
Bandit Scan Result

a guest
Jan 15th, 2023
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.9.5
[node_visitor]  WARNING Unable to find qualified name for module: issues.py
Run started:2023-01-11 23:22:20.814375

Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   Location: issues.py:1:0
   More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b404-import-subprocess
1       import subprocess
2       import os
3       import sys

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   Location: issues.py:8:4
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b602_subprocess_popen_with_shell_equals_true.html
7           # This code uses a command injection vulnerability
8           subprocess.call("touch " + sys.argv[1], shell=True)
9

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'secretpassword'
   Severity: Low   Confidence: Medium
   CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
   Location: issues.py:11:15
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b105_hardcoded_password_string.html
10          # This code uses a hardcoded password
11          password = "secretpassword"
12          os.system("echo " + password + " | sudo -S apt-get update")

--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   Location: issues.py:12:4
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b605_start_process_with_a_shell.html
11          password = "secretpassword"
12          os.system("echo " + password + " | sudo -S apt-get update")
13

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   Location: issues.py:16:16
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b608_hardcoded_sql_expressions.html
15          user_input = input("Enter a value:")
16          sql_query = "SELECT * FROM users WHERE name='" + user_input + "';"
17          os.system("mysql -e '" + sql_query + "'")

--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   Location: issues.py:17:4
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b605_start_process_with_a_shell.html
16          sql_query = "SELECT * FROM users WHERE name='" + user_input + "';"
17          os.system("mysql -e '" + sql_query + "'")
18

--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
   Location: issues.py:26:4
   More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
25          # This code uses a XML External Entity (XXE) vulnerability
26          import xml.etree.ElementTree as ET
27          xtree = ET.parse(input("Enter the xml file:"))

--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
   Location: issues.py:27:12
   More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
26          import xml.etree.ElementTree as ET
27          xtree = ET.parse(input("Enter the xml file:"))
28          xroot = xtree.getroot()

--------------------------------------------------

Code scanned:
        Total lines of code: 19
        Total lines skipped (#nosec): 0

Run metrics:
        Total issues (by severity):
                Undefined: 0
                Low: 3
                Medium: 2
                High: 3
        Total issues (by confidence):
                Undefined: 0
                Low: 1
                Medium: 1
                High: 6
Files skipped (0):