Integrated Cwe class and url information.

PyCQA · May 19, 2020 · 555b912 · 555b912
1 parent 961c6ec
commit 555b912
Show file tree

Hide file tree

Showing 35 changed files with 185 additions and 69 deletions.
diff --git a/bandit/core/blacklisting.py b/bandit/core/blacklisting.py
@@ -12,7 +12,7 @@
 
 def report_issue(check, name):
     return issue.Issue(
-        severity=check.get('level', 'MEDIUM'), cwe=0, confidence='HIGH',
+        severity=check.get('level', 'MEDIUM'), confidence='HIGH',
         text=check['message'].replace('{name}', name),
         ident=name, test_id=check.get("id", 'LEGACY'))
 

diff --git a/bandit/core/issue.py b/bandit/core/issue.py
@@ -14,12 +14,71 @@
 from bandit.core import constants
 
 
+class Cwe(object):
+    UNDEF = 0
+    IMPROPER_INPUT_VALIDATION = 20
+    OS_COMMAND_INJECTION = 78
+    BASIC_XSS = 80
+    SQL_INJECTION = 89
+    CODE_INJECTION = 94
+    IMPROPER_WILDCARD_NEUTRALIZATION = 155
+    HARD_CODED_PASSWORD = 259
+    IMPROPER_CERT_VALIDATION = 295
+    INADEQUATE_ENCRYPTION_STRENGH = 326
+    BROKEN_CRYPTO = 327
+    INSECURE_TEMP_FILE = 377
+    MULTIPLE_BINDS = 605
+    IMPROPER_CHECK_OF_EXEPT_COND = 703
+    INCORRECT_PERMISSION_ASSIGNMENT = 732
+
+    MITRE_URL_PATTERN = "https://cwe.mitre.org/data/definitions/%s.html"
+
+    def __init__(self, id=UNDEF):
+        self.id = id
+
+    def link(self):
+        if self.id == Cwe.UNDEF:
+            return ""
+
+        return Cwe.MITRE_URL_PATTERN % str(self.id)
+
+    def __str__(self):
+        if self.id == Cwe.UNDEF:
+            return ""
+
+        return "CWE-%i (%s)" % (self.id, self.link())
+
+    def as_dict(self):
+        return {
+            "id": self.id,
+            "link": self.link()
+        } if self.id != Cwe.UNDEF else {}
+
+    def as_jsons(self):
+        return str(self.as_dict())
+
+    def from_dict(self, data):
+        if 'id' in data:
+            self.id = int(data['id'])
+        else:
+            self.id = Cwe.UNDEF
+
+    def __eq__(self, other):
+        return self.id == other.id
+
+    def __ne__(self, other):
+        return self.id != other.id
+
+    def __hash__(self):
+        return id(self)
+
+
 class Issue(object):
-    def __init__(self, severity, cwe,
+    def __init__(self, severity, cwe=0,
                  confidence=constants.CONFIDENCE_DEFAULT,
                  text="", ident=None, lineno=None, test_id=""):
         self.severity = severity
-        self.cwe = cwe
+        self.cwe = Cwe(cwe)
         self.confidence = confidence
         if isinstance(text, bytes):
             text = text.decode('utf-8')
@@ -32,9 +91,9 @@ def __init__(self, severity, cwe,
         self.linerange = []
 
     def __str__(self):
-        return ("Issue: '%s' from %s:%s: CWE: %i, Severity: %s Confidence: "
+        return ("Issue: '%s' from %s:%s: CWE: %s, Severity: %s Confidence: "
                 "%s at %s:%i") % (self.text, self.test_id,
-                                  (self.ident or self.test), self.cwe,
+                                  (self.ident or self.test), str(self.cwe),
                                   self.severity, self.confidence, self.fname,
                                   self.lineno)
 
@@ -104,7 +163,7 @@ def as_dict(self, with_code=True):
             'test_name': self.test,
             'test_id': self.test_id,
             'issue_severity': self.severity,
-            'issue_cwe': self.cwe,
+            'issue_cwe': self.cwe.as_dict(),
             'issue_confidence': self.confidence,
             'issue_text': self.text.encode('utf-8').decode('utf-8'),
             'line_number': self.lineno,
@@ -119,7 +178,7 @@ def from_dict(self, data, with_code=True):
         self.code = data["code"]
         self.fname = data["filename"]
         self.severity = data["issue_severity"]
-        self.cwe = int(data["issue_cwe"])
+        self.cwe = cwe_from_dict(data["issue_cwe"])
         self.confidence = data["issue_confidence"]
         self.text = data["issue_text"]
         self.test = data["test_name"]
@@ -128,7 +187,13 @@ def from_dict(self, data, with_code=True):
         self.linerange = data["line_range"]
 
