Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Including CWE information #613

Merged
merged 22 commits into from
Jan 30, 2022
Merged
Show file tree
Hide file tree
Changes from 8 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions bandit/core/blacklisting.py
Original file line number Diff line number Diff line change
Expand Up @@ -7,13 +7,15 @@
import ast
import fnmatch

from bandit.core.cwemap import CWEMAP
ericwb marked this conversation as resolved.
Show resolved Hide resolved
from bandit.core import issue


def report_issue(check, name):
return issue.Issue(
severity=check.get('level', 'MEDIUM'), confidence='HIGH',
text=check['message'].replace('{name}', name),
cwe=CWEMAP[check.get("id", 'LEGACY')],
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NOTSET or UNDEF?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes indeed NOTSET may be more clear. Just renamed the constant from UNDEF to NOTSET.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we rename LEGACY to NOTSET as well?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we rename LEGACY to NOTSET as well?

Mhh, I suppose that this would be a question for @dvyakimov and/or @ericwb as the LEGACY key was not introduced by the current PR and I am not 100% sure if this change could have any undesirable side-effects.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think LEGACY is fine for now.

ericwb marked this conversation as resolved.
Show resolved Hide resolved
ident=name, test_id=check.get("id", 'LEGACY'))


Expand Down
89 changes: 89 additions & 0 deletions bandit/core/cwemap.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,89 @@
# -*- coding:utf-8 -*-
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Line can be removed as UTF-8 is only for when unicode characters are in the file.

ericwb marked this conversation as resolved.
Show resolved Hide resolved
#
# SPDX-License-Identifier: Apache-2.0

ericwb marked this conversation as resolved.
Show resolved Hide resolved
from bandit.core.issue import Cwe as Cwe
ericwb marked this conversation as resolved.
Show resolved Hide resolved

CWEMAP = {
"B000": Cwe.UNDEF,
"LEGACY": Cwe.UNDEF,

ericwb marked this conversation as resolved.
Show resolved Hide resolved
# Plugins
"B101": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
ericwb marked this conversation as resolved.
Show resolved Hide resolved
"B102": Cwe.OS_COMMAND_INJECTION,
ericwb marked this conversation as resolved.
Show resolved Hide resolved
"B103": Cwe.INCORRECT_PERMISSION_ASSIGNMENT,
ericwb marked this conversation as resolved.
Show resolved Hide resolved
"B104": Cwe.MULTIPLE_BINDS,
"B105": Cwe.HARD_CODED_PASSWORD,
"B108": Cwe.INSECURE_TEMP_FILE,
"B110": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
"B112": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
ericwb marked this conversation as resolved.
Show resolved Hide resolved

ericwb marked this conversation as resolved.
Show resolved Hide resolved
"B201": Cwe.CODE_INJECTION,
ericwb marked this conversation as resolved.
Show resolved Hide resolved

ericwb marked this conversation as resolved.
Show resolved Hide resolved
"B324": Cwe.BROKEN_CRYPTO,
ericwb marked this conversation as resolved.
Show resolved Hide resolved

ericwb marked this conversation as resolved.
Show resolved Hide resolved
"B501": Cwe.IMPROPER_CERT_VALIDATION,
"B502": Cwe.BROKEN_CRYPTO,
"B503": Cwe.BROKEN_CRYPTO,
"B504": Cwe.BROKEN_CRYPTO,
"B505": Cwe.INADEQUATE_ENCRYPTION_STRENGTH,
"B506": Cwe.IMPROPER_INPUT_VALIDATION,
"B507": Cwe.IMPROPER_CERT_VALIDATION,
ericwb marked this conversation as resolved.
Show resolved Hide resolved

ericwb marked this conversation as resolved.
Show resolved Hide resolved
"B601": Cwe.OS_COMMAND_INJECTION,
"B602": Cwe.OS_COMMAND_INJECTION,
"B603": Cwe.OS_COMMAND_INJECTION,
"B604": Cwe.OS_COMMAND_INJECTION,
"B605": Cwe.OS_COMMAND_INJECTION,
"B606": Cwe.OS_COMMAND_INJECTION,
"B607": Cwe.OS_COMMAND_INJECTION,
"B608": Cwe.SQL_INJECTION,
"B609": Cwe.IMPROPER_WILDCARD_NEUTRALIZATION,
"B611": Cwe.SQL_INJECTION,
ericwb marked this conversation as resolved.
Show resolved Hide resolved

ericwb marked this conversation as resolved.
Show resolved Hide resolved
"B701": Cwe.CODE_INJECTION,
"B702": Cwe.BASIC_XSS,
"B703": Cwe.BASIC_XSS,
ericwb marked this conversation as resolved.
Show resolved Hide resolved

