Skip to content

Including CWE information#613

Merged
ericwb merged 22 commits into
PyCQA:masterfrom
julianthome:master
Jan 30, 2022
Merged

Including CWE information#613
ericwb merged 22 commits into
PyCQA:masterfrom
julianthome:master

Conversation

@julianthome
Copy link
Copy Markdown
Contributor

@julianthome julianthome commented May 13, 2020
edited
Loading

closes #612

This PR includes CWE mappings for every vulnerability.

@julianthome julianthome mentioned this pull request May 13, 2020
Closed
@julianthome julianthome changed the title Included CWE information WIP: Included CWE information May 13, 2020
@julianthome julianthome changed the title WIP: Included CWE information WIP: Including CWE information May 13, 2020
@julianthome julianthome changed the title WIP: Including CWE information Including CWE information May 14, 2020
ericwb
ericwb requested changes May 18, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than a hard-coded number for the CWE, I'd like to see a constant of some kind being defined and used. Also, users will find it very beneficial to have a URL link to the cwe.mitre.org site for the specific issue found. We do this for Bandit errors also, we refer to bandit docs.

ericwb
ericwb reviewed May 18, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@ericwb ericwb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please also elaborate the details of this feature in your PR/commit message. Typically, a feature issue is opened first and PR is linked to it. That will definitely help speed along the review for the approvers and make it much clearer to others.

@julianthome julianthome changed the title Including CWE information WIP: Including CWE information May 19, 2020
@julianthome
Copy link
Copy Markdown
Contributor Author

julianthome commented May 19, 2020

Thanks a lot @ericwb for your review 👍

I addressed your comments by replacing the integer parameters for the CWEs with variables; I have also integrated a Cwe class and added the url as meta-data. The class will make it easier to add more CWE meta-data in future if needed. In addition, I have linked the issue that corresponds to this PR.

@julianthome julianthome changed the title WIP: Including CWE information Including CWE information May 19, 2020
@julianthome julianthome requested a review from ericwb May 19, 2020 23:39
@dvyakimov
Copy link
Copy Markdown

dvyakimov commented Jun 24, 2020

@julianthome Thank you! Bug what about B301-B323, B325, B401-B413,B504, B603-B607 ?

@julianthome
Copy link
Copy Markdown
Contributor Author

julianthome commented Jun 30, 2020

@julianthome Thank you! Bug what about B301-B323, B325, B401-B413,B504, B603-B607 ?

Thanks for you response @dvyakimov. Yes, thanks for pointing this out. Going to update the MR soon 👍

@prabhu
Copy link
Copy Markdown

prabhu commented Jun 30, 2020

This is an awesome improvement. Looking forward to using this soon!

prabhu
prabhu reviewed Jun 30, 2020
View reviewed changes
Comment thread bandit/core/issue.py Outdated
prabhu
prabhu reviewed Jun 30, 2020
View reviewed changes
Comment thread bandit/core/issue.py Outdated
@julianthome
Copy link
Copy Markdown
Contributor Author

julianthome commented Jul 7, 2020

@dvyakimov I changed the MR according to your and @prabhu's comment. I put all the CWE mappings into a separate file cwemap.py to simplify the book-keeping.

I suppose the MR is ready for another round of review.

prabhu
prabhu reviewed Jul 7, 2020
View reviewed changes
Comment thread bandit/core/blacklisting.py Outdated
return issue.Issue(
severity=check.get('level', 'MEDIUM'), confidence='HIGH',
text=check['message'].replace('{name}', name),
cwe=CWEMAP[check.get("id", 'LEGACY')],
Copy link
Copy Markdown

@prabhu prabhu Jul 7, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NOTSET or UNDEF?

Copy link
Copy Markdown
Contributor Author

@julianthome julianthome Jul 7, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes indeed NOTSET may be more clear. Just renamed the constant from UNDEF to NOTSET.

Copy link
Copy Markdown

@prabhu prabhu Jul 7, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we rename LEGACY to NOTSET as well?

Copy link
Copy Markdown
Contributor Author

@julianthome julianthome Jul 13, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we rename LEGACY to NOTSET as well?

Mhh, I suppose that this would be a question for @dvyakimov and/or @ericwb as the LEGACY key was not introduced by the current PR and I am not 100% sure if this change could have any undesirable side-effects.

Copy link
Copy Markdown
Member

@ericwb ericwb Jan 30, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think LEGACY is fine for now.

@prabhu
Copy link
Copy Markdown

prabhu commented Jul 16, 2020

Any thoughts on this PR? @ericwb @dvyakimov ?

This was referenced Feb 28, 2022
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
mgedmin
mgedmin reviewed Mar 1, 2022
View reviewed changes
Comment thread bandit/core/issue.py
self.code = data["code"]
self.fname = data["filename"]
self.severity = data["issue_severity"]
self.cwe = cwe_from_dict(data["issue_cwe"])
Copy link
Copy Markdown

@mgedmin mgedmin Mar 1, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this why bandit 1.7.3 fails to load baseline data from JSON created by older bandit releases?

[manager] WARNING Failed to load baseline data: 'issue_cwe'

This was referenced Mar 6, 2022
Closed
Closed
Open
Merged
Merged
This was referenced Mar 14, 2022
Merged
Merged
This was referenced Mar 26, 2022
Closed
Merged
@renovate renovate Bot mentioned this pull request Apr 26, 2022
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ericwb ericwb ericwb approved these changes

@ghugo ghugo Awaiting requested review from ghugo

@lukehinds lukehinds Awaiting requested review from lukehinds

@sigmavirus24 sigmavirus24 Awaiting requested review from sigmavirus24

+2 more reviewers

@prabhu prabhu prabhu left review comments

@mgedmin mgedmin mgedmin left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

Release 1.7.3

Development

Successfully merging this pull request may close these issues.

Include CWE mappings for all bandit issues

6 participants

@julianthome @dvyakimov @prabhu @Jeeppler @mgedmin @ericwb