Including CWE information

bandit/core/issue.py

@@ -14,10 +14,71 @@
 from bandit.core import constants
 
 
+class Cwe(object):
+    UNDEF = 0
+    IMPROPER_INPUT_VALIDATION = 20
+    OS_COMMAND_INJECTION = 78
+    BASIC_XSS = 80
+    SQL_INJECTION = 89
+    CODE_INJECTION = 94
+    IMPROPER_WILDCARD_NEUTRALIZATION = 155
+    HARD_CODED_PASSWORD = 259
+    IMPROPER_CERT_VALIDATION = 295
+    INADEQUATE_ENCRYPTION_STRENGH = 326
+    BROKEN_CRYPTO = 327
+    INSECURE_TEMP_FILE = 377
+    MULTIPLE_BINDS = 605
+    IMPROPER_CHECK_OF_EXEPT_COND = 703
+    INCORRECT_PERMISSION_ASSIGNMENT = 732
+
+    MITRE_URL_PATTERN = "https://cwe.mitre.org/data/definitions/%s.html"
+
+    def __init__(self, id=UNDEF):
+        self.id = id
+
+    def link(self):
+        if self.id == Cwe.UNDEF:
+            return ""
+
+        return Cwe.MITRE_URL_PATTERN % str(self.id)
+
+    def __str__(self):
+        if self.id == Cwe.UNDEF:
+            return ""
+
+        return "CWE-%i (%s)" % (self.id, self.link())
+
+    def as_dict(self):
+        return {
+            "id": self.id,
+            "link": self.link()
+        } if self.id != Cwe.UNDEF else {}
+
+    def as_jsons(self):
+        return str(self.as_dict())
+
+    def from_dict(self, data):
+        if 'id' in data:
+            self.id = int(data['id'])
+        else:
+            self.id = Cwe.UNDEF
+
+    def __eq__(self, other):
+        return self.id == other.id
+
+    def __ne__(self, other):
+        return self.id != other.id
+
+    def __hash__(self):
+        return id(self)
+
+
 class Issue(object):
-    def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT,
+    def __init__(self, severity, cwe=0,
+                 confidence=constants.CONFIDENCE_DEFAULT,
                  text="", ident=None, lineno=None, test_id=""):
         self.severity = severity
+        self.cwe = Cwe(cwe)
         self.confidence = confidence
         if isinstance(text, bytes):
             text = text.decode('utf-8')
@@ -30,16 +91,17 @@ def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT,
         self.linerange = []
 
     def __str__(self):
-        return ("Issue: '%s' from %s:%s: Severity: %s Confidence: "
+        return ("Issue: '%s' from %s:%s: CWE: %s, Severity: %s Confidence: "
                 "%s at %s:%i") % (self.text, self.test_id,
-                                  (self.ident or self.test), self.severity,
-                                  self.confidence, self.fname, self.lineno)
+                                  (self.ident or self.test), str(self.cwe),
+                                  self.severity, self.confidence, self.fname,
+                                  self.lineno)
 
     def __eq__(self, other):
         # if the issue text, severity, confidence, and filename match, it's
         # the same issue from our perspective
-        match_types = ['text', 'severity', 'confidence', 'fname', 'test',
-                       'test_id']
+        match_types = ['text', 'severity', 'cwe', 'confidence', 'fname',
+                       'test', 'test_id']
         return all(getattr(self, field) == getattr(other, field)
                    for field in match_types)
 
@@ -101,11 +163,12 @@ def as_dict(self, with_code=True):
             'test_name': self.test,
             'test_id': self.test_id,
             'issue_severity': self.severity,
+            'issue_cwe': self.cwe.as_dict(),
             'issue_confidence': self.confidence,
             'issue_text': self.text.encode('utf-8').decode('utf-8'),
             'line_number': self.lineno,
             'line_range': self.linerange,
-            }
+        }
 
         if with_code:
             out['code'] = self.get_code()
@@ -115,6 +178,7 @@ def from_dict(self, data, with_code=True):
         self.code = data["code"]
         self.fname = data["filename"]
         self.severity = data["issue_severity"]
+        self.cwe = cwe_from_dict(data["issue_cwe"])
         self.confidence = data["issue_confidence"]
         self.text = data["issue_text"]
         self.test = data["test_name"]
@@ -123,6 +187,12 @@ def from_dict(self, data, with_code=True):
         self.linerange = data["line_range"]
 
