instance-scheduler-on-aws
Bandit automated checks
These are the issues that bandit has found on the instance scheduler's Python code. I've reviewed them manually and these look like genuine findings that should be addressed. Could you review?
bandit -r instance-scheduler
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.10.6
112 [0.. 50.. 100.. ]
Run started:2022-09-24 21:19:20.339807
Test results:
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
Location: instance-scheduler/boto_retry/__init__.py:210:20
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
209 raise ValueError("Random factor must be in range 0 to 1")
210 return value + (random.uniform(random_factor * -1, random_factor) * value) if random_factor != 0 else value
211
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/pytz/reference.py:124:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
123 return ZERO
124 assert dt.tzinfo is self
125
126 # Find first Sunday in April & the last in October.
127 start = first_sunday_on_or_after(DSTSTART.replace(year=dt.year))
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/pytz/tzfile.py:31:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
30 # Make sure it is a tzfile(5) file
31 assert magic == _byte_string('TZif'), 'Got magic %s' % repr(magic)
32
33 # Read out the transition times, localtime indices and ttinfo structures.
34 data_fmt = '>%(timecnt)dl %(timecnt)dB %(ttinfo)s %(charcnt)ds' % dict(
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/pytz/tzfile.py:40:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
39 # make sure we unpacked the right number of values
40 assert len(data) == 2 * timecnt + 3 * typecnt + 1
41 transitions = [memorized_datetime(trans)
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/pytz/tzinfo.py:392:12
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
391 local_dt.replace(tzinfo=None) - local_dt.tzinfo._utcoffset)
392 assert utc_time not in dates
393 dates[utc_time] = local_dt
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/requests/__init__.py:60:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
59 urllib3_version = urllib3_version.split(".")
60 assert urllib3_version != ["dev"] # Verify urllib3 isn't installed from git.
61
62 # Sometimes, urllib3 only reports its version as 16.1.
63 if len(urllib3_version) == 2:
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/requests/__init__.py:70:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
69 # urllib3 >= 1.21.1, <= 1.26
70 assert major == 1
71 assert minor >= 21
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/requests/__init__.py:71:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
70 assert major == 1
71 assert minor >= 21
72 assert minor <= 26
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/requests/__init__.py:72:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
71 assert minor >= 21
72 assert minor <= 26
73
74 # Check charset_normalizer for compatibility.
75 if chardet_version:
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/requests/__init__.py:79:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
78 # chardet_version >= 3.0.2, < 6.0.0
79 assert (3, 0, 2) <= (major, minor, patch) < (6, 0, 0)
80 elif charset_normalizer_version:
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/requests/__init__.py:84:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
83 # charset_normalizer >= 2.0.0 < 3.0.0
84 assert (2, 0, 0) <= (major, minor, patch) < (3, 0, 0)
85 else:
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/requests/_internal_utils.py:43:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
42 """
43 assert isinstance(u_string, str)
44 try:
--------------------------------------------------
>> Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False
Severity: High Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: instance-scheduler/requests/auth.py:148:23
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b324_hashlib.html
147 x = x.encode("utf-8")
148 return hashlib.md5(x).hexdigest()
149
--------------------------------------------------
>> Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False
Severity: High Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: instance-scheduler/requests/auth.py:156:23
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b324_hashlib.html
155 x = x.encode("utf-8")
156 return hashlib.sha1(x).hexdigest()
157
--------------------------------------------------
>> Issue: [B324:hashlib] Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False
Severity: High Confidence: High
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: instance-scheduler/requests/auth.py:205:17
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b324_hashlib.html
204
205 cnonce = hashlib.sha1(s).hexdigest()[:16]
206 if _algorithm == "MD5-SESS":
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/urllib3/contrib/securetransport.py:719:12
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
718 leaf = Security.SecTrustGetCertificateAtIndex(trust, 0)
719 assert leaf
720
721 # Ok, now we want the DER bytes.
722 certdata = Security.SecCertificateCopyData(leaf)
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/urllib3/contrib/securetransport.py:723:12
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
722 certdata = Security.SecCertificateCopyData(leaf)
723 assert certdata
724
725 data_length = CoreFoundation.CFDataGetLength(certdata)
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/urllib3/contrib/securetransport.py:901:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
900 # See PEP 543 for the real deal.
901 assert not server_side
902 assert do_handshake_on_connect
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/urllib3/contrib/securetransport.py:902:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
901 assert not server_side
902 assert do_handshake_on_connect
903 assert suppress_ragged_eofs
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/urllib3/contrib/securetransport.py:903:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
902 assert do_handshake_on_connect
903 assert suppress_ragged_eofs
904
905 # Ok, we're good to go. Now we want to create the wrapped socket object
906 # and store it in the appropriate place.
907 wrapped_socket = WrappedSocket(sock)
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/urllib3/packages/backports/makefile.py:23:4
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
22 reading = "r" in mode or not writing
23 assert reading or writing
24 binary = "b" in mode
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/urllib3/packages/backports/makefile.py:45:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
44 else:
45 assert writing
46 buffer = io.BufferedWriter(raw, buffering)
--------------------------------------------------
>> Issue: [B102:exec_used] Use of exec detected.
Severity: Medium Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: instance-scheduler/urllib3/packages/six.py:787:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b102_exec_used.html
786 _locs_ = _globs_
787 exec ("""exec _code_ in _globs_, _locs_""")
788
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/urllib3/response.py:500:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
499 """
500 assert self._fp
501 c_int_max = 2 ** 31 - 1
--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/urllib3/util/connection.py:141:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
140 has_ipv6 = True
141 except Exception:
142 pass
--------------------------------------------------
>> Issue: [B504:ssl_with_no_version] ssl.wrap_socket call with no SSL/TLS protocol version specified, the default SSLv23 could be insecure, possible security issue.
Severity: Low Confidence: Medium
CWE: CWE-327 (https://cwe.mitre.org/data/definitions/327.html)
Location: instance-scheduler/urllib3/util/ssl_.py:179:19
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b504_ssl_with_no_version.html
178 }
179 return wrap_socket(socket, ciphers=self.ciphers, **kwargs)
180
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/urllib3/util/ssltransport.py:120:8
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
119 reading = "r" in mode or not writing
120 assert reading or writing
121 binary = "b" in mode
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Severity: Low Confidence: High
CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
Location: instance-scheduler/urllib3/util/ssltransport.py:142:12
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b101_assert_used.html
141 else:
142 assert writing
143 buffer = io.BufferedWriter(raw, buffering)
--------------------------------------------------
Code scanned:
Total lines of code: 31548
Total lines skipped (#nosec): 0
Run metrics:
Total issues (by severity):
Undefined: 0
Low: 24
Medium: 1
High: 3
Total issues (by confidence):
Undefined: 0
Low: 0
Medium: 1
High: 27
Files skipped (0):
I noticed that most of the findings relate to libraries (requests, pytz, urllib3), so that's best addressed there.
There is one finding remaining that relates to the instance scheduler:
>> Issue: [B311:blacklist] Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Severity: Low Confidence: High
CWE: CWE-330 (https://cwe.mitre.org/data/definitions/330.html)
Location: instance-scheduler/boto_retry/__init__.py:210:20
More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
209 raise ValueError("Random factor must be in range 0 to 1")
210 return value + (random.uniform(random_factor * -1, random_factor) * value) if random_factor != 0 else value
211
I would suggest adding an ignore case like this:
return value + (random.uniform(random_factor * -1, random_factor) * value) if random_factor != 0 else value # nosec B311: random number generator not used in a security/cryptographic context
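As an added example (not the instance scheduler's own code), here is a retry back-off helper in the style of the `boto_retry` snippet above, carrying the `# nosec B311` suppression the comment proposes, next to the contrasting case where a standard PRNG would not be acceptable. `apply_jitter` mirrors the flagged line; `backoff_schedule`, `jitter_within_bounds` and `new_correlation_token` are hypothetical helpers introduced here to show why the suppression is justified for timing jitter and why it would not be for anything that must be unguessable.

```python
# Added example, not the instance scheduler's own code: a retry back-off
# helper in the style of boto_retry, with the B311 suppression proposed in
# the issue, next to the case where the PRNG would NOT be acceptable.
import random
import secrets
from typing import List


def apply_jitter(value: float, random_factor: float) -> float:
    """Scale `value` by a random amount in [1 - random_factor, 1 + random_factor].

    The result only spreads retry timing across clients; no secret, token or
    access decision depends on it, which is why bandit's B311 is suppressed.
    """
    if random_factor < 0 or random_factor > 1:
        raise ValueError("Random factor must be in range 0 to 1")
    return value + (random.uniform(random_factor * -1, random_factor) * value) if random_factor != 0 else value  # nosec B311: timing jitter, not a security/cryptographic context


def backoff_schedule(base: float, attempts: int, random_factor: float = 0.2, max_wait: float = 60.0) -> List[float]:
    """Exponential back-off waits base * 2**i, jittered, then capped at max_wait (hypothetical helper)."""
    if attempts < 0:
        raise ValueError("attempts must be >= 0")
    return [min(apply_jitter(base * (2 ** i), random_factor), max_wait) for i in range(attempts)]


def jitter_within_bounds(value: float, random_factor: float, result: float) -> bool:
    """Check that a jittered result stays inside the range apply_jitter promises."""
    low = value * (1 - random_factor)
    high = value * (1 + random_factor)
    return low - 1e-9 <= result <= high + 1e-9


def new_correlation_token(nbytes: int = 16) -> str:
    """Contrast case: a value that must be unguessable comes from `secrets`, not `random`.

    This is the kind of call B311 exists to catch; no nosec marker belongs here.
    """
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for wait in backoff_schedule(base=1.0, attempts=5, random_factor=0.25, max_wait=10.0):
        print(f"wait {wait:.3f}s")
    print("token", new_correlation_token())
```

The design point is that a `# nosec` marker should name the rule it silences and the reason, so a later reviewer can tell a deliberate suppression of timing jitter from a missed finding; any PRNG use that feeds a token, nonce or key stays unsuppressed and is moved to `secrets`.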
We have updated Python to the latest version of the dependencies. We have an internal tool to identify bandit issues and it did not show any issues; let us know if the issues still persist. We will take a look at the last one mentioned here in our next release.