Including CWE information

bandit/core/blacklisting.py

@@ -7,13 +7,15 @@
 import ast
 import fnmatch
 
+from bandit.core.cwemap import CWEMAP
 from bandit.core import issue
 
 
 def report_issue(check, name):
     return issue.Issue(
         severity=check.get('level', 'MEDIUM'), confidence='HIGH',
         text=check['message'].replace('{name}', name),
+        cwe=CWEMAP[check.get("id", 'LEGACY')],
         ident=name, test_id=check.get("id", 'LEGACY'))
 
 

bandit/core/cwemap.py

@@ -0,0 +1,89 @@
+# -*- coding:utf-8 -*-
+#
+# SPDX-License-Identifier: Apache-2.0
+
+from bandit.core.issue import Cwe as Cwe
+
+CWEMAP = {
+    "B000": Cwe.NOTSET,
+    "LEGACY": Cwe.NOTSET,
+
+    # Plugins
+    "B101": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
+    "B102": Cwe.OS_COMMAND_INJECTION,
+    "B103": Cwe.INCORRECT_PERMISSION_ASSIGNMENT,
+    "B104": Cwe.MULTIPLE_BINDS,
+    "B105": Cwe.HARD_CODED_PASSWORD,
+    "B108": Cwe.INSECURE_TEMP_FILE,
+    "B110": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
+    "B112": Cwe.IMPROPER_CHECK_OF_EXCEPT_COND,
+
+    "B201": Cwe.CODE_INJECTION,
+
+    "B324": Cwe.BROKEN_CRYPTO,
+
+    "B501": Cwe.IMPROPER_CERT_VALIDATION,
+    "B502": Cwe.BROKEN_CRYPTO,
+    "B503": Cwe.BROKEN_CRYPTO,
+    "B504": Cwe.BROKEN_CRYPTO,
+    "B505": Cwe.INADEQUATE_ENCRYPTION_STRENGTH,
+    "B506": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B507": Cwe.IMPROPER_CERT_VALIDATION,
+
+    "B601": Cwe.OS_COMMAND_INJECTION,
+    "B602": Cwe.OS_COMMAND_INJECTION,
+    "B603": Cwe.OS_COMMAND_INJECTION,
+    "B604": Cwe.OS_COMMAND_INJECTION,
+    "B605": Cwe.OS_COMMAND_INJECTION,
+    "B606": Cwe.OS_COMMAND_INJECTION,
+    "B607": Cwe.OS_COMMAND_INJECTION,
+    "B608": Cwe.SQL_INJECTION,
+    "B609": Cwe.IMPROPER_WILDCARD_NEUTRALIZATION,
+    "B611": Cwe.SQL_INJECTION,
+
+    "B701": Cwe.CODE_INJECTION,
+    "B702": Cwe.BASIC_XSS,
+    "B703": Cwe.BASIC_XSS,
+
+    # Calls
+    "B301": Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
+    "B302": Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
+    "B303": Cwe.BROKEN_CRYPTO,
+    "B304": Cwe.BROKEN_CRYPTO,
+    "B305": Cwe.BROKEN_CRYPTO,
+    "B306": Cwe.INSECURE_TEMP_FILE,
+    "B307": Cwe.OS_COMMAND_INJECTION,
+    "B308": Cwe.XSS,
+    "B309": Cwe.CLEARTEXT_TRANSMISSION,
+    "B310": Cwe.PATH_TRAVERSAL,
+    "B311": Cwe.INSUFFICIENT_RANDOM_VALUES,
+    "B312": Cwe.CLEARTEXT_TRANSMISSION,
+    "B313": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B314": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B315": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B316": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B317": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B318": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B319": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B320": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B321": Cwe.CLEARTEXT_TRANSMISSION,
+    "B322": Cwe.OS_COMMAND_INJECTION,
+    "B323": Cwe.IMPROPER_CERT_VALIDATION,
+    "B325": Cwe.INSECURE_TEMP_FILE,
+
+    # Imports
+    "B401": Cwe.CLEARTEXT_TRANSMISSION,
+    "B402": Cwe.CLEARTEXT_TRANSMISSION,
+    "B403": Cwe.DESERIALIZATION_OF_UNTRUSTED_DATA,
+    "B404": Cwe.OS_COMMAND_INJECTION,
+    "B405": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B406": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B407": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B408": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B409": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B410": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B411": Cwe.IMPROPER_INPUT_VALIDATION,
+    "B412": Cwe.IMPROPER_ACCESS_CONTROL,
+    "B413": Cwe.BROKEN_CRYPTO,
+    "B414": Cwe.BROKEN_CRYPTO,
+}