 
+def cwe_from_dict(data):
+    cwe = Cwe()
+    cwe.from_dict(data)
+    return cwe
+
+
 def issue_from_dict(data):
     i = Issue(severity=data["issue_severity"])
     i.from_dict(data)

bandit/formatters/csv.py

@@ -56,6 +56,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
                       'test_name',
                       'test_id',
                       'issue_severity',
+                      'issue_cwe',
                       'issue_confidence',
                       'issue_text',
                       'line_number',
@@ -67,6 +68,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
         writer.writeheader()
         for result in results:
             r = result.as_dict(with_code=False)
+            r['issue_cwe'] = r['issue_cwe']['link']
             r['more_info'] = docs_utils.get_url(r['test_id'])
             writer.writerow(r)
 

bandit/formatters/html.py

@@ -266,6 +266,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
     <b>{test_name}: </b> {test_text}<br>
     <b>Test ID:</b> {test_id}<br>
     <b>Severity: </b>{severity}<br>
+    <b>CWE: </b>{cwe}<br>
     <b>Confidence: </b>{confidence}<br>
     <b>File: </b><a href="{path}" target="_blank">{path}</a> <br>
     <b>More info: </b><a href="{url}" target="_blank">{url}</a><br>
@@ -360,6 +361,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
                                           test_id=issue.test_id,
                                           test_text=issue.text,
                                           severity=issue.severity,
+                                          cwe=issue.cwe,
                                           confidence=issue.confidence,
                                           path=issue.fname, code=code,
                                           candidates=candidates,

bandit/formatters/screen.py

@@ -97,10 +97,12 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
     # returns a list of lines that should be added to the existing lines list
     bits = []
     bits.append("%s%s>> Issue: [%s:%s] %s" % (
-        indent, COLOR[issue.severity], issue.test_id, issue.test, issue.text))
+        indent, COLOR[issue.severity], issue.test_id, issue.test,
+        issue.text))
 
-    bits.append("%s   Severity: %s   Confidence: %s" % (
-        indent, issue.severity.capitalize(), issue.confidence.capitalize()))
+    bits.append("%s   Severity: %s CWE: %s Confidence: %s" % (
+        indent, issue.severity.capitalize(), str(issue.cwe),
+        issue.confidence.capitalize()))
 
     bits.append("%s   Location: %s:%s" % (
         indent, issue.fname,

bandit/formatters/text.py

@@ -73,8 +73,9 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
     bits.append("%s>> Issue: [%s:%s] %s" % (
         indent, issue.test_id, issue.test, issue.text))
 
-    bits.append("%s   Severity: %s   Confidence: %s" % (
-        indent, issue.severity.capitalize(), issue.confidence.capitalize()))
+    bits.append("%s   Severity: %s CWE: %s Confidence: %s" % (
+        indent, issue.severity.capitalize(), str(issue.cwe),
+        issue.confidence.capitalize()))
 
     bits.append("%s   Location: %s:%s" % (
         indent, issue.fname, issue.lineno if show_lineno else ""))

bandit/formatters/xml.py

@@ -60,9 +60,11 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
         testcase = ET.SubElement(root, 'testcase',
                                  classname=issue.fname, name=test)
 
-        text = 'Test ID: %s Severity: %s Confidence: %s\n%s\nLocation %s:%s'
-        text = text % (issue.test_id, issue.severity, issue.confidence,
-                       issue.text, issue.fname, issue.lineno)
+        text = 'Test ID: %s Severity: %s CWE: %s ' \
+               'Confidence: %s\n%s\nLocation %s:%s'
+        text = text % (issue.test_id, issue.severity, issue.cwe,
+                       issue.confidence, issue.text, issue.fname,
+                       issue.lineno)
         ET.SubElement(testcase, 'error',
                       more_info=docs_utils.get_url(issue.test_id),
                       type=issue.severity,

bandit/plugins/app_debug.py

@@ -40,6 +40,7 @@
 """
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -51,6 +52,7 @@ def flask_debug_true(context):
             if context.check_call_arg_value('debug', 'True'):
                 return bandit.Issue(
                     severity=bandit.HIGH,
+                    cwe=Cwe.CODE_INJECTION,
                     confidence=bandit.MEDIUM,
                     text="A Flask app appears to be run with debug=True, "
                          "which exposes the Werkzeug debugger and allows "

bandit/plugins/asserts.py

@@ -41,6 +41,7 @@
 """
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -49,6 +50,7 @@
 def assert_used(context):
     return bandit.Issue(
         severity=bandit.LOW,
+        cwe=Cwe.IMPROPER_CHECK_OF_EXEPT_COND,
         confidence=bandit.HIGH,
         text=("Use of assert detected. The enclosed code "
               "will be removed when compiling to optimised byte code.")

