bandit
False positive on token_fail_reason
Describe the bug
Up until this latest release, our bandit workflows have delivered passing results without issue. With our latest commit, 1.7.3 was installed and our unit testing failed with the following:
Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'Unexpected API response received'
Severity: Low Confidence: Medium
CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
Location: src/falconpy/oauth2.py:157:41
More Info: https://bandit.readthedocs.io/en/1.7.3/plugins/b105_hardcoded_password_string.html
156 returned = generate_error_result("Unexpected API response received", 403)
157 self.token_fail_reason = "Unexpected API response received"
158 self.token_status = 403
Impacted code block
if isinstance(returned, dict):
    self.token_status = returned["status_code"]
    if self.token_status == 201:
        self.token_expiration = returned["body"]["expires_in"]
        self.token_time = time.time()
        self.token_value = returned["body"]["access_token"]
        self.token_fail_reason = None
        # unrelated code continues...
else:
    returned = generate_error_result("Unexpected API response received", 403)
    self.token_fail_reason = "Unexpected API response received"
    self.token_status = 403
Reproduction steps
Started occurring with the 1.7.3 install. (I've confirmed it's not an issue in 1.7.0 - 1.7.2)
Expected behavior
I don't believe there is a problem with the code above.
Bandit version
1.7.3 (Default)
Python version
3.10 (Default)
Additional context
Appears to be similar to issue #842.
Looks like a false positive as a result of #766, which now examines function calls with attributes that have the word "token" within them.
The hardcoded password/token/etc. check tends to have a lower confidence, since it cannot detect guaranteed cases of a hardcoded secret. You can always add a # nosec comment to ignore this instance.
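To make the false positive concrete, below is an added, stand-alone toy reimplementation of the B105 heuristic (example code written for this page, not bandit's own plugin or the falconpy code). It assumes a word list and matching rule modelled on bandit's hardcoded-password pattern (password/pass/pwd/token/secret, anchored by `_` or string boundaries), walks assignment targets that are plain names or attributes (the attribute handling is what #766 introduced), only counts string-literal right-hand sides, and skips lines carrying a `# nosec` comment. The SAMPLE source is constructed to mirror the reporter's snippet.

```python
"""Toy B105-style check: string literals assigned to secret-looking names.

Hypothetical illustration, NOT bandit's implementation.
"""
import ast
import io
import re
import tokenize

# Word list modelled on bandit's hardcoded-password regex (assumption):
# the target name must equal, start with, end with, or contain
# (underscore-delimited) one of these words, case-insensitively.
RE_WORDS = r"(pas+wo?r?d|pass(phrase)?|pwd|token|secrete?)"
RE_CANDIDATES = re.compile(
    r"(^{0}$|_{0}_|^{0}_|_{0}$)".format(RE_WORDS), re.IGNORECASE
)


def nosec_lines(source):
    """Line numbers whose comment contains 'nosec' (how suppression is honoured)."""
    lines = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and "nosec" in tok.string:
            lines.add(tok.start[0])
    return lines


def target_name(node):
    """Name of an assignment target: `x` -> 'x', `self.x` -> 'x', else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None


def find_hardcoded_strings(source):
    """Return [(lineno, target_name, literal)] for every string literal assigned
    to a name matching RE_CANDIDATES, excluding lines marked '# nosec'."""
    skip = nosec_lines(source)
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign) or node.lineno in skip:
            continue
        value = node.value
        # Only string literals count; token_value = returned[...] is never flagged.
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        for target in node.targets:
            name = target_name(target)
            if name and RE_CANDIDATES.search(name):
                hits.append((node.lineno, name, value.value))
    return hits


# Constructed sample mirroring the reporter's snippet (not the real file).
SAMPLE = '''
class Client:
    def _set_failed(self, returned):
        self.token_status = 403
        self.token_value = returned["body"]["access_token"]
        self.token_fail_reason = "Unexpected API response received"
        self.password = "hunter2"
        admin_token = "abc123"  # nosec
'''

if __name__ == "__main__":
    for lineno, name, literal in find_hardcoded_strings(SAMPLE):
        print(f"line {lineno}: {name} = {literal!r}")
```

The name `token_fail_reason` matches the `^token_` branch of the pattern even though the literal is an error message rather than a credential, which is exactly the low-confidence case the reporter hit; `self.token_value = returned[...]` is not flagged because its value is not a literal. Bandit also accepts the test ID on the suppression comment (`# nosec B105`) so that only this check is silenced on that line.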