bandit/core/issue.py

@@ -14,10 +14,77 @@
 from bandit.core import constants
 
 
+class Cwe(object):
+    NOTSET = 0
+    IMPROPER_INPUT_VALIDATION = 20
+    PATH_TRAVERSAL = 22
+    OS_COMMAND_INJECTION = 78
+    XSS = 79
+    BASIC_XSS = 80
+    SQL_INJECTION = 89
+    CODE_INJECTION = 94
+    IMPROPER_WILDCARD_NEUTRALIZATION = 155
+    HARD_CODED_PASSWORD = 259
+    IMPROPER_ACCESS_CONTROL = 284
+    IMPROPER_CERT_VALIDATION = 295
+    CLEARTEXT_TRANSMISSION = 319
+    INADEQUATE_ENCRYPTION_STRENGTH = 326
+    BROKEN_CRYPTO = 327
+    INSUFFICIENT_RANDOM_VALUES = 330
+    INSECURE_TEMP_FILE = 377
+    DESERIALIZATION_OF_UNTRUSTED_DATA = 502
+    MULTIPLE_BINDS = 605
+    IMPROPER_CHECK_OF_EXCEPT_COND = 703
+    INCORRECT_PERMISSION_ASSIGNMENT = 732
+
+    MITRE_URL_PATTERN = "https://cwe.mitre.org/data/definitions/%s.html"
+
+    def __init__(self, id=NOTSET):
+        self.id = id
+
+    def link(self):
+        if self.id == Cwe.NOTSET:
+            return ""
+
+        return Cwe.MITRE_URL_PATTERN % str(self.id)
+
+    def __str__(self):
+        if self.id == Cwe.NOTSET:
+            return ""
+
+        return "CWE-%i (%s)" % (self.id, self.link())
+
+    def as_dict(self):
+        return {
+            "id": self.id,
+            "link": self.link()
+        } if self.id != Cwe.NOTSET else {}
+
+    def as_jsons(self):
+        return str(self.as_dict())
+
+    def from_dict(self, data):
+        if 'id' in data:
+            self.id = int(data['id'])
+        else:
+            self.id = Cwe.NOTSET
+
+    def __eq__(self, other):
+        return self.id == other.id
+
+    def __ne__(self, other):
+        return self.id != other.id
+
+    def __hash__(self):
+        return id(self)
+
+
 class Issue(object):
-    def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT,
+    def __init__(self, severity, cwe=0,
+                 confidence=constants.CONFIDENCE_DEFAULT,
                  text="", ident=None, lineno=None, test_id=""):
         self.severity = severity
+        self.cwe = Cwe(cwe)
         self.confidence = confidence
         if isinstance(text, bytes):
             text = text.decode('utf-8')
@@ -30,16 +97,17 @@ def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT,
         self.linerange = []
 
     def __str__(self):
-        return ("Issue: '%s' from %s:%s: Severity: %s Confidence: "
+        return ("Issue: '%s' from %s:%s: CWE: %s, Severity: %s Confidence: "
                 "%s at %s:%i") % (self.text, self.test_id,
-                                  (self.ident or self.test), self.severity,
-                                  self.confidence, self.fname, self.lineno)
+                                  (self.ident or self.test), str(self.cwe),
+                                  self.severity, self.confidence, self.fname,
+                                  self.lineno)
 
     def __eq__(self, other):
         # if the issue text, severity, confidence, and filename match, it's
         # the same issue from our perspective
-        match_types = ['text', 'severity', 'confidence', 'fname', 'test',
-                       'test_id']
+        match_types = ['text', 'severity', 'cwe', 'confidence', 'fname',
+                       'test', 'test_id']
         return all(getattr(self, field) == getattr(other, field)
                    for field in match_types)
 
