diff --git a/bandit/core/blacklisting.py b/bandit/core/blacklisting.py index aecf1512f..67b7680aa 100644 --- a/bandit/core/blacklisting.py +++ b/bandit/core/blacklisting.py @@ -12,7 +12,7 @@ def report_issue(check, name): return issue.Issue( - severity=check.get('level', 'MEDIUM'), confidence='HIGH', + severity=check.get('level', 'MEDIUM'), cwe=0, confidence='HIGH', text=check['message'].replace('{name}', name), ident=name, test_id=check.get("id", 'LEGACY')) diff --git a/bandit/core/issue.py b/bandit/core/issue.py index 61394dbbd..2e653cc82 100644 --- a/bandit/core/issue.py +++ b/bandit/core/issue.py @@ -15,9 +15,11 @@ class Issue(object): - def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT, + def __init__(self, severity, cwe, + confidence=constants.CONFIDENCE_DEFAULT, text="", ident=None, lineno=None, test_id=""): self.severity = severity + self.cwe = cwe self.confidence = confidence if isinstance(text, bytes): text = text.decode('utf-8') @@ -30,16 +32,17 @@ def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT, self.linerange = [] def __str__(self): - return ("Issue: '%s' from %s:%s: Severity: %s Confidence: " + return ("Issue: '%s' from %s:%s: CWE: %i, Severity: %s Confidence: " "%s at %s:%i") % (self.text, self.test_id, - (self.ident or self.test), self.severity, - self.confidence, self.fname, self.lineno) + (self.ident or self.test), self.cwe, + self.severity, self.confidence, self.fname, + self.lineno) def __eq__(self, other): # if the issue text, severity, confidence, and filename match, it's # the same issue from our perspective - match_types = ['text', 'severity', 'confidence', 'fname', 'test', - 'test_id'] + match_types = ['text', 'severity', 'cwe', 'confidence', 'fname', + 'test', 'test_id'] return all(getattr(self, field) == getattr(other, field) for field in match_types) 
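Review bot: In `report_issue` every blacklist finding is hard-wired to `cwe=0`, which is not a CWE identifier, so all of the calls/imports blacklist checks will render as `CWE: 0` in every formatter and in the CSV/JSON output that downstream tools key on. The `check` dict already carries per-entry metadata (`level`, `message`, `id`), so the id can be read the same way: `cwe=check.get('cwe', 0),`. Until the blacklist data files carry that key, a short comment on the line (`# 0 = no CWE mapped for this blacklist entry`) keeps report consumers from treating 0 as a real weakness id.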
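Review bot: Inserting `cwe` as a required positional parameter ahead of `confidence` in `Issue.__init__` silently breaks any caller still using the old positional order `Issue(severity, confidence, text)`: the confidence string lands in `cwe` and the text in `confidence`, and nothing fails until `__str__` or a formatter applies `%i` to it. Third-party plugins construct `bandit.Issue` directly, and the test_json.py change in this same commit (`issue.Issue(123, bandit.LOW, bandit.LOW, ...)`) shows how easily the order is mixed up. A compatible shape is to append it with a default, `def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT, text="", ident=None, lineno=None, test_id="", cwe=0):`, or at minimum validate it in the body with `if not isinstance(cwe, int): raise TypeError("cwe must be an int")` so the mistake surfaces at construction rather than at report time.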
@@ -101,11 +104,12 @@ def as_dict(self, with_code=True): 'test_name': self.test, 'test_id': self.test_id, 'issue_severity': self.severity, + 'issue_cwe': self.cwe, 'issue_confidence': self.confidence, 'issue_text': self.text.encode('utf-8').decode('utf-8'), 'line_number': self.lineno, 'line_range': self.linerange, - } + } if with_code: out['code'] = self.get_code() @@ -115,6 +119,7 @@ def from_dict(self, data, with_code=True): self.code = data["code"] self.fname = data["filename"] self.severity = data["issue_severity"] + self.cwe = int(data["issue_cwe"]) self.confidence = data["issue_confidence"] self.text = data["issue_text"] self.test = data["test_name"] @@ -124,6 +129,6 @@ def from_dict(self, data, with_code=True): def issue_from_dict(data): - i = Issue(severity=data["issue_severity"]) + i = Issue(severity=data["issue_severity"], cwe=int(data["issue_cwe"])) i.from_dict(data) return i diff --git a/bandit/formatters/csv.py b/bandit/formatters/csv.py index 1fc5878e8..93135d6fd 100644 --- a/bandit/formatters/csv.py +++ b/bandit/formatters/csv.py @@ -56,6 +56,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): 'test_name', 'test_id', 'issue_severity', + 'issue_cwe', 'issue_confidence', 'issue_text', 'line_number', diff --git a/bandit/formatters/html.py b/bandit/formatters/html.py index 29c008b70..ed3bc2ea6 100644 --- a/bandit/formatters/html.py +++ b/bandit/formatters/html.py @@ -266,6 +266,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): {test_name}: {test_text}
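Review bot: `from_dict` and `issue_from_dict` now call `int(data["issue_cwe"])` unconditionally, so loading a baseline written by a Bandit release that predates this field raises `KeyError` and the whole baseline run aborts. Baseline files are long-lived artifacts committed to repositories, so the field should be read defensively: `self.cwe = int(data.get("issue_cwe", 0))` and `cwe=int(data.get("issue_cwe", 0))`. Because `cwe` was also added to the `__eq__` match list, an old baseline entry loaded as 0 will no longer match a fresh finding that now carries a real id, which re-surfaces every previously accepted issue; that behaviour should at least be documented, or the comparison should skip `cwe` when either side is 0.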
Test ID: {test_id}
Severity: {severity}
+ CWE: {cwe}
Confidence: {confidence}
File: {path}
More info: {url}
@@ -360,6 +361,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): test_id=issue.test_id, test_text=issue.text, severity=issue.severity, + cwe=issue.cwe, confidence=issue.confidence, path=issue.fname, code=code, candidates=candidates, diff --git a/bandit/formatters/screen.py b/bandit/formatters/screen.py index 1641f1afa..8407b9320 100644 --- a/bandit/formatters/screen.py +++ b/bandit/formatters/screen.py @@ -97,10 +97,12 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True, # returns a list of lines that should be added to the existing lines list bits = [] bits.append("%s%s>> Issue: [%s:%s] %s" % ( - indent, COLOR[issue.severity], issue.test_id, issue.test, issue.text)) + indent, COLOR[issue.severity], issue.test_id, issue.test, + issue.text)) - bits.append("%s Severity: %s Confidence: %s" % ( - indent, issue.severity.capitalize(), issue.confidence.capitalize())) + bits.append("%s Severity: %s CWE: %i Confidence: %s" % ( + indent, issue.severity.capitalize(), issue.cwe, + issue.confidence.capitalize())) bits.append("%s Location: %s:%s" % ( indent, issue.fname, @@ -110,7 +112,7 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True, indent, docs_utils.get_url(issue.test_id), COLOR['DEFAULT'])) if show_code: - bits.extend([indent + l for l in + bits.extend([indent + x for x in issue.get_code(lines, True).split('\n')]) return '\n'.join([bit for bit in bits]) diff --git a/bandit/formatters/text.py b/bandit/formatters/text.py index 33fcba83f..5f47bbc00 100644 --- a/bandit/formatters/text.py +++ b/bandit/formatters/text.py 
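Review bot: `cwe=issue.cwe` is interpolated into the HTML template as-is, whereas the other issue fields in this formatter appear to go through escaping (the test file has a `test_escaping` case); that is safe only while `cwe` is guaranteed to be an int. Since `Issue.__init__` accepts any object for `cwe` and third-party plugins build `Issue` directly, either coerce in the formatter, `cwe=int(issue.cwe),`, or pass it through the same escape helper as `test_text`, so a non-int value cannot become unescaped markup in the report.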
@@ -73,8 +73,9 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True, bits.append("%s>> Issue: [%s:%s] %s" % ( indent, issue.test_id, issue.test, issue.text)) - bits.append("%s Severity: %s Confidence: %s" % ( - indent, issue.severity.capitalize(), issue.confidence.capitalize())) + bits.append("%s Severity: %s CWE: %i Confidence: %s" % ( + indent, issue.severity.capitalize(), issue.cwe, + issue.confidence.capitalize())) bits.append("%s Location: %s:%s" % ( indent, issue.fname, issue.lineno if show_lineno else "")) @@ -83,7 +84,7 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True, indent, docs_utils.get_url(issue.test_id))) if show_code: - bits.extend([indent + l for l in + bits.extend([indent + x for x in issue.get_code(lines, True).split('\n')]) return '\n'.join([bit for bit in bits]) diff --git a/bandit/formatters/xml.py b/bandit/formatters/xml.py index a21e80024..720ccbe82 100644 --- a/bandit/formatters/xml.py +++ b/bandit/formatters/xml.py @@ -60,9 +60,11 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1): testcase = ET.SubElement(root, 'testcase', classname=issue.fname, name=test) - text = 'Test ID: %s Severity: %s Confidence: %s\n%s\nLocation %s:%s' - text = text % (issue.test_id, issue.severity, issue.confidence, - issue.text, issue.fname, issue.lineno) + text = 'Test ID: %s Severity: %s CWE: %s ' \ + 'Confidence: %s\n%s\nLocation %s:%s' + text = text % (issue.test_id, issue.severity, issue.cwe, + issue.confidence, issue.text, issue.fname, + issue.lineno) ET.SubElement(testcase, 'error', more_info=docs_utils.get_url(issue.test_id), type=issue.severity, diff --git a/bandit/plugins/app_debug.py b/bandit/plugins/app_debug.py index 76d2c60cb..0ef80e3b2 100644 --- a/bandit/plugins/app_debug.py +++ b/bandit/plugins/app_debug.py 
@@ -51,6 +51,7 @@ def flask_debug_true(context): if context.check_call_arg_value('debug', 'True'): return bandit.Issue( severity=bandit.HIGH, + cwe=94, confidence=bandit.MEDIUM, text="A Flask app appears to be run with debug=True, " "which exposes the Werkzeug debugger and allows " diff --git a/bandit/plugins/asserts.py b/bandit/plugins/asserts.py index b5356252b..60715c014 100644 --- a/bandit/plugins/asserts.py +++ b/bandit/plugins/asserts.py @@ -49,6 +49,7 @@ def assert_used(context): return bandit.Issue( severity=bandit.LOW, + cwe=703, confidence=bandit.HIGH, text=("Use of assert detected. The enclosed code " "will be removed when compiling to optimised byte code.") diff --git a/bandit/plugins/crypto_request_no_cert_validation.py b/bandit/plugins/crypto_request_no_cert_validation.py index f44cc7c9e..195ab8c7f 100644 --- a/bandit/plugins/crypto_request_no_cert_validation.py +++ b/bandit/plugins/crypto_request_no_cert_validation.py @@ -54,6 +54,7 @@ def request_with_no_cert_validation(context): if context.check_call_arg_value('verify', 'False'): issue = bandit.Issue( severity=bandit.HIGH, + cwe=295, confidence=bandit.HIGH, text="Requests call with verify=False disabling SSL " "certificate checks, security issue.", diff --git a/bandit/plugins/django_sql_injection.py b/bandit/plugins/django_sql_injection.py index 524a3ee87..c8469e665 100644 --- a/bandit/plugins/django_sql_injection.py +++ b/bandit/plugins/django_sql_injection.py @@ -77,6 +77,7 @@ def django_extra_used(context): if insecure: return bandit.Issue( severity=bandit.MEDIUM, + cwe=89, confidence=bandit.MEDIUM, text=description ) @@ -102,6 +103,7 @@ def django_rawsql_used(context): if not isinstance(sql, ast.Str): return bandit.Issue( severity=bandit.MEDIUM, + cwe=89, confidence=bandit.MEDIUM, text=description ) diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py index 17e134607..89a3ce433 100644 --- a/bandit/plugins/django_xss.py +++ b/bandit/plugins/django_xss.py 
@@ -250,6 +250,7 @@ def check_risk(node): if not secure: return bandit.Issue( severity=bandit.MEDIUM, + cwe=80, confidence=bandit.HIGH, text=description ) diff --git a/bandit/plugins/exec.py b/bandit/plugins/exec.py index 3d7d8c2d7..e170a2b2e 100644 --- a/bandit/plugins/exec.py +++ b/bandit/plugins/exec.py @@ -41,6 +41,7 @@ def exec_issue(): return bandit.Issue( severity=bandit.MEDIUM, + cwe=78, confidence=bandit.HIGH, text="Use of exec detected." ) diff --git a/bandit/plugins/general_bad_file_permissions.py b/bandit/plugins/general_bad_file_permissions.py index f02a85219..c6344333b 100644 --- a/bandit/plugins/general_bad_file_permissions.py +++ b/bandit/plugins/general_bad_file_permissions.py @@ -73,6 +73,7 @@ def set_bad_file_permissions(context): filename = 'NOT PARSED' return bandit.Issue( severity=sev_level, + cwe=78, confidence=bandit.HIGH, text="Chmod setting a permissive mask %s on file (%s)." % (oct(mode), filename) diff --git a/bandit/plugins/general_bind_all_interfaces.py b/bandit/plugins/general_bind_all_interfaces.py index 1971aa540..77f2f24a2 100644 --- a/bandit/plugins/general_bind_all_interfaces.py +++ b/bandit/plugins/general_bind_all_interfaces.py @@ -43,6 +43,7 @@ def hardcoded_bind_all_interfaces(context): if context.string_val == '0.0.0.0': return bandit.Issue( severity=bandit.MEDIUM, + cwe=605, confidence=bandit.MEDIUM, text="Possible binding to all interfaces." ) diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py index 2a44c4cc1..1d832cf03 100644 --- a/bandit/plugins/general_hardcoded_password.py +++ b/bandit/plugins/general_hardcoded_password.py @@ -22,6 +22,7 @@ def _report(value): return bandit.Issue( severity=bandit.LOW, + cwe=259, confidence=bandit.MEDIUM, text=("Possible hardcoded password: '%s'" % value)) diff --git a/bandit/plugins/general_hardcoded_tmp.py b/bandit/plugins/general_hardcoded_tmp.py index 535cf1b3d..b99ad4037 100644 --- a/bandit/plugins/general_hardcoded_tmp.py 
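Review bot: `exec_issue` tags the use of Python `exec` with `cwe=78` (OS Command Injection), but no shell or OS command is involved; the weakness is CWE-94 (Improper Control of Generation of Code) or its child CWE-95 (Eval Injection). Suggest `cwe=95,`. These ids are written to the CSV/JSON/XML output that triage tooling filters on, so a mislabelled injection class sends the finding to the wrong queue.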
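Review bot: `set_bad_file_permissions` also uses `cwe=78` (OS Command Injection) for a permissive chmod mask, which is unrelated to command injection; the standard id is CWE-732 (Incorrect Permission Assignment for Critical Resource). Suggest `cwe=732,`. Given how many plugins now carry a bare magic number, it may be worth a named table of CWE ids in one module (e.g. alongside the severity/confidence constants) so the mapping can be reviewed in one place.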
+++ b/bandit/plugins/general_hardcoded_tmp.py @@ -71,6 +71,7 @@ def hardcoded_tmp_directory(context, config): if any(context.string_val.startswith(s) for s in tmp_dirs): return bandit.Issue( severity=bandit.MEDIUM, + cwe=377, confidence=bandit.MEDIUM, text="Probable insecure usage of temp file/directory." ) diff --git a/bandit/plugins/hashlib_new_insecure_functions.py b/bandit/plugins/hashlib_new_insecure_functions.py index f40fc6a41..07a9d0a04 100644 --- a/bandit/plugins/hashlib_new_insecure_functions.py +++ b/bandit/plugins/hashlib_new_insecure_functions.py @@ -48,6 +48,7 @@ def hashlib_new(context): name.lower() in ('md4', 'md5', 'sha', 'sha1')): return bandit.Issue( severity=bandit.MEDIUM, + cwe=327, confidence=bandit.HIGH, text="Use of insecure MD4 or MD5 hash function.", lineno=context.node.lineno, diff --git a/bandit/plugins/injection_paramiko.py b/bandit/plugins/injection_paramiko.py index 4d26804b9..9e7e19c90 100644 --- a/bandit/plugins/injection_paramiko.py +++ b/bandit/plugins/injection_paramiko.py @@ -51,5 +51,6 @@ def paramiko_calls(context): if context.is_module_imported_like(module): if context.call_function_name in ['exec_command']: return bandit.Issue(severity=bandit.MEDIUM, + cwe=78, confidence=bandit.MEDIUM, text=issue_text) diff --git a/bandit/plugins/injection_shell.py b/bandit/plugins/injection_shell.py index 210716643..1e0b5a708 100644 --- a/bandit/plugins/injection_shell.py +++ b/bandit/plugins/injection_shell.py @@ -199,6 +199,7 @@ def subprocess_popen_with_shell_equals_true(context, config): if sev == bandit.LOW: return bandit.Issue( severity=bandit.LOW, + cwe=78, confidence=bandit.HIGH, text='subprocess call with shell=True seems safe, but ' 'may be changed in the future, consider ' @@ -208,6 +209,7 @@ def subprocess_popen_with_shell_equals_true(context, config): else: return bandit.Issue( severity=bandit.HIGH, + cwe=78, confidence=bandit.HIGH, text='subprocess call with shell=True identified, ' 'security issue.', 
@@ -287,6 +289,7 @@ def subprocess_without_shell_equals_true(context, config): if not has_shell(context): return bandit.Issue( severity=bandit.LOW, + cwe=78, confidence=bandit.HIGH, text='subprocess call - check for execution of untrusted ' 'input.', @@ -365,6 +368,7 @@ def any_other_function_with_shell_equals_true(context, config): if has_shell(context): return bandit.Issue( severity=bandit.MEDIUM, + cwe=78, confidence=bandit.LOW, text='Function call with shell=True parameter identified, ' 'possible security issue.', @@ -451,6 +455,7 @@ def start_process_with_a_shell(context, config): if sev == bandit.LOW: return bandit.Issue( severity=bandit.LOW, + cwe=78, confidence=bandit.HIGH, text='Starting a process with a shell: ' 'Seems safe, but may be changed in the future, ' @@ -459,6 +464,7 @@ def start_process_with_a_shell(context, config): else: return bandit.Issue( severity=bandit.HIGH, + cwe=78, confidence=bandit.HIGH, text='Starting a process with a shell, possible injection' ' detected, security issue.' @@ -547,6 +553,7 @@ def start_process_with_no_shell(context, config): if config and context.call_function_name_qual in config['no_shell']: return bandit.Issue( severity=bandit.LOW, + cwe=78, confidence=bandit.MEDIUM, text='Starting a process without a shell.' ) @@ -642,6 +649,7 @@ def start_process_with_partial_path(context, config): if isinstance(node, ast.Str) and not full_path_match.match(node.s): return bandit.Issue( severity=bandit.LOW, + cwe=78, confidence=bandit.HIGH, text='Starting a process with a partial executable path' ) diff --git a/bandit/plugins/injection_sql.py b/bandit/plugins/injection_sql.py index 3b5074635..ed17e82f0 100644 --- a/bandit/plugins/injection_sql.py +++ b/bandit/plugins/injection_sql.py 
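Review bot: `start_process_with_partial_path` is tagged `cwe=78`, but the finding is about resolving an executable through the search path rather than about shell metacharacters; CWE-426 (Untrusted Search Path) / CWE-427 (Uncontrolled Search Path Element) is the matching weakness, so `cwe=426,` fits better. The same question applies to `start_process_with_no_shell`, which reports a process start that explicitly does not use a shell; if 78 is kept there as the closest available id, a one-line comment saying so would stop the next reader from "fixing" it.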
@@ -104,6 +104,7 @@ def hardcoded_sql_expressions(context): if _check_string(val[1]): return bandit.Issue( severity=bandit.MEDIUM, + cwe=89, confidence=bandit.MEDIUM if val[0] else bandit.LOW, text="Possible SQL injection vector through string-based " "query construction." diff --git a/bandit/plugins/injection_wildcard.py b/bandit/plugins/injection_wildcard.py index 2c70e22bc..032e060b4 100644 --- a/bandit/plugins/injection_wildcard.py +++ b/bandit/plugins/injection_wildcard.py @@ -132,6 +132,7 @@ def linux_commands_wildcard_injection(context, config): ): return bandit.Issue( severity=bandit.HIGH, + cwe=155, confidence=bandit.MEDIUM, text="Possible wildcard injection in call: %s" % context.call_function_name_qual, diff --git a/bandit/plugins/insecure_ssl_tls.py b/bandit/plugins/insecure_ssl_tls.py index d10dbc3f2..b2f6f0f5b 100644 --- a/bandit/plugins/insecure_ssl_tls.py +++ b/bandit/plugins/insecure_ssl_tls.py @@ -105,6 +105,7 @@ def ssl_with_bad_version(context, config): if context.check_call_arg_value('ssl_version', bad_ssl_versions): return bandit.Issue( severity=bandit.HIGH, + cwe=326, confidence=bandit.HIGH, text="ssl.wrap_socket call with insecure SSL/TLS protocol " "version identified, security issue.", @@ -114,6 +115,7 @@ def ssl_with_bad_version(context, config): if context.check_call_arg_value('method', bad_ssl_versions): return bandit.Issue( severity=bandit.HIGH, + cwe=326, confidence=bandit.HIGH, text="SSL.Context call with insecure SSL/TLS protocol " "version identified, security issue.", @@ -128,6 +130,7 @@ def ssl_with_bad_version(context, config): context.get_lineno_for_call_arg('ssl_version')) return bandit.Issue( severity=bandit.MEDIUM, + cwe=326, confidence=bandit.MEDIUM, text="Function call with insecure SSL/TLS protocol " "identified, possible security issue.", 
@@ -186,6 +189,7 @@ def ssl_with_bad_defaults(context, config): if val in bad_ssl_versions: return bandit.Issue( severity=bandit.MEDIUM, + cwe=326, confidence=bandit.MEDIUM, text="Function definition identified with insecure SSL/TLS " "protocol version by default, possible security " @@ -245,6 +249,7 @@ def ssl_with_no_version(context): # tests for that (ssl_version is not specified). return bandit.Issue( severity=bandit.LOW, + cwe=326, confidence=bandit.MEDIUM, text="ssl.wrap_socket call with no SSL/TLS protocol version " "specified, the default SSLv23 could be insecure, " diff --git a/bandit/plugins/jinja2_templates.py b/bandit/plugins/jinja2_templates.py index 5f0cce492..a6dd254cf 100644 --- a/bandit/plugins/jinja2_templates.py +++ b/bandit/plugins/jinja2_templates.py @@ -83,6 +83,7 @@ def jinja2_autoescape_false(context): getattr(node.value, 'value', None) is False)): return bandit.Issue( severity=bandit.HIGH, + cwe=94, confidence=bandit.HIGH, text="Using jinja2 templates with autoescape=" "False is dangerous and can lead to XSS. " @@ -103,6 +104,7 @@ def jinja2_autoescape_false(context): else: return bandit.Issue( severity=bandit.HIGH, + cwe=94, confidence=bandit.MEDIUM, text="Using jinja2 templates with autoescape=" "False is dangerous and can lead to XSS. " @@ -114,6 +116,7 @@ def jinja2_autoescape_false(context): # behavior return bandit.Issue( severity=bandit.HIGH, + cwe=94, confidence=bandit.HIGH, text="By default, jinja2 sets autoescape to False. Consider " "using autoescape=True or use the select_autoescape " diff --git a/bandit/plugins/mako_templates.py b/bandit/plugins/mako_templates.py index 52bade79f..922d9bbc8 100644 --- a/bandit/plugins/mako_templates.py +++ b/bandit/plugins/mako_templates.py 
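Review bot: The three `jinja2_autoescape_false` findings are tagged `cwe=94` (Code Injection) although their own message says the risk is XSS; the mako check in this commit also uses 94 and django_xss uses 80, so the three XSS detectors now report three different ids. CWE-79 (Improper Neutralization of Input During Web Page Generation) is the canonical XSS id; use `cwe=79,` here and in mako_templates.py and django_xss.py so consumers can group them. Only the issue-construction lines are visible in these hunks; the enclosing function continues outside them.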
@@ -57,6 +57,7 @@ def use_of_mako_templates(context): # feature and thus each variable must be carefully sanitized. return bandit.Issue( severity=bandit.MEDIUM, + cwe=94, confidence=bandit.HIGH, text="Mako templates allow HTML/JS rendering by default and " "are inherently open to XSS attacks. Ensure variables " diff --git a/bandit/plugins/ssh_no_host_key_verification.py b/bandit/plugins/ssh_no_host_key_verification.py index c491c538b..3aed26276 100644 --- a/bandit/plugins/ssh_no_host_key_verification.py +++ b/bandit/plugins/ssh_no_host_key_verification.py @@ -46,6 +46,7 @@ def ssh_no_host_key_verification(context): context.call_args[0] in ['AutoAddPolicy', 'WarningPolicy']): issue = bandit.Issue( severity=bandit.HIGH, + cwe=295, confidence=bandit.MEDIUM, text='Paramiko call with policy set to automatically trust ' 'the unknown host key.', diff --git a/bandit/plugins/try_except_continue.py b/bandit/plugins/try_except_continue.py index 264a23338..19694762a 100644 --- a/bandit/plugins/try_except_continue.py +++ b/bandit/plugins/try_except_continue.py @@ -96,5 +96,6 @@ def try_except_continue(context, config): if isinstance(node.body[0], ast.Continue): return bandit.Issue( severity=bandit.LOW, + cwe=703, confidence=bandit.HIGH, text=("Try, Except, Continue detected.")) diff --git a/bandit/plugins/try_except_pass.py b/bandit/plugins/try_except_pass.py index ae107ca2d..c253f5b51 100644 --- a/bandit/plugins/try_except_pass.py +++ b/bandit/plugins/try_except_pass.py @@ -95,6 +95,7 @@ def try_except_pass(context, config): if isinstance(node.body[0], ast.Pass): return bandit.Issue( severity=bandit.LOW, + cwe=703, confidence=bandit.HIGH, text=("Try, Except, Pass detected.") ) diff --git a/bandit/plugins/weak_cryptographic_key.py b/bandit/plugins/weak_cryptographic_key.py index 22920626b..95bccce64 100644 --- a/bandit/plugins/weak_cryptographic_key.py +++ b/bandit/plugins/weak_cryptographic_key.py 
@@ -70,6 +70,7 @@ def _classify_key_size(config, key_type, key_size): if key_size < size: return bandit.Issue( severity=level, + cwe=326, confidence=bandit.HIGH, text='%s key sizes below %d bits are considered breakable. ' % (key_type, size)) diff --git a/bandit/plugins/yaml_load.py b/bandit/plugins/yaml_load.py index dd81a227d..c161d1af4 100644 --- a/bandit/plugins/yaml_load.py +++ b/bandit/plugins/yaml_load.py @@ -60,6 +60,7 @@ def yaml_load(context): ]): return bandit.Issue( severity=bandit.MEDIUM, + cwe=20, confidence=bandit.HIGH, text="Use of unsafe yaml load. Allows instantiation of" " arbitrary objects. Consider yaml.safe_load().", diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index e3b73702d..e6a57ec03 100644 --- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py @@ -737,6 +737,7 @@ def test_baseline_filter(self): "filename": "%s/examples/flask_debug.py", "issue_confidence": "MEDIUM", "issue_severity": "HIGH", + "issue_cwe": "94", "issue_text": "%s", "line_number": 10, "line_range": [ diff --git a/tests/unit/core/test_blacklisting.py b/tests/unit/core/test_blacklisting.py index 2889fd3ed..760b1a286 100644 --- a/tests/unit/core/test_blacklisting.py +++ b/tests/unit/core/test_blacklisting.py @@ -18,6 +18,7 @@ def test_report_issue(self): self.assertIsInstance(issue_dict, dict) self.assertEqual('B000', issue_dict['test_id']) self.assertEqual('HIGH', issue_dict['issue_severity']) + self.assertEqual(0, issue_dict['issue_cwe']) self.assertEqual('HIGH', issue_dict['issue_confidence']) self.assertEqual('test name', issue_dict['issue_text']) @@ -29,5 +30,6 @@ def test_report_issue_defaults(self): self.assertIsInstance(issue_dict, dict) self.assertEqual('LEGACY', issue_dict['test_id']) self.assertEqual('MEDIUM', issue_dict['issue_severity']) + self.assertEqual(0, issue_dict['issue_cwe']) self.assertEqual('HIGH', issue_dict['issue_confidence']) self.assertEqual('test name', issue_dict['issue_text']) 
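Review bot: `yaml_load` is tagged `cwe=20` (Improper Input Validation), a generic category, while the issue text describes arbitrary object instantiation from a YAML document — that is CWE-502 (Deserialization of Untrusted Data). Suggest `cwe=502,`. In the functional baseline fixture further down, `"issue_cwe": "94"` is a string while `as_dict` emits an int; it works because `from_dict` coerces with `int()`, but the fixture should use the type the tool actually writes so the round-trip is what is being tested.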
diff --git a/tests/unit/core/test_issue.py b/tests/unit/core/test_issue.py index 4d4fab6b2..d3057001b 100644 --- a/tests/unit/core/test_issue.py +++ b/tests/unit/core/test_issue.py @@ -21,8 +21,8 @@ def test_issue_create(self): def test_issue_str(self): test_issue = _get_issue_instance() self.assertEqual( - ("Issue: 'Test issue' from B999:bandit_plugin: Severity: MEDIUM " - "Confidence: MEDIUM at code.py:1"), + ("Issue: 'Test issue' from B999:bandit_plugin: CWE: 123," + " Severity: MEDIUM Confidence: MEDIUM at code.py:1"), str(test_issue) ) @@ -41,7 +41,7 @@ def test_issue_as_dict(self): def test_issue_filter_severity(self): levels = [bandit.LOW, bandit.MEDIUM, bandit.HIGH] - issues = [_get_issue_instance(l, bandit.HIGH) for l in levels] + issues = [_get_issue_instance(x, bandit.HIGH) for x in levels] for level in levels: rank = constants.RANKING.index(level) @@ -52,7 +52,7 @@ def test_issue_filter_severity(self): def test_issue_filter_confidence(self): levels = [bandit.LOW, bandit.MEDIUM, bandit.HIGH] - issues = [_get_issue_instance(bandit.HIGH, l) for l in levels] + issues = [_get_issue_instance(bandit.HIGH, x) for x in levels] for level in levels: rank = constants.RANKING.index(level) @@ -108,7 +108,7 @@ def test_matches_issue(self): @mock.patch('linecache.getline') def test_get_code(self, getline): getline.return_value = b'\x08\x30' - new_issue = issue.Issue(bandit.MEDIUM, lineno=1) + new_issue = issue.Issue(bandit.MEDIUM, cwe=123, lineno=1) try: new_issue.get_code() @@ -116,8 +116,9 @@ def test_get_code(self, getline): self.fail('Bytes not properly decoded in issue.get_code()') -def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM): - new_issue = issue.Issue(severity, confidence, 'Test issue') +def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, + confidence=bandit.MEDIUM): + new_issue = issue.Issue(severity, cwe, confidence, 'Test issue') new_issue.fname = 'code.py' new_issue.test = 'bandit_plugin' new_issue.test_id = 'B999' 
diff --git a/tests/unit/core/test_manager.py b/tests/unit/core/test_manager.py index a9cfd21cc..a098a316f 100644 --- a/tests/unit/core/test_manager.py +++ b/tests/unit/core/test_manager.py @@ -18,8 +18,9 @@ class ManagerTests(testtools.TestCase): - def _get_issue_instance(self, sev=constants.MEDIUM, conf=constants.MEDIUM): - new_issue = issue.Issue(sev, conf, 'Test issue') + def _get_issue_instance(self, sev=constants.MEDIUM, cwe=123, + conf=constants.MEDIUM): + new_issue = issue.Issue(sev, cwe, conf, 'Test issue') new_issue.fname = 'code.py' new_issue.test = 'bandit_plugin' new_issue.lineno = 1 @@ -111,6 +112,7 @@ def test_populate_baseline_success(self): "code": "test code", "filename": "example_file.py", "issue_severity": "low", + "issue_cwe": "123", "issue_confidence": "low", "issue_text": "test issue", "test_name": "some_test", @@ -122,7 +124,9 @@ def test_populate_baseline_success(self): } """ issue_dictionary = {"code": "test code", "filename": "example_file.py", - "issue_severity": "low", "issue_confidence": "low", + "issue_severity": "low", + "issue_cwe": "123", + "issue_confidence": "low", "issue_text": "test issue", "test_name": "some_test", "test_id": "x", "line_number": "n", "line_range": "n-m"} @@ -142,10 +146,10 @@ def test_populate_baseline_invalid_json(self, mock_logger_warning): def test_results_count(self): levels = [constants.LOW, constants.MEDIUM, constants.HIGH] self.manager.results = ( - [issue.Issue(severity=l, confidence=l) for l in levels]) + [issue.Issue(severity=x, cwe=123, confidence=x) for x in levels]) - r = [self.manager.results_count(sev_filter=l, conf_filter=l) - for l in levels] + r = [self.manager.results_count(sev_filter=x, conf_filter=x) + for x in levels] self.assertEqual([3, 2, 1], r) diff --git a/tests/unit/formatters/test_csv.py b/tests/unit/formatters/test_csv.py index 1d459711e..6e24f4619 100644 --- a/tests/unit/formatters/test_csv.py +++ b/tests/unit/formatters/test_csv.py 
@@ -26,7 +26,7 @@ def setUp(self): 'lineno': 4, 'linerange': [4]} self.check_name = 'hardcoded_bind_all_interfaces' - self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM, + self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM, 'Possible binding to all interfaces.') self.manager.out_file = self.tmp_fname diff --git a/tests/unit/formatters/test_html.py b/tests/unit/formatters/test_html.py index 30dd35484..c04793ae8 100644 --- a/tests/unit/formatters/test_html.py +++ b/tests/unit/formatters/test_html.py @@ -142,8 +142,9 @@ def test_escaping(self, get_issue_list, get_code): self.assertNotIn(marker, contents) -def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM): - new_issue = issue.Issue(severity, confidence, 'Test issue') +def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, + confidence=bandit.MEDIUM): + new_issue = issue.Issue(severity, cwe, confidence, 'Test issue') new_issue.fname = 'code.py' new_issue.test = 'bandit_plugin' new_issue.lineno = 1 diff --git a/tests/unit/formatters/test_json.py b/tests/unit/formatters/test_json.py index 37077e289..0f51d9e30 100644 --- a/tests/unit/formatters/test_json.py +++ b/tests/unit/formatters/test_json.py @@ -29,13 +29,13 @@ def setUp(self): 'lineno': 4, 'linerange': [4]} self.check_name = 'hardcoded_bind_all_interfaces' - self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM, + self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM, 'Possible binding to all interfaces.') - self.candidates = [issue.Issue(bandit.LOW, bandit.LOW, 'Candidate A', - lineno=1), - issue.Issue(bandit.HIGH, bandit.HIGH, 'Candiate B', - lineno=2)] + self.candidates = [issue.Issue(123, bandit.LOW, bandit.LOW, + 'Candidate A', lineno=1), + issue.Issue(bandit.HIGH, 123, bandit.HIGH, + 'Candiate B', lineno=2)] self.manager.out_file = self.tmp_fname diff --git a/tests/unit/formatters/test_screen.py b/tests/unit/formatters/test_screen.py index 12dca6881..37913b05a 100644 --- a/tests/unit/formatters/test_screen.py 
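Review bot: The first candidate in `setUp` is built as `issue.Issue(123, bandit.LOW, bandit.LOW, 'Candidate A', lineno=1)`, which binds `severity=123` and `cwe='LOW'` — the arguments are transposed (compare the second candidate and the yaml test, which pass `bandit.LOW, 123, bandit.LOW`). It should read `issue.Issue(bandit.LOW, 123, bandit.LOW, 'Candidate A', lineno=1)`. If the suite still passes with this fixture, the JSON formatter test is presumably not asserting candidate severity or CWE; an assertion on the candidate's `issue_cwe` would have caught it and is a good guard for the new field.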
+++ b/tests/unit/formatters/test_screen.py @@ -32,8 +32,9 @@ def _template(_issue, _indent_val, _code, _color): return_val = ["{}{}>> Issue: [{}:{}] {}". format(_indent_val, _color, _issue.test_id, _issue.test, _issue.text), - "{} Severity: {} Confidence: {}". + "{} Severity: {} CWE: {} Confidence: {}". format(_indent_val, _issue.severity.capitalize(), + _issue.cwe, _issue.confidence.capitalize()), "{} Location: {}:{}". format(_indent_val, _issue.fname, _issue.lineno), @@ -198,8 +199,9 @@ def test_report_baseline(self, get_issue_list): output_str.assert_has_calls(calls, any_order=True) -def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM): - new_issue = issue.Issue(severity, confidence, 'Test issue') +def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, + confidence=bandit.MEDIUM): + new_issue = issue.Issue(severity, cwe, confidence, 'Test issue') new_issue.fname = 'code.py' new_issue.test = 'bandit_plugin' new_issue.lineno = 1 diff --git a/tests/unit/formatters/test_text.py b/tests/unit/formatters/test_text.py index 355ace979..585df1e1b 100644 --- a/tests/unit/formatters/test_text.py +++ b/tests/unit/formatters/test_text.py @@ -32,8 +32,9 @@ def _template(_issue, _indent_val, _code): return_val = ["{}>> Issue: [{}:{}] {}". format(_indent_val, _issue.test_id, _issue.test, _issue.text), - "{} Severity: {} Confidence: {}". + "{} Severity: {} CWE: {} Confidence: {}". format(_indent_val, _issue.severity.capitalize(), + _issue.cwe, _issue.confidence.capitalize()), "{} Location: {}:{}". format(_indent_val, _issue.fname, _issue.lineno), @@ -130,6 +131,7 @@ def test_report_nobaseline(self, get_issue_list): 'binding.py (score: ', "CONFIDENCE: 1", "SEVERITY: 1", + "CWE: 123", 'Files excluded (1):', 'def.py', 'Undefined: 1', 
@@ -186,8 +188,9 @@ def test_report_baseline(self, get_issue_list): output_str.assert_has_calls(calls, any_order=True) -def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM): - new_issue = issue.Issue(severity, confidence, 'Test issue') +def _get_issue_instance(severity=bandit.MEDIUM, cwe=123, + confidence=bandit.MEDIUM): + new_issue = issue.Issue(severity, cwe, confidence, 'Test issue') new_issue.fname = 'code.py' new_issue.test = 'bandit_plugin' new_issue.lineno = 1 diff --git a/tests/unit/formatters/test_xml.py b/tests/unit/formatters/test_xml.py index dd5e16d4a..aba23581e 100644 --- a/tests/unit/formatters/test_xml.py +++ b/tests/unit/formatters/test_xml.py @@ -26,7 +26,7 @@ def setUp(self): 'lineno': 4, 'linerange': [4]} self.check_name = 'hardcoded_bind_all_interfaces' - self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM, + self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM, 'Possible binding to all interfaces.') self.manager.out_file = self.tmp_fname diff --git a/tests/unit/formatters/test_yaml.py b/tests/unit/formatters/test_yaml.py index de204ec1f..aeaceee85 100644 --- a/tests/unit/formatters/test_yaml.py +++ b/tests/unit/formatters/test_yaml.py @@ -29,13 +29,13 @@ def setUp(self): 'lineno': 4, 'linerange': [4]} self.check_name = 'hardcoded_bind_all_interfaces' - self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM, + self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM, 'Possible binding to all interfaces.') - self.candidates = [issue.Issue(bandit.LOW, bandit.LOW, 'Candidate A', - lineno=1), - issue.Issue(bandit.HIGH, bandit.HIGH, 'Candiate B', - lineno=2)] + self.candidates = [issue.Issue(bandit.LOW, 123, bandit.LOW, + 'Candidate A', lineno=1), + issue.Issue(bandit.HIGH, 123, bandit.HIGH, + 'Candiate B', lineno=2)] self.manager.out_file = self.tmp_fname