Whitelist lines ending in # nosec

pyt/__main__.py

@@ -142,6 +142,9 @@ def parse_args(args):
                              '(only JSON-formatted files are accepted)',
                         type=str,
                         default=False)
+    parser.add_argument('-in', '--ignore-nosec',
+                        help='Ignoring nosec commands',
+                        action='store_true')    
 
     save_parser = subparsers.add_parser('save', help='Save menu.')
     save_parser.set_defaults(which='save')
@@ -298,15 +301,38 @@ def main(command_line_args=sys.argv[1:]):
 
     analyse(cfg_list, analysis_type=analysis)
 
+    nosec_lines = set()
     vulnerabilities = find_vulnerabilities(
         cfg_list,
         analysis,
         ui_mode,
         VulnerabilityFiles(
             args.blackbox_mapping_file,
             args.trigger_word_file
-        )
+        ),
+        nosec_lines
     )
+
+    if args.ignore_nosec:
+        nosec_lines = set()
+    else:
+        file = open(path, "r")
+        lines = file.readlines()
+        nosec_lines = set(
+                    lineno for
+                    (lineno, line) in enumerate(lines, start=1)
+                    if '#nosec' in line or '# nosec' in line)   
+        vulnerabilities = find_vulnerabilities(
+            cfg_list,
+            analysis,
+            ui_mode,
+            VulnerabilityFiles(
+                args.blackbox_mapping_file,
+                args.trigger_word_file
+            ),
+            nosec_lines
+        )
+
     if args.baseline:
             vulnerabilities = get_vulnerabilities_not_in_baseline(vulnerabilities, args.baseline)
 

pyt/vulnerabilities.py

@@ -73,7 +73,8 @@ def identify_triggers(
     cfg,
     sources,
     sinks,
-    lattice
+    lattice,
+    nosec_lines
 ):
     """Identify sources, sinks and sanitisers in a CFG.
 
@@ -89,12 +90,12 @@ def identify_triggers(
     tainted_nodes = filter_cfg_nodes(cfg, TaintedNode)
     tainted_trigger_nodes = [TriggerNode('Framework function URL parameter', None,
                                          node) for node in tainted_nodes]
-    sources_in_file = find_triggers(assignment_nodes, sources)
+    sources_in_file = find_triggers(assignment_nodes, sources, nosec_lines)
     sources_in_file.extend(tainted_trigger_nodes)
 
     find_secondary_sources(assignment_nodes, sources_in_file, lattice)
 
-    sinks_in_file = find_triggers(cfg.nodes, sinks)
+    sinks_in_file = find_triggers(cfg.nodes, sinks, nosec_lines)
 
     sanitiser_node_dict = build_sanitiser_node_dict(cfg, sinks_in_file)
 
@@ -170,7 +171,8 @@ def append_node_if_reassigned(
 
 def find_triggers(
     nodes,
-    trigger_words
+    trigger_words,
+    nosec_lines
 ):
     """Find triggers from the trigger_word_list in the nodes.
 
@@ -183,7 +185,10 @@ def find_triggers(
     """
     trigger_nodes = list()
     for node in nodes:
-        trigger_nodes.extend(iter(label_contains(node, trigger_words)))
+        if node.line_number not in nosec_lines:
+            trigger_nodes.extend(iter(label_contains(node, trigger_words)))
+        else:
+            pass
     return trigger_nodes
 
 
@@ -466,7 +471,8 @@ def find_vulnerabilities_in_cfg(
     lattice,
     ui_mode,
     blackbox_mapping,
-    vulnerabilities_list
+    vulnerabilities_list,
+    nosec_lines
 ):
     """Find vulnerabilities in a cfg.
 
@@ -482,7 +488,8 @@ def find_vulnerabilities_in_cfg(
         cfg,
         definitions.sources,
         definitions.sinks,
-        lattice
+        lattice,
+        nosec_lines
     )
     for sink in triggers.sinks:
         for source in triggers.sources:
@@ -503,7 +510,8 @@ def find_vulnerabilities(
     cfg_list,
     analysis_type,
     ui_mode,
-    vulnerability_files
+    vulnerability_files,
+    nosec_lines
 ):
     """Find vulnerabilities in a list of CFGs from a trigger_word_file.
 
@@ -518,19 +526,19 @@ def find_vulnerabilities(
     """
     vulnerabilities = list()
     definitions = parse(vulnerability_files.triggers)
-
     with open(vulnerability_files.blackbox_mapping) as infile:
         blackbox_mapping = json.load(infile)
     for cfg in cfg_list:
+
         find_vulnerabilities_in_cfg(
             cfg,
             definitions,
             Lattice(cfg.nodes, analysis_type),
             ui_mode,
             blackbox_mapping,
-            vulnerabilities
+            vulnerabilities,
+            nosec_lines
         )
     with open(vulnerability_files.blackbox_mapping, 'w') as outfile:
         json.dump(blackbox_mapping, outfile, indent=4)
-
     return vulnerabilities