Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Including CWE information #613

Merged
merged 22 commits into from
Jan 30, 2022
Merged

Including CWE information #613

merged 22 commits into from
Jan 30, 2022

Conversation

julianthome
Copy link
Contributor

@julianthome julianthome commented May 13, 2020
edited
Loading

closes #612

This PR includes CWE mappings for every vulnerability.

@julianthome julianthome mentioned this pull request May 13, 2020
Closed
@julianthome julianthome changed the title Included CWE information WIP: Included CWE information May 13, 2020
@julianthome julianthome changed the title WIP: Included CWE information WIP: Including CWE information May 13, 2020
@julianthome julianthome changed the title WIP: Including CWE information Including CWE information May 14, 2020
ericwb
ericwb requested changes May 18, 2020
View reviewed changes
Copy link
Member

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than a hard-coded number for the CWE, I'd like to see a constant of some kind being defined and used. Also, users will find it very beneficial to have a URL link to the cwe.mitre.org site for the specific issue found. We do this for Bandit errors also, we refer to bandit docs.

ericwb
ericwb reviewed May 18, 2020
View reviewed changes
Copy link
Member

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please also elaborate the details of this feature in your PR/commit message. Typically, a feature issue is opened first and PR is linked to it. That will definitely help speed along the review for the approvers and make it much clearer to others.

@julianthome julianthome changed the title Including CWE information WIP: Including CWE information May 19, 2020
@julianthome
Copy link
Contributor Author

Thanks a lot @ericwb for your review 👍

I addressed your comments by replacing the integer parameters for the CWEs with variables; I have also integrated a Cwe class and added the url as meta-data. The class will make it easier to add more CWE meta-data in future if needed. In addition, I have linked the issue that corresponds to this PR.

@julianthome julianthome changed the title WIP: Including CWE information Including CWE information May 19, 2020
@julianthome julianthome requested a review from ericwb May 19, 2020 23:39
@dvyakimov
Copy link

@julianthome Thank you! Bug what about B301-B323, B325, B401-B413,B504, B603-B607 ?

@julianthome
Copy link
Contributor Author

@julianthome Thank you! Bug what about B301-B323, B325, B401-B413,B504, B603-B607 ?

Thanks for you response @dvyakimov. Yes, thanks for pointing this out. Going to update the MR soon 👍

@prabhu
Copy link

prabhu commented Jun 30, 2020

This is an awesome improvement. Looking forward to using this soon!

prabhu
prabhu reviewed Jun 30, 2020
View reviewed changes
bandit/core/issue.py Outdated Show resolved Hide resolved
prabhu
prabhu reviewed Jun 30, 2020
View reviewed changes
bandit/core/issue.py Outdated Show resolved Hide resolved
@julianthome
Copy link
Contributor Author

@dvyakimov I changed the MR according to your and @prabhu's comment. I put all the CWE mappings into a separate file cwemap.py to simplify the book-keeping.

I suppose the MR is ready for another round of review.

prabhu
prabhu reviewed Jul 7, 2020
View reviewed changes
bandit/core/blacklisting.py Outdated
from bandit.core import issue


def report_issue(check, name):
return issue.Issue(
severity=check.get('level', 'MEDIUM'), confidence='HIGH',
text=check['message'].replace('{name}', name),
cwe=CWEMAP[check.get("id", 'LEGACY')],
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NOTSET or UNDEF?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes indeed NOTSET may be more clear. Just renamed the constant from UNDEF to NOTSET.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we rename LEGACY to NOTSET as well?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we rename LEGACY to NOTSET as well?

Mhh, I suppose that this would be a question for @dvyakimov and/or @ericwb as the LEGACY key was not introduced by the current PR and I am not 100% sure if this change could have any undesirable side-effects.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think LEGACY is fine for now.

@prabhu
Copy link

prabhu commented Jul 16, 2020

Any thoughts on this PR? @ericwb @dvyakimov ?

This was referenced Feb 28, 2022
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
mgedmin
mgedmin reviewed Mar 1, 2022
View reviewed changes
bandit/core/issue.py
@@ -134,6 +206,7 @@ def from_dict(self, data, with_code=True):
self.code = data["code"]
self.fname = data["filename"]
self.severity = data["issue_severity"]
self.cwe = cwe_from_dict(data["issue_cwe"])
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this why bandit 1.7.3 fails to load baseline data from JSON created by older bandit releases?

[manager] WARNING Failed to load baseline data: 'issue_cwe'

This was referenced Mar 6, 2022
Closed
Closed
Open
Merged
Merged
This was referenced Mar 14, 2022
Merged
Merged
This was referenced Mar 26, 2022
Closed
Merged
@renovate renovate bot mentioned this pull request Apr 26, 2022
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mgedmin mgedmin mgedmin left review comments

@prabhu prabhu prabhu left review comments

@ericwb ericwb ericwb approved these changes

@ghugo ghugo Awaiting requested review from ghugo

@lukehinds lukehinds Awaiting requested review from lukehinds

@sigmavirus24 sigmavirus24 Awaiting requested review from sigmavirus24

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Release 1.7.3
Development

Successfully merging this pull request may close these issues.

Include CWE mappings for all bandit issues
6 participants
@julianthome @dvyakimov @prabhu @Jeeppler @mgedmin @ericwb