Whitelist lines ending in # nosec #121
Added args and nosec_lines
You can pass in nosec_lines to https://github.com/omergunal/pyt/blob/4cd3ea596e2ef0c834e206938af6963bbd08130d/pyt/__main__.py#L304 and https://github.com/omergunal/pyt/blob/4cd3ea596e2ef0c834e206938af6963bbd08130d/pyt/__main__.py#L246, you'll just have to move it up in the file.

Can you check main.py and vulnerabilities.py?
nosec_lines = set()
else:
file = open(path, "r")
lines = file.readlines()
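Review bot: the handle from file = open(path, "r") is never closed after lines = file.readlines(), so it stays open until garbage collection and also stays open if readlines() raises. Reading it as with open(path, "r") as file: lines = file.readlines() closes it on every path and keeps the else branch self-contained.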
Nice, I like this even more than .read()->.splitlines.
'(only JSON-formatted files are accepted)',
type=str,
default=False)
parser.add_argument('-in', '--ignore-nosec',
I kind of like how Bandit does this a little more https://github.com/openstack/bandit/blob/master/bandit/cli/main.py#L230

i.e.

parser.add_argument(
    '--ignore-nosec', dest='ignore_nosec', action='store_true',
    help='do not skip lines with # nosec comments'
)

looks really nice.
trigger_nodes.extend(iter(label_contains(node, trigger_words)))
if node.line_number not in nosec_lines:
trigger_nodes.extend(iter(label_contains(node, trigger_words)))
else:
The else: pass isn't needed
with open(vulnerability_files.blackbox_mapping) as infile:
blackbox_mapping = json.load(infile)
for cfg in cfg_list:
Nit: I kind of liked how the newlines were in this function.
analyse(cfg_list, analysis_type=analysis)

nosec_lines = set()
Can you move this code

if args.ignore_nosec:
    nosec_lines = set()
else:
    file = open(path, "r")
    lines = file.readlines()
    nosec_lines = set(
        lineno for
        (lineno, line) in enumerate(lines, start=1)
        if '#nosec' in line or '# nosec' in line)

to near the top, so we take into account nosec_lines at both call-sites to find_vulnerabilities.
https://github.com/omergunal/pyt/blob/fb88051e1d988d5890127ef3aa6867adf0db07de/pyt/__main__.py#L240 is a good spot, the same way UImode is set once and then passed to both call-sites https://github.com/python-security/pyt/blob/master/pyt/__main__.py#L232-L236
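A stand-alone illustration of the nosec_lines collection discussed above, added here as an example and not pyt's own code: the PR's substring match is placed beside a tokenizer-based variant that only honours real comments, so a "# nosec" that merely appears inside a string literal does not whitelist the line. SAMPLE is a constructed source snippet and filter_triggers is a hypothetical stand-in for the membership guard in find_triggers.

```python
# Added example, not pyt's own code: collects the line numbers that carry a
# "# nosec" marker, first the way the PR does (substring match), then with the
# tokenizer so only real comments count. SAMPLE is a constructed snippet.
import io
import tokenize

SAMPLE = '''\
import subprocess
subprocess.call(cmd, shell=True)  # nosec
subprocess.call("echo '# nosec' > log", shell=True)
x = eval(data)  #nosec
y = eval(other)
'''


def nosec_lines_substring(source):
    """The PR's approach: whitelist any line containing the marker, even when
    it only appears inside a string literal (line 3 of SAMPLE)."""
    return {
        lineno for lineno, line in enumerate(source.splitlines(), start=1)
        if '#nosec' in line or '# nosec' in line
    }


def nosec_lines_tokenized(source):
    """Stricter variant: only COMMENT tokens are inspected, so a '# nosec'
    inside a string literal does not suppress findings on that line."""
    nosec = set()
    readline = io.BytesIO(source.encode('utf-8')).readline
    for tok in tokenize.tokenize(readline):
        if tok.type != tokenize.COMMENT:
            continue
        if '#nosec' in tok.string.replace(' ', ''):
            nosec.add(tok.start[0])  # start is (row, col); row is 1-based
    return nosec


def filter_triggers(trigger_line_numbers, nosec_lines):
    """Hypothetical mirror of `if node.line_number not in nosec_lines` in
    find_triggers: keep only the trigger lines that are not whitelisted."""
    return [ln for ln in trigger_line_numbers if ln not in nosec_lines]


if __name__ == '__main__':
    triggers = [2, 3, 4, 5]  # constructed: treat every call line as a trigger
    print('substring:', sorted(nosec_lines_substring(SAMPLE)))  # [2, 3, 4]
    print('tokenized:', sorted(nosec_lines_tokenized(SAMPLE)))  # [2, 4]
    print('remaining:', filter_triggers(triggers, nosec_lines_tokenized(SAMPLE)))  # [3, 5]
```

With the substring rule line 3 is silently whitelisted because its shell command string contains the marker; the tokenizer variant keeps it as a finding.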
edited argument, moved code place
path = os.path.normpath(args.filepath)
cfg_list = list()
if args.ignore_nosec:
I moved the code to this place and deleted nosec_lines = set(), because it's already created in the if-else statement.
elif args.trim_reassigned_in:
ui_mode = UImode.TRIM

path = os.path.normpath(args.filepath)
It's necessary for learning the filename. I moved it above the ignore_nosec argument.
@KevinHock can you check it again?

So there are just a few things left, vulnerabilities.py looks good. Can you pass nosec_lines to analyse_repo and then also to the call to find_vulnerabilities inside of that function?
unnecessary codes deleted, passed nosec_lines on analyse_repo
Like that?

Yup, shall I merge? 😀

Why not :)

Oh whoops, it seems like tests are failing https://travis-ci.org/python-security/pyt/builds/371295436?utm_source=github_status&utm_medium=notification
Added empty nosec_lines for tests
Sorry, by Before:

def find_vulnerabilities(
    cfg_list,
    analysis_type,
    ui_mode,
    vulnerability_files,
    nosec_lines
):

After:

def find_vulnerabilities(
    cfg_list,
    analysis_type,
    ui_mode,
    vulnerability_files,
    nosec_lines=set()
):

So that you won't have to manually pass an empty set to every
You are right, my bad :)

I think it's ok now.
nodes,
trigger_words
trigger_words,
nosec_lines = set()
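Review bot: nosec_lines = set() as the default for find_triggers is a mutable default, created once and shared by every call that omits the argument. The function only does membership tests on it, so nothing breaks today, but any later code that adds to it would leak whitelisted line numbers across calls. Defaulting to None and assigning an empty set in the body, or using frozenset() as the default, avoids that; either way the PEP 8 spelling is without spaces around the =, as requested on this line.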
Can you please do nosec_lines=set() instead of nosec_lines = set()? I thought find_vulnerabilities was the only function that needed this, but you're right since we do call find_triggers once from a test here:
pyt/tests/vulnerabilities_test.py, line 96 in a3b9951
You can see some of these in the https://codeclimate.com/github/python-security/pyt/pull/121 output.
blackbox_mapping,
vulnerabilities_list
vulnerabilities_list,
nosec_lines = set()
So this shouldn't be necessary, (to make it default to empty set), we can just leave it as nosec_lines. This is b/c we only call find_vulnerabilities from tests, not this function.
from pyt.reaching_definitions_taint import ReachingDefinitionsTaintAnalysis
from pyt.vulnerabilities import find_vulnerabilities
We normally leave 2 lines between the imports and other code.
from pyt.node_types import Node
from pyt.reaching_definitions_taint import ReachingDefinitionsTaintAnalysis
sinks,
lattice
lattice,
nosec_lines=set()
So identify_triggers( is never called in tests, so I don't think a default arg is needed.
Thanks @omergunal!

You are welcome 👍

Issue #108
I built nosec_lines but I'm not sure how to send it to find_triggers and find_vulnerabilities.