diff --git a/bandit/formatters/csv.py b/bandit/formatters/csv.py
index 81aa747db..4043434e0 100644
--- a/bandit/formatters/csv.py
+++ b/bandit/formatters/csv.py
@@ -11,9 +11,10 @@
.. code-block:: none
- filename,test_name,test_id,issue_severity,issue_confidence,issue_text,
- line_number,line_range,more_info
- examples/yaml_load.py,blacklist_calls,B301,MEDIUM,HIGH,"Use of unsafe yaml
+ filename,test_name,test_id,issue_severity,issue_confidence,issue_cwe,
+ issue_text,line_number,line_range,more_info
+ examples/yaml_load.py,blacklist_calls,B301,MEDIUM,HIGH,
+ https://cwe.mitre.org/data/definitions/20.html,"Use of unsafe yaml
load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().
",5,[5],https://bandit.readthedocs.io/en/latest/
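Review bot: The rewritten header row in this example still omits `col_offset`, which the formatter's fieldnames list (visible as context at the end of the `report` hunk below) places between `line_number` and `line_range`, so the sample header and row no longer match the columns the writer emits; the header should read `...issue_text,line_number,col_offset,line_range,more_info` and the sample row needs the extra value. The example also renders `issue_cwe` as a bare link, whereas the json formatter's example in this same change shows it as an object with `id` and `link`; if the csv writer passes the issue's dict values through unchanged, the cell would hold the string form of that object rather than the URL alone, so the example should be checked against real output before it is kept.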
@@ -22,6 +23,9 @@
.. versionchanged:: 1.5.0
New field `more_info` added to output
+.. versionchanged:: 1.7.3
+ New field `CWE` added to output
+
"""
# Necessary for this formatter to work when imported on Python 2. Importing
# the standard library's csv module conflicts with the name of this module.
@@ -54,8 +58,8 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
"test_name",
"test_id",
"issue_severity",
- "issue_cwe",
"issue_confidence",
+ "issue_cwe",
"issue_text",
"line_number",
"col_offset",
diff --git a/bandit/formatters/custom.py b/bandit/formatters/custom.py
index fb9e8c34a..5a49e97f4 100644
--- a/bandit/formatters/custom.py
+++ b/bandit/formatters/custom.py
@@ -21,6 +21,9 @@
.. versionadded:: 1.5.0
+.. versionchanged:: 1.7.3
+ New field `CWE` added to output
+
"""
import logging
import os
@@ -78,6 +81,7 @@ def report(manager, fileobj, sev_level, conf_level, template=None):
"msg": lambda issue: issue.text,
"confidence": lambda issue: issue.confidence,
"range": lambda issue: issue.linerange,
+ "cwe": lambda issue: issue.cwe,
}
# Create dictionary with tag sets to speed up search for similar tags
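Review bot: The new `cwe` entry makes `{cwe}` a usable template tag, but nothing in this hunk documents it beyond the generic versionchanged note; if the module docstring lists the available tags (it is outside this hunk), a line such as `{cwe}` - CWE id and reference link for the issue` should be added next to the other tag descriptions. The value is `issue.cwe` itself rather than a string, which other formatters in this change wrap in `str()`, so what a custom template prints is whatever that object's string form is; worth stating in the docstring so template authors know what to expect. `report`'s body continues outside the hunk.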
diff --git a/bandit/formatters/html.py b/bandit/formatters/html.py
index ff6ea1f3e..48b6ac37f 100644
--- a/bandit/formatters/html.py
+++ b/bandit/formatters/html.py
@@ -112,6 +112,7 @@
Test ID: B506
Severity: MEDIUM
Confidence: HIGH
+ CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
File: examples/yaml_load.py
More info: {test_name}: {test_text}
Test ID: {test_id}
Severity: {severity}
- CWE: {cwe}
Confidence: {confidence}
+ CWE: {cwe}
File: {path}
Line number: {line_number}
More info: {url}
@@ -358,8 +365,8 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
test_id=issue.test_id,
test_text=issue.text,
severity=issue.severity,
- cwe=issue.cwe,
confidence=issue.confidence,
+ cwe=issue.cwe,
path=issue.fname,
code=code,
candidates=candidates,
diff --git a/bandit/formatters/json.py b/bandit/formatters/json.py
index cebe8310f..9926382e7 100644
--- a/bandit/formatters/json.py
+++ b/bandit/formatters/json.py
@@ -47,6 +47,10 @@
"filename": "examples/yaml_load.py",
"issue_confidence": "HIGH",
"issue_severity": "MEDIUM",
+ "issue_cwe": {
+ "id": 20,
+ "link": "https://cwe.mitre.org/data/definitions/20.html"
+ },
"issue_text": "Use of unsafe yaml load. Allows instantiation of
arbitrary objects. Consider yaml.safe_load().\n",
"line_number": 5,
@@ -62,6 +66,12 @@
.. versionadded:: 0.10.0
+.. versionchanged:: 1.5.0
+ New field `more_info` added to output
+
+.. versionchanged:: 1.7.3
+ New field `CWE` added to output
+
"""
# Necessary so we can import the standard library json module while continuing
# to name this file json.py. (Python 2 only)
diff --git a/bandit/formatters/screen.py b/bandit/formatters/screen.py
index c1e204382..a24eb53d2 100644
--- a/bandit/formatters/screen.py
+++ b/bandit/formatters/screen.py
@@ -16,6 +16,7 @@
instantiation of arbitrary objects. Consider yaml.safe_load().
Severity: Medium Confidence: High
+ CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
Location: examples/yaml_load.py:5
More Info: https://bandit.readthedocs.io/en/latest/
4 ystr = yaml.dump({'a' : 1, 'b' : 2, 'c' : 3})
@@ -24,6 +25,12 @@
.. versionadded:: 0.9.0
+.. versionchanged:: 1.5.0
+ New field `more_info` added to output
+
+.. versionchanged:: 1.7.3
+ New field `CWE` added to output
+
"""
import datetime
import logging
@@ -111,15 +118,16 @@ def _output_issue_str(
)
bits.append(
- "%s Severity: %s CWE: %s Confidence: %s"
+ "%s Severity: %s Confidence: %s"
% (
indent,
issue.severity.capitalize(),
- str(issue.cwe),
issue.confidence.capitalize(),
)
)
+ bits.append(f"{indent} CWE: {str(issue.cwe)}")
+
bits.append(
"%s Location: %s:%s:%s"
% (
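Review bot: `str()` is redundant inside the f-string on the new `bits.append` line, since a replacement field already converts its value, so `bits.append(f"{indent} CWE: {issue.cwe}")` is sufficient; the identical line added in text.py's `_output_issue_str` has the same redundancy. Every other line in this function is assembled with %-formatting, so using an f-string for just this one mixes two styles in the same function — either is fine, but the function should use one consistently. `_output_issue_str` starts and ends outside this hunk.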
diff --git a/bandit/formatters/text.py b/bandit/formatters/text.py
index 3e821d1d6..c40059b74 100644
--- a/bandit/formatters/text.py
+++ b/bandit/formatters/text.py
@@ -24,6 +24,12 @@
.. versionadded:: 0.9.0
+.. versionchanged:: 1.5.0
+ New field `more_info` added to output
+
+.. versionchanged:: 1.7.3
+ New field `CWE` added to output
+
"""
import datetime
import logging
@@ -79,15 +85,16 @@ def _output_issue_str(
)
bits.append(
- "%s Severity: %s CWE: %s Confidence: %s"
+ "%s Severity: %s Confidence: %s"
% (
indent,
issue.severity.capitalize(),
- str(issue.cwe),
issue.confidence.capitalize(),
)
)
+ bits.append(f"{indent} CWE: {str(issue.cwe)}")
+
bits.append(
"%s Location: %s:%s:%s"
% (
diff --git a/bandit/formatters/xml.py b/bandit/formatters/xml.py
index f3f9421bb..52bd850e2 100644
--- a/bandit/formatters/xml.py
+++ b/bandit/formatters/xml.py
@@ -17,13 +17,21 @@
message="Use of unsafe yaml load. Allows instantiation of arbitrary
objects. Consider yaml.safe_load().
" type="MEDIUM"
more_info="https://bandit.readthedocs.io/en/latest/">Test ID: B301
- Severity: MEDIUM Confidence: HIGH Use of unsafe yaml load. Allows
- instantiation of arbitrary objects. Consider yaml.safe_load().
+ Severity: MEDIUM Confidence: HIGH
+ CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html) Use of unsafe
+ yaml load.
+ Allows instantiation of arbitrary objects. Consider yaml.safe_load().
Location examples/yaml_load.py:5
.. versionadded:: 0.12.0
+.. versionchanged:: 1.5.0
+ New field `more_info` added to output
+
+.. versionchanged:: 1.7.3
+ New field `CWE` added to output
+
"""
# This future import is necessary here due to the xml import below on Python
# 2.7
@@ -56,14 +64,14 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
)
text = (
- "Test ID: %s Severity: %s CWE: %s Confidence: %s\n%s\n"
+ "Test ID: %s Severity: %s Confidence: %s\nCWE: %s\n%s\n"
"Location %s:%s"
)
text = text % (
issue.test_id,
issue.severity,
- issue.cwe,
issue.confidence,
+ issue.cwe,
issue.text,
issue.fname,
issue.lineno,
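Review bot: The new format string puts a `\n` between the CWE field and the issue text (`"...Confidence: %s\nCWE: %s\n%s\n"`), but the docstring example rewritten in the hunk above shows `CWE: CWE-20 (...)` and `Use of unsafe yaml load.` on the same line; unless that is just wrapping for display, one of the two should change so the documented output matches what `report` writes. The `report` body continues outside this hunk.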
diff --git a/bandit/formatters/yaml.py b/bandit/formatters/yaml.py
index bfd1e46ce..b9b0a446d 100644
--- a/bandit/formatters/yaml.py
+++ b/bandit/formatters/yaml.py
@@ -55,6 +55,9 @@
.. versionadded:: 1.5.0
+.. versionchanged:: 1.7.3
+ New field `CWE` added to output
+
"""
# Necessary for this formatter to work when imported on Python 2. Importing
# the standard library's yaml module conflicts with the name of this module.
diff --git a/tests/unit/formatters/test_screen.py b/tests/unit/formatters/test_screen.py
index e2d420aed..0032ccd2a 100644
--- a/tests/unit/formatters/test_screen.py
+++ b/tests/unit/formatters/test_screen.py
@@ -35,12 +35,15 @@ def _template(_issue, _indent_val, _code, _color):
_issue.test,
_issue.text,
),
- "{} Severity: {} CWE: {} Confidence: {}".format(
+ "{} Severity: {} Confidence: {}".format(
_indent_val,
_issue.severity.capitalize(),
- _issue.cwe,
_issue.confidence.capitalize(),
),
+ "{} CWE: {}".format(
+ _indent_val,
+ _issue.cwe,
+ ),
"{} Location: {}:{}:{}".format(
_indent_val, _issue.fname, _issue.lineno, _issue.col_offset
),
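Review bot: The new expected line is built with `"{} CWE: {}".format(...)` here, while the parallel change in test_text.py writes the same line as `f"{_indent_val} CWE: {_issue.cwe}"`; these two `_template` helpers mirror each other line for line, so using one construction in both keeps them easy to compare. `f"{_indent_val} CWE: {_issue.cwe}",` would match the other test. `_template` starts outside this hunk.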
diff --git a/tests/unit/formatters/test_text.py b/tests/unit/formatters/test_text.py
index 2ce80d499..fa3616cfb 100644
--- a/tests/unit/formatters/test_text.py
+++ b/tests/unit/formatters/test_text.py
@@ -31,12 +31,12 @@ def _template(_issue, _indent_val, _code):
"{}>> Issue: [{}:{}] {}".format(
_indent_val, _issue.test_id, _issue.test, _issue.text
),
- "{} Severity: {} CWE: {} Confidence: {}".format(
+ "{} Severity: {} Confidence: {}".format(
_indent_val,
_issue.severity.capitalize(),
- _issue.cwe,
_issue.confidence.capitalize(),
),
+ f"{_indent_val} CWE: {_issue.cwe}",
"{} Location: {}:{}:{}".format(
_indent_val, _issue.fname, _issue.lineno, _issue.col_offset
),