Integrate Bandit into CI #1110
Update on this:
Overall, we're at the point where we could definitely run bandit in CI as long as we didn't block pull requests on finding 0 issues. It would take a bit more work (in terms of marking things as
Current output:

```text
(venv3.8) [terri@cedar cve-bin-tool]$ bandit -c bandit.conf -r cve_bin_tool/
[main] INFO profile include tests: None
[main] INFO profile exclude tests: B607,B603,B404
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO using config: bandit.conf
[main] INFO running on Python 3.8.10
133 [0.. 50.. 100.. ]
Run started:2021-07-22 21:44:19.548770

Test results:
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: cve_bin_tool/cve_scanner.py:162
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
161         if cve_list:
162             query = f"""
163             SELECT CVE_number, severity, description, score, cvss_version, cvss_vector
164             FROM cve_severity
165             WHERE CVE_number IN ({",".join(["?"] * len(cve_list))}) AND score >= ?
166             ORDER BY CVE_number

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   Location: cve_bin_tool/helper_script.py:213
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
212         # finding out all distinct (vendor, product) pairs with the help of product_name
213         query = f"""
214         SELECT distinct vendor, product FROM cve_range

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Medium
   Location: cve_bin_tool/version_signature.py:75
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
74          datestamp = self.cursor.execute(
75              f"SELECT * FROM {self.update_table_name}"
76          ).fetchone()  # update_table_name validated in __init__

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Medium
   Location: cve_bin_tool/version_signature.py:102
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b608_hardcoded_sql_expressions.html
101         data = self.cursor.execute(
102             f"SELECT * FROM {self.table_name}"
103         ).fetchall()  # table_name validated in __init__

--------------------------------------------------

Code scanned:
        Total lines of code: 6460
        Total lines skipped (#nosec): 4

Run metrics:
        Total issues (by severity):
                Undefined: 0.0
                Low: 0.0
                Medium: 4.0
                High: 0.0
        Total issues (by confidence):
                Undefined: 0.0
                Low: 2.0
                Medium: 2.0
                High: 0.0
Files skipped (0):
```
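All four hits above are f-strings that feed SQL, and B608 is a string-shape heuristic: it cannot tell whether the interpolated piece is a placeholder count, an allowlisted identifier or caller input. The block below is an added example, not cve-bin-tool's code; the schema, the sample rows, the table allowlist and every function name are invented for the demo. It reproduces the `IN (?,?,?)` construction from cve_scanner.py, makes the table-name validation that the `validated in __init__` comments refer to explicit, and puts the genuinely unsafe shape next to them.

```python
"""Added example (not cve-bin-tool code): the two shapes of f-string SQL that
B608 reported above, with the control that makes each one acceptable, next to
the uncontrolled shape the check exists for.  Schema, rows, table allowlist
and function names are invented for the demo."""
import re
import sqlite3

# Tables the application itself defines (hypothetical). A table name cannot be
# passed as a '?' parameter, so it must be constrained *before* formatting.
KNOWN_TABLES = frozenset({"cve_severity", "cve_range"})
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_table_name(name: str) -> str:
    """Accept only a bare identifier on the allowlist; this is the check a
    'validated in __init__' comment has to stand for."""
    if not IDENT_RE.fullmatch(name) or name not in KNOWN_TABLES:
        raise ValueError(f"untrusted table name: {name!r}")
    return name


def is_safe_table(name: str) -> bool:
    try:
        validate_table_name(name)
    except ValueError:
        return False
    return True


def setup_db() -> sqlite3.Connection:
    """In-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cve_severity (cve_number TEXT, score REAL)")
    conn.executemany(
        "INSERT INTO cve_severity VALUES (?, ?)",
        [("CVE-2021-0001", 9.8), ("CVE-2021-0002", 4.3), ("CVE-2021-0003", 7.5)],
    )
    return conn


def scan(conn: sqlite3.Connection, cve_list: list, min_score: float) -> list:
    """Same shape as the cve_scanner.py hit: only the *number* of '?' markers
    is interpolated; every CVE id and the score are bound parameters, so the
    finding is a false positive and can carry a targeted nosec."""
    if not cve_list:
        return []
    placeholders = ",".join(["?"] * len(cve_list))
    query = f"SELECT cve_number FROM cve_severity WHERE cve_number IN ({placeholders}) AND score >= ? ORDER BY cve_number"  # nosec B608
    return [row[0] for row in conn.execute(query, [*cve_list, min_score])]


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    """Same shape as the version_signature.py hits, with the validation that
    the comments there refer to made explicit at the call site."""
    query = f"SELECT COUNT(*) FROM {validate_table_name(table)}"  # nosec B608
    return conn.execute(query).fetchone()[0]


def count_rows_unsafe(conn: sqlite3.Connection, table: str) -> int:
    """What B608 is actually hunting: caller text formatted straight into SQL.
    sqlite3 refuses a second statement, but a crafted suffix still rewrites
    the query (see the usage note)."""
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    db = setup_db()
    print(scan(db, ["CVE-2021-0001", "CVE-2021-0003", "CVE-2021-0002"], 5.0))
    print(count_rows(db, "cve_severity"))
    print(count_rows_unsafe(db, "cve_severity WHERE score > 100"))  # caller changed the question
    print(is_safe_table("cve_severity WHERE score > 100"))
```

Running the `__main__` block shows the three rows filtered and ordered by the bound parameters, `3` for the allowlisted table, `0` for the unsafe variant (the appended `WHERE` rewrote the query even though sqlite3 blocks a second statement), and `False` from the validator for that same string. The allowlist is the real control; the `# nosec B608` comment only records that the line was reviewed, and it has to sit on the line bandit reports (a bare `# nosec` silences every check on that line, so prefer the test-id form). Re-run bandit after adding one to confirm it is actually honoured, and keep an eye on the `Total lines skipped (#nosec)` counter in the summary so suppressions stay visible.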
Not 100% sure if this is a brilliant idea, but it would probably be helpful for us to integrate Bandit into our CI and potentially pre-commit rules to get early warning on potential security flaws.
Bandit has a number of rules that aren't "don't do this" but "make sure you do secure code review on this component", so I definitely don't want CI to fail unless we get rid of all messages from Bandit, so we'll have to be a bit clever about how we set it up. I want it to give us useful feedback but hopefully not block PRs unnecessarily, and I'm not sure what the best tuning for that is (yet).
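One way to get the "useful feedback without blocking PRs unnecessarily" behaviour described above is to run bandit with `-f json`, annotate every finding, and fail the job only on findings that clear a severity and confidence floor and are not already in a reviewed baseline. The gate below is an added example and is not cve-bin-tool's CI configuration; the thresholds are an assumed policy, the report is constructed to mirror the four B608 hits from the run in this thread plus one invented HIGH/HIGH finding in a hypothetical file, and the fingerprinting scheme is a suggestion rather than bandit's own `-b`/`--baseline` format.

```python
"""Added example, not cve-bin-tool's CI: gate a pull request on bandit's JSON
report without demanding zero findings.

Policy (an assumption for the demo): every finding becomes an annotation, but
the job fails only for findings that meet BOTH a severity floor and a
confidence floor and are not fingerprinted in a reviewed baseline.  Produce
the input with `bandit -f json -o bandit.json -r cve_bin_tool/`.
"""
import hashlib
import json
import re

RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed report in bandit's JSON layout: the four B608 hits from the run
# in this thread, plus one invented HIGH/HIGH B602 hit in a hypothetical file
# so the gate has something to block.
SAMPLE_REPORT = json.dumps({"results": [
    {"filename": "cve_bin_tool/cve_scanner.py", "line_number": 162, "test_id": "B608",
     "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "issue_text": "Possible SQL injection vector through string-based query construction.",
     "code": "161 if cve_list:\n162     query = f\"\"\"\n"},
    {"filename": "cve_bin_tool/helper_script.py", "line_number": 213, "test_id": "B608",
     "issue_severity": "MEDIUM", "issue_confidence": "LOW",
     "issue_text": "Possible SQL injection vector through string-based query construction.",
     "code": "213     query = f\"\"\"\n214     SELECT distinct vendor, product FROM cve_range\n"},
    {"filename": "cve_bin_tool/version_signature.py", "line_number": 75, "test_id": "B608",
     "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
     "issue_text": "Possible SQL injection vector through string-based query construction.",
     "code": "75     f\"SELECT * FROM {self.update_table_name}\"\n"},
    {"filename": "cve_bin_tool/version_signature.py", "line_number": 102, "test_id": "B608",
     "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
     "issue_text": "Possible SQL injection vector through string-based query construction.",
     "code": "102     f\"SELECT * FROM {self.table_name}\"\n"},
    {"filename": "cve_bin_tool/example_hypothetical.py", "line_number": 10, "test_id": "B602",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified, security issue.",
     "code": "10     subprocess.run(cmd, shell=True)\n"},
]})


def load_sample() -> dict:
    return json.loads(SAMPLE_REPORT)


def normalize_code(code: str) -> str:
    """Drop bandit's leading line numbers and indentation so a fingerprint
    survives the finding moving up or down the file."""
    return "\n".join(re.sub(r"^\s*\d+\s?", "", ln).strip()
                     for ln in code.splitlines() if ln.strip())


def fingerprint(issue: dict) -> str:
    """Stable id for a finding: file, test id and normalized snippet."""
    material = "|".join([issue["filename"], issue["test_id"], normalize_code(issue["code"])])
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def gate(report: dict, *, fail_severity: str = "HIGH", fail_confidence: str = "MEDIUM",
         baseline: frozenset = frozenset()) -> tuple:
    """Split findings into (blocking, advisory).  Baselined findings are left
    out of both: they were reviewed when the baseline was written."""
    blocking, advisory = [], []
    for issue in report["results"]:
        if fingerprint(issue) in baseline:
            continue
        meets = (RANK[issue["issue_severity"]] >= RANK[fail_severity]
                 and RANK[issue["issue_confidence"]] >= RANK[fail_confidence])
        (blocking if meets else advisory).append(issue)
    return blocking, advisory


def annotation(issue: dict, level: str) -> str:
    """GitHub Actions workflow command; the runner renders it on the PR diff."""
    return (f"::{level} file={issue['filename']},line={issue['line_number']}::"
            f"{issue['test_id']} ({issue['issue_severity']}/{issue['issue_confidence']}) "
            f"{issue['issue_text']}")


def exit_code(report: dict, **policy) -> int:
    """Print one annotation per finding; non-zero only if something blocks."""
    blocking, advisory = gate(report, **policy)
    for issue in advisory:
        print(annotation(issue, "warning"))
    for issue in blocking:
        print(annotation(issue, "error"))
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(exit_code(load_sample()))
```

With the default policy the four MEDIUM B608 hits surface as warnings and only the invented HIGH/HIGH finding fails the job; tightening the floors to MEDIUM/MEDIUM would also block the two version_signature.py hits until their fingerprints are added to the baseline after review. Fingerprinting on file, test id and the de-numbered snippet rather than on line numbers is what keeps the baseline from going stale every time unrelated lines shift.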