Bandit On Bandit

Python
Security
Information Security
Bandit
Author

Galen Seilis

Published

March 9, 2023

Bandit is a Python package for checking for security issues in Python code. I have been thinking about using Bandit to check for security risks in my own software as well as third-party packages that I use. I couldn't help but venture into the potentially ironic situation of Bandit evaluating that Bandit itself is insecure.

We can find the version of Bandit we are using like this:

import bandit
print(bandit.__version__)

1.7.9

bandit.__file__ holds the path to Bandit's __init__.py on your system, so the parent of that path is the package directory. We can then run the bandit command-line tool recursively over that directory, i.e. on itself.

import bandit
from pathlib import Path
import subprocess

# bandit.__file__ points at bandit/__init__.py; its parent is the package directory
init_path = Path(bandit.__file__).parent

# Run the bandit CLI recursively (-r) over its own source tree and show the report
print(subprocess.run(['bandit', '-r', init_path], capture_output=True, text=True).stdout)

Run started:2024-08-11 05:16:57.106814

Test results:
    No issues identified.

Code scanned:
    Total lines of code: 8340
    Total lines skipped (#nosec): 0
    Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 10

Run metrics:
    Total issues (by severity):
        Undefined: 0
        Low: 0
        Medium: 0
        High: 0
    Total issues (by confidence):
        Undefined: 0
        Low: 0
        Medium: 0
        High: 0
Files skipped (0):

At a quick glance you might misread the above output as saying that there are no issues. Bandit did match patterns it would normally flag, but the maintainers have suppressed those findings with #nosec comments, and the report records this in the line Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 10. Why the output also says Total lines skipped (#nosec): 0 I am not sure. The two counters do measure different things: a bare # nosec with no test ID silences every test on that line and is counted as a skipped line, whereas a comment such as # nosec: B108 disables only the named test and is counted once per finding it suppresses. Every suppression in Bandit's own source names a test ID, so the first counter stays at zero. The count of 10 is also consistent with the grep output below: B108 fires once per temp-directory string literal (three on each of two lines), and B104, B404, B603 and B405 fire once each.

We can find the locations of these lines.

print(subprocess.run(['grep', '-rin', '\\#\\snosec',  init_path], capture_output=True, text=True).stdout)
/home/galen/.rye/py/cpython@3.12.3/lib/python3.12/site-packages/bandit/plugins/general_hardcoded_tmp.py:62:        return {"tmp_dirs": ["/tmp", "/var/tmp", "/dev/shm"]}  # nosec: B108
/home/galen/.rye/py/cpython@3.12.3/lib/python3.12/site-packages/bandit/plugins/general_hardcoded_tmp.py:72:        tmp_dirs = ["/tmp", "/var/tmp", "/dev/shm"]  # nosec: B108
/home/galen/.rye/py/cpython@3.12.3/lib/python3.12/site-packages/bandit/plugins/general_bind_all_interfaces.py:46:    if context.string_val == "0.0.0.0":  # nosec: B104
/home/galen/.rye/py/cpython@3.12.3/lib/python3.12/site-packages/bandit/cli/baseline.py:18:import subprocess  # nosec: B404
/home/galen/.rye/py/cpython@3.12.3/lib/python3.12/site-packages/bandit/cli/baseline.py:107:                output = subprocess.check_output(bandit_command)  # nosec: B603
/home/galen/.rye/py/cpython@3.12.3/lib/python3.12/site-packages/bandit/cli/main.py:332:        help="do not skip lines with # nosec comments",
/home/galen/.rye/py/cpython@3.12.3/lib/python3.12/site-packages/bandit/cli/main.py:586:            "do not skip lines with # nosec",
/home/galen/.rye/py/cpython@3.12.3/lib/python3.12/site-packages/bandit/formatters/xml.py:38:from xml.etree import ElementTree as ET  # nosec: B405
/home/galen/.rye/py/cpython@3.12.3/lib/python3.12/site-packages/bandit/core/manager.py:308:            # nosec_lines is a dict of line number -> set of tests to ignore
/home/galen/.rye/py/cpython@3.12.3/lib/python3.12/site-packages/bandit/core/utils.py:367:    except AttributeError:  # nosec(tkelsey): catching expected exception

This is worth keeping in mind whenever Bandit reports a clean run: it tells you about potential security issues, but it also records when it has been told to ignore them, and a zero in the issue counts is only as meaningful as the suppression counts printed beside it. Two caveats about the grep above. It matches every occurrence of the text, so the help strings in cli/main.py and the comment in core/manager.py are not suppressions at all; Bandit reads # nosec from comment tokens, not from string literals. And the suppressions it does find are mostly Bandit's own detection plugins containing the literal they detect (the temp-directory list for B108, the "0.0.0.0" string for B104), plus deliberate uses of subprocess and xml.etree in the CLI and formatters. To see the suppressed findings themselves rather than just their count, rerun with the --ignore-nosec option, whose help text appears in the grep output.
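As an added example (not part of the original post and not Bandit's own code), the following Python mirrors the distinction between the two report counters and turns it into a check a CI job could run. The nosec syntax it accepts is an approximation of Bandit's comment parser, and the sample source and sample report are constructed here from the lines shown above.

```python
import io
import re
import tokenize
from collections import Counter

# Constructed sample source, modelled on the lines grep found in Bandit's own
# package.  It is not Bandit's code; it only needs to tokenize, not to run.
SAMPLE_SOURCE = '''\
import subprocess  # nosec: B404
tmp_dirs = ["/tmp", "/var/tmp", "/dev/shm"]  # nosec: B108
if host == "0.0.0.0":  # nosec: B104
    pass
help_text = "do not skip lines with # nosec comments"
data = yaml.load(text)  # nosec
'''

# Constructed excerpt of a Bandit text report (the counters from the run above).
SAMPLE_REPORT = """\
Test results:
    No issues identified.

Code scanned:
    Total lines of code: 8340
    Total lines skipped (#nosec): 0
    Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 10
"""

# Syntax accepted here: "# nosec", "# nosec B108", "# nosec: B108,B104".
# This is an approximation of Bandit's own comment parser, not a copy of it.
NOSEC_RE = re.compile(r"#\s*nosec\b:?\s*(?P<tests>(?:B\d{3}\s*,?\s*)*)")


def nosec_comments(source: str):
    """Yield (line_number, set_of_test_ids) for each real nosec comment.

    Comments come from the tokenizer, so a "# nosec" inside a string literal
    (like the help text in bandit/cli/main.py that grep also matched) is not
    a suppression and is skipped here, as Bandit skips it.
    """
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue
        m = NOSEC_RE.match(tok.string)
        if m is None:
            continue
        tests = {t.strip() for t in m.group("tests").split(",") if t.strip()}
        yield tok.start[0], tests


def suppression_summary(source: str) -> dict:
    """Split suppressions the way the report does: bare '# nosec' lines, which
    silence every test on the line, versus comments naming specific test IDs."""
    bare_lines = []
    per_test = Counter()
    for lineno, tests in nosec_comments(source):
        if tests:
            per_test.update(tests)
        else:
            bare_lines.append(lineno)
    return {"bare_lines": bare_lines, "specific": dict(per_test)}


REPORT_COUNTERS = {
    "lines_skipped": re.compile(r"Total lines skipped \(#nosec\):\s*(\d+)"),
    "issues_suppressed": re.compile(
        r"Total potential issues skipped due to specifically being disabled[^:]*:\s*(\d+)"
    ),
}


def report_suppressions(report: str) -> dict:
    """Pull both suppression counters out of Bandit's text report."""
    found = {}
    for name, pattern in REPORT_COUNTERS.items():
        m = pattern.search(report)
        found[name] = int(m.group(1)) if m else 0
    return found


def hides_suppressions(report: str) -> bool:
    """True when a 'clean' report still carries suppressed findings; a CI job
    can use this to fail, or at least warn, instead of trusting 'No issues'."""
    counts = report_suppressions(report)
    return counts["lines_skipped"] > 0 or counts["issues_suppressed"] > 0


if __name__ == "__main__":
    print(suppression_summary(SAMPLE_SOURCE))
    print(report_suppressions(SAMPLE_REPORT))
    print("suppressions hidden:", hides_suppressions(SAMPLE_REPORT))
```

The summary counts one entry per comment, not per suppressed finding, so it will not reproduce the report's 10 for a line like the B108 one that silences three string literals at once; pair it with a run of bandit -r <path> --ignore-nosec when you want the individual findings rather than the tally.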