
Comments (3)

Grokzen avatar Grokzen commented on June 20, 2024
(bandit) ➜  subgit git:(master) ✗   bandit subgit/ -r
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.10.12
Run started:2024-01-04 21:49:26.530119

Test results:
        No issues identified.

Code scanned:
        Total lines of code: 1162
        Total lines skipped (#nosec): 8

Run metrics:
        Total issues (by severity):
                Undefined: 0
                Low: 0
                Medium: 0
                High: 0
        Total issues (by confidence):
                Undefined: 0
                Low: 0
                Medium: 0
                High: 0
Files skipped (0):


holmboe avatar holmboe commented on June 20, 2024

@Grokzen could you go a little bit further on this to add more context? Add a comment in the ticket on what the Bandit result was before the exclusions were added.

Perhaps even use the more explicit #nosec Xnnn in the code? See https://bandit.readthedocs.io/en/latest/config.html#exclusions for examples.


Grokzen avatar Grokzen commented on June 20, 2024

This is the Bandit log before the exclusions were added in:

Run started:2024-01-11 10:04:16.004581

Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: subgit/core.py:11:0
10	from pathlib import Path
11	from subprocess import PIPE, Popen
12	

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b602_subprocess_popen_with_shell_equals_true.html
   Location: subgit/core.py:34:14
33	        stderr=None,
34	        shell=True,
35	    )
36	    output, stderr = process.communicate()
37	
38	    return output, stderr
39	
40	

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: subgit/inspect/git_inspect.py:6:0
5	import logging
6	import subprocess
7	

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: subgit/inspect/git_inspect.py:37:12
36	                ],
37	                shell=False,
38	                capture_output=True,
39	            )
40	        except FileNotFoundError:
41	            return False
42	
43	        return True
44	

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b607_start_process_with_partial_path.html
   Location: subgit/inspect/git_inspect.py:54:14
53	
54	        out = subprocess.run([
55	                "gh", "repo", "list",
56	                f"{owner}",
57	                "--json", "id,name,defaultBranchRef,sshUrl,isArchived",
58	                "-L", "100"
59	            ],
60	            shell=False,
61	            capture_output=True,
62	        )
63	        data = json.loads(out.stdout)

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: subgit/inspect/git_inspect.py:60:14
59	            ],
60	            shell=False,
61	            capture_output=True,
62	        )
63	        data = json.loads(out.stdout)
64	        repos = {}
65	        mapped_data = {
66	            repo["name"].lower():
67	            repo for repo in data
68	            if repo["isArchived"] == self.is_archived
69	        }

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b607_start_process_with_partial_path.html
   Location: subgit/inspect/git_inspect.py:111:14
110	
111	        out = subprocess.run(
112	            [
113	                "gitlab",
114	                "-o", "json",
115	                "project", "list",
116	                "--membership", "yes",
117	                "--all",
118	            ],
119	            shell=False,
120	            capture_output=True,
121	        )
122	        repos = {}

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.6/plugins/b603_subprocess_without_shell_equals_true.html
   Location: subgit/inspect/git_inspect.py:119:14
118	            ],
119	            shell=False,
120	            capture_output=True,
121	        )
122	        repos = {}
123	        data = json.loads(out.stdout)
124	        mapped_data = {
125	            repo["name"].lower():
126	            repo for repo in data
127	            if repo["namespace"]["name"] == owner and repo["archived"] == self.is_archived
128	        }
129	        sorted_names = sorted([
130	            repo["name"].lower()

--------------------------------------------------

Code scanned:
	Total lines of code: 1162
	Total lines skipped (#nosec): 0
	Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 7
		Medium: 0
		High: 1
	Total issues (by confidence):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 8
Files skipped (0):

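The three finding types in the log above, B602 (`shell=True`), B607 (partial executable path) and B603 (subprocess call, "check for execution of untrusted input"), shown side by side with the explicit `# nosec Bxxx` form holmboe suggests. This is an added example written for this page, not subgit's own code: `echo` stands in for `gh` and `gitlab` so it runs offline, the function names are hypothetical, and the owner-name character set is an assumption chosen for the demo.

```python
"""Added example (not subgit's code): why Bandit rates shell=True as High,
what resolving the executable and validating the argument buy you, and how
to silence the remaining low-severity finding with a targeted code.
"""
import re
import shutil
import subprocess  # Bandit flags this import as B404 on its own


def list_repos_shell(owner: str) -> str:
    """The pattern Bandit reports as B602 (Severity: High).

    The command is one string handed to /bin/sh, so metacharacters in
    `owner` are parsed as shell syntax. Kept deliberately unsafe so the
    difference to the argv form below is visible; "echo" stands in for
    the real CLI (constructed demo, not subgit's command line).
    """
    cmd = f"echo repo list {owner}"
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, shell=True)
    out, _ = proc.communicate()
    return out.decode()


def resolve_executable(name: str) -> str:
    """Turn a bare program name into an absolute path (addresses B607).

    Failing here is also clearer than a FileNotFoundError raised from
    inside subprocess.run().
    """
    path = shutil.which(name)
    if path is None:
        raise FileNotFoundError(f"{name!r} not found on PATH")
    return path


# Assumed allow-list for an owner/namespace name; chosen for this demo.
_OWNER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,38}")


def validate_owner(owner: str) -> str:
    """Reject anything that is not a plain owner name.

    This is the 'check for execution of untrusted input' that B603 asks
    the reviewer to do; with an argv list the shell never sees the
    string, but the callee (gh/gitlab) still receives it as an argument.
    """
    if not _OWNER_RE.fullmatch(owner):
        raise ValueError(f"invalid owner name: {owner!r}")
    return owner


def list_repos_argv(owner: str) -> str:
    """Hardened form: argv list, no shell, absolute executable, validated
    argument. Only B603 remains, and it is acknowledged with an explicit
    code rather than a bare '# nosec' so the exclusion is auditable.
    """
    argv = [resolve_executable("echo"), "repo", "list", validate_owner(owner)]
    proc = subprocess.run(argv, capture_output=True, check=True)  # nosec B603
    return proc.stdout.decode()


if __name__ == "__main__":
    payload = "grokzen; echo injected"
    print("shell=True :", repr(list_repos_shell(payload)))  # second command runs
    try:
        list_repos_argv(payload)
    except ValueError as exc:
        print("argv form  : rejected,", exc)
    print("argv form  :", repr(list_repos_argv("grokzen")))
```

Running a Bandit scan over this file still reports B404 for the import and B602 for `list_repos_shell`; the B607 finding disappears because the executable is absolute, and the B603 finding is skipped and counted under "Total potential issues skipped due to specifically being disabled" rather than silently under "Total lines skipped (#nosec)".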