 
+def cwe_from_dict(data):
+    cwe = Cwe()
+    cwe.from_dict(data)
+    return cwe
+
+
 def issue_from_dict(data):
-    i = Issue(severity=data["issue_severity"], cwe=int(data["issue_cwe"]))
+    i = Issue(severity=data["issue_severity"])
     i.from_dict(data)
     return i
diff --git a/bandit/formatters/csv.py b/bandit/formatters/csv.py
@@ -68,6 +68,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
         writer.writeheader()
         for result in results:
             r = result.as_dict(with_code=False)
+            r['issue_cwe'] = r['issue_cwe']['link']
             r['more_info'] = docs_utils.get_url(r['test_id'])
             writer.writerow(r)
 

diff --git a/bandit/formatters/screen.py b/bandit/formatters/screen.py
@@ -100,8 +100,8 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
         indent, COLOR[issue.severity], issue.test_id, issue.test,
         issue.text))
 
-    bits.append("%s   Severity: %s CWE: %i Confidence: %s" % (
-        indent, issue.severity.capitalize(), issue.cwe,
+    bits.append("%s   Severity: %s CWE: %s Confidence: %s" % (
+        indent, issue.severity.capitalize(), str(issue.cwe),
         issue.confidence.capitalize()))
 
     bits.append("%s   Location: %s:%s" % (

diff --git a/bandit/formatters/text.py b/bandit/formatters/text.py
@@ -73,8 +73,8 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
     bits.append("%s>> Issue: [%s:%s] %s" % (
         indent, issue.test_id, issue.test, issue.text))
 
-    bits.append("%s   Severity: %s CWE: %i Confidence: %s" % (
-        indent, issue.severity.capitalize(), issue.cwe,
+    bits.append("%s   Severity: %s CWE: %s Confidence: %s" % (
+        indent, issue.severity.capitalize(), str(issue.cwe),
         issue.confidence.capitalize()))
 
     bits.append("%s   Location: %s:%s" % (

diff --git a/bandit/plugins/app_debug.py b/bandit/plugins/app_debug.py
@@ -40,6 +40,7 @@
 """
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -51,7 +52,7 @@ def flask_debug_true(context):
             if context.check_call_arg_value('debug', 'True'):
                 return bandit.Issue(
                     severity=bandit.HIGH,
-                    cwe=94,
+                    cwe=Cwe.CODE_INJECTION,
                     confidence=bandit.MEDIUM,
                     text="A Flask app appears to be run with debug=True, "
                          "which exposes the Werkzeug debugger and allows "

diff --git a/bandit/plugins/asserts.py b/bandit/plugins/asserts.py
@@ -41,6 +41,7 @@
 """
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -49,7 +50,7 @@
 def assert_used(context):
     return bandit.Issue(
         severity=bandit.LOW,
-        cwe=703,
+        cwe=Cwe.IMPROPER_CHECK_OF_EXEPT_COND,
         confidence=bandit.HIGH,
         text=("Use of assert detected. The enclosed code "
               "will be removed when compiling to optimised byte code.")

diff --git a/bandit/plugins/crypto_request_no_cert_validation.py b/bandit/plugins/crypto_request_no_cert_validation.py
@@ -42,6 +42,7 @@
 """
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -54,7 +55,7 @@ def request_with_no_cert_validation(context):
         if context.check_call_arg_value('verify', 'False'):
             issue = bandit.Issue(
                 severity=bandit.HIGH,
-                cwe=295,
+                cwe=Cwe.IMPROPER_CERT_VALIDATION,
                 confidence=bandit.HIGH,
                 text="Requests call with verify=False disabling SSL "
                      "certificate checks, security issue.",