bandit/plugins/crypto_request_no_cert_validation.py

@@ -42,6 +42,7 @@
 """
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -54,6 +55,7 @@ def request_with_no_cert_validation(context):
         if context.check_call_arg_value('verify', 'False'):
             issue = bandit.Issue(
                 severity=bandit.HIGH,
+                cwe=Cwe.IMPROPER_CERT_VALIDATION,
                 confidence=bandit.HIGH,
                 text="Requests call with verify=False disabling SSL "
                      "certificate checks, security issue.",

bandit/plugins/django_sql_injection.py

@@ -8,6 +8,7 @@
 import ast
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -77,6 +78,7 @@ def django_extra_used(context):
         if insecure:
             return bandit.Issue(
                 severity=bandit.MEDIUM,
+                cwe=Cwe.SQL_INJECTION,
                 confidence=bandit.MEDIUM,
                 text=description
             )
@@ -102,6 +104,7 @@ def django_rawsql_used(context):
             if not isinstance(sql, ast.Str):
                 return bandit.Issue(
                     severity=bandit.MEDIUM,
+                    cwe=Cwe.SQL_INJECTION,
                     confidence=bandit.MEDIUM,
                     text=description
                 )

bandit/plugins/django_xss.py

@@ -9,6 +9,7 @@
 import six
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -250,6 +251,7 @@ def check_risk(node):
     if not secure:
         return bandit.Issue(
             severity=bandit.MEDIUM,
+            cwe=Cwe.BASIC_XSS,
             confidence=bandit.HIGH,
             text=description
         )

bandit/plugins/exec.py

@@ -35,12 +35,14 @@
 import six
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
 def exec_issue():
     return bandit.Issue(
         severity=bandit.MEDIUM,
+        cwe=Cwe.OS_COMMAND_INJECTION,
         confidence=bandit.HIGH,
         text="Use of exec detected."
     )

bandit/plugins/general_bad_file_permissions.py

@@ -50,6 +50,7 @@
 import stat
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -73,6 +74,7 @@ def set_bad_file_permissions(context):
                     filename = 'NOT PARSED'
                 return bandit.Issue(
                     severity=sev_level,
+                    cwe=Cwe.INCORRECT_PERMISSION_ASSIGNMENT,
                     confidence=bandit.HIGH,
                     text="Chmod setting a permissive mask %s on file (%s)." %
                     (oct(mode), filename)

bandit/plugins/general_bind_all_interfaces.py

@@ -34,6 +34,7 @@
 """
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -43,6 +44,7 @@ def hardcoded_bind_all_interfaces(context):
     if context.string_val == '0.0.0.0':
         return bandit.Issue(
             severity=bandit.MEDIUM,
+            cwe=Cwe.MULTIPLE_BINDS,
             confidence=bandit.MEDIUM,
             text="Possible binding to all interfaces."
         )

bandit/plugins/general_hardcoded_password.py

@@ -9,6 +9,7 @@
 import sys
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -22,6 +23,7 @@
 def _report(value):
     return bandit.Issue(
         severity=bandit.LOW,
+        cwe=Cwe.HARD_CODED_PASSWORD,
         confidence=bandit.MEDIUM,
         text=("Possible hardcoded password: '%s'" % value))
 

bandit/plugins/general_hardcoded_tmp.py

@@ -51,6 +51,7 @@
 """
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -71,6 +72,7 @@ def hardcoded_tmp_directory(context, config):
     if any(context.string_val.startswith(s) for s in tmp_dirs):
         return bandit.Issue(
             severity=bandit.MEDIUM,
+            cwe=Cwe.INSECURE_TEMP_FILE,
             confidence=bandit.MEDIUM,
             text="Probable insecure usage of temp file/directory."
         )

bandit/plugins/hashlib_new_insecure_functions.py

@@ -31,6 +31,7 @@
 """
 
 import bandit
+from bandit.core.issue import Cwe as Cwe
 from bandit.core import test_properties as test
 
 
@@ -48,6 +49,7 @@ def hashlib_new(context):
                     name.lower() in ('md4', 'md5', 'sha', 'sha1')):
                 return bandit.Issue(
                     severity=bandit.MEDIUM,
+                    cwe=Cwe.BROKEN_CRYPTO,
                     confidence=bandit.HIGH,
                     text="Use of insecure MD4 or MD5 hash function.",
                     lineno=context.node.lineno,