bandit v1.7.5 releases: find common security issues in Python code

Overview

Bandit is a tool designed to find common security issues in Python code. To do this Bandit processes each file builds an AST from it and runs appropriate plugins against the AST nodes. Once Bandit has finished scanning all the files it generates a report.

Bandit was originally developed within the OpenStack Security Project and later rehomed to PyCQA.

Changelog v1.7.5

• • Add an example screen shot of Bandit to README by @ericwb in #847
  • Bad link to screen shot by @ericwb in #848
  • Use a constant for weak hashes by @ericwb in #850
  • Group location line with code output by @ericwb in #822
  • Fix line range using Python 3.8 end_lineno by @ericwb in #821
  • Add classifier to indicate Py3 only by @ericwb in #853
  • Removal of blacklist call B309 httpsconnection by @ericwb in #858
  • Remove blacklist call check for os.tempnam by @ericwb in #859
  • Indiciate hash type in message by @ericwb in #860
  • Add the httpx module check for verify by @ericwb in #861
  • Add doc for hashlib plugin by @ericwb in #862
  • Make use of rich for progress bar by @ericwb in #863
  • Replace toml with tomli by @mkniewallner in #829
  • Fix up B109 and B111 removed plugins docs by @ericwb in #864
  • add check for “requests” calls without timeout by @mschfh in #743
  • Fix for build breaks in format job by @ericwb in #869
  • Add license and contributing links to docs by @ericwb in #867
  • Remove redundant word Bandit in titles of sections by @ericwb in #873
  • Add request for feedback via 👍 by @ericwb in #871
  • Add a Discord link to the docs by @ericwb in #870
  • Adding logging.config.listen() plugin with examples by @raj3shp in #874
  • Removal of ghugo by @ericwb in #881
  • Remove redundant pip line by @ericwb in #884
  • Corrected documentation on configuration by @a-takahashi223 in #868
  • Start testing against Python 3.11 by @mkniewallner in #887
  • Add myself to sponsor list by @ericwb in #885
  • Add Discord link to README by @ericwb in #875
  • Update action versions in Actions workflows (#890) by @mportesdev in #893
  • Add dependency review action by @ericwb in #891
  • Fix an unclosed tag in HTML formatter by @mportesdev in #896

• ‘Test plugin listing’ in docs incorrectly pointing B612 to plugin ref of B102 by @rajaramsrn in #897
• Make small fixes in docs by @mportesdev in #899
• Specify semver range for Python 3.11 by @mportesdev in #901
• Add another bad example of yaml load by @ericwb in #905
• Add releases link in “Version control integration” by @travisjungroth in #909
• Update version of dependency-review-action by @mportesdev in #911
• Avoid redundant message if debug on by @ericwb in #913
• Remove invalid checking on hashlib by @ericwb in #914
• Add some missing curve types by @ericwb in #920
• add jsonpickle deserialization blacklist by @SugarP1g in #707
• Fix reading the number argument from config file by @KAUTH in #923
• Add end_col_offset if available by @ericwb in #851
• Enhancement Proposal: Plugin “assert_used” config-skip snippet by @marianomartinelli in #695
• Blacklist pandas read_pickle and add functional test for it by @jaspersival in #710
• Docs for request without timeout has dead link by @ericwb in #925
• Add case for global exec by @tonybaloney in #570
• Fix a false positive condition yaml_load by @ericwb in #927
• Fix issue #453 jinja2 template select_autoescape when using jinja2.select_autoescape by @kinow in #454
• Adding tarfile.extractall() plugin with examples by @yilmi in #549
• Check for deprecated TLS 1.1 by @ericwb in #928
• weak_cryptographic_key assumes positional arg by @ericwb in #930
• Fix filename of B202 in docs by @mportesdev in #932
• Remove python 2 reference in docs by @ericwb in #933
• Pass correct number of arguments to match the %s placeholders. by @mportesdev in #934
• Fixup some invalid pickle testing by @ericwb in #924
• Fix json and yaml formatters to respect num lines by @ericwb in #929
• Fix AttributeError on detect of tuple assign condition by @ericwb in #931
• [docs] Mention exclude_dirs option available in TOML and YAML by @bittner in #876
• Typo fix by @PermanAtayev in #945
• remove py2 exec example in docs by @clavedeluna in #947
• Add official Python 3.11 support by @ericwb in #964
• DOC: Add explanation on how to use pre-commit with config file by @phofl in #968
• Fix breaking build due to new tox by @ericwb in #983
• Correct build status badge in README by @gliptak in #980
• Improve detecting SQL injections in f-strings by @kfrydel in #917
• Improve handling nosec for multi-line strings by @kfrydel in #915
• Check for github action updates monthly by @jlosito in #989
• Added a bit more project_urls by @KOLANICH in #985

Installation

virtualenv bandit-env (optional)
pip install bandit

# Or if you’re working with a Python 3 project

pip3 install bandit

Configuration

Bandit is designed to be configurable and cover a wide range of needs, it may be used as either a local developer utility or as part of a full CI/CD pipeline. To provide for these various usage scenarios bandit can be configured via a YAML file. This file is completely optional and in many cases not needed, it may be specified on the command line by using -c.

A bandit configuration file may choose the specific test plugins to run and override the default configurations of those tests. An example config might look like the following:

### profile may optionally select or skip tests



# (optional) list included tests here:

tests: ['B201', 'B301']



# (optional) list skipped tests here:

skips: ['B101', 'B601']



### override settings - used to set settings for plugins to non-default values



any_other_function_with_shell_equals_true:

  no_shell: [os.execl, os.execle, os.execlp, os.execlpe, os.execv, os.execve,

    os.execvp, os.execvpe, os.spawnl, os.spawnle, os.spawnlp, os.spawnlpe,

    os.spawnv, os.spawnve, os.spawnvp, os.spawnvpe, os.startfile]

  shell: [os.system, os.popen, os.popen2, os.popen3, os.popen4,

    popen2.popen2, popen2.popen3, popen2.popen4, popen2.Popen3,

    popen2.Popen4, commands.getoutput,  commands.getstatusoutput]

  subprocess: [subprocess.Popen, subprocess.call, subprocess.check_call,

    subprocess.check_output]

If you require several sets of tests for specific tasks, then you should create several config files and pick from them using -c. If you only wish to control the specific tests that are to be run (and not their parameters) then using -s or  -t on the command line may be more appropriate.