
Erroneous "no test failure on line" warning from plugin alert nosec?

Open fiendish opened this issue 3 years ago • 6 comments

Describe the bug

It looks like bandit warns about "no test failure on line" for a nosec where there definitely would be a test failure without the nosec.

Reproduction steps

  1. I start with a line that does foo = hashlib.md5(buffer.read()).digest().
  2. bandit -ll rightly complains about the use of MD5 with a B324 error from the hashlib plugin.
  3. I add #nosec B324 like this: foo = hashlib.md5(buffer.read()).digest() # nosec B324
  4. Bandit now says [tester] WARNING nosec encountered (B324), but no failed test on line 85

Seems a bit weird.

Expected behavior

Don't warn at me for this.

Bandit version

1.7.4 (Default)

Python version

3.9

Additional context

No response

fiendish avatar Aug 17 '22 18:08 fiendish

I'm facing the same issue using Bandit 1.7.4 with Python 3.10.4. Here's another minimal example for repro:

import os
cmd = "df -h"
os.popen(cmd).read()  # nosec B605

bandit -v test.py says WARNING nosec encountered (B605), but no failed test on line 3 while it will report B605 if I remove the # nosec.

full log

[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.10.4
[node_visitor]	WARNING	Unable to find qualified name for module: test.py
[tester]	WARNING	nosec encountered (B605), but no failed test on line 3
Run started:2022-09-06 09:31:19.271042
Files in scope (1):
	test.py (score: {SEVERITY: 0, CONFIDENCE: 0})
Files excluded (0):

Test results:
	No issues identified.

Code scanned:
	Total lines of code: 3
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 0
	Total issues (by confidence):
		Undefined: 0
		Low: 0
		Medium: 0
		High: 0
Files skipped (0):

However, the problem does not occur if I remove .read(). (It continues to claim Total lines skipped (#nosec): 0 though, as long as the B605 is specified.)

hrantzsch avatar Sep 06 '22 09:09 hrantzsch

I'm still seeing the same thing with Bandit 1.7.5 on Python 3.11.4. Yet another minimal example:

import os
import subprocess  # nosec B404

subprocess.run([os.getenv("SHELL")], check=False)  # nosec B603

Bandit says:

[tester]        WARNING nosec encountered (B603), but no failed test on line 4

but if I remove the # nosec B603, I get a test failure:

>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.7.5/plugins/b603_subprocess_without_shell_equals_true.html
   Location: bandit.py:4:0
3
4       subprocess.run([os.getenv("SHELL")], check=False)

creideiki avatar Jul 04 '23 07:07 creideiki

> However, the problem does not occur if I remove .read(). (It continues to claim Total lines skipped (#nosec): 0 though, as long as the B605 is specified.)

The problem appears to be related to how bandit observes "lines" where multiple function calls occur on the same line?

I get the warning if I do

return requests.get(url).json()  # nosec B113

or

requests.get(CARRIER_URL) and print("hello") # nosec B113

But I do not get the warning if I do

foo = requests.get(url)  # nosec B113
return foo.json()

fiendish avatar May 20 '24 18:05 fiendish
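An added illustration of the hypothesis above (not code from the bandit project or from anyone in this thread): it assumes the warning is emitted once per ast.Call node on a nosec'd line rather than once per line, and uses a hypothetical stand-in for the B605 check. The samples are constructed from the reports in this thread.

```python
import ast
from collections import defaultdict

# Constructed samples: chained calls on one line (reported to warn) versus the
# same work split over two lines (reported not to warn), plus a nosec that
# really is unneeded.
CHAINED = 'import os\ncmd = "df -h"\nos.popen(cmd).read()  # nosec B605\n'
SPLIT = 'import os\ncmd = "df -h"\nfoo = os.popen(cmd)  # nosec B605\nfoo.read()\n'
NEEDLESS = 'print("x")  # nosec B605\n'

def is_b605(call):
    """Hypothetical stand-in for bandit's B605 check: flags calls to os.popen."""
    f = call.func
    return (isinstance(f, ast.Attribute) and f.attr == "popen"
            and isinstance(f.value, ast.Name) and f.value.id == "os")

def nosec_lines(src):
    """Map line number -> set of test ids named after '# nosec'."""
    out = {}
    for no, line in enumerate(src.splitlines(), 1):
        _, sep, rest = line.partition("# nosec")
        if sep:
            out[no] = set(rest.split()) or {"*"}
    return out

def calls_per_line(src):
    """Count ast.Call nodes that start on each line; a chain yields several."""
    counts = defaultdict(int)
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            counts[node.lineno] += 1
    return dict(counts)

def per_node_warnings(src):
    """Assumed buggy model: every Call node on a nosec'd line that fires no
    test yields a 'no failed test on line' warning, even if a sibling fires."""
    nosec = nosec_lines(src)
    return [(n.lineno, "B605") for n in ast.walk(ast.parse(src))
            if isinstance(n, ast.Call) and n.lineno in nosec and not is_b605(n)]

def per_line_warnings(src):
    """Aggregate per line instead: warn only when no call on the line fires."""
    nosec = nosec_lines(src)
    fired = defaultdict(bool)
    for n in ast.walk(ast.parse(src)):
        if isinstance(n, ast.Call) and n.lineno in nosec:
            fired[n.lineno] |= is_b605(n)
    return [(ln, "B605") for ln in nosec if not fired[ln]]

if __name__ == "__main__":
    for name, src in ("chained", CHAINED), ("split", SPLIT), ("needless", NEEDLESS):
        print(name, calls_per_line(src), per_node_warnings(src), per_line_warnings(src))
```

Under the per-node model only the chained form produces a spurious warning; the per-line model still reports the genuinely unneeded nosec.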