
Add a configuration option to prohibit # nosec without specific error codes #888

Open
mkniewallner opened this issue Apr 24, 2022 · 1 comment
Labels
enhancement New feature or request

Comments

@mkniewallner
Contributor

Is your feature request related to a problem? Please describe.
Now that bandit supports a way to only ignore specific error codes when using # nosec (#597), it could be nice to have a configuration option to disable usages of # nosec without specific error codes from a codebase entirely, in order to ensure that specific error codes are always used.

Today, it is not possible to enforce that, making it hard to make all developers respect this rule on large codebases.

Describe the solution you'd like
mypy recently implemented that in python/mypy#11633 (documentation is here), to give you an idea of what this could look like.

The feature could be implemented by adding a new boolean option disallow-broad-nosec (or any better name) that would default to False.

If set to True, then bandit would look for any # nosec comment that doesn't specify any error code.
So:

  • # nosec would throw an error
  • # nosec: B101 or # nosec: B101 B102 would not

The error itself could re-use the same template as already exists for other tests.
Though as the error is kind of a "meta-error", this could go under a specific range of errors ranging from B001 to B099, which could also be helpful if other "meta-errors" are added in the future (for instance, another error code to throw if a specific error code is used for # nosec, but is in the end not needed, to warn the user about it).

So this is what it could look like, for instance:

Test results:
>> Issue: [B001:nosec_without_error_code] # nosec comment used without specifying error code
   Severity: High   Confidence: High
   Location: foo/bar.py:1:1
   More Info: https://bandit.readthedocs.io/en/X.X.X/plugins/b001_nosec_without_error_code.html

Describe alternatives you've considered
Instead of re-using existing template for error codes that are directly related to security issues, we could also have a dedicated template, to clearly separate "meta" errors like those and security ones, though a too broad # nosec comment could also be considered a security issue, depending on how we see it.

Additional context
If you feel like this feature could be useful, I'd be happy to try working on an implementation (though we would need to decide early or after a first draft if we re-use the existing error template, or handle the error in a different way).

Love this idea? Give it a 👍. We prioritize fulfilling features with the most 👍.

@mkniewallner mkniewallner added the enhancement New feature or request label Apr 24, 2022
@cleder

cleder commented Jul 14, 2023

Taking this a step further, I'd also like to see lines that are annotated with # nosec BXXX to be reported if the specified error is not raised.
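Both checks discussed in this thread (flagging a broad `# nosec` with no test ID, and flagging a `# nosec BXXX` whose ID the scanner would never have raised on that line) can be prototyped outside bandit as a standalone pre-commit style script. The block below is an added example written for this page; it is not bandit's code and does not use bandit's internal comment parser. The regex is an approximation of the `# nosec`, `# nosec B101` and `# nosec: B101, B102` forms, the `SAMPLE` source and `SAMPLE_FINDINGS` (what a scan would have reported per line before suppression) are constructed inputs, and the meta-error IDs `B001` (from the issue) and `B002` (assumed here) are hypothetical.

```python
from __future__ import annotations

import io
import re
import tokenize
from dataclasses import dataclass

# Approximation of bandit's nosec comment syntax (assumption, not bandit's own parser):
# "# nosec", "#nosec", "# nosec B101", "# nosec: B101, B102". Codes are optional.
NOSEC_RE = re.compile(r"#\s*nosec\b\s*:?\s*(?P<codes>(?:B\d{3}[\s,]*)*)", re.IGNORECASE)
CODE_RE = re.compile(r"B\d{3}", re.IGNORECASE)


@dataclass(frozen=True)
class NosecAnnotation:
    line: int
    codes: frozenset[str]  # empty set means a broad "# nosec" with no test ID


def find_nosec_annotations(source: str) -> list[NosecAnnotation]:
    """Walk the token stream so a '# nosec' inside a string literal is not counted."""
    annotations: list[NosecAnnotation] = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue
        match = NOSEC_RE.search(tok.string)
        if match is None:
            continue
        codes = frozenset(c.upper() for c in CODE_RE.findall(match.group("codes")))
        annotations.append(NosecAnnotation(line=tok.start[0], codes=codes))
    return annotations


def broad_nosec_lines(source: str) -> list[int]:
    """Lines carrying '# nosec' without any test ID (what the issue wants to forbid)."""
    return [a.line for a in find_nosec_annotations(source) if not a.codes]


def unused_nosec_codes(source: str, findings: dict[int, set[str]]) -> list[tuple[int, str]]:
    """Test IDs named in a '# nosec' that the scanner would not have raised on that line.

    `findings` maps a line number to the test IDs reported there before suppression
    (constructed for this example; a real tool would take them from the scanner).
    """
    unused: list[tuple[int, str]] = []
    for a in find_nosec_annotations(source):
        reported = findings.get(a.line, set())
        for code in sorted(a.codes - reported):
            unused.append((a.line, code))
    return unused


def report(source: str, findings: dict[int, set[str]], path: str = "foo/bar.py") -> list[str]:
    """Render both meta-errors in the '>> Issue: [ID:name]' style the issue proposes."""
    lines = []
    for line in broad_nosec_lines(source):
        lines.append(f">> Issue: [B001:nosec_without_error_code] # nosec comment used "
                     f"without specifying error code ({path}:{line})")
    for line, code in unused_nosec_codes(source, findings):
        lines.append(f">> Issue: [B002:nosec_unused_error_code] # nosec lists {code} "
                     f"but {code} is not raised on this line ({path}:{line})")
    return lines


# Constructed sample input: three annotations plus a decoy inside a string literal.
SAMPLE = '''\
import subprocess
assert x  # nosec
subprocess.call(cmd, shell=True)  # nosec: B602
pickle.loads(data)  # nosec B301, B403
s = "# nosec in a string literal must not count"
'''

# Constructed: what a scan of SAMPLE would have reported per line without any suppression.
SAMPLE_FINDINGS: dict[int, set[str]] = {2: {"B101"}, 3: {"B602"}, 4: {"B301"}}

if __name__ == "__main__":
    for msg in report(SAMPLE, SAMPLE_FINDINGS):
        print(msg)
```

Running the script prints one B001 line for the bare `# nosec` on line 2 and one B002 line for `B403` on line 4, while the `# nosec` inside the string on line 5 is ignored because it is never a COMMENT token. Exiting non-zero when `report()` returns anything is all that is needed to turn this into a CI gate.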
