PyCQA · ericwb · Jan 30, 2022 · May 13, 2020 · May 19, 2020 · May 19, 2020
diff --git a/bandit/core/blacklisting.py b/bandit/core/blacklisting.py
@@ -5,6 +5,7 @@
 import ast
 import fnmatch
 
+from bandit.core import cwemap
 from bandit.core import issue
 
 
@@ -13,6 +14,7 @@ def report_issue(check, name):
         severity=check.get("level", "MEDIUM"),
         confidence="HIGH",
         text=check["message"].replace("{name}", name),
+        cwe=cwemap.CWEMAP[check.get("id", "LEGACY")],
         ident=name,
         test_id=check.get("id", "LEGACY"),
     )

diff --git a/bandit/core/cwemap.py b/bandit/core/cwemap.py
@@ -0,0 +1,79 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+from bandit.core import issue
+
+CWEMAP = {
+    "B000": issue.Cwe.NOTSET,
+    "LEGACY": issue.Cwe.NOTSET,
+    # Plugins
+    "B101": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
+    "B102": issue.Cwe.OS_COMMAND_INJECTION,
+    "B103": issue.Cwe.INCORRECT_PERMISSION_ASSIGNMENT,
+    "B104": issue.Cwe.MULTIPLE_BINDS,
+    "B105": issue.Cwe.HARD_CODED_PASSWORD,
+    "B108": issue.Cwe.INSECURE_TEMP_FILE,
+    "B110": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
+    "B112": issue.Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
+    "B201": issue.Cwe.CODE_INJECTION,
+    "B324": issue.Cwe.BROKEN_CRYPTO,
+    "B501": issue.Cwe.IMPROPER_CERT_VALIDATION,
+    "B502": issue.Cwe.BROKEN_CRYPTO,
+    "B503": issue.Cwe.BROKEN_CRYPTO,
+    "B504": issue.Cwe.BROKEN_CRYPTO,
+    "B505": issue.Cwe.INADEQUATE_ENCRYPTION_STRENGTH,
+    "B506": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B507": issue.Cwe.IMPROPER_CERT_VALIDATION,
+    "B601": issue.Cwe.OS_COMMAND_INJECTION,
+    "B602": issue.Cwe.OS_COMMAND_INJECTION,
+    "B603": issue.Cwe.OS_COMMAND_INJECTION,
+    "B604": issue.Cwe.OS_COMMAND_INJECTION,
+    "B605": issue.Cwe.OS_COMMAND_INJECTION,
+    "B606": issue.Cwe.OS_COMMAND_INJECTION,
+    "B607": issue.Cwe.OS_COMMAND_INJECTION,
+    "B608": issue.Cwe.SQL_INJECTION,
+    "B609": issue.Cwe.IMPROPER_WILDCARD_NEUTRALIZATION,
+    "B611": issue.Cwe.SQL_INJECTION,
+    "B701": issue.Cwe.CODE_INJECTION,
+    "B702": issue.Cwe.BASIC_XSS,
+    "B703": issue.Cwe.BASIC_XSS,
+    # Calls
+    "B301": issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
+    "B302": issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
+    "B303": issue.Cwe.BROKEN_CRYPTO,
+    "B304": issue.Cwe.BROKEN_CRYPTO,
+    "B305": issue.Cwe.BROKEN_CRYPTO,
+    "B306": issue.Cwe.INSECURE_TEMP_FILE,
+    "B307": issue.Cwe.OS_COMMAND_INJECTION,
+    "B308": issue.Cwe.XSS,
+    "B309": issue.Cwe.CLEARTEXT_TRANSMISSION,
+    "B310": issue.Cwe.PATH_TRAVERSAL,
+    "B311": issue.Cwe.INSUFFICIENT_RANDOM_VALUES,
+    "B312": issue.Cwe.CLEARTEXT_TRANSMISSION,
+    "B313": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B314": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B315": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B316": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B317": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B318": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B319": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B320": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B321": issue.Cwe.CLEARTEXT_TRANSMISSION,
+    "B322": issue.Cwe.OS_COMMAND_INJECTION,
+    "B323": issue.Cwe.IMPROPER_CERT_VALIDATION,
+    "B325": issue.Cwe.INSECURE_TEMP_FILE,
+    # Imports
+    "B401": issue.Cwe.CLEARTEXT_TRANSMISSION,
+    "B402": issue.Cwe.CLEARTEXT_TRANSMISSION,
+    "B403": issue.Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
+    "B404": issue.Cwe.OS_COMMAND_INJECTION,
+    "B405": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B406": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B407": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B408": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B409": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B410": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B411": issue.Cwe.IMPROPER_INPUT_VALIDATION,
+    "B412": issue.Cwe.IMPROPER_ACCESS_CONTROL,
+    "B413": issue.Cwe.BROKEN_CRYPTO,
+    "B414": issue.Cwe.BROKEN_CRYPTO,
+}
diff --git a/bandit/core/issue.py b/bandit/core/issue.py
@@ -7,10 +7,77 @@
 from bandit.core import constants
 
