Skip to content

Commit

Permalink
Add CWE mappings to bandit vulnerabilities
Browse files Browse the repository at this point in the history
  • Loading branch information
julianthome committed May 14, 2020
1 parent 7304106 commit 362f25b
Show file tree
Hide file tree
Showing 12 changed files with 50 additions and 32 deletions.
1 change: 1 addition & 0 deletions bandit/formatters/csv.py
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
'test_name',
'test_id',
'issue_severity',
'issue_cwe',
'issue_confidence',
'issue_text',
'line_number',
Expand Down
2 changes: 2 additions & 0 deletions bandit/formatters/html.py
Original file line number Diff line number Diff line change
Expand Up @@ -266,6 +266,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
<b>{test_name}: </b> {test_text}<br>
<b>Test ID:</b> {test_id}<br>
<b>Severity: </b>{severity}<br>
<b>CWE: </b>{cwe}<br>
<b>Confidence: </b>{confidence}<br>
<b>File: </b><a href="{path}" target="_blank">{path}</a> <br>
<b>More info: </b><a href="{url}" target="_blank">{url}</a><br>
Expand Down Expand Up @@ -360,6 +361,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
test_id=issue.test_id,
test_text=issue.text,
severity=issue.severity,
cwe=issue.cwe,
confidence=issue.confidence,
path=issue.fname, code=code,
candidates=candidates,
Expand Down
10 changes: 6 additions & 4 deletions bandit/formatters/screen.py
Original file line number Diff line number Diff line change
Expand Up @@ -97,10 +97,12 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
# returns a list of lines that should be added to the existing lines list
bits = []
bits.append("%s%s>> Issue: [%s:%s] %s" % (
indent, COLOR[issue.severity], issue.test_id, issue.test, issue.text))
indent, COLOR[issue.severity], issue.test_id, issue.test,
issue.text))

bits.append("%s Severity: %s Confidence: %s" % (
indent, issue.severity.capitalize(), issue.confidence.capitalize()))
bits.append("%s Severity: %s CWE: %i Confidence: %s" % (
indent, issue.severity.capitalize(), issue.cwe,
issue.confidence.capitalize()))

bits.append("%s Location: %s:%s" % (
indent, issue.fname,
Expand All @@ -110,7 +112,7 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
indent, docs_utils.get_url(issue.test_id), COLOR['DEFAULT']))

if show_code:
bits.extend([indent + l for l in
bits.extend([indent + x for x in
issue.get_code(lines, True).split('\n')])

return '\n'.join([bit for bit in bits])
Expand Down
7 changes: 4 additions & 3 deletions bandit/formatters/text.py
Original file line number Diff line number Diff line change
Expand Up @@ -73,8 +73,9 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
bits.append("%s>> Issue: [%s:%s] %s" % (
indent, issue.test_id, issue.test, issue.text))

bits.append("%s Severity: %s Confidence: %s" % (
indent, issue.severity.capitalize(), issue.confidence.capitalize()))
bits.append("%s Severity: %s CWE: %i Confidence: %s" % (
indent, issue.severity.capitalize(), issue.cwe,
issue.confidence.capitalize()))

bits.append("%s Location: %s:%s" % (
indent, issue.fname, issue.lineno if show_lineno else ""))
Expand All @@ -83,7 +84,7 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
indent, docs_utils.get_url(issue.test_id)))

if show_code:
bits.extend([indent + l for l in
bits.extend([indent + x for x in
issue.get_code(lines, True).split('\n')])

return '\n'.join([bit for bit in bits])
Expand Down
8 changes: 5 additions & 3 deletions bandit/formatters/xml.py
Original file line number Diff line number Diff line change
Expand Up @@ -60,9 +60,11 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
testcase = ET.SubElement(root, 'testcase',
classname=issue.fname, name=test)

