34 questions
2 votes | 0 answers | 61 views
Detect usage of a (vulnerable) function in an imported module?
I would like to be able to detect if a (vulnerable) function is used in our code.
This is so that we can sometimes implement a waiver for using vulnerable dependencies (let's not go into a discussion on ...
0 votes | 0 answers | 56 views
Incorporate Pylint and Bandit to Gitlab CICD Automation through Ansible
Here is my Gitlab Ansible script:
stages:
  - linting
  - deploy-s3
pylint:
  stage: linting
  script:
    - TIMESTAMP=$(date -u +"%Y%m%d%H%M%S")
    - REPORT_FILENAME="pylint_report_$...
1 vote | 1 answer | 125 views
Bandit vulnerability on 'Drop View <View_Name>'
I am not sure why bandit is flagging the line below as 'Detected possible formatted SQL query. Use parameterized queries instead.':
conn.execute(f"DROP VIEW {view_name};")
Is there a way to ...
1 vote | 1 answer | 226 views
How to limit certain actions from Vowpal Wabbit Contextual Bandit based on context
I'm working on creating a contextual bandit for recommending actions to a user on our website. I want to limit certain actions from showing based on the user's context.
For example, if a user has ...
0 votes | 1 answer | 684 views
Error when adding bandit command to Makefile: make: *** [bandit] Error 1
I would like to incorporate Bandit security tests into my current Python project and add the command to my Makefile.
In my Makefile, I added the following code:
.PHONY: bandit
bandit:
	pip install ...
3 votes | 1 answer | 2k views
pyproject.toml: toml parser not available, reinstall with toml extra
I am configuring my pyproject.toml so that bandit excludes the test files, but it gives me the error "ERROR pyproject.toml : toml parser not available, reinstall with toml extra".
This is my pyproject....
1 vote | 2 answers | 334 views
Copy file from dockerfile build to host - bandit
I just started learning docker. To teach myself, I managed to containerize bandit (a python code scanner), but I'm not able to see the output of the scan before the container destroys itself. How can I ...
1 vote | 1 answer | 1k views
How to skip bandit on multi line queries
I am trying to skip multi-line queries using bandit in my python code. I have tried to use #nosec, but the bandit issue is still showing.
Example:
"""#nosec""" ;Query ...
0 votes | 0 answers | 2k views
Can SonarQube really detect memory leaks?
I'm using SonarQube (v8.9) at work with SonarScanner (v4.2).
I've created two memory leaks, one in JavaScript and one in Python. They couldn't be detected by SonarScanner.
These are the snippets:
JS:...
0 votes | 1 answer | 2k views
Checking vulnerabilities in python code with bandit using jenkins pipeline
Can anyone help me with this in Jenkins:
Install the required Jenkins plugins.
Configure your job to scan only python files.
Using bandit, scan only the python files of the directory "...
7 votes | 1 answer | 2k views
Run bash-command via subprocess in python without bandit Warning B404 and B603
Since the pre-commit hook does not allow commits even when bandit only issues warnings, I need to find a way to execute bash commands from python scripts without bandit complaining.
Using the subprocess ...
1 vote | 0 answers | 2k views
Is it possible to run bandit on a bunch of python files in one folder using command prompt?
I have tried using bandit -r folder/path, but it does not seem to work. Any suggestions? Thanks! All my files are getting skipped for some reason.
C:\Users\ablev\AppData\Local\Programs\Python\Python310&...
6 votes | 2 answers | 6k views
Bandit Issue with Pyproject.toml
I'm trying to use pyproject.toml to exclude the venv/ directory, but it is not recognising the option.
[tool.bandit]
exclude = "/venv"
[tool.black]
exclude = "(venv)"
[tool.isort]...
16 votes | 2 answers | 3k views
Bandit B404 security issue with subprocess import?
According to Bandit's documentation, importing the subprocess module is considered a low security issue (B404). Unfortunately, it does not provide alternatives or explanation why. Thus, I have 2 ...
0 votes | 1 answer | 630 views
equivalent of lxml.objectify cleanup_namespaces in defusedxml
I am getting the below error in bandit:
Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.
I ...