Merge branch 'main' into plugin_unit_tests

Signed-off-by: Eric Brown <[email protected]>

Author: ericwb

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -44,7 +44,8 @@ body:
       label: Bandit version
       description: Run "bandit --version" if unsure of version number
       options:
-        - 1.7.4 (Default)
+        - 1.7.5 (Default)
+        - 1.7.4
         - 1.7.3
         - 1.7.2
         - 1.7.1
@@ -67,12 +68,13 @@ body:
       label: Python version
       description: Run "bandit --version" if unsure of version number
       options:
-        - 3.10 (Default)
-        - 3.9
-        - 3.8
-        - 3.7
-        - 3.6
-        - 3.5
+        - "3.11 (Default)"
+        - "3.10"
+        - "3.9"
+        - "3.8"
+        - "3.7"
+        - "3.6"
+        - "3.5"
     validations:
       required: true
 

.github/dependabot.yml

@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    interval:
+      schedule: "monthly"

.github/workflows/pythonpackage.yml

@@ -51,7 +51,7 @@ jobs:
     strategy:
       matrix:
         python-version: [
-          ["3.7", "37"], ["3.8", "38"], ["3.9", "39"], ["3.10", "310"], ["3.11.0-a - 3.11", "311"]
+          ["3.7", "37"], ["3.8", "38"], ["3.9", "39"], ["3.10", "310"], ["3.11", "311"]
         ]
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}

README.rst

@@ -3,8 +3,8 @@
 
 ======
 
-.. image:: https://github.com/PyCQA/bandit/workflows/Build%20and%20Test%20Bandit/badge.svg
-    :target: https://github.com/PyCQA/bandit/actions?query=workflow%3A%22Build+and+Test+Bandit%22
+.. image:: https://github.com/PyCQA/bandit/actions/workflows/pythonpackage.yml/badge.svg?branch=main
+    :target: https://github.com/PyCQA/bandit/actions?query=workflow%3A%22Build+and+Test+Bandit%22+branch%3Amain
     :alt: Build Status
 
 .. image:: https://readthedocs.org/projects/bandit/badge/?version=latest

bandit/blacklists/calls.py

@@ -9,7 +9,7 @@
 
 This blacklist data checks for a number of Python calls known to have possible
 security implications. The following blacklist tests are run against any
-function calls encoutered in the scanned code base, triggered by encoutering
+function calls encountered in the scanned code base, triggered by encoutering
 ast.Call nodes.
 
 B301: pickle

bandit/core/node_visitor.py

@@ -200,13 +200,6 @@ def pre_visit(self, node):
         if hasattr(node, "lineno"):
             self.context["lineno"] = node.lineno
 
-            # explicitly check for empty set to skip all tests for a line
-            nosec_tests = self.nosec_lines.get(node.lineno)
-            if nosec_tests is not None and not len(nosec_tests):
-                LOG.debug("skipped, nosec without test number")
-                self.metrics.note_nosec()
-                return False
-
         if hasattr(node, "col_offset"):
             self.context["col_offset"] = node.col_offset
         if hasattr(node, "end_col_offset"):

bandit/core/tester.py

@@ -76,12 +76,15 @@ def run_tests(self, raw_context, checktype):
 
                     # don't skip the test if there was no nosec comment
                     if nosec_tests_to_skip is not None:
-                        # if the set is empty or the test id is in the set of
-                        # tests to skip, log and increment the skip by test
-                        # count
-                        if not nosec_tests_to_skip or (
-                            result.test_id in nosec_tests_to_skip
-                        ):
+                        # If the set is empty then it means that nosec was
+                        # used without test number -> update nosecs counter.
+                        # If the test id is in the set of tests to skip,
+                        # log and increment the skip by test count.
+                        if not nosec_tests_to_skip:
+                            LOG.debug("skipped, nosec without test number")
+                            self.metrics.note_nosec()
+                            continue
+                        elif result.test_id in nosec_tests_to_skip:
                             LOG.debug(
                                 "skipped, nosec for test %s" % result.test_id
                             )
@@ -129,7 +132,7 @@ def _get_nosecs_from_contexts(self, context, test_result=None):
             if test_result
             else None
         )
-        context_tests = self.nosec_lines.get(context["lineno"], None)
+        context_tests = utils.get_nosec(self.nosec_lines, context)
 
         # if both are none there were no comments
         # this is explicitly different from being empty.

bandit/core/utils.py

@@ -370,3 +370,11 @@ def check_ast_node(name):
         pass
 
     raise TypeError("Error: %s is not a valid node type in AST" % name)
+
+
+def get_nosec(nosec_lines, context):
+    for lineno in context["linerange"]:
+        nosec = nosec_lines.get(lineno, None)
+        if nosec is not None:
+            return nosec
+    return None

bandit/formatters/xml.py

@@ -33,8 +33,6 @@
     New field `CWE` added to output
 
 """
-# This future import is necessary here due to the xml import below on Python
-# 2.7
 import logging
 import sys
 from xml.etree import cElementTree as ET

bandit/plugins/exec.py

@@ -19,7 +19,7 @@
        CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
        Location: ./examples/exec.py:2
     1 exec("do evil")
-    2 exec "do evil"
+
 
 .. seealso::
 

bandit/plugins/injection_sql.py

@@ -92,8 +92,18 @@ def _evaluate_ast(node):
     elif hasattr(ast, "JoinedStr") and isinstance(
         node._bandit_parent, ast.JoinedStr
     ):
-        statement = node.s
-        wrapper = node._bandit_parent._bandit_parent
+        substrings = [
+            child
+            for child in node._bandit_parent.values
+            if isinstance(child, ast.Str)
+        ]
+        # JoinedStr consists of list of Constant and FormattedValue
+        # instances. Let's perform one test for the whole string
+        # and abandon all parts except the first one to raise one
+        # failed test instead of many for the same SQL statement.
+        if substrings and node == substrings[0]:
+            statement = "".join([str(child.s) for child in substrings])
+            wrapper = node._bandit_parent._bandit_parent
 
     if isinstance(wrapper, ast.Call):  # wrapped in "execute" call?
         names = ["execute", "executemany"]