How to use the bandit.MEDIUM function in bandit

To help you get started, we’ve selected a few bandit examples, based on popular ways it is used in public projects.


def _get_issue_instance(severity=bandit.MEDIUM, confidence=bandit.MEDIUM):
    """Build a minimal ``issue.Issue`` fixture for the formatter tests.

    Only severity and confidence vary between callers; the file name, the
    reporting plugin name and the line number are fixed so that assertions
    can rely on them.
    """
    fixture = issue.Issue(severity, confidence, 'Test issue')
    # Fixed location/plugin metadata shared by every fixture instance.
    fixture.fname, fixture.test, fixture.lineno = 'code.py', 'bandit_plugin', 1
    return fixture
def test_issue_filter_severity(self):
        """An issue passes ``filter`` exactly when its severity ranks at or above the threshold.

        Every fixture is created with HIGH confidence and the second filter
        argument is ``bandit.UNDEFINED`` (presumably the confidence threshold),
        so severity alone should decide the outcome here.
        """
        levels = [bandit.LOW, bandit.MEDIUM, bandit.HIGH]
        issues = [_get_issue_instance(lvl, bandit.HIGH) for lvl in levels]

        for threshold in levels:
            threshold_rank = constants.RANKING.index(threshold)
            for candidate in issues:
                # Position in RANKING is the ordering used for comparison.
                expected = constants.RANKING.index(candidate.severity) >= threshold_rank
                actual = candidate.filter(threshold, bandit.UNDEFINED)
                self.assertTrue(expected == actual)
def test_report_contents(self, get_issue_list, get_code):
        self.manager.metrics.data['_totals'] = {'loc': 1000, 'nosec': 50}

        issue_a = _get_issue_instance(severity=bandit.LOW)
        issue_a.fname = 'abc.py'
        issue_a.test = 'AAAAAAA'
        issue_a.text = 'BBBBBBB'
        issue_a.confidence = 'CCCCCCC'
        # don't need to test severity, it determines the color which we're
        # testing separately

        issue_b = _get_issue_instance(severity=bandit.MEDIUM)
        issue_c = _get_issue_instance(severity=bandit.HIGH)

        issue_x = _get_issue_instance()
        get_code.return_value = 'some code'

        issue_y = _get_issue_instance()

        get_issue_list.return_value = collections.OrderedDict(
            [(issue_a, [issue_x, issue_y]),
             (issue_b, [issue_x]), (issue_c, [issue_y])])

        with open(self.tmp_fname, 'w') as tmp_file:
            b_html.report(
                self.manager, tmp_file, bandit.LOW, bandit.LOW)

        with open(self.tmp_fname) as f:
def password_config_option_not_marked_secret(context, config):
    """Flag oslo.config option definitions named ``*password`` that are not ``secret=True``.

    Args:
        context: bandit call context for the node being inspected.
        config: plugin configuration; ``config['function_names']`` holds the
            qualified names of the option constructors to inspect.

    Returns:
        A MEDIUM-severity ``bandit.Issue`` with MEDIUM confidence when
        ``secret`` is False or not set at all, a MEDIUM-severity issue with
        LOW confidence when ``secret`` is present but is not the literal
        ``True`` (for example ``secret=secret``), otherwise ``None``.
    """
    if context.call_function_name_qual not in config['function_names']:
        return None

    # Only option definitions whose first (name) argument ends in 'password'
    # are of interest.
    option_name = context.get_call_arg_at_position(0)
    if option_name is None or not option_name.endswith('password'):
        return None

    # check_call_arg_value returns True when the argument is found and matches
    # one of the supplied values, and None when the argument is absent; both
    # mean the option is not marked secret.
    secret_is_false_or_missing = context.check_call_arg_value(
        'secret', constants.FALSE_VALUES) in [True, None]
    if secret_is_false_or_missing:
        return bandit.Issue(
            severity=bandit.MEDIUM,
            confidence=bandit.MEDIUM,
            text="oslo config option not marked secret=True "
                 "identified, security issue.",
            lineno=context.get_lineno_for_call_arg('secret'),
        )