text = 'Test ID: %s Severity: %s Confidence: %s\n%s\nLocation %s:%s'
text = text % (issue.test_id, issue.severity, issue.confidence,
issue.text, issue.fname, issue.lineno)
text = 'Test ID: %s Severity: %s CWE: %s ' \
'Confidence: %s\n%s\nLocation %s:%s'
text = text % (issue.test_id, issue.severity, issue.cwe,
issue.confidence, issue.text, issue.fname,
issue.lineno)
ET.SubElement(testcase, 'error',
more_info=docs_utils.get_url(issue.test_id),
type=issue.severity,
Expand Down
11 changes: 6 additions & 5 deletions tests/unit/core/test_issue.py
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,8 @@ def test_issue_create(self):
def test_issue_str(self):
test_issue = _get_issue_instance()
self.assertEqual(
("Issue: 'Test issue' from B999:bandit_plugin: CWE: 123, Severity: MEDIUM "
"Confidence: MEDIUM at code.py:1"),
("Issue: 'Test issue' from B999:bandit_plugin: CWE: 123,"
" Severity: MEDIUM Confidence: MEDIUM at code.py:1"),
str(test_issue)
)

Expand All @@ -41,7 +41,7 @@ def test_issue_as_dict(self):

def test_issue_filter_severity(self):
levels = [bandit.LOW, bandit.MEDIUM, bandit.HIGH]
issues = [_get_issue_instance(l, bandit.HIGH) for l in levels]
issues = [_get_issue_instance(x, bandit.HIGH) for x in levels]

for level in levels:
rank = constants.RANKING.index(level)
Expand All @@ -52,7 +52,7 @@ def test_issue_filter_severity(self):

def test_issue_filter_confidence(self):
levels = [bandit.LOW, bandit.MEDIUM, bandit.HIGH]
issues = [_get_issue_instance(bandit.HIGH, l) for l in levels]
issues = [_get_issue_instance(bandit.HIGH, x) for x in levels]

for level in levels:
rank = constants.RANKING.index(level)
Expand Down Expand Up @@ -116,7 +116,8 @@ def test_get_code(self, getline):
self.fail('Bytes not properly decoded in issue.get_code()')


def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, confidence=bandit.MEDIUM):
def _get_issue_instance(severity=bandit.MEDIUM, cwe=123,
confidence=bandit.MEDIUM):
new_issue = issue.Issue(severity, cwe, confidence, 'Test issue')
new_issue.fname = 'code.py'
new_issue.test = 'bandit_plugin'
Expand Down
9 changes: 5 additions & 4 deletions tests/unit/core/test_manager.py
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,8 @@

class ManagerTests(testtools.TestCase):

def _get_issue_instance(self, sev=constants.MEDIUM, cwe=123, conf=constants.MEDIUM):
def _get_issue_instance(self, sev=constants.MEDIUM, cwe=123,
conf=constants.MEDIUM):
new_issue = issue.Issue(sev, cwe, conf, 'Test issue')
new_issue.fname = 'code.py'
new_issue.test = 'bandit_plugin'
Expand Down Expand Up @@ -145,10 +146,10 @@ def test_populate_baseline_invalid_json(self, mock_logger_warning):
def test_results_count(self):
levels = [constants.LOW, constants.MEDIUM, constants.HIGH]
self.manager.results = (
[issue.Issue(severity=l, cwe=123, confidence=l) for l in levels])
[issue.Issue(severity=x, cwe=123, confidence=x) for x in levels])

r = [self.manager.results_count(sev_filter=l, conf_filter=l)
for l in levels]
r = [self.manager.results_count(sev_filter=x, conf_filter=x)
for x in levels]

self.assertEqual([3, 2, 1], r)

Expand Down
3 changes: 2 additions & 1 deletion tests/unit/formatters/test_html.py
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,8 @@ def test_escaping(self, get_issue_list, get_code):
self.assertNotIn(marker, contents)


def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, confidence=bandit.MEDIUM):
def _get_issue_instance(severity=bandit.MEDIUM, cwe=123,
confidence=bandit.MEDIUM):
new_issue = issue.Issue(severity, cwe, confidence, 'Test issue')
new_issue.fname = 'code.py'
new_issue.test = 'bandit_plugin'
Expand Down
10 changes: 6 additions & 4 deletions tests/unit/formatters/test_json.py
Original file line number Diff line number Diff line change
Expand Up @@ -29,11 +29,13 @@ def setUp(self):
'lineno': 4,
'linerange': [4]}
self.check_name = 'hardcoded_bind_all_interfaces'
self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM, 'Possible binding to all interfaces.')
self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM,
'Possible binding to all interfaces.')

