
Bandit JSON output

  1. {
  2.  "errors": [],
  3.  "generated_at": "2023-01-12T07:40:38Z",
  4.  "metrics": {
  5.    "_totals": {
  6.      "CONFIDENCE.HIGH": 6,
  7.      "CONFIDENCE.LOW": 1,
  8.      "CONFIDENCE.MEDIUM": 1,
  9.      "CONFIDENCE.UNDEFINED": 0,
  10.      "SEVERITY.HIGH": 3,
  11.      "SEVERITY.LOW": 3,
  12.      "SEVERITY.MEDIUM": 2,
  13.      "SEVERITY.UNDEFINED": 0,
  14.      "loc": 19,
  15.      "nosec": 0,
  16.      "skipped_tests": 0
  17.    },
  18.    "issues.py": {
  19.      "CONFIDENCE.HIGH": 6,
  20.      "CONFIDENCE.LOW": 1,
  21.      "CONFIDENCE.MEDIUM": 1,
  22.      "CONFIDENCE.UNDEFINED": 0,
  23.      "SEVERITY.HIGH": 3,
  24.      "SEVERITY.LOW": 3,
  25.      "SEVERITY.MEDIUM": 2,
  26.      "SEVERITY.UNDEFINED": 0,
  27.      "loc": 19,
  28.      "nosec": 0,
  29.      "skipped_tests": 0
  30.    }
  31.  },
  32.  "results": [
  33.    {
  34.      "code": "1 import subprocess\n2 import os\n3 import sys\n",
  35.      "col_offset": 0,
  36.      "filename": "issues.py",
  37.      "issue_confidence": "HIGH",
  38.      "issue_cwe": {
  39.        "id": 78,
  40.        "link": "https://cwe.mitre.org/data/definitions/78.html"
  41.      },
  42.      "issue_severity": "LOW",
  43.      "issue_text": "Consider possible security implications associated with the subprocess module.",
  44.      "line_number": 1,
  45.      "line_range": [
  46.        1
  47.      ],
  48.      "more_info": "https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b404-import-subprocess",
  49.      "test_id": "B404",
  50.      "test_name": "blacklist"
  51.    },
  52.    {
  53.      "code": "7     # This code uses a command injection vulnerability\n8     subprocess.call(\"touch \" + sys.argv[1], shell=True)\n9 \n",
  54.      "col_offset": 4,
  55.      "filename": "issues.py",
  56.      "issue_confidence": "HIGH",
  57.      "issue_cwe": {
  58.        "id": 78,
  59.        "link": "https://cwe.mitre.org/data/definitions/78.html"
  60.      },
  61.      "issue_severity": "HIGH",
  62.      "issue_text": "subprocess call with shell=True identified, security issue.",
  63.      "line_number": 8,
  64.      "line_range": [
  65.        8
  66.      ],
  67.      "more_info": "https://bandit.readthedocs.io/en/1.7.4/plugins/b602_subprocess_popen_with_shell_equals_true.html",
  68.      "test_id": "B602",
  69.      "test_name": "subprocess_popen_with_shell_equals_true"
  70.    },
  71.    {
  72.      "code": "10     # This code uses a hardcoded password\n11     password = \"secretpassword\"\n12     os.system(\"echo \" + password + \" | sudo -S apt-get update\")\n",
  73.      "col_offset": 15,
  74.      "filename": "issues.py",
  75.      "issue_confidence": "MEDIUM",
  76.      "issue_cwe": {
  77.        "id": 259,
  78.        "link": "https://cwe.mitre.org/data/definitions/259.html"
  79.      },
  80.      "issue_severity": "LOW",
  81.      "issue_text": "Possible hardcoded password: 'secretpassword'",
  82.      "line_number": 11,
  83.      "line_range": [
  84.        11
  85.      ],
  86.      "more_info": "https://bandit.readthedocs.io/en/1.7.4/plugins/b105_hardcoded_password_string.html",
  87.      "test_id": "B105",
  88.      "test_name": "hardcoded_password_string"
  89.    },
  90.    {
  91.      "code": "11     password = \"secretpassword\"\n12     os.system(\"echo \" + password + \" | sudo -S apt-get update\")\n13 \n",
  92.      "col_offset": 4,
  93.      "filename": "issues.py",
  94.      "issue_confidence": "HIGH",
  95.      "issue_cwe": {
  96.        "id": 78,
  97.        "link": "https://cwe.mitre.org/data/definitions/78.html"
  98.      },
  99.      "issue_severity": "HIGH",
  100.      "issue_text": "Starting a process with a shell, possible injection detected, security issue.",
