ci: run bandit on test code (fixes #1528) (#1579)

* ci: skip assert on tests

* fix: issue B108 in test_scanner.py

* fix: issue B310 in utils.py and test_json.py

* fix: issue B307 in test_input_engine.py and test_merge.py

* doc: update bandit in contributing.md

CONTRIBUTING.md

@@ -211,12 +211,12 @@ specify a whole folder using ```./```
 
 ### Running bandit by itself
 
-We have a configuration file for bandit called `bandit.conf` that you should use.  This disables a few of the checkers and disables scanning of the test directory.
+We have a configuration file for bandit called `bandit.conf` that you should use.  This disables a few of the checkers.
 
 To run it on all the code we scan, use the following:
 
 ```bash
-bandit -c bandit.conf -r cve_bin_tool/
+bandit -c bandit.conf -r cve_bin_tool/ test/
 ```
 
 You can also run it on individual files:
@@ -225,7 +225,7 @@ You can also run it on individual files:
 bandit -c bandit.conf filename.py
 ```
 
-If you run it without the config file, it will run a few extra checkers and will run on test code, so you'll get additional warnings.
+If you run it without the config file, it will run a few extra checkers, so you'll get additional warnings.
 
 Bandit helps you target manual code review, but bandit issues aren't always things that need to be fixed, just reviewed.  If you have a bandit finding that doesn't actually need a fix, you can mark it as reviewed using a `# nosec` comment.  If possible, include details as to why the bandit results are ok for future reviewers.  For example, we have comments like `#nosec uses static https url above` in cases where bandit prompted us to review the variable being passed to urlopen().
 

bandit.conf

@@ -92,11 +92,9 @@ skips: ['B603', 'B607', 'B404', "B608"]
 # Explantion: cve-bin-tool is at heart a shell script that calls other processes.
 # Switching to pure python has significant performance impacts.
 
-exclude_dirs:
-  - "test/"
-  - "/test/"
-  - "./test/"
-  - "./build/lib/test/"
+# skips assert rule on tests
+assert_used:
+  skips: ['*/test_*.py']
 
 ### (optional) plugin settings - some test plugins require configuration data
 ### that may be given here, per-plugin. All bandit test plugins have a built in

test/test_input_engine.py

@@ -3,6 +3,7 @@
 
 import os
 import re
+from ast import literal_eval
 
 import pytest
 
@@ -109,7 +110,7 @@ def test_missing_fields(self, filepath, missing_fields):
         match = self.MISSING_FIELD_REGEX.search(exc.value.args[0])
         raised_fields = match.group(1)
 
-        assert missing_fields - eval(raised_fields) == set()
+        assert missing_fields - literal_eval(raised_fields) == set()
 
     @pytest.mark.parametrize(
         "filepath, parsed_data",

test/test_merge.py

@@ -3,6 +3,7 @@
 
 import os
 import re
+from ast import literal_eval
 
 import pytest
 
@@ -80,7 +81,7 @@ def test_missing_fields(self, filepaths, missing_fields):
         match = self.MISSING_FIELD_REGEX.search(exc.value.args[0])
         raised_fields = match.group(1)
 
-        assert missing_fields - eval(raised_fields) == set()
+        assert missing_fields - literal_eval(raised_fields) == set()
 
     @pytest.mark.parametrize(
         "filepaths, merged_data",

test/test_scanner.py

@@ -284,9 +284,8 @@ def test_cannot_open_file(self, caplog):
         assert str.find("Invalid file", caplog.text)
 
     def test_clean_file_path(self):
-        filepath = (
-            "/tmp/cve-bin-tool/dhtei34fd/file_name.extracted/usr/bin/vulnerable_file"
-        )
+        filepath = "/tmp/cve-bin-tool/dhtei34fd/file_name.extracted/usr/bin/vulnerable_file"  # nosec
+        # temp path is hardcoded for testing, not for usage
         expected_path = "/usr/bin/vulnerable_file"
 
         cleaned_path = self.scanner.clean_file_path(filepath)