ericwb marked this conversation as resolved.
Show resolved Hide resolved
# Calls
"B301": Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
"B302": Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
"B303": Cwe.BROKEN_CRYPTO,
"B304": Cwe.BROKEN_CRYPTO,
"B305": Cwe.BROKEN_CRYPTO,
"B306": Cwe.INSECURE_TEMP_FILE,
"B307": Cwe.OS_COMMAND_INJECTION,
"B308": Cwe.XSS,
"B309": Cwe.CLEARTEXT_TRANSMISSION,
"B310": Cwe.PATH_TRAVERSAL,
"B311": Cwe.INSUFFICIENT_RANDOM_VALUES,
"B312": Cwe.CLEARTEXT_TRANSMISSION,
"B313": Cwe.IMPROPER_INPUT_VALIDATION,
"B314": Cwe.IMPROPER_INPUT_VALIDATION,
"B315": Cwe.IMPROPER_INPUT_VALIDATION,
"B316": Cwe.IMPROPER_INPUT_VALIDATION,
"B317": Cwe.IMPROPER_INPUT_VALIDATION,
"B318": Cwe.IMPROPER_INPUT_VALIDATION,
"B319": Cwe.IMPROPER_INPUT_VALIDATION,
"B320": Cwe.IMPROPER_INPUT_VALIDATION,
"B321": Cwe.CLEARTEXT_TRANSMISSION,
"B322": Cwe.OS_COMMAND_INJECTION,
"B323": Cwe.IMPROPER_CERT_VALIDATION,
"B325": Cwe.INSECURE_TEMP_FILE,
ericwb marked this conversation as resolved.
Show resolved Hide resolved

ericwb marked this conversation as resolved.
Show resolved Hide resolved
# Imports
"B401": Cwe.CLEARTEXT_TRANSMISSION,
"B402": Cwe.CLEARTEXT_TRANSMISSION,
"B403": Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
"B404": Cwe.OS_COMMAND_INJECTION,
"B405": Cwe.IMPROPER_INPUT_VALIDATION,
"B406": Cwe.IMPROPER_INPUT_VALIDATION,
"B407": Cwe.IMPROPER_INPUT_VALIDATION,
"B408": Cwe.IMPROPER_INPUT_VALIDATION,
"B409": Cwe.IMPROPER_INPUT_VALIDATION,
"B410": Cwe.IMPROPER_INPUT_VALIDATION,
"B411": Cwe.IMPROPER_INPUT_VALIDATION,
"B412": Cwe.IMPROPER_ACCESS_CONTROL,
"B413": Cwe.BROKEN_CRYPTO,
"B414": Cwe.BROKEN_CRYPTO,
ericwb marked this conversation as resolved.
Show resolved Hide resolved
}
90 changes: 83 additions & 7 deletions bandit/core/issue.py
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,77 @@
from bandit.core import constants


class Cwe(object):
ericwb marked this conversation as resolved.
Show resolved Hide resolved
UNDEF = 0
IMPROPER_INPUT_VALIDATION = 20
PATH_TRAVERSAL = 22
OS_COMMAND_INJECTION = 78
XSS = 79
BASIC_XSS = 80
SQL_INJECTION = 89
CODE_INJECTION = 94
IMPROPER_WILDCARD_NEUTRALIZATION = 155
HARD_CODED_PASSWORD = 259
IMPROPER_ACCESS_CONTROL = 284
IMPROPER_CERT_VALIDATION = 295
CLEARTEXT_TRANSMISSION = 319
INADEQUATE_ENCRYPTION_STRENGTH = 326
BROKEN_CRYPTO = 327
INSUFFICIENT_RANDOM_VALUES = 330
INSECURE_TEMP_FILE = 377
DESERIALIZATION_OF_UNTRUSTED_DATA = 502
MULTIPLE_BINDS = 605
IMPROPER_CHECK_OF_EXCEPT_COND = 703
INCORRECT_PERMISSION_ASSIGNMENT = 732

MITRE_URL_PATTERN = "https://cwe.mitre.org/data/definitions/%s.html"

def __init__(self, id=UNDEF):
self.id = id

def link(self):
if self.id == Cwe.UNDEF:
return ""

return Cwe.MITRE_URL_PATTERN % str(self.id)

def __str__(self):
if self.id == Cwe.UNDEF:
return ""

return "CWE-%i (%s)" % (self.id, self.link())

def as_dict(self):
return {
"id": self.id,
"link": self.link()
} if self.id != Cwe.UNDEF else {}

def as_jsons(self):
return str(self.as_dict())

def from_dict(self, data):
if 'id' in data:
self.id = int(data['id'])
ericwb marked this conversation as resolved.
Show resolved Hide resolved
else:
self.id = Cwe.UNDEF