  101.      "line_number": 12,
  102.      "line_range": [
  103.        12
  104.      ],
  105.      "more_info": "https://bandit.readthedocs.io/en/1.7.4/plugins/b605_start_process_with_a_shell.html",
  106.      "test_id": "B605",
  107.      "test_name": "start_process_with_a_shell"
  108.    },
  109.    {
  110.      "code": "15     user_input = input(\"Enter a value:\")\n16     sql_query = \"SELECT * FROM users WHERE name='\" + user_input + \"';\"\n17     os.system(\"mysql -e '\" + sql_query + \"'\")\n",
  111.      "col_offset": 16,
  112.      "filename": "issues.py",
  113.      "issue_confidence": "LOW",
  114.      "issue_cwe": {
  115.        "id": 89,
  116.        "link": "https://cwe.mitre.org/data/definitions/89.html"
  117.      },
  118.      "issue_severity": "MEDIUM",
  119.      "issue_text": "Possible SQL injection vector through string-based query construction.",
  120.      "line_number": 16,
  121.      "line_range": [
  122.        16
  123.      ],
  124.      "more_info": "https://bandit.readthedocs.io/en/1.7.4/plugins/b608_hardcoded_sql_expressions.html",
  125.      "test_id": "B608",
  126.      "test_name": "hardcoded_sql_expressions"
  127.    },
  128.    {
  129.      "code": "16     sql_query = \"SELECT * FROM users WHERE name='\" + user_input + \"';\"\n17     os.system(\"mysql -e '\" + sql_query + \"'\")\n18 \n",
  130.      "col_offset": 4,
  131.      "filename": "issues.py",
  132.      "issue_confidence": "HIGH",
  133.      "issue_cwe": {
  134.        "id": 78,
  135.        "link": "https://cwe.mitre.org/data/definitions/78.html"
  136.      },
  137.      "issue_severity": "HIGH",
  138.      "issue_text": "Starting a process with a shell, possible injection detected, security issue.",
  139.      "line_number": 17,
  140.      "line_range": [
  141.        17
  142.      ],
  143.      "more_info": "https://bandit.readthedocs.io/en/1.7.4/plugins/b605_start_process_with_a_shell.html",
  144.      "test_id": "B605",
  145.      "test_name": "start_process_with_a_shell"
  146.    },
  147.    {
  148.      "code": "25     # This code uses a XML External Entity (XXE) vulnerability\n26     import xml.etree.ElementTree as ET\n27     xtree = ET.parse(input(\"Enter the xml file:\"))\n",
  149.      "col_offset": 4,
  150.      "filename": "issues.py",
  151.      "issue_confidence": "HIGH",
  152.      "issue_cwe": {
  153.        "id": 20,
  154.        "link": "https://cwe.mitre.org/data/definitions/20.html"
  155.      },
  156.      "issue_severity": "LOW",
  157.      "issue_text": "Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.",
  158.      "line_number": 26,
  159.      "line_range": [
  160.        26
  161.      ],
  162.      "more_info": "https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree",
  163.      "test_id": "B405",
  164.      "test_name": "blacklist"
  165.    },
  166.    {
  167.      "code": "26     import xml.etree.ElementTree as ET\n27     xtree = ET.parse(input(\"Enter the xml file:\"))\n28     xroot = xtree.getroot()\n",
  168.      "col_offset": 12,
  169.      "filename": "issues.py",
  170.      "issue_confidence": "HIGH",
  171.      "issue_cwe": {
  172.        "id": 20,
  173.        "link": "https://cwe.mitre.org/data/definitions/20.html"
  174.      },
  175.      "issue_severity": "MEDIUM",
  176.      "issue_text": "Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called",
  177.      "line_number": 27,
  178.      "line_range": [
  179.        27
  180.      ],
  181.      "more_info": "https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree",
  182.      "test_id": "B314",
  183.      "test_name": "blacklist"
  184.    }
  185.  ]
  186. }
  187.  