@@ -101,11 +169,12 @@ def as_dict(self, with_code=True):
             'test_name': self.test,
             'test_id': self.test_id,
             'issue_severity': self.severity,
+            'issue_cwe': self.cwe.as_dict(),
             'issue_confidence': self.confidence,
             'issue_text': self.text.encode('utf-8').decode('utf-8'),
             'line_number': self.lineno,
             'line_range': self.linerange,
-            }
+        }
 
         if with_code:
             out['code'] = self.get_code()
@@ -115,6 +184,7 @@ def from_dict(self, data, with_code=True):
         self.code = data["code"]
         self.fname = data["filename"]
         self.severity = data["issue_severity"]
+        self.cwe = cwe_from_dict(data["issue_cwe"])
         self.confidence = data["issue_confidence"]
         self.text = data["issue_text"]
         self.test = data["test_name"]
@@ -123,6 +193,12 @@ def from_dict(self, data, with_code=True):
         self.linerange = data["line_range"]
 
 
+def cwe_from_dict(data):
+    cwe = Cwe()
+    cwe.from_dict(data)
+    return cwe
+
+
 def issue_from_dict(data):
     i = Issue(severity=data["issue_severity"])
     i.from_dict(data)

bandit/formatters/csv.py

@@ -56,6 +56,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
                       'test_name',
                       'test_id',
                       'issue_severity',
+                      'issue_cwe',
                       'issue_confidence',
                       'issue_text',
                       'line_number',
@@ -67,6 +68,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
         writer.writeheader()
         for result in results:
             r = result.as_dict(with_code=False)
+            r['issue_cwe'] = r['issue_cwe']['link']
             r['more_info'] = docs_utils.get_url(r['test_id'])
             writer.writerow(r)
 

bandit/formatters/html.py

@@ -266,6 +266,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
     <b>{test_name}: </b> {test_text}<br>
     <b>Test ID:</b> {test_id}<br>
     <b>Severity: </b>{severity}<br>
+    <b>CWE: </b>{cwe}<br>
     <b>Confidence: </b>{confidence}<br>
     <b>File: </b><a href="{path}" target="_blank">{path}</a> <br>
     <b>More info: </b><a href="{url}" target="_blank">{url}</a><br>
@@ -360,6 +361,7 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
                                           test_id=issue.test_id,
                                           test_text=issue.text,
                                           severity=issue.severity,
+                                          cwe=issue.cwe,
                                           confidence=issue.confidence,
                                           path=issue.fname, code=code,
                                           candidates=candidates,

bandit/formatters/screen.py

@@ -97,10 +97,12 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
     # returns a list of lines that should be added to the existing lines list
     bits = []
     bits.append("%s%s>> Issue: [%s:%s] %s" % (
-        indent, COLOR[issue.severity], issue.test_id, issue.test, issue.text))
+        indent, COLOR[issue.severity], issue.test_id, issue.test,
+        issue.text))
 
-    bits.append("%s   Severity: %s   Confidence: %s" % (
-        indent, issue.severity.capitalize(), issue.confidence.capitalize()))
+    bits.append("%s   Severity: %s CWE: %s Confidence: %s" % (
+        indent, issue.severity.capitalize(), str(issue.cwe),
+        issue.confidence.capitalize()))
 
     bits.append("%s   Location: %s:%s" % (
         indent, issue.fname,

bandit/formatters/text.py

@@ -73,8 +73,9 @@ def _output_issue_str(issue, indent, show_lineno=True, show_code=True,
     bits.append("%s>> Issue: [%s:%s] %s" % (
         indent, issue.test_id, issue.test, issue.text))
 
