Bandit Blacklist Plugins¶
Bandit supports built in functionality to implement blacklisting of imports and function calls, this functionality is provided by built in test ‘B001’. This test may be filtered as per normal plugin filtering rules.
The exact calls and imports that are blacklisted, and the issues reported, are controlled by plugin methods with the entry point ‘bandit.blacklists’ and can be extended by third party plugins if desired. Blacklist plugins will be discovered by Bandit at startup and called. The returned results are combined into the final data set, subject to Bandit’s normal test include/exclude rules allowing for fine grained control over blacklisted items. By convention, blacklisted calls should have IDs in the B3xx range and imports should have IDs in the B4xx range.
Plugin functions should return a dictionary mapping AST node types to lists of blacklist data. Currently the following node types are supported:
- Call, used for blacklisting calls.
- Import, used for blacklisting module imports (this also implicitly tests ImportFrom and Call nodes where the invoked function is Pythons built in ‘__import__()’ method).
Items in the data lists are Python dictionaries with the following structure:
key | data meaning |
---|---|
‘name’ | The issue name string. |
‘id’ | The bandit ID of the check, this must be unique and is used for filtering blacklist checks. |
‘qualnames’ | A Python list of fully qualified name strings. |
‘message’ | The issue message reported, this is a string that may contain the token ‘{name}’ that will be substituted with the matched qualname in the final report. |
‘level’ | The severity level reported. |
A utility method bandit.blacklists.utils.build_conf_dict is provided to aid building these dictionaries.
Example: | >> Issue: [B317:blacklist] Using xml.sax.parse to parse untrusted XML data
is known to be vulnerable to XML attacks. Replace xml.sax.parse with its
defusedxml equivalent function.
Severity: Medium Confidence: High
Location: ./examples/xml_sax.py:24
23 sax.parseString(xmlString, ExampleContentHandler())
24 sax.parse('notaxmlfilethatexists.xml', ExampleContentHandler)
25
|
---|