diff --git a/bandit/plugins/django_sql_injection.py b/bandit/plugins/django_sql_injection.py
@@ -8,6 +8,7 @@
 import ast
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -77,7 +78,7 @@ def django_extra_used(context):
         if insecure:
             return bandit.Issue(
                 severity=bandit.MEDIUM,
-                cwe=89,
+                cwe=Cwe.SQL_INJECTION,
                 confidence=bandit.MEDIUM,
                 text=description
             )
@@ -103,7 +104,7 @@ def django_rawsql_used(context):
             if not isinstance(sql, ast.Str):
                 return bandit.Issue(
                     severity=bandit.MEDIUM,
-                    cwe=89,
+                    cwe=Cwe.SQL_INJECTION,
                     confidence=bandit.MEDIUM,
                     text=description
                 )
diff --git a/bandit/plugins/django_xss.py b/bandit/plugins/django_xss.py
@@ -9,6 +9,7 @@
 import six
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -250,7 +251,7 @@ def check_risk(node):
     if not secure:
         return bandit.Issue(
             severity=bandit.MEDIUM,
-            cwe=80,
+            cwe=Cwe.BASIC_XSS,
             confidence=bandit.HIGH,
             text=description
         )

diff --git a/bandit/plugins/exec.py b/bandit/plugins/exec.py
@@ -35,13 +35,14 @@
 import six
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
 def exec_issue():
     return bandit.Issue(
         severity=bandit.MEDIUM,
-        cwe=78,
+        cwe=Cwe.OS_COMMAND_INJECTION,
         confidence=bandit.HIGH,
         text="Use of exec detected."
     )

diff --git a/bandit/plugins/general_bad_file_permissions.py b/bandit/plugins/general_bad_file_permissions.py
@@ -50,6 +50,7 @@
 import stat
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -73,7 +74,7 @@ def set_bad_file_permissions(context):
                     filename = 'NOT PARSED'
                 return bandit.Issue(
                     severity=sev_level,
-                    cwe=78,
+                    cwe=Cwe.INCORRECT_PERMISSION_ASSIGNMENT,
                     confidence=bandit.HIGH,
                     text="Chmod setting a permissive mask %s on file (%s)." %
                     (oct(mode), filename)

diff --git a/bandit/plugins/general_bind_all_interfaces.py b/bandit/plugins/general_bind_all_interfaces.py
@@ -34,6 +34,7 @@
 """
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -43,7 +44,7 @@ def hardcoded_bind_all_interfaces(context):
     if context.string_val == '0.0.0.0':
         return bandit.Issue(
             severity=bandit.MEDIUM,
-            cwe=605,
+            cwe=Cwe.MULTIPLE_BINDS,
             confidence=bandit.MEDIUM,
             text="Possible binding to all interfaces."
         )
diff --git a/bandit/plugins/general_hardcoded_password.py b/bandit/plugins/general_hardcoded_password.py
@@ -9,6 +9,7 @@
 import sys
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -22,7 +23,7 @@
 def _report(value):
     return bandit.Issue(
         severity=bandit.LOW,
-        cwe=259,
+        cwe=Cwe.HARD_CODED_PASSWORD,
         confidence=bandit.MEDIUM,
         text=("Possible hardcoded password: '%s'" % value))
 

diff --git a/bandit/plugins/general_hardcoded_tmp.py b/bandit/plugins/general_hardcoded_tmp.py
@@ -51,6 +51,7 @@
 """
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -71,7 +72,7 @@ def hardcoded_tmp_directory(context, config):
     if any(context.string_val.startswith(s) for s in tmp_dirs):
         return bandit.Issue(
             severity=bandit.MEDIUM,
-            cwe=377,
+            cwe=Cwe.INSECURE_TEMP_FILE,
             confidence=bandit.MEDIUM,
             text="Probable insecure usage of temp file/directory."
         )
diff --git a/bandit/plugins/hashlib_new_insecure_functions.py b/bandit/plugins/hashlib_new_insecure_functions.py
@@ -31,6 +31,7 @@
 """
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -48,7 +49,7 @@ def hashlib_new(context):
                     name.lower() in ('md4', 'md5', 'sha', 'sha1')):
                 return bandit.Issue(
                     severity=bandit.MEDIUM,
-                    cwe=327,
+                    cwe=Cwe.BROKEN_CRYPTO,
                     confidence=bandit.HIGH,
                     text="Use of insecure MD4 or MD5 hash function.",
                     lineno=context.node.lineno,

diff --git a/bandit/plugins/injection_paramiko.py b/bandit/plugins/injection_paramiko.py
@@ -39,6 +39,7 @@
 """
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -51,6 +52,6 @@ def paramiko_calls(context):
         if context.is_module_imported_like(module):
             if context.call_function_name in ['exec_command']:
                 return bandit.Issue(severity=bandit.MEDIUM,
-                                    cwe=78,
+                                    cwe=Cwe.OS_COMMAND_INJECTION,
                                     confidence=bandit.MEDIUM,
                                     text=issue_text)