-    bits.append("%s   Severity: %s   Confidence: %s" % (
-        indent, issue.severity.capitalize(), issue.confidence.capitalize()))
+    bits.append("%s   Severity: %s CWE: %s Confidence: %s" % (
+        indent, issue.severity.capitalize(), str(issue.cwe),
+        issue.confidence.capitalize()))
 
     bits.append("%s   Location: %s:%s" % (
         indent, issue.fname, issue.lineno if show_lineno else ""))

bandit/formatters/xml.py

@@ -60,9 +60,11 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
         testcase = ET.SubElement(root, 'testcase',
                                  classname=issue.fname, name=test)
 
-        text = 'Test ID: %s Severity: %s Confidence: %s\n%s\nLocation %s:%s'
-        text = text % (issue.test_id, issue.severity, issue.confidence,
-                       issue.text, issue.fname, issue.lineno)
+        text = 'Test ID: %s Severity: %s CWE: %s ' \
+               'Confidence: %s\n%s\nLocation %s:%s'
+        text = text % (issue.test_id, issue.severity, issue.cwe,
+                       issue.confidence, issue.text, issue.fname,
+                       issue.lineno)
         ET.SubElement(testcase, 'error',
                       more_info=docs_utils.get_url(issue.test_id),
                       type=issue.severity,

bandit/plugins/app_debug.py

@@ -40,6 +40,7 @@
 """
 
 import bandit
+from bandit.core.cwemap import CWEMAP
 from bandit.core import test_properties as test
 
 
@@ -51,6 +52,7 @@ def flask_debug_true(context):
             if context.check_call_arg_value('debug', 'True'):
                 return bandit.Issue(
                     severity=bandit.HIGH,
+                    cwe=CWEMAP["B201"],
                     confidence=bandit.MEDIUM,
                     text="A Flask app appears to be run with debug=True, "
                          "which exposes the Werkzeug debugger and allows "

bandit/plugins/asserts.py

@@ -41,6 +41,7 @@
 """
 
 import bandit
+from bandit.core.cwemap import CWEMAP
 from bandit.core import test_properties as test
 
 
@@ -49,6 +50,7 @@
 def assert_used(context):
     return bandit.Issue(
         severity=bandit.LOW,
+        cwe=CWEMAP["B101"],
         confidence=bandit.HIGH,
         text=("Use of assert detected. The enclosed code "
               "will be removed when compiling to optimised byte code.")

bandit/plugins/crypto_request_no_cert_validation.py

@@ -42,6 +42,7 @@
 """
 
 import bandit
+from bandit.core.cwemap import CWEMAP
 from bandit.core import test_properties as test
 
 
@@ -54,6 +55,7 @@ def request_with_no_cert_validation(context):
         if context.check_call_arg_value('verify', 'False'):
             issue = bandit.Issue(
                 severity=bandit.HIGH,
+                cwe=CWEMAP["B501"],
                 confidence=bandit.HIGH,
                 text="Requests call with verify=False disabling SSL "
                      "certificate checks, security issue.",

bandit/plugins/django_sql_injection.py

@@ -8,6 +8,7 @@
 import ast
 
 import bandit
+from bandit.core.cwemap import CWEMAP
 from bandit.core import test_properties as test
 
 
@@ -77,6 +78,7 @@ def django_extra_used(context):
         if insecure:
             return bandit.Issue(
                 severity=bandit.MEDIUM,
+                cwe=CWEMAP["B611"],
                 confidence=bandit.MEDIUM,
                 text=description
             )
@@ -102,6 +104,7 @@ def django_rawsql_used(context):
             if not isinstance(sql, ast.Str):
                 return bandit.Issue(
                     severity=bandit.MEDIUM,
+                    cwe=CWEMAP["B611"],
                     confidence=bandit.MEDIUM,
                     text=description
                 )