Updates to address docstring code scan issues, add flake8 configurati…

…on (#671) * Updates to address docstring code scan issues, add flake8 configuration Signed-off-by: asears <asears@users.noreply.github.com> * Update .flake8 Co-authored-by: Eric Brown <ericwb@users.noreply.github.com> * Shorthand SPDX license one line header Signed-off-by: asears <asears@users.noreply.github.com> * update main for single-line SPDX and remove additional comment Signed-off-by: asears <asears@users.noreply.github.com> * revert init py docstrings. Signed-off-by: asears <asears@users.noreply.github.com> * Revert headings after PR review Signed-off-by: asears <asears@users.noreply.github.com> * remove 120 character limit setting Signed-off-by: asears <asears@users.noreply.github.com> * shorten description to address 80 character limit Signed-off-by: asears <asears@users.noreply.github.com> Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
PyCQA · Dec 20, 2020 · 6a281de · 6a281de
1 parent 1122e83
commit 6a281de
Show file tree

Hide file tree

Showing 7 changed files with 59 additions and 30 deletions.
diff --git a/bandit/__main__.py b/bandit/__main__.py
@@ -1,3 +1,16 @@
 #!/usr/bin/env python
+# SPDX-License-Identifier: Apache-2.0
+"""Bandit is a tool designed to find common security issues in Python code.
+
+Bandit is a tool designed to find common security issues in Python code.
+To do this Bandit processes each file, builds an AST from it, and runs
+appropriate plugins against the AST nodes. Once Bandit has finished
+scanning all the files it generates a report.
+
+Bandit was originally developed within the OpenStack Security Project and
+later rehomed to PyCQA.
+
+https://bandit.readthedocs.io/
+"""
 from bandit.cli import main
 main.main()
diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py
@@ -3,7 +3,6 @@
 # Copyright 2016 Hewlett-Packard Development Company, L.P.
 #
 # SPDX-License-Identifier: Apache-2.0
-
 r"""
 ====================================================
 Blacklist various Python calls known to be dangerous
@@ -329,7 +328,6 @@ def gen_blacklist():
 
     :return: a dictionary mapping node types to a list of blacklist data
     """
-
     sets = []
     sets.append(utils.build_conf_dict(
         'pickle', 'B301',
@@ -346,12 +344,12 @@ def gen_blacklist():
          'shelve.DbfilenameShelf'],
         'Pickle and modules that wrap it can be unsafe when used to '
         'deserialize untrusted data, possible security issue.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'marshal', 'B302', ['marshal.load', 'marshal.loads'],
         'Deserialization with the marshal module is possibly dangerous.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'md5', 'B303',
@@ -368,7 +366,7 @@ def gen_blacklist():
          'cryptography.hazmat.primitives.hashes.MD5',
          'cryptography.hazmat.primitives.hashes.SHA1'],
         'Use of insecure MD2, MD4, MD5, or SHA1 hash function.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'ciphers', 'B304',
@@ -388,30 +386,30 @@ def gen_blacklist():
         'Use of insecure cipher {name}. Replace with a known secure'
         ' cipher such as AES.',
         'HIGH'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'cipher_modes', 'B305',
         ['cryptography.hazmat.primitives.ciphers.modes.ECB'],
         'Use of insecure cipher mode {name}.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'mktemp_q', 'B306', ['tempfile.mktemp'],
         'Use of insecure and deprecated function (mktemp).'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'eval', 'B307', ['eval'],
         'Use of possibly insecure function - consider using safer '
         'ast.literal_eval.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'mark_safe', 'B308', ['django.utils.safestring.mark_safe'],
         'Use of mark_safe() may expose cross-site scripting '
         'vulnerabilities and should be reviewed.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'httpsconnection', 'B309',
@@ -421,7 +419,7 @@ def gen_blacklist():
         'Use of HTTPSConnection on older versions of Python prior to 2.7.9 '
         'and 3.4.3 do not provide security, see '
         'https://wiki.openstack.org/wiki/OSSN/OSSN-0033'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'urllib_urlopen', 'B310',
@@ -441,7 +439,7 @@ def gen_blacklist():
          'six.moves.urllib.request.FancyURLopener'],
         'Audit url open for permitted schemes. Allowing use of file:/ or '
         'custom schemes is often unexpected.'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'random', 'B311',
@@ -454,14 +452,14 @@ def gen_blacklist():
         'Standard pseudo-random generators are not suitable for '
         'security/cryptographic purposes.',
         'LOW'
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'telnetlib', 'B312', ['telnetlib.*'],
         'Telnet-related functions are being called. Telnet is considered '
         'insecure. Use SSH or some other encrypted protocol.',
         'HIGH'
-        ))
+    ))
 