 
+class Cwe:
+    NOTSET = 0
+    IMPROPER_INPUT_VALIDATION = 20
+    PATH_TRAVERSAL = 22
+    OS_COMMAND_INJECTION = 78
+    XSS = 79
+    BASIC_XSS = 80
+    SQL_INJECTION = 89
+    CODE_INJECTION = 94
+    IMPROPER_WILDCARD_NEUTRALIZATION = 155
+    HARD_CODED_PASSWORD = 259
+    IMPROPER_ACCESS_CONTROL = 284
+    IMPROPER_CERT_VALIDATION = 295
+    CLEARTEXT_TRANSMISSION = 319
+    INADEQUATE_ENCRYPTION_STRENGTH = 326
+    BROKEN_CRYPTO = 327
+    INSUFFICIENT_RANDOM_VALUES = 330
+    INSECURE_TEMP_FILE = 377
+    DESERIALIZATION_OF_UNTRUSTED_DATA = 502
+    MULTIPLE_BINDS = 605
+    IMPROPER_CHECK_OF_EXCEPT_COND = 703
+    INCORRECT_PERMISSION_ASSIGNMENT = 732
+
+    MITRE_URL_PATTERN = "https://cwe.mitre.org/data/definitions/%s.html"
+
+    def __init__(self, id=NOTSET):
+        self.id = id
+
+    def link(self):
+        if self.id == Cwe.NOTSET:
+            return ""
+
+        return Cwe.MITRE_URL_PATTERN % str(self.id)
+
+    def __str__(self):
+        if self.id == Cwe.NOTSET:
+            return ""
+
+        return "CWE-%i (%s)" % (self.id, self.link())
+
+    def as_dict(self):
+        return (
+            {"id": self.id, "link": self.link()}
+            if self.id != Cwe.NOTSET
+            else {}
+        )
+
+    def as_jsons(self):
+        return str(self.as_dict())
+
+    def from_dict(self, data):
+        if "id" in data:
+            self.id = int(data["id"])
+        else:
+            self.id = Cwe.NOTSET
+
+    def __eq__(self, other):
+        return self.id == other.id
+
+    def __ne__(self, other):
+        return self.id != other.id
+
+    def __hash__(self):
+        return id(self)
+
+
 class Issue:
     def __init__(
         self,
         severity,
+        cwe=0,
         confidence=constants.CONFIDENCE_DEFAULT,
         text="",
         ident=None,
@@ -19,6 +86,7 @@ def __init__(
         col_offset=0,
     ):
         self.severity = severity
+        self.cwe = Cwe(cwe)
         self.confidence = confidence
         if isinstance(text, bytes):
             text = text.decode("utf-8")
@@ -33,11 +101,13 @@ def __init__(
 
     def __str__(self):
         return (
-            "Issue: '%s' from %s:%s: Severity: %s Confidence: " "%s at %s:%i"
+            "Issue: '%s' from %s:%s: CWE: %s, Severity: %s Confidence: "
+            "%s at %s:%i"
         ) % (
             self.text,
             self.test_id,
             (self.ident or self.test),
+            str(self.cwe),
             self.severity,
             self.confidence,
             self.fname,
@@ -50,6 +120,7 @@ def __eq__(self, other):
         match_types = [
             "text",
             "severity",
+            "cwe",
             "confidence",
             "fname",
             "test",
@@ -119,6 +190,7 @@ def as_dict(self, with_code=True):
             "test_name": self.test,
             "test_id": self.test_id,
             "issue_severity": self.severity,
+            "issue_cwe": self.cwe.as_dict(),
             "issue_confidence": self.confidence,
             "issue_text": self.text.encode("utf-8").decode("utf-8"),
             "line_number": self.lineno,
@@ -134,6 +206,7 @@ def from_dict(self, data, with_code=True):
         self.code = data["code"]
         self.fname = data["filename"]
         self.severity = data["issue_severity"]
+        self.cwe = cwe_from_dict(data["issue_cwe"])
         self.confidence = data["issue_confidence"]
         self.text = data["issue_text"]
         self.test = data["test_name"]
@@ -143,6 +216,12 @@ def from_dict(self, data, with_code=True):
         self.col_offset = data.get("col_offset", 0)
 
 
+def cwe_from_dict(data):
+    cwe = Cwe()
+    cwe.from_dict(data)
+    return cwe
+
+
 def issue_from_dict(data):
     i = Issue(severity=data["issue_severity"])
     i.from_dict(data)

diff --git a/bandit/formatters/csv.py b/bandit/formatters/csv.py
@@ -54,6 +54,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
             "test_name",
             "test_id",
             "issue_severity",
+            "issue_cwe",
             "issue_confidence",
             "issue_text",
             "line_number",
@@ -68,6 +69,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
         writer.writeheader()
         for result in results:
             r = result.as_dict(with_code=False)
+            r["issue_cwe"] = r["issue_cwe"]["link"]
             r["more_info"] = docs_utils.get_url(r["test_id"])
             writer.writerow(r)
 