self.candidates = [issue.Issue(123, bandit.LOW, bandit.LOW, 'Candidate A', lineno=1),
issue.Issue(bandit.HIGH, 123, bandit.HIGH, 'Candiate B',
lineno=2)]
self.candidates = [issue.Issue(123, bandit.LOW, bandit.LOW,
'Candidate A', lineno=1),
issue.Issue(bandit.HIGH, 123, bandit.HIGH,
'Candiate B', lineno=2)]

self.manager.out_file = self.tmp_fname

Expand Down
6 changes: 4 additions & 2 deletions tests/unit/formatters/test_screen.py
Original file line number Diff line number Diff line change
Expand Up @@ -32,8 +32,9 @@ def _template(_issue, _indent_val, _code, _color):
return_val = ["{}{}>> Issue: [{}:{}] {}".
format(_indent_val, _color, _issue.test_id,
_issue.test, _issue.text),
"{} Severity: {} Confidence: {}".
"{} Severity: {} CWE: {} Confidence: {}".
format(_indent_val, _issue.severity.capitalize(),
_issue.cwe,
_issue.confidence.capitalize()),
"{} Location: {}:{}".
format(_indent_val, _issue.fname, _issue.lineno),
Expand Down Expand Up @@ -198,7 +199,8 @@ def test_report_baseline(self, get_issue_list):
output_str.assert_has_calls(calls, any_order=True)


def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, confidence=bandit.MEDIUM):
def _get_issue_instance(severity=bandit.MEDIUM, cwe=123,
confidence=bandit.MEDIUM):
new_issue = issue.Issue(severity, cwe, confidence, 'Test issue')
new_issue.fname = 'code.py'
new_issue.test = 'bandit_plugin'
Expand Down
7 changes: 5 additions & 2 deletions tests/unit/formatters/test_text.py
Original file line number Diff line number Diff line change
Expand Up @@ -32,8 +32,9 @@ def _template(_issue, _indent_val, _code):
return_val = ["{}>> Issue: [{}:{}] {}".
format(_indent_val, _issue.test_id, _issue.test,
_issue.text),
"{} Severity: {} Confidence: {}".
"{} Severity: {} CWE: {} Confidence: {}".
format(_indent_val, _issue.severity.capitalize(),
_issue.cwe,
_issue.confidence.capitalize()),
"{} Location: {}:{}".
format(_indent_val, _issue.fname, _issue.lineno),
Expand Down Expand Up @@ -130,6 +131,7 @@ def test_report_nobaseline(self, get_issue_list):
'binding.py (score: ',
"CONFIDENCE: 1",
"SEVERITY: 1",
"CWE: 123",
'Files excluded (1):',
'def.py',
'Undefined: 1',
Expand Down Expand Up @@ -186,7 +188,8 @@ def test_report_baseline(self, get_issue_list):
output_str.assert_has_calls(calls, any_order=True)


def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, confidence=bandit.MEDIUM):
def _get_issue_instance(severity=bandit.MEDIUM, cwe=123,
confidence=bandit.MEDIUM):
new_issue = issue.Issue(severity, cwe, confidence, 'Test issue')
new_issue.fname = 'code.py'
new_issue.test = 'bandit_plugin'
Expand Down
8 changes: 4 additions & 4 deletions tests/unit/formatters/test_yaml.py
Original file line number Diff line number Diff line change
Expand Up @@ -32,10 +32,10 @@ def setUp(self):
self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM,
'Possible binding to all interfaces.')

self.candidates = [issue.Issue(bandit.LOW, 123, bandit.LOW, 'Candidate A',
lineno=1),
issue.Issue(bandit.HIGH, 123, bandit.HIGH, 'Candiate B',
lineno=2)]
self.candidates = [issue.Issue(bandit.LOW, 123, bandit.LOW,
'Candidate A', lineno=1),
issue.Issue(bandit.HIGH, 123, bandit.HIGH,
'Candiate B', lineno=2)]

self.manager.out_file = self.tmp_fname

Expand Down

0 comments on commit 362f25b

Please sign in to comment.