     # Most of this is based off of Christian Heimes' work on defusedxml:
     #   https://pypi.org/project/defusedxml/#defusedxml-sax
@@ -478,7 +476,7 @@ def gen_blacklist():
          'xml.etree.cElementTree.fromstring',
          'xml.etree.cElementTree.XMLParser'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_ElementTree', 'B314',
@@ -487,41 +485,41 @@ def gen_blacklist():
          'xml.etree.ElementTree.fromstring',
          'xml.etree.ElementTree.XMLParser'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_expatreader', 'B315', ['xml.sax.expatreader.create_parser'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_expatbuilder', 'B316',
         ['xml.dom.expatbuilder.parse',
          'xml.dom.expatbuilder.parseString'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_sax', 'B317',
         ['xml.sax.parse',
          'xml.sax.parseString',
          'xml.sax.make_parser'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_minidom', 'B318',
         ['xml.dom.minidom.parse',
          'xml.dom.minidom.parseString'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_pulldom', 'B319',
         ['xml.dom.pulldom.parse',
          'xml.dom.pulldom.parseString'],
         xml_msg
-        ))
+    ))
 
     sets.append(utils.build_conf_dict(
         'xml_bad_etree', 'B320',
@@ -534,7 +532,7 @@ def gen_blacklist():
         ('Using {name} to parse untrusted XML data is known to be '
          'vulnerable to XML attacks. Replace {name} with its '
          'defusedxml equivalent function.')
-        ))
+    ))
 
     # end of XML tests
 
@@ -543,7 +541,7 @@ def gen_blacklist():
         'FTP-related functions are being called. FTP is considered '
         'insecure. Use SSH/SFTP/SCP or some other encrypted protocol.',
         'HIGH'
-        ))
+    ))
 
     # skipped B322 as the check for a call to input() has been removed
 
@@ -554,14 +552,14 @@ def gen_blacklist():
         'using an insecure context via the _create_unverified_context that '
         'reverts to the previous behavior that does not validate certificates '
         'or perform hostname checks.'
-        ))
+    ))
 
     # skipped B324 (used in bandit/plugins/hashlib_new_insecure_functions.py)
 
     sets.append(utils.build_conf_dict(
         'tempnam', 'B325', ['os.tempnam', 'os.tmpnam'],
         'Use of os.tempnam() and os.tmpnam() is vulnerable to symlink '
         'attacks. Consider using tmpfile() instead.'
-        ))
+    ))
 
     return {'Call': sets}
diff --git a/bandit/blacklists/imports.py b/bandit/blacklists/imports.py
@@ -215,7 +215,6 @@
 +------+---------------------+------------------------------------+-----------+
 
 """
-
 from bandit.blacklists import utils
 
 
@@ -230,7 +229,6 @@ def gen_blacklist():
 
     :return: a dictionary mapping node types to a list of blacklist data
     """
-
     sets = []
     sets.append(utils.build_conf_dict(
         'import_telnetlib', 'B401', ['telnetlib'],

diff --git a/bandit/blacklists/utils.py b/bandit/blacklists/utils.py
@@ -3,10 +3,10 @@
 # Copyright 2016 Hewlett-Packard Development Company, L.P.
 #
 # SPDX-License-Identifier: Apache-2.0
+r"""Utils module."""
 