def __eq__(self, other):
return self.id == other.id

def __ne__(self, other):
return self.id != other.id

def __hash__(self):
return id(self)


class Issue(object):
def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT,
def __init__(self, severity, cwe=0,
confidence=constants.CONFIDENCE_DEFAULT,
text="", ident=None, lineno=None, test_id=""):
self.severity = severity
self.cwe = Cwe(cwe)
self.confidence = confidence
if isinstance(text, bytes):
text = text.decode('utf-8')
Expand All @@ -30,16 +97,17 @@ def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT,
self.linerange = []

def __str__(self):
return ("Issue: '%s' from %s:%s: Severity: %s Confidence: "
return ("Issue: '%s' from %s:%s: CWE: %s, Severity: %s Confidence: "
"%s at %s:%i") % (self.text, self.test_id,
(self.ident or self.test), self.severity,
self.confidence, self.fname, self.lineno)
(self.ident or self.test), str(self.cwe),
self.severity, self.confidence, self.fname,
self.lineno)

def __eq__(self, other):
# if the issue text, severity, confidence, and filename match, it's
# the same issue from our perspective
match_types = ['text', 'severity', 'confidence', 'fname', 'test',
'test_id']
match_types = ['text', 'severity', 'cwe', 'confidence', 'fname',
'test', 'test_id']
return all(getattr(self, field) == getattr(other, field)
for field in match_types)

Expand Down Expand Up @@ -101,11 +169,12 @@ def as_dict(self, with_code=True):
'test_name': self.test,
'test_id': self.test_id,
'issue_severity': self.severity,
'issue_cwe': self.cwe.as_dict(),
'issue_confidence': self.confidence,
'issue_text': self.text.encode('utf-8').decode('utf-8'),
'line_number': self.lineno,
'line_range': self.linerange,
}
}

if with_code:
out['code'] = self.get_code()
Expand All @@ -115,6 +184,7 @@ def from_dict(self, data, with_code=True):
self.code = data["code"]
self.fname = data["filename"]
self.severity = data["issue_severity"]
self.cwe = cwe_from_dict(data["issue_cwe"])
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this why bandit 1.7.3 fails to load baseline data from JSON created by older bandit releases?

[manager] WARNING Failed to load baseline data: 'issue_cwe'

self.confidence = data["issue_confidence"]
self.text = data["issue_text"]
self.test = data["test_name"]
Expand All @@ -123,6 +193,12 @@ def from_dict(self, data, with_code=True):
self.linerange = data["line_range"]


def cwe_from_dict(data):
cwe = Cwe()
cwe.from_dict(data)
return cwe


def issue_from_dict(data):
i = Issue(severity=data["issue_severity"])
i.from_dict(data)
Expand Down
2 changes: 2 additions & 0 deletions bandit/formatters/csv.py
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
'test_name',
'test_id',
'issue_severity',
'issue_cwe',
'issue_confidence',
'issue_text',
'line_number',
Expand All @@ -67,6 +68,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
writer.writeheader()
for result in results:
r = result.as_dict(with_code=False)
r['issue_cwe'] = r['issue_cwe']['link']
r['more_info'] = docs_utils.get_url(r['test_id'])
writer.writerow(r)

Expand Down
2 changes: 2 additions & 0 deletions bandit/formatters/html.py
Original file line number Diff line number Diff line change
Expand Up @@ -266,6 +266,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
<b>{test_name}: </b> {test_text}<br>
<b>Test ID:</b> {test_id}<br>
<b>Severity: </b>{severity}<br>
<b>CWE: </b>{cwe}<br>
<b>Confidence: </b>{confidence}<br>
<b>File: </b><a href="{path}" target="_blank">{path}</a> <br>
<b>More info: </b><a href="{url}" target="_blank">{url}</a><br>
Expand Down Expand Up @@ -360,6 +361,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
test_id=issue.test_id,
test_text=issue.text,
severity=issue.severity,
cwe=issue.cwe,
confidence=issue.confidence,
path=issue.fname, code=code,
candidates=candidates,
Expand Down
8 changes: 5 additions & 3 deletions bandit/formatters/screen.py
Original file line number Diff line number Diff line change
Expand Up @@ -97,10 +97,12 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
# returns a list of lines that should be added to the existing lines list
bits = []
bits.append("%s%s>> Issue: [%s:%s] %s" % (
indent, COLOR[issue.severity], issue.test_id, issue.test, issue.text))
indent, COLOR[issue.severity], issue.test_id, issue.test,
issue.text))

bits.append("%s Severity: %s Confidence: %s" % (
indent, issue.severity.capitalize(), issue.confidence.capitalize()))
bits.append("%s Severity: %s CWE: %s Confidence: %s" % (
indent, issue.severity.capitalize(), str(issue.cwe),
issue.confidence.capitalize()))

