Introduction
Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each Python file, builds an AST from it, and runs the appropriate detection plugins against every AST node. Once it has finished scanning all the files, Bandit generates a report for the user.
Installation
Bandit is distributed on PyPI; the recommended way to install it is with pip.
Create a virtual environment (optional):
virtualenv bandit-env
Install Bandit:
pip install bandit
# Or if you're working with a Python 3 project
pip3 install bandit
Run Bandit:
bandit -r path/to/your/code
Bandit can also be installed from source: download the source tarball from PyPI and run:
python setup.py install
Usage
Example: scan a whole directory tree recursively:
bandit -r ~/your_repos/project
Example: scan the files in examples/, show three lines of context for each issue, and report only high-severity issues:
bandit examples/*.py -n 3 -lll
Bandit can also be run with a profile. The following command scans the examples directory using only the plugins listed in the ShellInjection profile:
bandit examples/*.py -p ShellInjection
Bandit also supports reading the code to scan from standard input:
cat examples/imports.py | bandit -
Full help output:

$ bandit -h

usage: bandit [-h] [-r] [-a {file,vuln}] [-n CONTEXT_LINES] [-c CONFIG_FILE]
              [-p PROFILE] [-t TESTS] [-s SKIPS] [-l] [-i]
              [-f {csv,custom,html,json,screen,txt,xml,yaml}]
              [--msg-template MSG_TEMPLATE] [-o [OUTPUT_FILE]] [-v] [-d] [-q]
              [--ignore-nosec] [-x EXCLUDED_PATHS] [-b BASELINE]
              [--ini INI_PATH] [--version]
              [targets [targets ...]]

Bandit - a Python source code security analyzer

positional arguments:
  targets               source file(s) or directory(s) to be tested

optional arguments:
  -h, --help            show this help message and exit
  -r, --recursive       find and process files in subdirectories
  -a {file,vuln}, --aggregate {file,vuln}
                        aggregate output by vulnerability (default) or by
                        filename
  -n CONTEXT_LINES, --number CONTEXT_LINES
                        maximum number of code lines to output for each issue
  -c CONFIG_FILE, --configfile CONFIG_FILE
                        optional config file to use for selecting plugins and
                        overriding defaults
  -p PROFILE, --profile PROFILE
                        profile to use (defaults to executing all tests)
  -t TESTS, --tests TESTS
                        comma-separated list of test IDs to run
  -s SKIPS, --skip SKIPS
                        comma-separated list of test IDs to skip
  -l, --level           report only issues of a given severity level or higher
                        (-l for LOW, -ll for MEDIUM, -lll for HIGH)
  -i, --confidence      report only issues of a given confidence level or
                        higher (-i for LOW, -ii for MEDIUM, -iii for HIGH)
  -f {csv,custom,html,json,screen,txt,xml,yaml}, --format {csv,custom,html,json,screen,txt,xml,yaml}
                        specify output format
  --msg-template MSG_TEMPLATE
                        specify output message template (only usable with
                        --format custom), see CUSTOM FORMAT section for list
                        of available values
  -o [OUTPUT_FILE], --output [OUTPUT_FILE]
                        write report to filename
  -v, --verbose         output extra information like excluded and included
                        files
  -d, --debug           turn on debug mode
  -q, --quiet, --silent
                        only show output in the case of an error
  --ignore-nosec        do not skip lines with # nosec comments
  -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
                        comma-separated list of paths (glob patterns supported)
                        to exclude from scan (note that these are in addition
                        to the excluded paths provided in the config file)
  -b BASELINE, --baseline BASELINE
                        path of a baseline report to compare against (only
                        JSON-formatted files are accepted)
  --ini INI_PATH        path to a .bandit file that supplies command line
                        arguments
  --version             show program's version number and exit

CUSTOM FORMATTING
-----------------

Available tags:

    {abspath}, {relpath}, {line}, {test_id},
    {severity}, {msg}, {confidence}, {range}

Example usage:

    Default template:
    bandit -r examples/ --format custom --msg-template \
    "{abspath}:{line}: {test_id}[bandit]: {severity}: {msg}"

    Provides same output as:
    bandit -r examples/ --format custom

    Tags can also be formatted in python string.format() style:
    bandit -r examples/ --format custom --msg-template \
    "{relpath:20.20s}: {line:03}: {test_id:^8}: DEFECT: {msg:>20}"

    See python documentation for more information about formatting style:
    https://docs.python.org/3.4/library/string.html

The following tests were discovered and loaded:
-----------------------------------------------

    B101  assert_used
    B102  exec_used
    B103  set_bad_file_permissions
    B104  hardcoded_bind_all_interfaces
    B105  hardcoded_password_string
    B106  hardcoded_password_funcarg
    B107  hardcoded_password_default
    B108  hardcoded_tmp_directory
    B110  try_except_pass
    B112  try_except_continue
    B201  flask_debug_true
    B301  pickle
    B302  marshal
    B303  md5
    B304  ciphers
    B305  cipher_modes
    B306  mktemp_q
    B307  eval
    B308  mark_safe
    B309  httpsconnection
    B310  urllib_urlopen
    B311  random
    B312  telnetlib
    B313  xml_bad_cElementTree
    B314  xml_bad_ElementTree
    B315  xml_bad_expatreader
    B316  xml_bad_expatbuilder
    B317  xml_bad_sax
    B318  xml_bad_minidom
    B319  xml_bad_pulldom
    B320  xml_bad_etree
    B321  ftplib
    B322  input
    B323  unverified_context
    B324  hashlib_new_insecure_functions
    B325  tempnam
    B401  import_telnetlib
    B402  import_ftplib
    B403  import_pickle
    B404  import_subprocess
    B405  import_xml_etree
    B406  import_xml_sax
    B407  import_xml_expat
    B408  import_xml_minidom
    B409  import_xml_pulldom
    B410  import_lxml
    B411  import_xmlrpclib
    B412  import_httpoxy
    B413  import_pycrypto
    B501  request_with_no_cert_validation
    B502  ssl_with_bad_version
    B503  ssl_with_bad_defaults
    B504  ssl_with_no_version
    B505  weak_cryptographic_key
    B506  yaml_load
    B507  ssh_no_host_key_verification
    B601  paramiko_calls
    B602  subprocess_popen_with_shell_equals_true
    B603  subprocess_without_shell_equals_true
    B604  any_other_function_with_shell_equals_true
    B605  start_process_with_a_shell
    B606  start_process_with_no_shell
    B607  start_process_with_partial_path
    B608  hardcoded_sql_expressions
    B609  linux_commands_wildcard_injection
    B610  django_extra_used
    B611  django_rawsql_used
    B701  jinja2_autoescape_false
    B702  use_of_mako_templates
    B703  django_mark_safe
Baseline
Bandit lets you specify the path of a baseline report to compare the current scan against:
bandit -b BASELINE
This is useful for ignoring known issues, or findings that you have decided are not real problems. Only JSON-formatted baselines are accepted, so generate the baseline report with:
bandit -f json -o PATH_TO_OUTPUT_FILE
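The following added example (not Bandit's own code) shows what the comparison behind -b amounts to when applied to the JSON that -f json emits, so that a CI job can fail only on findings that are new relative to the baseline. Both reports are constructed samples that use Bandit's JSON field names (results, filename, test_id, issue_severity, issue_confidence, issue_text, line_number); treating a finding as already known when everything except line_number matches, so that edits that merely shift lines do not resurface baselined findings, is this example's assumption about what makes two findings "the same".

```python
"""Triage a new Bandit JSON report against a baseline.

Added example, not Bandit's own code.  The two reports below are constructed
samples with Bandit's JSON field names; the fingerprint (everything except
line_number) is this example's choice of identity for a finding.
"""
import json

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed baseline: two findings that were reviewed and accepted.
BASELINE_JSON = json.dumps({"results": [
    {"filename": "app/db.py", "test_id": "B608",
     "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
     "issue_text": "Possible SQL injection vector through string-based query construction.",
     "line_number": 12},
    {"filename": "tests/test_api.py", "test_id": "B101",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Use of assert detected.",
     "line_number": 5},
]})

# Constructed report from a later scan of the same tree.
NEW_JSON = json.dumps({"results": [
    # the same B608 finding, pushed down six lines by an unrelated edit
    {"filename": "app/db.py", "test_id": "B608",
     "issue_severity": "MEDIUM", "issue_confidence": "MEDIUM",
     "issue_text": "Possible SQL injection vector through string-based query construction.",
     "line_number": 18},
    {"filename": "tests/test_api.py", "test_id": "B101",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Use of assert detected.",
     "line_number": 5},
    # genuinely new findings
    {"filename": "app/run.py", "test_id": "B602",
     "issue_severity": "HIGH", "issue_confidence": "HIGH",
     "issue_text": "subprocess call with shell=True identified, security issue.",
     "line_number": 9},
    {"filename": "app/run.py", "test_id": "B110",
     "issue_severity": "LOW", "issue_confidence": "HIGH",
     "issue_text": "Try, Except, Pass detected.",
     "line_number": 21},
]})


def fingerprint(result):
    """Identity of a finding, independent of where in the file it now sits."""
    return (result["filename"], result["test_id"], result["issue_severity"],
            result["issue_confidence"], result["issue_text"])


def new_findings(baseline_json, report_json):
    """Findings present in the new report but absent from the baseline."""
    known = {fingerprint(r) for r in json.loads(baseline_json)["results"]}
    return [r for r in json.loads(report_json)["results"]
            if fingerprint(r) not in known]


def ci_exit_code(findings, min_severity="MEDIUM"):
    """1 if any new finding is at or above min_severity (like -ll / -lll), else 0."""
    floor = SEVERITY_RANK[min_severity]
    return int(any(SEVERITY_RANK[f["issue_severity"]] >= floor for f in findings))


if __name__ == "__main__":
    fresh = new_findings(BASELINE_JSON, NEW_JSON)
    for f in fresh:
        print(f'{f["filename"]}:{f["line_number"]}: {f["test_id"]} '
              f'{f["issue_severity"]}: {f["issue_text"]}')
    raise SystemExit(ci_exit_code(fresh))
```

Run against the samples it prints only the B602 and B110 findings and exits 1, because the new B602 is HIGH; with the LOW B110 alone the exit code would be 0. Regenerate the baseline only from a scan of the same targets, and review the diff of the JSON in the same commit so that "baselining" a finding stays a deliberate, reviewable act.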
Version control integration
Install and use pre-commit, then add the following to your repository's .pre-commit-config.yaml:
repos:
- repo: https://github.com/PyCQA/bandit
  rev: '' # Update me!
  hooks:
  - id: bandit
Then run pre-commit.
Extending Bandit
Bandit allows users to write and register extensions that implement custom checks or formatters. Bandit loads plugins from the following two entry points:
bandit.formatters
bandit.plugins
A formatter must accept the following four arguments:
result_store: an instance of bandit.core.BanditResultStore
file_list: the list of files that were inspected by the scan
scores: the scores awarded to each file
excluded_files: the files in the list that were excluded from the scan
Plugins use bandit.checks to specify the AST node types they want to examine:
import bandit

@bandit.checks('Call')
def prohibit_unsafe_deserialization(context):
    if 'unsafe_load' in context.call_function_name_qual:
        return bandit.Issue(
            severity=bandit.HIGH,
            confidence=bandit.HIGH,
            text="Unsafe deserialization detected."
        )
Bandit gives you two options for registering a plugin:
1. If you use setuptools directly, add the following to your setup call:
# If you have an imaginary bson formatter in the bandit_bson module
# and a function called `formatter`.
entry_points={'bandit.formatters': ['bson = bandit_bson:formatter']}
# Or a check for using mako templates in bandit_mako that
entry_points={'bandit.plugins': ['mako = bandit_mako']}
2. If you use pbr, add the following to setup.cfg:
[entry_points]
bandit.formatters =
    bson = bandit_bson:formatter
bandit.plugins =
    mako = bandit_mako
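The two mechanisms described on this page, the AST walk that dispatches checks by node type (from the introduction) and a plugin written against bandit.checks and context.call_function_name_qual (the section above), can be seen end to end in the following added example. It is not Bandit's code: the checks() decorator, Context, Issue and the LOW/MEDIUM/HIGH names are this example's own minimal stand-ins that copy the shape of the API used on the page, the two extra checks only imitate what B602 and B101 look for, and the scanned source is a constructed sample. It also honours # nosec the way the --ignore-nosec flag in the help output implies.

```python
"""Minimal Bandit-style AST scanner.

Added example, not Bandit's own code.  checks(), Context, Issue and the
severity names are stand-ins with the shape of the bandit API the page uses,
so the page's prohibit_unsafe_deserialization plugin runs here unchanged
(minus the 'bandit.' prefix).
"""
import ast
from dataclasses import dataclass

LOW, MEDIUM, HIGH = "LOW", "MEDIUM", "HIGH"

_CHECKS = {}  # AST node class name -> registered check functions


def checks(*node_types):
    """Register the decorated check to run on the given AST node types."""
    def register(func):
        for node_type in node_types:
            _CHECKS.setdefault(node_type, []).append(func)
        return func
    return register


@dataclass
class Issue:
    severity: str
    confidence: str
    text: str
    filename: str = ""
    lineno: int = 0


def _dotted_name(expr):
    """Best-effort 'pkg.mod.func' for the func part of a Call node."""
    parts = []
    while isinstance(expr, ast.Attribute):
        parts.append(expr.attr)
        expr = expr.value
    if isinstance(expr, ast.Name):
        parts.append(expr.id)
    return ".".join(reversed(parts))


class Context:
    """What a check gets to look at for one node."""

    def __init__(self, node, filename):
        self.node = node
        self.filename = filename

    @property
    def call_function_name_qual(self):
        if isinstance(self.node, ast.Call):
            return _dotted_name(self.node.func)
        return ""

    def call_keyword(self, name):
        """Value of a literal keyword argument such as shell=True, else None."""
        for kw in getattr(self.node, "keywords", []):
            if kw.arg == name and isinstance(kw.value, ast.Constant):
                return kw.value.value
        return None


# The page's plugin, followed by two checks that imitate B602 and B101.
@checks("Call")
def prohibit_unsafe_deserialization(context):
    if "unsafe_load" in context.call_function_name_qual:
        return Issue(severity=HIGH, confidence=HIGH,
                     text="Unsafe deserialization detected.")


@checks("Call")
def subprocess_shell_true(context):
    if (context.call_function_name_qual.startswith("subprocess.")
            and context.call_keyword("shell") is True):
        return Issue(severity=HIGH, confidence=HIGH,
                     text="subprocess call with shell=True identified.")


@checks("Assert")
def assert_used(context):
    return Issue(severity=LOW, confidence=HIGH,
                 text="Use of assert detected (removed under python -O).")


def scan_source(source, filename="<string>", ignore_nosec=False):
    """Run every registered check over every AST node; honour '# nosec' like Bandit."""
    lines = source.splitlines()
    issues = []
    for node in ast.walk(ast.parse(source, filename)):
        lineno = getattr(node, "lineno", 0)
        if lineno and "# nosec" in lines[lineno - 1] and not ignore_nosec:
            continue  # suppressed on this line, unless --ignore-nosec behaviour is requested
        for check in _CHECKS.get(type(node).__name__, []):
            issue = check(Context(node, filename))
            if issue is not None:
                issue.filename, issue.lineno = filename, lineno
                issues.append(issue)
    return sorted(issues, key=lambda i: i.lineno)


# Constructed sample input; it is only parsed, never executed.
SAMPLE = '''\
import subprocess, yaml
cfg = yaml.unsafe_load(open("cfg.yml").read())
subprocess.call("ls " + user_dir, shell=True)
subprocess.call(["ls", user_dir])
out = subprocess.check_output("id", shell=True)  # nosec
assert cfg is not None
'''

if __name__ == "__main__":
    for issue in scan_source(SAMPLE, "sample.py"):
        print(f"{issue.filename}:{issue.lineno}: {issue.severity}: {issue.text}")
```

On the sample it reports lines 2, 3 and 6; line 5 is suppressed by its # nosec comment until scan_source is called with ignore_nosec=True, which is why an audit should run with --ignore-nosec at least once to see what has been waved through. Line 4, which passes a list without shell=True, is correctly left alone.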
Project links
Reference documentation: [latest version]
Bandit: [GitHub]
Bug reports: [link]
License
This project is released under the Apache open-source license.