 
 def build_conf_dict(name, bid, qualnames, message, level='MEDIUM'):
     """Build and return a blacklist configuration dict."""
-
     return {'name': name, 'id': bid, 'message': message,
             'qualnames': qualnames, 'level': level}
diff --git a/bandit/cli/baseline.py b/bandit/cli/baseline.py
@@ -13,6 +13,9 @@
 # reports on any new findings.
 # #############################################################################
 
+"""Bandit is a tool designed to find common security issues in Python code."""
+
+
 import argparse
 import contextlib
 import logging
@@ -33,8 +36,11 @@
 report_basename = 'bandit_baseline_result'
 valid_baseline_formats = ['txt', 'html', 'json']
 
+"""baseline.py"""
+
 
 def main():
+    """Execute Bandit."""
     # our cleanup function needs this and can't be passed arguments
     global current_commit
     global repo
@@ -120,6 +126,7 @@ def main():
 # #################### Clean up before exit ###################################
 @contextlib.contextmanager
 def baseline_setup():
+    """Baseline setup by creating temp folder and resetting repo."""
     d = tempfile.mkdtemp()
     yield d
     shutil.rmtree(d, True)
@@ -130,6 +137,7 @@ def baseline_setup():
 
 # #################### Setup logging ##########################################
 def init_logger():
+    """Init logger."""
     LOG.handlers = []
     log_level = logging.INFO
     log_format_string = "[%(levelname)7s ] %(message)s"
@@ -142,6 +150,7 @@ def init_logger():
 
 # #################### Perform initialization and validate assumptions ########
 def initialize():
+    """Initialize arguments and output formats."""
     valid = True
 
     # #################### Parse Args #########################################

diff --git a/bandit/cli/config_generator.py b/bandit/cli/config_generator.py
@@ -1,6 +1,9 @@
 # Copyright 2015 Red Hat Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
+"""Bandit is a tool designed to find common security issues in Python code."""
+
+
 from __future__ import print_function
 
 import argparse
@@ -49,6 +52,7 @@
 
 
 def init_logger():
+    """Init logger."""
     LOG.handlers = []
     log_level = logging.INFO
     log_format_string = "[%(levelname)5s]: %(message)s"
@@ -60,6 +64,7 @@ def init_logger():
 
 
 def parse_args():
+    """Parse arguments."""
     help_description = """Bandit Config Generator
 
     This tool is used to generate an optional profile.  The profile may be used
@@ -100,6 +105,7 @@ def parse_args():
 
 
 def get_config_settings():
+    """Get configuration settings."""
     config = {}
     for plugin in extension_loader.MANAGER.plugins:
         fn_name = plugin.name
@@ -117,6 +123,7 @@ def get_config_settings():
 
 
 def main():
+    """Config generator to write configuration file."""
     init_logger()
     args = parse_args()
 

diff --git a/bandit/cli/main.py b/bandit/cli/main.py
@@ -3,6 +3,9 @@
 # Copyright 2014 Hewlett-Packard Development Company, L.P.
 #
 # SPDX-License-Identifier: Apache-2.0
+"""Bandit is a tool designed to find common security issues in Python code."""
+
+
 import argparse
 import fnmatch
 import logging
@@ -21,11 +24,11 @@
 
 
 def _init_logger(log_level=logging.INFO, log_format=None):
-    '''Initialize the logger
+    """Initialize the logger.
 
     :param debug: Whether to enable debug mode
     :return: An instantiated logging instance
-    '''
+    """
     LOG.handlers = []
 
     if not log_format:
@@ -120,6 +123,7 @@ def _log_info(args, profile):
 
 
 def main():
+    """Bandit CLI."""
     # bring our logging stuff up as early as possible
     debug = (logging.DEBUG if '-d' in sys.argv or '--debug' in sys.argv else
              logging.INFO)