bits.append("%s Location: %s:%s" % (
indent, issue.fname,
Expand Down
5 changes: 3 additions & 2 deletions bandit/formatters/text.py
Original file line number Diff line number Diff line change
Expand Up @@ -73,8 +73,9 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
bits.append("%s>> Issue: [%s:%s] %s" % (
indent, issue.test_id, issue.test, issue.text))

bits.append("%s Severity: %s Confidence: %s" % (
indent, issue.severity.capitalize(), issue.confidence.capitalize()))
bits.append("%s Severity: %s CWE: %s Confidence: %s" % (
indent, issue.severity.capitalize(), str(issue.cwe),
issue.confidence.capitalize()))

bits.append("%s Location: %s:%s" % (
indent, issue.fname, issue.lineno if show_lineno else ""))
Expand Down
8 changes: 5 additions & 3 deletions bandit/formatters/xml.py
Original file line number Diff line number Diff line change
Expand Up @@ -60,9 +60,11 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
testcase = ET.SubElement(root, 'testcase',
classname=issue.fname, name=test)

text = 'Test ID: %s Severity: %s Confidence: %s\n%s\nLocation %s:%s'
text = text % (issue.test_id, issue.severity, issue.confidence,
issue.text, issue.fname, issue.lineno)
text = 'Test ID: %s Severity: %s CWE: %s ' \
'Confidence: %s\n%s\nLocation %s:%s'
text = text % (issue.test_id, issue.severity, issue.cwe,
issue.confidence, issue.text, issue.fname,
issue.lineno)
ET.SubElement(testcase, 'error',
more_info=docs_utils.get_url(issue.test_id),
type=issue.severity,
Expand Down
2 changes: 2 additions & 0 deletions bandit/plugins/app_debug.py
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@
"""

import bandit
from bandit.core.cwemap import CWEMAP
ericwb marked this conversation as resolved.
Show resolved Hide resolved
from bandit.core import test_properties as test


Expand All @@ -51,6 +52,7 @@ def flask_debug_true(context):
if context.check_call_arg_value('debug', 'True'):
return bandit.Issue(
severity=bandit.HIGH,
cwe=CWEMAP["B201"],
ericwb marked this conversation as resolved.
Show resolved Hide resolved
confidence=bandit.MEDIUM,
text="A Flask app appears to be run with debug=True, "
"which exposes the Werkzeug debugger and allows "
Expand Down
2 changes: 2 additions & 0 deletions bandit/plugins/asserts.py
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@
"""

import bandit
from bandit.core.cwemap import CWEMAP
ericwb marked this conversation as resolved.
Show resolved Hide resolved
from bandit.core import test_properties as test


Expand All @@ -49,6 +50,7 @@
def assert_used(context):
return bandit.Issue(
severity=bandit.LOW,
cwe=CWEMAP["B101"],
ericwb marked this conversation as resolved.
Show resolved Hide resolved
confidence=bandit.HIGH,
text=("Use of assert detected. The enclosed code "
"will be removed when compiling to optimised byte code.")
Expand Down
2 changes: 2 additions & 0 deletions bandit/plugins/crypto_request_no_cert_validation.py
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,7 @@
"""

import bandit
from bandit.core.cwemap import CWEMAP
ericwb marked this conversation as resolved.
Show resolved Hide resolved
from bandit.core import test_properties as test


Expand All @@ -54,6 +55,7 @@ def request_with_no_cert_validation(context):
if context.check_call_arg_value('verify', 'False'):
issue = bandit.Issue(
severity=bandit.HIGH,
cwe=CWEMAP["B501"],
ericwb marked this conversation as resolved.
Show resolved Hide resolved
confidence=bandit.HIGH,
text="Requests call with verify=False disabling SSL "
"certificate checks, security issue.",
Expand Down
3 changes: 3 additions & 0 deletions bandit/plugins/django_sql_injection.py
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@
import ast

import bandit
from bandit.core.cwemap import CWEMAP
ericwb marked this conversation as resolved.
Show resolved Hide resolved
from bandit.core import test_properties as test


Expand Down Expand Up @@ -77,6 +78,7 @@ def django_extra_used(context):
if insecure:
return bandit.Issue(
severity=bandit.MEDIUM,
cwe=CWEMAP["B611"],
ericwb marked this conversation as resolved.
Show resolved Hide resolved
confidence=bandit.MEDIUM,
text=description
)
Expand All @@ -102,6 +104,7 @@ def django_rawsql_used(context):
if not isinstance(sql, ast.Str):
return bandit.Issue(
severity=bandit.MEDIUM,
cwe=CWEMAP["B611"],
ericwb marked this conversation as resolved.
Show resolved Hide resolved
confidence=bandit.MEDIUM,
text=description
)
Loading