tessl/pypi-bandit
Security oriented static analyser for python code.
—
Pending
Quality
Pending
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
issue-reporting.mddocs/
Issue Reporting
Comprehensive security issue representation with structured metadata, severity classification, and Common Weakness Enumeration (CWE) mapping. The issue reporting system provides detailed vulnerability information for integration with security tools and development workflows.
Capabilities
Issue
Represents a security vulnerability or weakness found during code analysis. Issues include severity levels, confidence ratings, source code context, and structured metadata.
class Issue:
def __init__(self, severity, cwe=0, confidence=constants.CONFIDENCE_DEFAULT, text="", ident=None, lineno=None, test_id="", col_offset=-1, end_col_offset=0):
"""
Create a new security issue.
Parameters:
- severity: str, severity level ('LOW', 'MEDIUM', 'HIGH')
- cwe: int or Cwe, Common Weakness Enumeration identifier
- confidence: str, confidence level ('LOW', 'MEDIUM', 'HIGH', 'UNDEFINED')
- text: str, human-readable issue description
- ident: str, optional unique identifier
- lineno: int, source code line number
- test_id: str, security test identifier (e.g., 'B101')
- col_offset: int, column start position
- end_col_offset: int, column end position
"""
def filter(self, severity, confidence):
"""
Check if issue meets severity and confidence thresholds.
Parameters:
- severity: str, minimum severity level
- confidence: str, minimum confidence level
Returns:
bool: True if issue meets thresholds
"""
def get_code(self, max_lines=3, tabbed=False):
"""
Get source code context for the issue.
Parameters:
- max_lines: int, maximum lines of context to include
- tabbed: bool, use tabs instead of spaces for indentation
Returns:
str: Source code context around the issue
"""
def as_dict(self, with_code=True, max_lines=3):
"""
Convert issue to dictionary representation.
Parameters:
- with_code: bool, include source code context
- max_lines: int, maximum lines of code context
Returns:
dict: Issue data as dictionary
"""
@staticmethod
def from_dict(data, with_code=True):
"""
Create Issue instance from dictionary data.
Parameters:
- data: dict, issue data dictionary
- with_code: bool, include code context if available
Returns:
Issue: Issue instance
"""Cwe
Common Weakness Enumeration support for mapping security issues to standardized weakness categories. Provides CWE identifiers and links to MITRE CWE database.
class Cwe:
def __init__(self, id=0):
"""
Initialize CWE with identifier.
Parameters:
- id: int, CWE identifier (default: 0 for NOTSET/unknown)
"""
def link(self):
"""
Get MITRE CWE URL for this weakness.
Returns:
str: MITRE CWE URL or empty string if no valid ID
"""
def as_dict(self):
"""
Convert CWE to dictionary representation.
Returns:
dict: CWE data as dictionary
"""
def as_jsons(self):
"""
Convert CWE to JSON string representation.
Returns:
str: CWE data as JSON string
"""
def from_dict(self, data):
"""
Update CWE instance from dictionary data.
Parameters:
- data: dict, CWE data dictionary with 'id' key
"""
@staticmethod
def from_dict_static(data):
"""
Create Cwe instance from dictionary data.
Parameters:
- data: dict, CWE data dictionary
Returns:
Cwe: CWE instance
"""CWE Constants
Predefined CWE identifiers for common security weaknesses detected by Bandit.
# CWE identifiers for common security issues
NOTSET = 0
IMPROPER_INPUT_VALIDATION = 20
PATH_TRAVERSAL = 22
OS_COMMAND_INJECTION = 78
XSS = 79
BASIC_XSS = 80
SQL_INJECTION = 89
CODE_INJECTION = 94
IMPROPER_WILDCARD_NEUTRALIZATION = 155
HARD_CODED_PASSWORD = 259
IMPROPER_ACCESS_CONTROL = 284
IMPROPER_CERT_VALIDATION = 295
WEAK_CRYPTO_KEY = 326
INADEQUATE_ENCRYPTION_STRENGTH = 326
SSL_WITH_NO_HOSTNAME_VERIFICATION = 295Utility Functions
Helper functions for creating Issue and CWE instances from structured data.
def issue_from_dict(data):
"""
Create Issue instance from dictionary data.
Parameters:
- data: dict, issue data dictionary
Returns:
Issue: Issue instance
"""
def cwe_from_dict(data):
"""
Create CWE instance from dictionary data.
Parameters:
- data: dict, CWE data dictionary
Returns:
Cwe: CWE instance
"""Usage Examples
Creating Security Issues
from bandit.core.issue import Issue, Cwe
import bandit
# Create a high-severity SQL injection issue
sql_injection = Issue(
severity=bandit.HIGH,
confidence=bandit.HIGH,
cwe=Cwe(89), # CWE-89: SQL Injection
text="SQL string formatting on user input detected",
test_id="B608",
lineno=42
)
# Check if issue meets filtering criteria
if sql_injection.filter('MEDIUM', 'HIGH'):
print(f"Issue: {sql_injection.text}")
print(f"CWE Link: {sql_injection.cwe.link()}")Issue Dictionary Conversion
# Convert issue to dictionary for JSON serialization
issue_dict = sql_injection.as_dict(with_code=True, max_lines=5)
# Reconstruct issue from dictionary
reconstructed = Issue.from_dict(issue_dict)
print(f"Original: {sql_injection.test_id}")
print(f"Reconstructed: {reconstructed.test_id}")Working with CWE Classifications
# Create CWE for hardcoded password
password_cwe = Cwe(259) # CWE-259: Use of Hard-coded Password
print(f"CWE URL: {password_cwe.link()}")
print(f"CWE Dict: {password_cwe.as_dict()}")
# Create from dictionary
cwe_data = {"id": 78}
cmd_injection_cwe = Cwe.from_dict(cwe_data)Filtering Issues by Severity
def filter_critical_issues(issues):
"""Filter for high-severity, high-confidence issues."""
critical = []
for issue in issues:
if issue.filter('HIGH', 'HIGH'):
critical.append(issue)
return critical
# Usage with manager results
issues = b_mgr.get_issue_list()
critical_issues = filter_critical_issues(issues)
for issue in critical_issues:
print(f"{issue.fname}:{issue.lineno}")
print(f" {issue.text}")
print(f" Test: {issue.test_id}, CWE: {issue.cwe.id}")
print(f" Code Context:")
print(issue.get_code(max_lines=3))Install with Tessl CLI
npx tessl i tessl/pypi-bandit