    # secret is set, but not to the literal True (e.g. secret=secret); the
    # value cannot be resolved statically, so report with lower confidence.
    if not context.check_call_arg_value('secret', 'True'):
        return bandit.Issue(
            severity=bandit.MEDIUM,
            confidence=bandit.LOW,
            text="oslo config option possibly not marked secret=True "
                 "identified.",
            lineno=context.get_lineno_for_call_arg('secret'),
        )
    return None
def hardcoded_sql_expressions(context):
    val = _evaluate_ast(context.node)
    if _check_string(val[1]):
        return bandit.Issue(
            severity=bandit.MEDIUM,
            confidence=bandit.MEDIUM if val[0] else bandit.LOW,
            text="Possible SQL injection vector through string-based "
                 "query construction."
def _report(value):
    """Build the LOW-severity, MEDIUM-confidence issue for a suspected hardcoded password.

    The candidate secret *value* is embedded verbatim in the issue text, so
    any report output that contains this finding should itself be treated as
    sensitive.
    """
    text = "Possible hardcoded password: '%s'" % value
    return bandit.Issue(severity=bandit.LOW,
                        confidence=bandit.MEDIUM,
                        text=text)
9   os.spawnvp(mode, file, args)

    .. seealso::

     - https://security.openstack.org
     - https://docs.python.org/3/library/os.html#os.system
     - https://docs.python.org/3/library/subprocess.html#frequently-used-arguments  # noqa
     - https://security.openstack.org/guidelines/dg_use-subprocess-securely.html

    .. versionadded:: 0.10.0
    """

    if config and context.call_function_name_qual in config['no_shell']:
        return bandit.Issue(
            severity=bandit.LOW,
            confidence=bandit.MEDIUM,
            text='Starting a process without a shell.'
        )
while not isinstance(parent, (ast.Module, ast.FunctionDef)):
            parent = parent._bandit_parent
        secure = evaluate_call(xss_var, parent)
    elif isinstance(xss_var, ast.BinOp):
        is_mod = isinstance(xss_var.op, ast.Mod)
        is_left_str = isinstance(xss_var.left, ast.Str)
        if is_mod and is_left_str:
            parent = node._bandit_parent
            while not isinstance(parent, (ast.Module, ast.FunctionDef)):
                parent = parent._bandit_parent
            new_call = transform2call(xss_var)
            secure = evaluate_call(new_call, parent)

    if not secure:
        return bandit.Issue(
            severity=bandit.MEDIUM,
            confidence=bandit.HIGH,
            text=description
        )
def _report(strings):
    reports = []
    for string_data in strings:
        if string_data.confidence == 1:
            confidence = bandit.LOW
        elif string_data.confidence == 2:
            confidence = bandit.MEDIUM
        elif string_data.confidence >= 3:
            confidence = bandit.HIGH
        if string_data.severity == 1:
            severity = bandit.LOW
        elif string_data.severity == 2:
            severity = bandit.MEDIUM
        elif string_data.severity >= 3:
            severity = bandit.HIGH

        if type(string_data.string) is not unicode:
            string_data.string = string_data.string.decode('utf-8', errors='replace')
        string_data.string = string_data.string.encode('ascii', errors='replace')

        if len(string_data.string) > 12:
            secret_start = string_data.string[:4]
            secret_end = string_data.string[-4:]
def paramiko_calls(context):
    """Report ``exec_command`` calls in modules where ``paramiko`` is imported.

    Only the called function's name is matched, not its arguments, so the
    finding is a prompt to verify that whatever is passed to the call is
    properly sanitized rather than proof of an injection.

    Returns:
        A MEDIUM-severity, MEDIUM-confidence ``bandit.Issue`` for a matching
        call, otherwise ``None``.
    """
    issue_text = ('Possible shell injection via Paramiko call, check inputs '
                  'are properly sanitized.')
    # A single module today; kept as a sequence so more can be listed.
    watched_modules = ('paramiko',)
    watched_functions = ('exec_command',)

    module_imported = any(context.is_module_imported_like(name)
                          for name in watched_modules)
    if module_imported and context.call_function_name in watched_functions:
        return bandit.Issue(severity=bandit.MEDIUM,
                            confidence=bandit.MEDIUM,
                            text=issue_text)