VENV/local/lib/python2.7/site-packages/bandit/bandit.py", line 286, in main
    ignore_nosec=args.ignore_nosec)
  File "/home/jenkins/workspace/bandit-security-check_VENV/local/lib/python2.7/site-packages/bandit/core/manager.py", line 82, in __init__
    profile=profile)
  File "/home/jenkins/workspace/bandit-security-check_VENV/local/lib/python2.7/site-packages/bandit/core/test_set.py", line 36, in __init__
    self.load_tests(filter=filter_list)
  File "/home/jenkins/workspace/bandit-security-check_VENV/local/lib/python2.7/site-packages/bandit/core/test_set.py", line 146, in load_tests
    self._filter_tests(filter)
  File "/home/jenkins/workspace/bandit-security-check_VENV/local/lib/python2.7/site-packages/bandit/core/test_set.py", line 102, in _filter_tests
    del temp_dict[check_type][test_name]
KeyError: 'try_except_pass'

Bandit was installed with the command pip install "bandit==0.17.3"

Tim Kelsey (tim-kelsey) wrote :

Thanks for the update @ykotko, I have reproduced this in 0.17.3 but can confirm it is fixed in the current head of master. We will push out a new release to address this issue.

Changed in bandit:
status: Confirmed → Fix Committed
Tim Kelsey (tim-kelsey)
Changed in bandit:
status: Fix Committed → Fix Released