Questions tagged [bandit-python]

Bandit is a tool designed to find common security issues in Python code.

32 questions
47 votes, 5 answers

What is the way to ignore/skip some issues from python bandit security issues report?

I've got a bunch of django_mark_safe errors >> Issue: [B703:django_mark_safe] Potential XSS on mark_safe function. Severity: Medium Confidence: High Location: ... More Info:…
ramusus • 7,789 • 5 • 38 • 45
27 votes, 7 answers

How can I make bandit skip B101 within tests?

I'm using bandit to check my code for potential security issues: bandit -r git-repository/ However, the most common item found by bandit is B101. It is triggered by assert statements within tests. I use pytest, so this is not a concern, but a good…
Martin Thoma • 124,992 • 159 • 614 • 958
10 votes, 2 answers

Bandit B404 security issue with subprocess import?

According to Bandit's documentation, importing the subprocess module is considered a low security issue (B404). Unfortunately, it does not provide alternatives or explanation why. Thus, I have 2 questions: How could just importing this module be an…
fgoudra • 751 • 8 • 23
6 votes, 2 answers

Bandit Issue with Pyproject.toml

I'm trying to use pyproject.toml to exclude the venv/ directory. But it is not recognising the option. [tool.bandit] exclude = "/venv" [tool.black] exclude = "(venv)" [tool.isort] profile = "black" skip = "venv" balanced_wrapping = true atomic =…
felix001 • 15,341 • 32 • 94 • 121
6 votes, 0 answers

Python subprocess.run in a secure way

My Python script has to run a binary available only via console, so I use subprocess.run and it looks like this: CMD = [ "C:\\Program Files\\Azure DevOps Server 2019\\Tools\\TFSSecurity.exe", "/gd", …
kagarlickij • 7,327 • 10 • 36 • 71
5 votes, 2 answers

SonarQube does not display Bandit's Python security vulnerability report

Overview I'm using SonarQube 7.4.0.18908 to gather code coverage and perform static code analysis for a Python 3.6 project. The server is running in AWS. Things are working as expected (see screenshot below). Now I'd like to add security scanning…
yegorski • 335 • 4 • 9
4 votes, 1 answer

Run bash-command via subprocess in python without bandit Warning B404 and B603

Since the pre-commit hook does not allow even warnings and commits issued by bandit, I need to find a way to execute bash commands from python scripts without bandit complaining. Using the subprocess python package, bandit has always complained so…
Andreas L. • 3,239 • 5 • 26 • 65
4 votes, 3 answers

Pybandit to allow B311: pseudo-random generators to be used in tests

I've used random.choice for tests. And Bandit is showing warnings. x = random.choice(lists) I know I could use # nosec comment to suppress the warning. But it would be inconvenient to do it in all lines x = random.choice(lists) # nosec I want to…
PaxPrz • 1,778 • 1 • 13 • 29
3 votes, 1 answer

Python code for security analysis using Bandit

I would like to get python code for an analysis using Bandit static analyzer. The main emphasis is security, for python 2.7. Can anyone help?
Marius Poiata • 43 • 1 • 8
2 votes, 0 answers

audit url open for permitted schemes. allowing use of file / or custom schemes is often unexpected

I am using the below code in python for sending request def get(self, url): response = None try: ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_1 | ssl.PROTOCOL_TLSv1_2) if url.lower().startswith('https'): response = ur.urlopen(url,…
User123 • 793 • 4 • 10 • 28
1 vote, 1 answer

pyproject.toml : toml parser not available, reinstall with toml extra

I am configuring my pyproject.toml so that bandit excludes the test files but it gives me the error ERROR pyproject.toml : toml parser not available, reinstall with toml extra this is my pyproject.toml [tool.bandit] exclude_dirs = ["*/test/*"] tests…
1 vote, 2 answers

Copy file from dockerfile build to host - bandit

I just started learning docker. To teach myself, I managed to containerize bandit (a python code scanner) but I'm not able to see the output of the scan before the container destroys itself. How can I copy the output file from inside the container…
Steve • 11 • 2
1 vote, 1 answer

How to skip bandit on multi line queries

I am trying to skip multiple line queries using bandit in my python query. I have tried to use #nosec but still there is bandit issue showing Example: """#nosec""" ;Query = f"""Select username,id,email_id,address from User where username ='John'"""
1 vote, 1 answer

Fix Bandit SQL injection issue in pandas.read_sql()

I am working on a project which has a lot of queries that are being run in python. When I performed the bandit check, I saw the issue - Test results: >> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query…
1 vote, 1 answer

Solving multi-armed bandit problems with continuous action space

My problem has a single state and an infinite amount of actions on a certain interval (0,1). After quite some time of googling I found a few papers about an algorithm called zooming algorithm which can solve problems with a continuous action space.…