CWE-755 and CWE-532 #647
CWE-755 and CWE-532 #647
Conversation
Signed-off-by: ebakrra <[email protected]>
There was a problem hiding this comment.
the main readme.md is missing the entries for CWE-532 and CWE-755
https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Secure-Coding-Guide-for-Python/readme.md
Add following SPDX headers to at least the top of the .py code examples. No need to quote SPDS in the README.md's
# SPDX-FileCopyrightText: OpenSSF project contributors
# SPDX-License-Identifier: MIT
|
|
||
| ## Example Solution | ||
|
|
||
| The `example01.py` solution uses a custom filter in Python's logging module to automatically mask sensitive data in the logs. While this is a good solution for central handling in large software project it does require that all modules use the same string such as password=, variation's such as pass= or pass: won't work and continue to print the plain text password. |
There was a problem hiding this comment.
backtick inline code examples or names:
password=
pass=
|
|
||
| For security purposes, sensitive information should never be printed to the console in log messages (for instance, a passenger's age). In Python's logging module, there are five logging levels: | ||
|
|
||
| * DEBUG |
There was a problem hiding this comment.
backtick any inline code examples or names in below bullet list and following sentence DEBUG or INFO
|
|
||
| |Tool|Version|Checker|Description| | ||
| |:----|:----|:----|:----| | ||
| |[Pylint](https://pylint.pycqa.org/)|2023.10.1|[W1203:logging-fstring-interpolation](W1203:logging-fstring-interpolation)|Use lazy % formatting in logging functions| |
There was a problem hiding this comment.
missing the link in the (0) its not W1203:logging-fstring-interpolation
|
|
||
| |Tool|Version|Checker|Description| | ||
| |:----|:----|:----|:----| | ||
| |[Pylint](https://pylint.pycqa.org/)|2023.10.1|[W1203:logging-fstring-interpolation](W1203:logging-fstring-interpolation)|Use lazy % formatting in logging functions| |
There was a problem hiding this comment.
References is also missing the 4 links in the introduction.
| *[compliant01.py](compliant.py):* | ||
|
|
||
| ```py | ||
| """ Non-compliant Code Example """ |
There was a problem hiding this comment.
Says """Non compliant .... expecting """ Compliant
|
|
||
| The file opening and reading should be surrounded by the `try/except` block. This way, we can catch the generic `OSError` and handle the error differently depending on its cause (such as the file not existing or it being a directory instead). | ||
|
|
||
| *[compliant01.py](compliant.py):* |
There was a problem hiding this comment.
the link in the brackets is missing 01, should be (compliant01.py)
| read_file(f"{uuid.uuid4()}.txt") | ||
| ``` | ||
|
|
||
| ## Risk Assessment |
There was a problem hiding this comment.
Remove Risk Assessment section
Added missing links and backticks as per comments Signed-off-by: BartyBoi1128 <[email protected]>
Updated compliant01 mistakes, and removed Risk Assessment section Signed-off-by: BartyBoi1128 <[email protected]>
Updated references Signed-off-by: BartyBoi1128 <[email protected]>
Updated references again. Signed-off-by: BartyBoi1128 <[email protected]>
Signed-off-by: BartyBoi1128 <[email protected]>
Cosmetic changes and typo fix Signed-off-by: BartyBoi1128 <[email protected]>
Signed-off-by: BartyBoi1128 <[email protected]>
Signed-off-by: BartyBoi1128 <[email protected]>
Signed-off-by: BartyBoi1128 <[email protected]>
Signed-off-by: BartyBoi1128 <[email protected]>
Signed-off-by: BartyBoi1128 <[email protected]>
Signed-off-by: BartyBoi1128 <[email protected]>
Signed-off-by: BartyBoi1128 <[email protected]>
Signed-off-by: BartyBoi1128 <[email protected]>
Signed-off-by: BartyBoi1128 <[email protected]>
Signed-off-by: BartyBoi1128 <[email protected]>
Signed-off-by: BartyBoi1128 <[email protected]>
|
got approval from 2 reviewers, merging in |
Adding documentation and code for CWE-755 and CWE-532, pyDoc2GitHub as per #531