Whitelist lines ending in # nosec #121
Conversation
Added args and nosec_lines
|
You can pass in nosec_lines to https://github.com/omergunal/pyt/blob/4cd3ea596e2ef0c834e206938af6963bbd08130d/pyt/__main__.py#L304 and https://github.com/omergunal/pyt/blob/4cd3ea596e2ef0c834e206938af6963bbd08130d/pyt/__main__.py#L246, you'll just have to move it up in the file. |
|
Can you check main.py and vulnerabilities.py ? |
| nosec_lines = set() | ||
| else: | ||
| file = open(path, "r") | ||
| lines = file.readlines() |
There was a problem hiding this comment.
Nice, I like this even more than .read()->.splitlines.
pyt/__main__.py
Outdated
| @@ -142,6 +142,9 @@ def parse_args(args): | |||
| '(only JSON-formatted files are accepted)', | |||
| type=str, | |||
| default=False) | |||
| parser.add_argument('-in', '--ignore-nosec', | |||
There was a problem hiding this comment.
I kind of like how Bandit does this a little more https://github.com/openstack/bandit/blob/master/bandit/cli/main.py#L230
There was a problem hiding this comment.
i.e.
parser.add_argument(
'--ignore-nosec', dest='ignore_nosec', action='store_true',
help='do not skip lines with # nosec comments'
)
looks really nice.
pyt/vulnerabilities.py
Outdated
| trigger_nodes.extend(iter(label_contains(node, trigger_words))) | ||
| if node.line_number not in nosec_lines: | ||
| trigger_nodes.extend(iter(label_contains(node, trigger_words))) | ||
| else: |
There was a problem hiding this comment.
The else: pass isn't needed
pyt/vulnerabilities.py
Outdated
| with open(vulnerability_files.blackbox_mapping) as infile: | ||
| blackbox_mapping = json.load(infile) | ||
| for cfg in cfg_list: | ||
|
|
There was a problem hiding this comment.
Nit: I kind of liked how the newlines were in this function.
pyt/__main__.py
Outdated
| @@ -298,15 +301,38 @@ def main(command_line_args=sys.argv[1:]): | |||
|
|
|||
| analyse(cfg_list, analysis_type=analysis) | |||
|
|
|||
| nosec_lines = set() | |||
There was a problem hiding this comment.
Can you move this code
if args.ignore_nosec:
nosec_lines = set()
else:
file = open(path, "r")
lines = file.readlines()
nosec_lines = set(
lineno for
(lineno, line) in enumerate(lines, start=1)
if '#nosec' in line or '# nosec' in line) to near the top, so we take into account nosec_lines at both call-sites to find_vulnerabilities.
https://github.com/omergunal/pyt/blob/fb88051e1d988d5890127ef3aa6867adf0db07de/pyt/__main__.py#L240
is a good spot, the same way UImode is set once and then passed to both call-sites https://github.com/python-security/pyt/blob/master/pyt/__main__.py#L232-L236
edited argument, moved code place
pyt/__main__.py
Outdated
| cfg_list = list() | ||
| if args.ignore_nosec: |
There was a problem hiding this comment.
i moved the code this place and deleted nosec_lines = set() .Because its already created in if-else statement.
pyt/__main__.py
Outdated
| @@ -235,7 +238,28 @@ def main(command_line_args=sys.argv[1:]): | |||
| elif args.trim_reassigned_in: | |||
| ui_mode = UImode.TRIM | |||
|
|
|||
| path = os.path.normpath(args.filepath) | |||
There was a problem hiding this comment.
Its necessary for learning filename. i moved to above the ignore_nosec argument
|
@KevinHock can you check it again? |
|
So there are just a few things left, vulnerabilities.py looks good. Can you pass nosec_lines to analyse_repo and then also to the call to find_vulnerabilities inside of that function? |
unnecessary codes deleted, passed nosec_lines on analyse_repo
|
Like that? |
|
Yup, shall I merge? 😀 |
|
Why not :) |
|
Oh whoops, it seems like tests are failing https://travis-ci.org/python-security/pyt/builds/371295436?utm_source=github_status&utm_medium=notification |
Added empty nosec_lines for tests
|
Looks like ok now. |
|
Sorry by Before: def find_vulnerabilities(
cfg_list,
analysis_type,
ui_mode,
vulnerability_files,
nosec_lines
):After: def find_vulnerabilities(
cfg_list,
analysis_type,
ui_mode,
vulnerability_files,
nosec_lines=set()
):So that you won't have to manually pass an empty set to every |
|
You are right, my bad :) |
|
I think its ok now. |
pyt/vulnerabilities.py
Outdated
| @@ -170,7 +171,8 @@ def append_node_if_reassigned( | |||
|
|
|||
| def find_triggers( | |||
| nodes, | |||
| trigger_words | |||
| trigger_words, | |||
| nosec_lines = set() | |||
There was a problem hiding this comment.
Can you please do nosec_lines=set() instead of nosec_lines = set()? I thought find_vulnerabilities was the only function that needed this, but you're right since we do call find_triggers once from a test here
pyt/tests/vulnerabilities_test.py
Line 96 in a3b9951
There was a problem hiding this comment.
You can see some of these in the https://codeclimate.com/github/python-security/pyt/pull/121 output.
pyt/vulnerabilities.py
Outdated
| @@ -466,7 +469,8 @@ def find_vulnerabilities_in_cfg( | |||
| lattice, | |||
| ui_mode, | |||
| blackbox_mapping, | |||
| vulnerabilities_list | |||
| vulnerabilities_list, | |||
| nosec_lines = set() | |||
There was a problem hiding this comment.
So this shouldn't be necessary, (to make it default to empty set), we can just leave it as nosec_lines. This is b/c we only call find_vulnerabilities from tests, not this function.
| @@ -15,7 +15,6 @@ | |||
| from pyt.reaching_definitions_taint import ReachingDefinitionsTaintAnalysis | |||
| from pyt.vulnerabilities import find_vulnerabilities | |||
|
|
|||
|
|
|||
There was a problem hiding this comment.
We normally leave 2 lines between the imports and other code.
tests/vulnerabilities_test.py
Outdated
| @@ -23,7 +23,6 @@ | |||
| from pyt.node_types import Node | |||
| from pyt.reaching_definitions_taint import ReachingDefinitionsTaintAnalysis | |||
|
|
|||
|
|
|||
pyt/vulnerabilities.py
Outdated
| @@ -73,7 +73,8 @@ def identify_triggers( | |||
| cfg, | |||
| sources, | |||
| sinks, | |||
| lattice | |||
| lattice, | |||
| nosec_lines=set() | |||
There was a problem hiding this comment.
So identify_triggers( is never called in tests, so I don't think a default arg is needed.
|
Thanks @omergunal! |
|
You are welcome 👍 |
Issue #108
I built nosec_lines but im not sure how to send to
find_triggersandfind_vulnerabilities