diff --git a/bandit/formatters/html.py b/bandit/formatters/html.py
@@ -258,6 +258,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
     <b>{test_name}: </b> {test_text}<br>
     <b>Test ID:</b> {test_id}<br>
     <b>Severity: </b>{severity}<br>
+    <b>CWE: </b>{cwe}<br>
     <b>Confidence: </b>{confidence}<br>
     <b>File: </b><a href="{path}" target="_blank">{path}</a> <br>
     <b>Line number: </b>{line_number}<br>
@@ -357,6 +358,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
             test_id=issue.test_id,
             test_text=issue.text,
             severity=issue.severity,
+            cwe=issue.cwe,
             confidence=issue.confidence,
             path=issue.fname,
             code=code,

diff --git a/bandit/formatters/screen.py b/bandit/formatters/screen.py
@@ -111,8 +111,13 @@ def _output_issue_str(
     )
 
     bits.append(
-        "%s   Severity: %s   Confidence: %s"
-        % (indent, issue.severity.capitalize(), issue.confidence.capitalize())
+        "%s   Severity: %s CWE: %s Confidence: %s"
+        % (
+            indent,
+            issue.severity.capitalize(),
+            str(issue.cwe),
+            issue.confidence.capitalize(),
+        )
     )
 
     bits.append(

diff --git a/bandit/formatters/text.py b/bandit/formatters/text.py
@@ -79,8 +79,13 @@ def _output_issue_str(
     )
 
     bits.append(
-        "%s   Severity: %s   Confidence: %s"
-        % (indent, issue.severity.capitalize(), issue.confidence.capitalize())
+        "%s   Severity: %s CWE: %s Confidence: %s"
+        % (
+            indent,
+            issue.severity.capitalize(),
+            str(issue.cwe),
+            issue.confidence.capitalize(),
+        )
     )
 
     bits.append(

diff --git a/bandit/formatters/xml.py b/bandit/formatters/xml.py
@@ -55,10 +55,14 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
             root, "testcase", classname=issue.fname, name=test
         )
 
-        text = "Test ID: %s Severity: %s Confidence: %s\n%s\nLocation %s:%s"
+        text = (
+            "Test ID: %s Severity: %s CWE: %s Confidence: %s\n%s\n"
+            "Location %s:%s"
+        )
         text = text % (
             issue.test_id,
             issue.severity,
+            issue.cwe,
             issue.confidence,
             issue.text,
             issue.fname,

diff --git a/bandit/plugins/app_debug.py b/bandit/plugins/app_debug.py
@@ -37,6 +37,7 @@
 
 """  # noqa: E501
 import bandit
+from bandit.core import cwemap
 from bandit.core import test_properties as test
 
 
@@ -48,6 +49,7 @@ def flask_debug_true(context):
             if context.check_call_arg_value("debug", "True"):
                 return bandit.Issue(
                     severity=bandit.HIGH,
+                    cwe=cwemap.CWEMAP["B201"],
                     confidence=bandit.MEDIUM,
                     text="A Flask app appears to be run with debug=True, "
                     "which exposes the Werkzeug debugger and allows "

diff --git a/bandit/plugins/asserts.py b/bandit/plugins/asserts.py
@@ -50,6 +50,7 @@
 import fnmatch
 
 import bandit
+from bandit.core import cwemap
 from bandit.core import test_properties as test
 
 
@@ -68,6 +69,7 @@ def assert_used(context, config):
 
     return bandit.Issue(
         severity=bandit.LOW,
+        cwe=cwemap.CWEMAP["B101"],
         confidence=bandit.HIGH,
         text=(
             "Use of assert detected. The enclosed code "

diff --git a/bandit/plugins/crypto_request_no_cert_validation.py b/bandit/plugins/crypto_request_no_cert_validation.py
@@ -39,6 +39,7 @@
 
 """
 import bandit
+from bandit.core import cwemap
 from bandit.core import test_properties as test
 
 
@@ -53,6 +54,7 @@ def request_with_no_cert_validation(context):
         if context.check_call_arg_value("verify", "False"):
             issue = bandit.Issue(
                 severity=bandit.HIGH,
+                cwe=cwemap.CWEMAP["B501"],
                 confidence=bandit.HIGH,
                 text="Requests call with verify=False disabling SSL "
                 "certificate checks, security issue.",

diff --git a/bandit/plugins/django_sql_injection.py b/bandit/plugins/django_sql_injection.py
@@ -5,6 +5,7 @@
 import ast
 
 import bandit
+from bandit.core import cwemap
 from bandit.core import test_properties as test
 
 
@@ -74,6 +75,7 @@ def django_extra_used(context):
         if insecure:
             return bandit.Issue(
                 severity=bandit.MEDIUM,
+                cwe=cwemap.CWEMAP["B611"],
                 confidence=bandit.MEDIUM,
                 text=description,
             )
@@ -99,6 +101,7 @@ def django_rawsql_used(context):
             if not isinstance(sql, ast.Str):
                 return bandit.Issue(
                     severity=bandit.MEDIUM,
+                    cwe=cwemap.CWEMAP["B611"],
                     confidence=bandit.MEDIUM,
                     text=description,
                 )