openstack/bandit
Code Issues Proposed changes
bandit/doc/source/plugins/index.rst
Eric Brown 0ff55f1e2b Pretty up the plugin documentation 
* Add test IDs in the title of the plugin
* Make use of proper sphinx tags
* Add new Plugin ID Groupings section to plugins index

Change-Id: Ic0015da7fc9648564ea11250ba30ef301f3cd6bd
2016-01-14 08:34:33 -08:00

2.9 KiB
Raw Blame History

Bandit Test Plugins

Bandit supports many different tests to detect various security issues in python code. These tests are created as plugins and new ones can be created to extend the functionality offered by bandit today.

Writing Tests

To write a test:
  • Identify a vulnerability to build a test for, and create a new file in examples/ that contains one or more cases of that vulnerability.
  • Create a new Python source file to contain your test, you can reference existing tests for examples.
  • Consider the vulnerability you're testing for, mark the function with one or more of the appropriate decorators:
  • @checks('Call')
  • @checks('Import', 'ImportFrom')
  • @checks('Str')
  • Register your plugin using the bandit.plugins entry point, see example.
  • The function that you create should take a parameter "context" which is an instance of the context class you can query for information about the current element being examined. You can also get the raw AST node for more advanced use cases. Please see the context.py file for more.
  • Extend your Bandit configuration file as needed to support your new test.
  • Execute Bandit against the test file you defined in examples/ and ensure that it detects the vulnerability. Consider variations on how this vulnerability might present itself and extend the example file and the test function accordingly.

Example Test Plugin

@bandit.checks('Call')
def prohibit_unsafe_deserialization(context):
    if 'unsafe_load' in context.call_function_name_qual:
        return bandit.Issue(
            severity=bandit.HIGH,
            confidence=bandit.HIGH,
            text="Unsafe deserialization detected."
        )

To register your plugin, you have two options:

  1. If you're using setuptools directly, add something like the following to your setup call:

    # If you have an imaginary bson formatter in the bandit_bson module
# and a function called `formatter`.
entry_points={'bandit.formatters': ['bson = bandit_bson:formatter']}
# Or a check for using mako templates in bandit_mako that
entry_points={'bandit.plugins': ['mako = bandit_mako']}

  2. If you're using pbr, add something like the following to your setup.cfg file:

    [entry_points]
bandit.formatters =
    bson = bandit_bson:formatter
bandit.plugins =
    mako = bandit_mako

Plugin ID Groupings

ID Description
B1xx misc tests
B2xx application/framework miss-configuration
B3xx blacklists (calls)
B4xx blacklists (imports)
B5xx cryptography
B6xx injection
B7xx XSS

Complete Test Plugin Listing