[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.9.5
[node_visitor] WARNING Unable to find qualified name for module: issues.py
Run started:2023-01-11 23:22:20.814375

Test results:
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   Location: issues.py:1:0
   More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b404-import-subprocess
1	import subprocess
2	import os
3	import sys

--------------------------------------------------
>> Issue: [B602:subprocess_popen_with_shell_equals_true] subprocess call with shell=True identified, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   Location: issues.py:8:4
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b602_subprocess_popen_with_shell_equals_true.html
7	# This code uses a command injection vulnerability
8	subprocess.call("touch " + sys.argv[1], shell=True)
9

--------------------------------------------------
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'secretpassword'
   Severity: Low   Confidence: Medium
   CWE: CWE-259 (https://cwe.mitre.org/data/definitions/259.html)
   Location: issues.py:11:15
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b105_hardcoded_password_string.html
10	# This code uses a hardcoded password
11	password = "secretpassword"
12	os.system("echo " + password + " | sudo -S apt-get update")

--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   Location: issues.py:12:4
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b605_start_process_with_a_shell.html
11	password = "secretpassword"
12	os.system("echo " + password + " | sudo -S apt-get update")
13

--------------------------------------------------
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   Location: issues.py:16:16
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b608_hardcoded_sql_expressions.html
15	user_input = input("Enter a value:")
16	sql_query = "SELECT * FROM users WHERE name='" + user_input + "';"
17	os.system("mysql -e '" + sql_query + "'")

--------------------------------------------------
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
   Severity: High   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   Location: issues.py:17:4
   More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b605_start_process_with_a_shell.html
16	sql_query = "SELECT * FROM users WHERE name='" + user_input + "';"
17	os.system("mysql -e '" + sql_query + "'")
18

--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
   Location: issues.py:26:4
   More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
25	# This code uses a XML External Entity (XXE) vulnerability
26	import xml.etree.ElementTree as ET
27	xtree = ET.parse(input("Enter the xml file:"))

--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
   Location: issues.py:27:12
   More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
26	import xml.etree.ElementTree as ET
27	xtree = ET.parse(input("Enter the xml file:"))
28	xroot = xtree.getroot()

--------------------------------------------------

Code scanned:
	Total lines of code: 19
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 3
		Medium: 2
		High: 3
	Total issues (by confidence):
		Undefined: 0
		Low: 1
		Medium: 1
		High: 6
Files skipped (0):