diff --git a/bandit/core/blacklisting.py b/bandit/core/blacklisting.py
index aecf1512f..67b7680aa 100644
--- a/bandit/core/blacklisting.py
+++ b/bandit/core/blacklisting.py
@@ -12,7 +12,7 @@
def report_issue(check, name):
return issue.Issue(
- severity=check.get('level', 'MEDIUM'), confidence='HIGH',
+ severity=check.get('level', 'MEDIUM'), cwe=0, confidence='HIGH',
text=check['message'].replace('{name}', name),
ident=name, test_id=check.get("id", 'LEGACY'))
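Review bot: `cwe=0` on the new line is a sentinel for "no CWE known", but nothing says so, and every downstream consumer in this patch (`Issue.__str__` with `%i`, the CSV/HTML/XML formatters, `from_dict`) will print `CWE: 0`, which is not a valid CWE identifier. A one-line comment on the call would make the convention explicit: `# 0 = no CWE mapped for blacklist entries; formatters should treat it as "unknown"`. If the blacklist data is later extended to carry a CWE it could be read here the same way `level` and `id` already are. `report_issue` appears complete within the hunk.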
diff --git a/bandit/core/issue.py b/bandit/core/issue.py
index 61394dbbd..2e653cc82 100644
--- a/bandit/core/issue.py
+++ b/bandit/core/issue.py
@@ -15,9 +15,11 @@
class Issue(object):
- def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT,
+ def __init__(self, severity, cwe,
+ confidence=constants.CONFIDENCE_DEFAULT,
text="", ident=None, lineno=None, test_id=""):
self.severity = severity
+ self.cwe = cwe
self.confidence = confidence
if isinstance(text, bytes):
text = text.decode('utf-8')
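Review bot: The new required positional parameter `cwe` is inserted between `severity` and `confidence`, so any existing caller that passes confidence positionally (`Issue(bandit.LOW, bandit.LOW, 'text')`, the pattern this patch has to rewrite in test_json.py and test_yaml.py) now silently binds its confidence to `cwe` and its text to `confidence` instead of failing loudly; third-party plugins that construct `Issue` directly will hit the same thing. Appending it with a default keeps old call sites valid: `def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT, text="", ident=None, lineno=None, test_id="", cwe=0):`. The attribute is also stored without coercion while `from_dict` uses `int()` and `__str__` formats it with `%i`, so `self.cwe = int(cwe)` would keep the two construction paths consistent. The remainder of `__init__` lies outside the hunk.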
@@ -30,16 +32,17 @@ def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT,
self.linerange = []
def __str__(self):
- return ("Issue: '%s' from %s:%s: Severity: %s Confidence: "
+ return ("Issue: '%s' from %s:%s: CWE: %i, Severity: %s Confidence: "
"%s at %s:%i") % (self.text, self.test_id,
- (self.ident or self.test), self.severity,
- self.confidence, self.fname, self.lineno)
+ (self.ident or self.test), self.cwe,
+ self.severity, self.confidence, self.fname,
+ self.lineno)
def __eq__(self, other):
# if the issue text, severity, confidence, and filename match, it's
# the same issue from our perspective
- match_types = ['text', 'severity', 'confidence', 'fname', 'test',
- 'test_id']
+ match_types = ['text', 'severity', 'cwe', 'confidence', 'fname',
+ 'test', 'test_id']
return all(getattr(self, field) == getattr(other, field)
for field in match_types)
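Review bot: `__str__` now formats `self.cwe` with `%i`, which raises `TypeError` for any issue whose `cwe` is not integer-like, and the constructor does not coerce it; the same `%i` is used in the screen.py and text.py hunks while xml.py uses `%s`, so pick one (`%s` degrades more gracefully). Adding `'cwe'` to `match_types` also means baseline matching now depends on the CWE mapping, so any later correction of a plugin's id will make its existing baseline entries stop matching — worth a comment such as `# NOTE: cwe participates in equality, so remapping a plugin's CWE invalidates old baselines`. The comment above `__eq__` is now stale and should read `# if the issue text, severity, cwe, confidence, and filename match, it's`. The hunk ends inside the class; later methods are outside it.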
@@ -101,11 +104,12 @@ def as_dict(self, with_code=True):
'test_name': self.test,
'test_id': self.test_id,
'issue_severity': self.severity,
+ 'issue_cwe': self.cwe,
'issue_confidence': self.confidence,
'issue_text': self.text.encode('utf-8').decode('utf-8'),
'line_number': self.lineno,
'line_range': self.linerange,
- }
+ }
if with_code:
out['code'] = self.get_code()
@@ -115,6 +119,7 @@ def from_dict(self, data, with_code=True):
self.code = data["code"]
self.fname = data["filename"]
self.severity = data["issue_severity"]
+ self.cwe = int(data["issue_cwe"])
self.confidence = data["issue_confidence"]
self.text = data["issue_text"]
self.test = data["test_name"]
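Review bot: `int(data["issue_cwe"])` raises `KeyError` when the dictionary comes from a baseline file written by a bandit release before this change, which has no `issue_cwe` key, so baseline runs against existing baselines break instead of degrading; `issue_from_dict` in the next hunk has the same lookup. A tolerant read with the sentinel blacklisting already uses fixes both: `self.cwe = int(data.get("issue_cwe", 0))`. Note also that the fixtures added in tests/functional/test_functional.py and tests/unit/core/test_manager.py store the value as the strings `"94"`/`"123"` while `as_dict` emits an int; `int()` hides the mismatch, but the on-disk format should settle on one type. `from_dict` starts before the hunk.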
@@ -124,6 +129,6 @@ def from_dict(self, data, with_code=True):
def issue_from_dict(data):
- i = Issue(severity=data["issue_severity"])
+ i = Issue(severity=data["issue_severity"], cwe=int(data["issue_cwe"]))
i.from_dict(data)
return i
diff --git a/bandit/formatters/csv.py b/bandit/formatters/csv.py
index 1fc5878e8..93135d6fd 100644
--- a/bandit/formatters/csv.py
+++ b/bandit/formatters/csv.py
@@ -56,6 +56,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
'test_name',
'test_id',
'issue_severity',
+ 'issue_cwe',
'issue_confidence',
'issue_text',
'line_number',
diff --git a/bandit/formatters/html.py b/bandit/formatters/html.py
index 29c008b70..ed3bc2ea6 100644
--- a/bandit/formatters/html.py
+++ b/bandit/formatters/html.py
@@ -266,6 +266,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
{test_name}: {test_text}
Test ID: {test_id}
Severity: {severity}
+ CWE: {cwe}
Confidence: {confidence}
File: {path}
More info: {url}
@@ -360,6 +361,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
test_id=issue.test_id,
test_text=issue.text,
severity=issue.severity,
+ cwe=issue.cwe,
confidence=issue.confidence,
path=issue.fname, code=code,
candidates=candidates,
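Review bot: `cwe=issue.cwe` feeds the template line `CWE: {cwe}` from the earlier hunk as a bare number, so blacklist issues (created with `cwe=0` in this patch) render as `CWE: 0`, and real ids are not navigable even though the report already offers `More info: {url}`. Consider rendering the id as a link to the MITRE entry, e.g. `CWE: <a href="https://cwe.mitre.org/data/definitions/{cwe}.html">{cwe}</a>`, and substituting an empty or "n/a" value when `cwe` is 0. `report` starts and ends outside the hunk.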
diff --git a/bandit/formatters/screen.py b/bandit/formatters/screen.py
index 1641f1afa..8407b9320 100644
--- a/bandit/formatters/screen.py
+++ b/bandit/formatters/screen.py
@@ -97,10 +97,12 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
# returns a list of lines that should be added to the existing lines list
bits = []
bits.append("%s%s>> Issue: [%s:%s] %s" % (
- indent, COLOR[issue.severity], issue.test_id, issue.test, issue.text))
+ indent, COLOR[issue.severity], issue.test_id, issue.test,
+ issue.text))
- bits.append("%s Severity: %s Confidence: %s" % (
- indent, issue.severity.capitalize(), issue.confidence.capitalize()))
+ bits.append("%s Severity: %s CWE: %i Confidence: %s" % (
+ indent, issue.severity.capitalize(), issue.cwe,
+ issue.confidence.capitalize()))
bits.append("%s Location: %s:%s" % (
indent, issue.fname,
@@ -110,7 +112,7 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
indent, docs_utils.get_url(issue.test_id), COLOR['DEFAULT']))
if show_code:
- bits.extend([indent + l for l in
+ bits.extend([indent + x for x in
issue.get_code(lines, True).split('\n')])
return '\n'.join([bit for bit in bits])
diff --git a/bandit/formatters/text.py b/bandit/formatters/text.py
index 33fcba83f..5f47bbc00 100644
--- a/bandit/formatters/text.py
+++ b/bandit/formatters/text.py
@@ -73,8 +73,9 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
bits.append("%s>> Issue: [%s:%s] %s" % (
indent, issue.test_id, issue.test, issue.text))
- bits.append("%s Severity: %s Confidence: %s" % (
- indent, issue.severity.capitalize(), issue.confidence.capitalize()))
+ bits.append("%s Severity: %s CWE: %i Confidence: %s" % (
+ indent, issue.severity.capitalize(), issue.cwe,
+ issue.confidence.capitalize()))
bits.append("%s Location: %s:%s" % (
indent, issue.fname, issue.lineno if show_lineno else ""))
@@ -83,7 +84,7 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
indent, docs_utils.get_url(issue.test_id)))
if show_code:
- bits.extend([indent + l for l in
+ bits.extend([indent + x for x in
issue.get_code(lines, True).split('\n')])
return '\n'.join([bit for bit in bits])
diff --git a/bandit/formatters/xml.py b/bandit/formatters/xml.py
index a21e80024..720ccbe82 100644
--- a/bandit/formatters/xml.py
+++ b/bandit/formatters/xml.py
@@ -60,9 +60,11 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
testcase = ET.SubElement(root, 'testcase',
classname=issue.fname, name=test)
- text = 'Test ID: %s Severity: %s Confidence: %s\n%s\nLocation %s:%s'
- text = text % (issue.test_id, issue.severity, issue.confidence,
- issue.text, issue.fname, issue.lineno)
+ text = 'Test ID: %s Severity: %s CWE: %s ' \
+ 'Confidence: %s\n%s\nLocation %s:%s'
+ text = text % (issue.test_id, issue.severity, issue.cwe,
+ issue.confidence, issue.text, issue.fname,
+ issue.lineno)
ET.SubElement(testcase, 'error',
more_info=docs_utils.get_url(issue.test_id),
type=issue.severity,
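Review bot: The CWE is only embedded in the free-text body of the `error` element, so JUnit-style consumers cannot read it without parsing the message; since the element already carries `more_info` and `type` attributes, a structured `cwe=str(issue.cwe)` attribute next to them is the machine-readable place (ElementTree attribute values must be strings). The text uses `%s` for the id where `Issue.__str__`, screen.py and text.py use `%i`; harmless here, but worth aligning. `report` continues outside the hunk.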
diff --git a/bandit/plugins/app_debug.py b/bandit/plugins/app_debug.py
index 76d2c60cb..0ef80e3b2 100644
--- a/bandit/plugins/app_debug.py
+++ b/bandit/plugins/app_debug.py
@@ -51,6 +51,7 @@ def flask_debug_true(context):
if context.check_call_arg_value('debug', 'True'):
return bandit.Issue(
severity=bandit.HIGH,
+ cwe=94,
confidence=bandit.MEDIUM,
text="A Flask app appears to be run with debug=True, "
"which exposes the Werkzeug debugger and allows "
diff --git a/bandit/plugins/asserts.py b/bandit/plugins/asserts.py
index b5356252b..60715c014 100644
--- a/bandit/plugins/asserts.py
+++ b/bandit/plugins/asserts.py
@@ -49,6 +49,7 @@
def assert_used(context):
return bandit.Issue(
severity=bandit.LOW,
+ cwe=703,
confidence=bandit.HIGH,
text=("Use of assert detected. The enclosed code "
"will be removed when compiling to optimised byte code.")
diff --git a/bandit/plugins/crypto_request_no_cert_validation.py b/bandit/plugins/crypto_request_no_cert_validation.py
index f44cc7c9e..195ab8c7f 100644
--- a/bandit/plugins/crypto_request_no_cert_validation.py
+++ b/bandit/plugins/crypto_request_no_cert_validation.py
@@ -54,6 +54,7 @@ def request_with_no_cert_validation(context):
if context.check_call_arg_value('verify', 'False'):
issue = bandit.Issue(
severity=bandit.HIGH,
+ cwe=295,
confidence=bandit.HIGH,
text="Requests call with verify=False disabling SSL "
"certificate checks, security issue.",
diff --git a/bandit/plugins/django_sql_injection.py b/bandit/plugins/django_sql_injection.py
index 524a3ee87..c8469e665 100644
--- a/bandit/plugins/django_sql_injection.py
+++ b/bandit/plugins/django_sql_injection.py
@@ -77,6 +77,7 @@ def django_extra_used(context):
if insecure:
return bandit.Issue(
severity=bandit.MEDIUM,
+ cwe=89,
confidence=bandit.MEDIUM,
text=description
)
@@ -102,6 +103,7 @@ def django_rawsql_used(context):
if not isinstance(sql, ast.Str):
return bandit.Issue(
severity=bandit.MEDIUM,
+ cwe=89,
confidence=bandit.MEDIUM,
text=description
)
diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py
index 17e134607..89a3ce433 100644
--- a/bandit/plugins/django_xss.py
+++ b/bandit/plugins/django_xss.py
@@ -250,6 +250,7 @@ def check_risk(node):
if not secure:
return bandit.Issue(
severity=bandit.MEDIUM,
+ cwe=80,
confidence=bandit.HIGH,
text=description
)
diff --git a/bandit/plugins/exec.py b/bandit/plugins/exec.py
index 3d7d8c2d7..e170a2b2e 100644
--- a/bandit/plugins/exec.py
+++ b/bandit/plugins/exec.py
@@ -41,6 +41,7 @@
def exec_issue():
return bandit.Issue(
severity=bandit.MEDIUM,
+ cwe=78,
confidence=bandit.HIGH,
text="Use of exec detected."
)
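Review bot: `cwe=78` (OS Command Injection) does not describe `exec`, which executes Python source rather than a shell command; CWE-94 (Improper Control of Generation of Code) or its child CWE-95 (Eval Injection) is the matching weakness, and CWE-94 is what this same patch assigns to the template and debug checks. Suggest `cwe=94,`. `exec_issue` appears complete within the hunk.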
diff --git a/bandit/plugins/general_bad_file_permissions.py b/bandit/plugins/general_bad_file_permissions.py
index f02a85219..c6344333b 100644
--- a/bandit/plugins/general_bad_file_permissions.py
+++ b/bandit/plugins/general_bad_file_permissions.py
@@ -73,6 +73,7 @@ def set_bad_file_permissions(context):
filename = 'NOT PARSED'
return bandit.Issue(
severity=sev_level,
+ cwe=78,
confidence=bandit.HIGH,
text="Chmod setting a permissive mask %s on file (%s)." %
(oct(mode), filename)
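Review bot: `cwe=78` (OS Command Injection) is the wrong class for a permissive `chmod` mask; the finding is about permission assignment, CWE-732 (Incorrect Permission Assignment for Critical Resource), which is what anyone filtering a report by CWE will look for. Suggest `cwe=732,`. `set_bad_file_permissions` starts before the hunk.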
diff --git a/bandit/plugins/general_bind_all_interfaces.py b/bandit/plugins/general_bind_all_interfaces.py
index 1971aa540..77f2f24a2 100644
--- a/bandit/plugins/general_bind_all_interfaces.py
+++ b/bandit/plugins/general_bind_all_interfaces.py
@@ -43,6 +43,7 @@ def hardcoded_bind_all_interfaces(context):
if context.string_val == '0.0.0.0':
return bandit.Issue(
severity=bandit.MEDIUM,
+ cwe=605,
confidence=bandit.MEDIUM,
text="Possible binding to all interfaces."
)
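Review bot: `cwe=605` is "Multiple Binds to the Same Port", which is not what binding to `0.0.0.0` describes; the exposure here is a service listening on every interface, which reads closer to CWE-668 (Exposure of Resource to Wrong Sphere). Worth a second look before the mapping is frozen, because `Issue.__eq__` in this patch compares on `cwe`, so correcting the id later makes existing baseline entries for this check stop matching. `hardcoded_bind_all_interfaces` starts before the hunk.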
diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py
index 2a44c4cc1..1d832cf03 100644
--- a/bandit/plugins/general_hardcoded_password.py
+++ b/bandit/plugins/general_hardcoded_password.py
@@ -22,6 +22,7 @@
def _report(value):
return bandit.Issue(
severity=bandit.LOW,
+ cwe=259,
confidence=bandit.MEDIUM,
text=("Possible hardcoded password: '%s'" % value))
diff --git a/bandit/plugins/general_hardcoded_tmp.py b/bandit/plugins/general_hardcoded_tmp.py
index 535cf1b3d..b99ad4037 100644
--- a/bandit/plugins/general_hardcoded_tmp.py
+++ b/bandit/plugins/general_hardcoded_tmp.py
@@ -71,6 +71,7 @@ def hardcoded_tmp_directory(context, config):
if any(context.string_val.startswith(s) for s in tmp_dirs):
return bandit.Issue(
severity=bandit.MEDIUM,
+ cwe=377,
confidence=bandit.MEDIUM,
text="Probable insecure usage of temp file/directory."
)
diff --git a/bandit/plugins/hashlib_new_insecure_functions.py b/bandit/plugins/hashlib_new_insecure_functions.py
index f40fc6a41..07a9d0a04 100644
--- a/bandit/plugins/hashlib_new_insecure_functions.py
+++ b/bandit/plugins/hashlib_new_insecure_functions.py
@@ -48,6 +48,7 @@ def hashlib_new(context):
name.lower() in ('md4', 'md5', 'sha', 'sha1')):
return bandit.Issue(
severity=bandit.MEDIUM,
+ cwe=327,
confidence=bandit.HIGH,
text="Use of insecure MD4 or MD5 hash function.",
lineno=context.node.lineno,
diff --git a/bandit/plugins/injection_paramiko.py b/bandit/plugins/injection_paramiko.py
index 4d26804b9..9e7e19c90 100644
--- a/bandit/plugins/injection_paramiko.py
+++ b/bandit/plugins/injection_paramiko.py
@@ -51,5 +51,6 @@ def paramiko_calls(context):
if context.is_module_imported_like(module):
if context.call_function_name in ['exec_command']:
return bandit.Issue(severity=bandit.MEDIUM,
+ cwe=78,
confidence=bandit.MEDIUM,
text=issue_text)
diff --git a/bandit/plugins/injection_shell.py b/bandit/plugins/injection_shell.py
index 210716643..1e0b5a708 100644
--- a/bandit/plugins/injection_shell.py
+++ b/bandit/plugins/injection_shell.py
@@ -199,6 +199,7 @@ def subprocess_popen_with_shell_equals_true(context, config):
if sev == bandit.LOW:
return bandit.Issue(
severity=bandit.LOW,
+ cwe=78,
confidence=bandit.HIGH,
text='subprocess call with shell=True seems safe, but '
'may be changed in the future, consider '
@@ -208,6 +209,7 @@ def subprocess_popen_with_shell_equals_true(context, config):
else:
return bandit.Issue(
severity=bandit.HIGH,
+ cwe=78,
confidence=bandit.HIGH,
text='subprocess call with shell=True identified, '
'security issue.',
@@ -287,6 +289,7 @@ def subprocess_without_shell_equals_true(context, config):
if not has_shell(context):
return bandit.Issue(
severity=bandit.LOW,
+ cwe=78,
confidence=bandit.HIGH,
text='subprocess call - check for execution of untrusted '
'input.',
@@ -365,6 +368,7 @@ def any_other_function_with_shell_equals_true(context, config):
if has_shell(context):
return bandit.Issue(
severity=bandit.MEDIUM,
+ cwe=78,
confidence=bandit.LOW,
text='Function call with shell=True parameter identified, '
'possible security issue.',
@@ -451,6 +455,7 @@ def start_process_with_a_shell(context, config):
if sev == bandit.LOW:
return bandit.Issue(
severity=bandit.LOW,
+ cwe=78,
confidence=bandit.HIGH,
text='Starting a process with a shell: '
'Seems safe, but may be changed in the future, '
@@ -459,6 +464,7 @@ def start_process_with_a_shell(context, config):
else:
return bandit.Issue(
severity=bandit.HIGH,
+ cwe=78,
confidence=bandit.HIGH,
text='Starting a process with a shell, possible injection'
' detected, security issue.'
@@ -547,6 +553,7 @@ def start_process_with_no_shell(context, config):
if config and context.call_function_name_qual in config['no_shell']:
return bandit.Issue(
severity=bandit.LOW,
+ cwe=78,
confidence=bandit.MEDIUM,
text='Starting a process without a shell.'
)
@@ -642,6 +649,7 @@ def start_process_with_partial_path(context, config):
if isinstance(node, ast.Str) and not full_path_match.match(node.s):
return bandit.Issue(
severity=bandit.LOW,
+ cwe=78,
confidence=bandit.HIGH,
text='Starting a process with a partial executable path'
)
diff --git a/bandit/plugins/injection_sql.py b/bandit/plugins/injection_sql.py
index 3b5074635..ed17e82f0 100644
--- a/bandit/plugins/injection_sql.py
+++ b/bandit/plugins/injection_sql.py
@@ -104,6 +104,7 @@ def hardcoded_sql_expressions(context):
if _check_string(val[1]):
return bandit.Issue(
severity=bandit.MEDIUM,
+ cwe=89,
confidence=bandit.MEDIUM if val[0] else bandit.LOW,
text="Possible SQL injection vector through string-based "
"query construction."
diff --git a/bandit/plugins/injection_wildcard.py b/bandit/plugins/injection_wildcard.py
index 2c70e22bc..032e060b4 100644
--- a/bandit/plugins/injection_wildcard.py
+++ b/bandit/plugins/injection_wildcard.py
@@ -132,6 +132,7 @@ def linux_commands_wildcard_injection(context, config):
):
return bandit.Issue(
severity=bandit.HIGH,
+ cwe=155,
confidence=bandit.MEDIUM,
text="Possible wildcard injection in call: %s" %
context.call_function_name_qual,
diff --git a/bandit/plugins/insecure_ssl_tls.py b/bandit/plugins/insecure_ssl_tls.py
index d10dbc3f2..b2f6f0f5b 100644
--- a/bandit/plugins/insecure_ssl_tls.py
+++ b/bandit/plugins/insecure_ssl_tls.py
@@ -105,6 +105,7 @@ def ssl_with_bad_version(context, config):
if context.check_call_arg_value('ssl_version', bad_ssl_versions):
return bandit.Issue(
severity=bandit.HIGH,
+ cwe=326,
confidence=bandit.HIGH,
text="ssl.wrap_socket call with insecure SSL/TLS protocol "
"version identified, security issue.",
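Review bot: `cwe=326` (Inadequate Encryption Strength) is used for the insecure-protocol-version findings in this and the following three hunks (`ssl_with_bad_version`, `ssl_with_bad_defaults`, `ssl_with_no_version`), but those flag SSLv2/SSLv3-class protocol choices, which CWE files under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) rather than under key or parameter size; 326 fits `weak_cryptographic_key.py` in this patch, 327 fits these. Consider `cwe=327,` in the four hunks. `ssl_with_bad_version` starts before the hunk.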
@@ -114,6 +115,7 @@ def ssl_with_bad_version(context, config):
if context.check_call_arg_value('method', bad_ssl_versions):
return bandit.Issue(
severity=bandit.HIGH,
+ cwe=326,
confidence=bandit.HIGH,
text="SSL.Context call with insecure SSL/TLS protocol "
"version identified, security issue.",
@@ -128,6 +130,7 @@ def ssl_with_bad_version(context, config):
context.get_lineno_for_call_arg('ssl_version'))
return bandit.Issue(
severity=bandit.MEDIUM,
+ cwe=326,
confidence=bandit.MEDIUM,
text="Function call with insecure SSL/TLS protocol "
"identified, possible security issue.",
@@ -186,6 +189,7 @@ def ssl_with_bad_defaults(context, config):
if val in bad_ssl_versions:
return bandit.Issue(
severity=bandit.MEDIUM,
+ cwe=326,
confidence=bandit.MEDIUM,
text="Function definition identified with insecure SSL/TLS "
"protocol version by default, possible security "
@@ -245,6 +249,7 @@ def ssl_with_no_version(context):
# tests for that (ssl_version is not specified).
return bandit.Issue(
severity=bandit.LOW,
+ cwe=326,
confidence=bandit.MEDIUM,
text="ssl.wrap_socket call with no SSL/TLS protocol version "
"specified, the default SSLv23 could be insecure, "
diff --git a/bandit/plugins/jinja2_templates.py b/bandit/plugins/jinja2_templates.py
index 5f0cce492..a6dd254cf 100644
--- a/bandit/plugins/jinja2_templates.py
+++ b/bandit/plugins/jinja2_templates.py
@@ -83,6 +83,7 @@ def jinja2_autoescape_false(context):
getattr(node.value, 'value', None) is False)):
return bandit.Issue(
severity=bandit.HIGH,
+ cwe=94,
confidence=bandit.HIGH,
text="Using jinja2 templates with autoescape="
"False is dangerous and can lead to XSS. "
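Review bot: `cwe=94` (code injection) is attached to a finding whose own text says it "can lead to XSS"; the XSS weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation), and the same mismatch is in the two following jinja2 hunks and in mako_templates.py, while django_xss.py in this patch uses the related CWE-80 — three different ids for one weakness class will make CWE-based filtering of reports inconsistent. Suggest `cwe=79,` at all four template sites, and consider aligning django_xss with it. `jinja2_autoescape_false` starts before the hunk.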
@@ -103,6 +104,7 @@ def jinja2_autoescape_false(context):
else:
return bandit.Issue(
severity=bandit.HIGH,
+ cwe=94,
confidence=bandit.MEDIUM,
text="Using jinja2 templates with autoescape="
"False is dangerous and can lead to XSS. "
@@ -114,6 +116,7 @@ def jinja2_autoescape_false(context):
# behavior
return bandit.Issue(
severity=bandit.HIGH,
+ cwe=94,
confidence=bandit.HIGH,
text="By default, jinja2 sets autoescape to False. Consider "
"using autoescape=True or use the select_autoescape "
diff --git a/bandit/plugins/mako_templates.py b/bandit/plugins/mako_templates.py
index 52bade79f..922d9bbc8 100644
--- a/bandit/plugins/mako_templates.py
+++ b/bandit/plugins/mako_templates.py
@@ -57,6 +57,7 @@ def use_of_mako_templates(context):
# feature and thus each variable must be carefully sanitized.
return bandit.Issue(
severity=bandit.MEDIUM,
+ cwe=94,
confidence=bandit.HIGH,
text="Mako templates allow HTML/JS rendering by default and "
"are inherently open to XSS attacks. Ensure variables "
diff --git a/bandit/plugins/ssh_no_host_key_verification.py b/bandit/plugins/ssh_no_host_key_verification.py
index c491c538b..3aed26276 100644
--- a/bandit/plugins/ssh_no_host_key_verification.py
+++ b/bandit/plugins/ssh_no_host_key_verification.py
@@ -46,6 +46,7 @@ def ssh_no_host_key_verification(context):
context.call_args[0] in ['AutoAddPolicy', 'WarningPolicy']):
issue = bandit.Issue(
severity=bandit.HIGH,
+ cwe=295,
confidence=bandit.MEDIUM,
text='Paramiko call with policy set to automatically trust '
'the unknown host key.',
diff --git a/bandit/plugins/try_except_continue.py b/bandit/plugins/try_except_continue.py
index 264a23338..19694762a 100644
--- a/bandit/plugins/try_except_continue.py
+++ b/bandit/plugins/try_except_continue.py
@@ -96,5 +96,6 @@ def try_except_continue(context, config):
if isinstance(node.body[0], ast.Continue):
return bandit.Issue(
severity=bandit.LOW,
+ cwe=703,
confidence=bandit.HIGH,
text=("Try, Except, Continue detected."))
diff --git a/bandit/plugins/try_except_pass.py b/bandit/plugins/try_except_pass.py
index ae107ca2d..c253f5b51 100644
--- a/bandit/plugins/try_except_pass.py
+++ b/bandit/plugins/try_except_pass.py
@@ -95,6 +95,7 @@ def try_except_pass(context, config):
if isinstance(node.body[0], ast.Pass):
return bandit.Issue(
severity=bandit.LOW,
+ cwe=703,
confidence=bandit.HIGH,
text=("Try, Except, Pass detected.")
)
diff --git a/bandit/plugins/weak_cryptographic_key.py b/bandit/plugins/weak_cryptographic_key.py
index 22920626b..95bccce64 100644
--- a/bandit/plugins/weak_cryptographic_key.py
+++ b/bandit/plugins/weak_cryptographic_key.py
@@ -70,6 +70,7 @@ def _classify_key_size(config, key_type, key_size):
if key_size < size:
return bandit.Issue(
severity=level,
+ cwe=326,
confidence=bandit.HIGH,
text='%s key sizes below %d bits are considered breakable. ' %
(key_type, size))
diff --git a/bandit/plugins/yaml_load.py b/bandit/plugins/yaml_load.py
index dd81a227d..c161d1af4 100644
--- a/bandit/plugins/yaml_load.py
+++ b/bandit/plugins/yaml_load.py
@@ -60,6 +60,7 @@ def yaml_load(context):
]):
return bandit.Issue(
severity=bandit.MEDIUM,
+ cwe=20,
confidence=bandit.HIGH,
text="Use of unsafe yaml load. Allows instantiation of"
" arbitrary objects. Consider yaml.safe_load().",
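Review bot: `cwe=20` (Improper Input Validation) is very generic for `yaml.load`; the message itself describes arbitrary object instantiation from the input, which is CWE-502 (Deserialization of Untrusted Data), the id most tooling uses for unsafe deserializers. Suggest `cwe=502,`. `yaml_load` starts before the hunk.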
diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py
index e3b73702d..e6a57ec03 100644
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@@ -737,6 +737,7 @@ def test_baseline_filter(self):
"filename": "%s/examples/flask_debug.py",
"issue_confidence": "MEDIUM",
"issue_severity": "HIGH",
+ "issue_cwe": "94",
"issue_text": "%s",
"line_number": 10,
"line_range": [
diff --git a/tests/unit/core/test_blacklisting.py b/tests/unit/core/test_blacklisting.py
index 2889fd3ed..760b1a286 100644
--- a/tests/unit/core/test_blacklisting.py
+++ b/tests/unit/core/test_blacklisting.py
@@ -18,6 +18,7 @@ def test_report_issue(self):
self.assertIsInstance(issue_dict, dict)
self.assertEqual('B000', issue_dict['test_id'])
self.assertEqual('HIGH', issue_dict['issue_severity'])
+ self.assertEqual(0, issue_dict['issue_cwe'])
self.assertEqual('HIGH', issue_dict['issue_confidence'])
self.assertEqual('test name', issue_dict['issue_text'])
@@ -29,5 +30,6 @@ def test_report_issue_defaults(self):
self.assertIsInstance(issue_dict, dict)
self.assertEqual('LEGACY', issue_dict['test_id'])
self.assertEqual('MEDIUM', issue_dict['issue_severity'])
+ self.assertEqual(0, issue_dict['issue_cwe'])
self.assertEqual('HIGH', issue_dict['issue_confidence'])
self.assertEqual('test name', issue_dict['issue_text'])
diff --git a/tests/unit/core/test_issue.py b/tests/unit/core/test_issue.py
index 4d4fab6b2..d3057001b 100644
--- a/tests/unit/core/test_issue.py
+++ b/tests/unit/core/test_issue.py
@@ -21,8 +21,8 @@ def test_issue_create(self):
def test_issue_str(self):
test_issue = _get_issue_instance()
self.assertEqual(
- ("Issue: 'Test issue' from B999:bandit_plugin: Severity: MEDIUM "
- "Confidence: MEDIUM at code.py:1"),
+ ("Issue: 'Test issue' from B999:bandit_plugin: CWE: 123,"
+ " Severity: MEDIUM Confidence: MEDIUM at code.py:1"),
str(test_issue)
)
@@ -41,7 +41,7 @@ def test_issue_as_dict(self):
def test_issue_filter_severity(self):
levels = [bandit.LOW, bandit.MEDIUM, bandit.HIGH]
- issues = [_get_issue_instance(l, bandit.HIGH) for l in levels]
+ issues = [_get_issue_instance(x, bandit.HIGH) for x in levels]
for level in levels:
rank = constants.RANKING.index(level)
@@ -52,7 +52,7 @@ def test_issue_filter_severity(self):
def test_issue_filter_confidence(self):
levels = [bandit.LOW, bandit.MEDIUM, bandit.HIGH]
- issues = [_get_issue_instance(bandit.HIGH, l) for l in levels]
+ issues = [_get_issue_instance(bandit.HIGH, x) for x in levels]
for level in levels:
rank = constants.RANKING.index(level)
@@ -108,7 +108,7 @@ def test_matches_issue(self):
@mock.patch('linecache.getline')
def test_get_code(self, getline):
getline.return_value = b'\x08\x30'
- new_issue = issue.Issue(bandit.MEDIUM, lineno=1)
+ new_issue = issue.Issue(bandit.MEDIUM, cwe=123, lineno=1)
try:
new_issue.get_code()
@@ -116,8 +116,9 @@ def test_get_code(self, getline):
self.fail('Bytes not properly decoded in issue.get_code()')
-def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM):
- new_issue = issue.Issue(severity, confidence, 'Test issue')
+def _get_issue_instance(severity=bandit.MEDIUM, cwe=123,
+ confidence=bandit.MEDIUM):
+ new_issue = issue.Issue(severity, cwe, confidence, 'Test issue')
new_issue.fname = 'code.py'
new_issue.test = 'bandit_plugin'
new_issue.test_id = 'B999'
diff --git a/tests/unit/core/test_manager.py b/tests/unit/core/test_manager.py
index a9cfd21cc..a098a316f 100644
--- a/tests/unit/core/test_manager.py
+++ b/tests/unit/core/test_manager.py
@@ -18,8 +18,9 @@
class ManagerTests(testtools.TestCase):
- def _get_issue_instance(self, sev=constants.MEDIUM, conf=constants.MEDIUM):
- new_issue = issue.Issue(sev, conf, 'Test issue')
+ def _get_issue_instance(self, sev=constants.MEDIUM, cwe=123,
+ conf=constants.MEDIUM):
+ new_issue = issue.Issue(sev, cwe, conf, 'Test issue')
new_issue.fname = 'code.py'
new_issue.test = 'bandit_plugin'
new_issue.lineno = 1
@@ -111,6 +112,7 @@ def test_populate_baseline_success(self):
"code": "test code",
"filename": "example_file.py",
"issue_severity": "low",
+ "issue_cwe": "123",
"issue_confidence": "low",
"issue_text": "test issue",
"test_name": "some_test",
@@ -122,7 +124,9 @@ def test_populate_baseline_success(self):
}
"""
issue_dictionary = {"code": "test code", "filename": "example_file.py",
- "issue_severity": "low", "issue_confidence": "low",
+ "issue_severity": "low",
+ "issue_cwe": "123",
+ "issue_confidence": "low",
"issue_text": "test issue", "test_name":
"some_test", "test_id": "x", "line_number": "n",
"line_range": "n-m"}
@@ -142,10 +146,10 @@ def test_populate_baseline_invalid_json(self, mock_logger_warning):
def test_results_count(self):
levels = [constants.LOW, constants.MEDIUM, constants.HIGH]
self.manager.results = (
- [issue.Issue(severity=l, confidence=l) for l in levels])
+ [issue.Issue(severity=x, cwe=123, confidence=x) for x in levels])
- r = [self.manager.results_count(sev_filter=l, conf_filter=l)
- for l in levels]
+ r = [self.manager.results_count(sev_filter=x, conf_filter=x)
+ for x in levels]
self.assertEqual([3, 2, 1], r)
diff --git a/tests/unit/formatters/test_csv.py b/tests/unit/formatters/test_csv.py
index 1d459711e..6e24f4619 100644
--- a/tests/unit/formatters/test_csv.py
+++ b/tests/unit/formatters/test_csv.py
@@ -26,7 +26,7 @@ def setUp(self):
'lineno': 4,
'linerange': [4]}
self.check_name = 'hardcoded_bind_all_interfaces'
- self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM,
+ self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM,
'Possible binding to all interfaces.')
self.manager.out_file = self.tmp_fname
diff --git a/tests/unit/formatters/test_html.py b/tests/unit/formatters/test_html.py
index 30dd35484..c04793ae8 100644
--- a/tests/unit/formatters/test_html.py
+++ b/tests/unit/formatters/test_html.py
@@ -142,8 +142,9 @@ def test_escaping(self, get_issue_list, get_code):
self.assertNotIn(marker, contents)
-def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM):
- new_issue = issue.Issue(severity, confidence, 'Test issue')
+def _get_issue_instance(severity=bandit.MEDIUM, cwe=123,
+ confidence=bandit.MEDIUM):
+ new_issue = issue.Issue(severity, cwe, confidence, 'Test issue')
new_issue.fname = 'code.py'
new_issue.test = 'bandit_plugin'
new_issue.lineno = 1
diff --git a/tests/unit/formatters/test_json.py b/tests/unit/formatters/test_json.py
index 37077e289..0f51d9e30 100644
--- a/tests/unit/formatters/test_json.py
+++ b/tests/unit/formatters/test_json.py
@@ -29,13 +29,13 @@ def setUp(self):
'lineno': 4,
'linerange': [4]}
self.check_name = 'hardcoded_bind_all_interfaces'
- self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM,
+ self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM,
'Possible binding to all interfaces.')
- self.candidates = [issue.Issue(bandit.LOW, bandit.LOW, 'Candidate A',
- lineno=1),
- issue.Issue(bandit.HIGH, bandit.HIGH, 'Candiate B',
- lineno=2)]
+ self.candidates = [issue.Issue(123, bandit.LOW, bandit.LOW,
+ 'Candidate A', lineno=1),
+ issue.Issue(bandit.HIGH, 123, bandit.HIGH,
+ 'Candiate B', lineno=2)]
self.manager.out_file = self.tmp_fname
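Review bot: The first candidate on the new side passes `123` as the first positional argument, `issue.Issue(123, bandit.LOW, bandit.LOW, 'Candidate A', lineno=1)`, so it is built with `severity=123`, `cwe=bandit.LOW` and `confidence=bandit.LOW`; the second candidate here and the matching hunk in test_yaml.py use the intended order. It should read `issue.Issue(bandit.LOW, 123, bandit.LOW,`. That a non-integer `cwe` and a non-ranked severity get through unnoticed is a consequence of `Issue.__init__` accepting anything, which is worth tightening there. `setUp` continues outside the hunk.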
diff --git a/tests/unit/formatters/test_screen.py b/tests/unit/formatters/test_screen.py
index 12dca6881..37913b05a 100644
--- a/tests/unit/formatters/test_screen.py
+++ b/tests/unit/formatters/test_screen.py
@@ -32,8 +32,9 @@ def _template(_issue, _indent_val, _code, _color):
return_val = ["{}{}>> Issue: [{}:{}] {}".
format(_indent_val, _color, _issue.test_id,
_issue.test, _issue.text),
- "{} Severity: {} Confidence: {}".
+ "{} Severity: {} CWE: {} Confidence: {}".
format(_indent_val, _issue.severity.capitalize(),
+ _issue.cwe,
_issue.confidence.capitalize()),
"{} Location: {}:{}".
format(_indent_val, _issue.fname, _issue.lineno),
@@ -198,8 +199,9 @@ def test_report_baseline(self, get_issue_list):
output_str.assert_has_calls(calls, any_order=True)
-def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM):
- new_issue = issue.Issue(severity, confidence, 'Test issue')
+def _get_issue_instance(severity=bandit.MEDIUM, cwe=123,
+ confidence=bandit.MEDIUM):
+ new_issue = issue.Issue(severity, cwe, confidence, 'Test issue')
new_issue.fname = 'code.py'
new_issue.test = 'bandit_plugin'
new_issue.lineno = 1
diff --git a/tests/unit/formatters/test_text.py b/tests/unit/formatters/test_text.py
index 355ace979..585df1e1b 100644
--- a/tests/unit/formatters/test_text.py
+++ b/tests/unit/formatters/test_text.py
@@ -32,8 +32,9 @@ def _template(_issue, _indent_val, _code):
return_val = ["{}>> Issue: [{}:{}] {}".
format(_indent_val, _issue.test_id, _issue.test,
_issue.text),
- "{} Severity: {} Confidence: {}".
+ "{} Severity: {} CWE: {} Confidence: {}".
format(_indent_val, _issue.severity.capitalize(),
+ _issue.cwe,
_issue.confidence.capitalize()),
"{} Location: {}:{}".
format(_indent_val, _issue.fname, _issue.lineno),
@@ -130,6 +131,7 @@ def test_report_nobaseline(self, get_issue_list):
'binding.py (score: ',
"CONFIDENCE: 1",
"SEVERITY: 1",
+ "CWE: 123",
'Files excluded (1):',
'def.py',
'Undefined: 1',
@@ -186,8 +188,9 @@ def test_report_baseline(self, get_issue_list):
output_str.assert_has_calls(calls, any_order=True)
-def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM):
- new_issue = issue.Issue(severity, confidence, 'Test issue')
+def _get_issue_instance(severity=bandit.MEDIUM, cwe=123,
+ confidence=bandit.MEDIUM):
+ new_issue = issue.Issue(severity, cwe, confidence, 'Test issue')
new_issue.fname = 'code.py'
new_issue.test = 'bandit_plugin'
new_issue.lineno = 1
diff --git a/tests/unit/formatters/test_xml.py b/tests/unit/formatters/test_xml.py
index dd5e16d4a..aba23581e 100644
--- a/tests/unit/formatters/test_xml.py
+++ b/tests/unit/formatters/test_xml.py
@@ -26,7 +26,7 @@ def setUp(self):
'lineno': 4,
'linerange': [4]}
self.check_name = 'hardcoded_bind_all_interfaces'
- self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM,
+ self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM,
'Possible binding to all interfaces.')
self.manager.out_file = self.tmp_fname
diff --git a/tests/unit/formatters/test_yaml.py b/tests/unit/formatters/test_yaml.py
index de204ec1f..aeaceee85 100644
--- a/tests/unit/formatters/test_yaml.py
+++ b/tests/unit/formatters/test_yaml.py
@@ -29,13 +29,13 @@ def setUp(self):
'lineno': 4,
'linerange': [4]}
self.check_name = 'hardcoded_bind_all_interfaces'
- self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM,
+ self.issue = issue.Issue(bandit.MEDIUM, 123, bandit.MEDIUM,
'Possible binding to all interfaces.')
- self.candidates = [issue.Issue(bandit.LOW, bandit.LOW, 'Candidate A',
- lineno=1),
- issue.Issue(bandit.HIGH, bandit.HIGH, 'Candiate B',
- lineno=2)]
+ self.candidates = [issue.Issue(bandit.LOW, 123, bandit.LOW,
+ 'Candidate A', lineno=1),
+ issue.Issue(bandit.HIGH, 123, bandit.HIGH,
+ 'Candiate B', lineno=2)]
self.manager.out_file = self.tmp_fname