Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add the column offset to the issue model #618

Merged
merged 6 commits into from
Dec 17, 2020
Merged

Conversation

tonybaloney
Copy link
Contributor

This proposed change propagates the col_offset of the offending node in the AST to the Issue data model.

Just as you can report line number this allows reporting of the column offset as well.

Column offset reporting is a standard feature on many linters, also I've noticed the way that bandit is used by linter integrations like VSCode could benefit having the col offset of the reported function call, import etc.
In some cases there are two issues on a single line and this would indicate which is belongs to which report.

I noticed the custom formatter didn't have any unit tests, so I added one for this change.

Example output below:

python -m bandit examples/ -f custom --msg-template '{line}:{col} - {severity} - {test_id}:{msg}' -r                                                                                                                        col_offset ⍟1
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 2.7.15
85 [0.. [manager]       ERROR   Exception occurred when executing tests against examples/nonsense2.py. Run "bandit --debug examples/nonsense2.py" to see the full traceback.
50.. ]
1:0 - LOW - B101:Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
4:8 - MEDIUM - B104:Possible binding to all interfaces.
6:7 - MEDIUM - B305:Use of insecure cipher mode cryptography.hazmat.primitives.ciphers.modes.ECB.
1:0 - HIGH - B413:The pyCrypto library and its module ARC2 are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
2:0 - HIGH - B413:The pyCrypto library and its module ARC4 are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
3:0 - HIGH - B413:The pyCrypto library and its module Blowfish are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
4:0 - HIGH - B413:The pyCrypto library and its module DES are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
5:0 - HIGH - B413:The pyCrypto library and its module XOR are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
11:0 - HIGH - B413:The pyCrypto library and its module SHA are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
12:0 - HIGH - B413:The pyCrypto library and its module Random are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
13:0 - HIGH - B413:The pyCrypto library and its module Counter are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
22:9 - HIGH - B304:Use of insecure cipher Crypto.Cipher.ARC2.new. Replace with a known secure cipher such as AES.
24:9 - HIGH - B304:Use of insecure cipher Cryptodome.Cipher.ARC2.new. Replace with a known secure cipher such as AES.
29:10 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
30:9 - HIGH - B304:Use of insecure cipher Crypto.Cipher.ARC4.new. Replace with a known secure cipher such as AES.
32:9 - HIGH - B304:Use of insecure cipher Cryptodome.Cipher.ARC4.new. Replace with a known secure cipher such as AES.
42:9 - HIGH - B304:Use of insecure cipher Crypto.Cipher.Blowfish.new. Replace with a known secure cipher such as AES.
45:9 - HIGH - B304:Use of insecure cipher Cryptodome.Cipher.Blowfish.new. Replace with a known secure cipher such as AES.
52:9 - HIGH - B304:Use of insecure cipher Crypto.Cipher.DES.new. Replace with a known secure cipher such as AES.
56:9 - HIGH - B304:Use of insecure cipher Cryptodome.Cipher.DES.new. Replace with a known secure cipher such as AES.
61:9 - HIGH - B304:Use of insecure cipher Crypto.Cipher.XOR.new. Replace with a known secure cipher such as AES.
63:9 - HIGH - B304:Use of insecure cipher Cryptodome.Cipher.XOR.new. Replace with a known secure cipher such as AES.
66:16 - HIGH - B304:Use of insecure cipher cryptography.hazmat.primitives.ciphers.algorithms.ARC4. Replace with a known secure cipher such as AES.
70:16 - HIGH - B304:Use of insecure cipher cryptography.hazmat.primitives.ciphers.algorithms.Blowfish. Replace with a known secure cipher such as AES.
74:16 - HIGH - B304:Use of insecure cipher cryptography.hazmat.primitives.ciphers.algorithms.IDEA. Replace with a known secure cipher such as AES.
2:0 - HIGH - B413:The pyCrypto library and its module MD2 are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
3:0 - HIGH - B413:The pyCrypto library and its module MD4 are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
4:0 - HIGH - B413:The pyCrypto library and its module MD5 are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
5:0 - HIGH - B413:The pyCrypto library and its module SHA are no longer actively maintained and have been deprecated. Consider using pyca/cryptography library.
12:0 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
13:0 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
15:18 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
17:6 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
19:0 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
21:0 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
22:0 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
23:0 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
24:0 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
26:0 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
27:0 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
28:0 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
29:0 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
31:0 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
32:0 - MEDIUM - B303:Use of insecure MD2, MD4, MD5, or SHA1 hash function.
1:0 - LOW - B403:Consider possible security implications associated with dill module.
6:6 - MEDIUM - B301:Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.
11:6 - MEDIUM - B301:Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.

Copy link
Member

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is test_custom.py part of the column offset? If not, I suggest moving to a separate PR..

tests/unit/formatters/test_custom.py Outdated Show resolved Hide resolved
@tonybaloney
Copy link
Contributor Author

Is test_custom.py part of the column offset? If not, I suggest moving to a separate PR..

Yes, it's the test for the change.

@tonybaloney
Copy link
Contributor Author

@ericwb changes updated as requested

Copy link
Member

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to see the column indicator expanded to other formatters. But for now, this works for custom.

@ericwb ericwb added this to the Release 1.7.1 milestone Dec 17, 2020
@ericwb ericwb merged commit 82db41a into PyCQA:master Dec 17, 2020
ericwb added a commit that referenced this pull request Dec 19, 2020
Recently, #618 introduced column offsets to the custom formatter.
But other formatters should also show the column offset.

Signed-off-by: Eric Brown <browne@vmware.com>
mikespallino pushed a commit to mikespallino/bandit that referenced this pull request Aug 25, 2021
* Add the column offset to the issue model and expose via the custom formatter
* Fix import order and update auto-help
* Fetch property from dict but default to 0 for backward compatibility. Update the test as well
* Update test_custom.py

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
mikespallino pushed a commit to mikespallino/bandit that referenced this pull request Aug 25, 2021
Recently, PyCQA#618 introduced column offsets to the custom formatter.
But other formatters should also show the column offset.

Signed-off-by: Eric Brown <browne@vmware.com>
mikespallino pushed a commit to mikespallino/bandit that referenced this pull request Jan 7, 2022
* Add the column offset to the issue model and expose via the custom formatter
* Fix import order and update auto-help
* Fetch property from dict but default to 0 for backward compatibility. Update the test as well
* Update test_custom.py

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>
mikespallino pushed a commit to mikespallino/bandit that referenced this pull request Jan 7, 2022
Recently, PyCQA#618 introduced column offsets to the custom formatter.
But other formatters should also show the column offset.

Signed-off-by: Eric Brown <browne@vmware.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants