Bandit这款工具可以用来搜索Python代码中常见的安全问题,在检测过程中,Bandit会对每一份Python代码文件进行处理,并构建AST,然后针对每一个AST节点运行相应的检测插件。完成安全扫描之后,Bandit会直接给用户生成检测报告。
Bandit使用PyPI来进行分发,建议广大用户直接使用pip来安装Bandit。
创建虚拟环境(可选):
virtualenv bandit-env
安装Bandit:
pip install bandit# Or if you're working with a Python 3 projectpip3 install bandit
运行Bandit:
bandit -r path/to/your/code
用户还可以使用源码文件直接安装Bandit,先从PyPI下载原tarball,然后运行下列命令:
python setup.py install
节点树使用样例:
bandit -r ~/your_repos/project
examples/目录遍历使用样例,显示三行内容,并只报告高危问题:
bandit examples/*.py -n 3 –lll
Bandit还能够结合配置参数一起运行,运行下列命令即可使用ShellInjection来对examples目录运行安全扫描:
bandit examples/*.py -p ShellInjection
Bandit还支持使用标准输入模式来扫描指定行数的代码:
cat examples/imports.py | bandit –
$bandit -h
usage:bandit [-h] [-r] [-a {file,vuln}] [-n CONTEXT_LINES] [-c CONFIG_FILE]
[-p PROFILE] [-t TESTS] [-sSKIPS] [-l] [-i]
[-f{csv,custom,html,json,screen,txt,xml,yaml}]
[--msg-template MSG_TEMPLATE] [-o[OUTPUT_FILE]] [-v] [-d] [-q]
[--ignore-nosec] [-x EXCLUDED_PATHS] [-bBASELINE]
[--ini INI_PATH] [--version]
[targets [targets ...]]
Bandit- a Python source code security analyzer
positionalarguments:
targets source file(s) or directory(s)to be tested
optionalarguments:
-h, --help show this help message and exit
-r, --recursive find and process files in subdirectories
-a {file,vuln}, --aggregate {file,vuln}
aggregate output byvulnerability (default) or by
filename
-n CONTEXT_LINES, --number CONTEXT_LINES
maximum number of codelines to output for each issue
-c CONFIG_FILE, --configfile CONFIG_FILE
optional config file touse for selecting plugins and
overriding defaults
-p PROFILE, --profile PROFILE
profile to use(defaults to executing all tests)
-t TESTS, --tests TESTS
comma-separated list oftest IDs to run
-s SKIPS, --skip SKIPS
comma-separated list oftest IDs to skip
-l, --level report only issues of a givenseverity level or higher
(-l for LOW, -ll for MEDIUM, -lll forHIGH)
-i, --confidence report only issues of a given confidencelevel or
higher (-i for LOW, -iifor MEDIUM, -iii for HIGH)
-f{csv,custom,html,json,screen,txt,xml,yaml}, --format{csv,custom,html,json,screen,txt,xml,yaml}
specify output format
--msg-template MSG_TEMPLATE
specify output messagetemplate (only usable with
--format custom), seeCUSTOM FORMAT section for list
of available values
-o [OUTPUT_FILE], --output [OUTPUT_FILE]
write report tofilename
-v, --verbose output extra information like excludedand included
files
-d, --debug turn on debug mode
-q, --quiet, --silent
only show output in thecase of an error
--ignore-nosec do not skip lines with # nosec comments
-x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
comma-separated list ofpaths (glob patterns supported)
to exclude from scan(note that these are in addition
to the excluded pathsprovided in the config file)
-b BASELINE, --baseline BASELINE
path of a baselinereport to compare against (only
JSON-formatted filesare accepted)
--ini INI_PATH path to a .bandit file that suppliescommand line
arguments
--version show program's version number andexit
CUSTOMFORMATTING
-----------------
Availabletags:
{abspath}, {relpath}, {line}, {test_id},
{severity}, {msg}, {confidence}, {range}
Exampleusage:
Default template:
bandit -r examples/ --format custom--msg-template \
"{abspath}:{line}: {test_id}[bandit]:{severity}: {msg}"
Provides same output as:
bandit -r examples/ --format custom
Tags can also be formatted in python string.format()style:
bandit -r examples/ --format custom--msg-template \
"{relpath:20.20s}: {line:03}:{test_id:^8}: DEFECT: {msg:>20}"
See python documentation for moreinformation about formatting style:
https://docs.python.org/3.4/library/string.html
Thefollowing tests were discovered and loaded:
-----------------------------------------------
B101 assert_used
B102 exec_used
B103 set_bad_file_permissions
B104 hardcoded_bind_all_interfaces
B105 hardcoded_password_string
B106 hardcoded_password_funcarg
B107 hardcoded_password_default
B108 hardcoded_tmp_directory
B110 try_except_pass
B112 try_except_continue
B201 flask_debug_true
B301 pickle
B302 marshal
B303 md5
B304 ciphers
B305 cipher_modes
B306 mktemp_q
B307 eval
B308 mark_safe
B309 httpsconnection
B310 urllib_urlopen
B311 random
B312 telnetlib
B313 xml_bad_cElementTree
B314 xml_bad_ElementTree
B315 xml_bad_expatreader
B316 xml_bad_expatbuilder
B317 xml_bad_sax
B318 xml_bad_minidom
B319 xml_bad_pulldom
B320 xml_bad_etree
B321 ftplib
B322 input
B323 unverified_context
B324 hashlib_new_insecure_functions
B325 tempnam
B401 import_telnetlib
B402 import_ftplib
B403 import_pickle
B404 import_subprocess
B405 import_xml_etree
B406 import_xml_sax
B407 import_xml_expat
B408 import_xml_minidom
B409 import_xml_pulldom
B410 import_lxml
B411 import_xmlrpclib
B412 import_httpoxy
B413 import_pycrypto
B501 request_with_no_cert_validation
B502 ssl_with_bad_version
B503 ssl_with_bad_defaults
B504 ssl_with_no_version
B505 weak_cryptographic_key
B506 yaml_load
B507 ssh_no_host_key_verification
B601 paramiko_calls
B602 subprocess_popen_with_shell_equals_true
B603 subprocess_without_shell_equals_true
B604 any_other_function_with_shell_equals_true
B605 start_process_with_a_shell
B606 start_process_with_no_shell
B607 start_process_with_partial_path
B608 hardcoded_sql_expressions
B609 linux_commands_wildcard_injection
B610 django_extra_used
B611 django_rawsql_used
B701 jinja2_autoescape_false
B702 use_of_mako_templates
B703 django_mark_safe
基准线
Bandit允许用户指定需要进行比对的基线报告路径:
bandit -b BASELINE
这样可以帮助大家忽略某些已知问题,或者是那些你不认为是问题的“问题”。大家可以使用下列命令生成基线报告:
bandit -f json -o PATH_TO_OUTPUT_FILE
安装并使用pre-commit,将下列内容添加至代码库的.pre-commit-config.yaml文件中:
repos:- repo: https://github.com/PyCQA/bandit rev: '' # Update me! hooks:- id: bandit
然后运行pre-commit即可。
Bandit允许用户编写和注册扩展以实现自定义检测或格式化(Formatter)功能。Bandit可以从下列两个节点加载插件:
bandit.formattersbandit.plugins
Formatter需要接收下列四种输入参数:
result_store:一个bandit.core.BanditResultStore实例
file_list:需要扫描检测的文件列表
scores:每个文件的扫描评分
excluded_files:列表中不需要扫描的文件
利用bandit.checks来对特定类型的AST节点进行检测扫描:
@bandit.checks('Call')
defprohibit_unsafe_deserialization(context):
if 'unsafe_load' incontext.call_function_name_qual:
return bandit.Issue(
severity=bandit.HIGH,
confidence=bandit.HIGH,
text="Unsafe deserializationdetected."
)
1、 如果你直接使用了安装工具(setuptools),我们需要在setup调用中添加下列信息:
# Ifyou have an imaginary bson formatter in the bandit_bson module
# anda function called `formatter`.
entry_points={'bandit.formatters':['bson = bandit_bson:formatter']}
# Ora check for using mako templates in bandit_mako that
entry_points={'bandit.plugins':['mako = bandit_mako']}
2、 如果你使用的是pbr,你需要在setup.cfg文件中添加下列信息:
[entry_points]
bandit.formatters=
bson= bandit_bson:formatter
bandit.plugins=
mako = bandit_mako
参考文档:https://bandit.readthedocs.io/en/latest/
Bandit:https://github.com/PyCQA/bandit
漏洞提交:https://github.com/PyCQA/bandit/issues
本项目遵循Apache开源许可证协议。
*参考来源:bandit,FB小编Alpha_h4ck编译,转载请注明来自FreeBuf.COM