Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Whitelist lines ending in # nosec #121

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
KevinHock merged 22 commits into from
Apr 28, 2018
Merged

Whitelist lines ending in # nosec #121

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
4cd3ea5
nosec_lines for #108's issue
omergunal Apr 22, 2018
ae9e8e9
nosec_lines
omergunal Apr 23, 2018
1735db7
added nosec_lines parameter
omergunal Apr 23, 2018
fb88051
Update vulnerabilities.py
omergunal Apr 23, 2018
d0e8ef0
Code edited
omergunal Apr 24, 2018
8569aa4
unnecessary codes deleted
omergunal Apr 24, 2018
e8cddd0
passed nosec_lines on analyse_repo
omergunal Apr 25, 2018
3d5867b
Added nosec_lines
omergunal Apr 26, 2018
1502ee7
added empty nosec lines for tests
omergunal Apr 26, 2018
bed2f77
added nosec_lines
omergunal Apr 26, 2018
69d0193
added empty nosec_lines for tests
omergunal Apr 26, 2018
3cb5186
Added ignore-nosec argument
omergunal Apr 26, 2018
ec6d23a
Update vulnerabilities_test.py
omergunal Apr 26, 2018
6f09912
unnecessary codes removed
omergunal Apr 26, 2018
9c4dea6
added default nosec_lines
omergunal Apr 26, 2018
f4ebbff
Update vulnerabilities.py
omergunal Apr 27, 2018
7c872a0
Update vulnerabilities.py
omergunal Apr 27, 2018
b943310
removed spaces
omergunal Apr 28, 2018
175c235
new line between imports and codes
omergunal Apr 28, 2018
c79161c
Update __main__.py
omergunal Apr 28, 2018
ed13514
new line between imports and codes
omergunal Apr 28, 2018
0928700
removed set() from nosec_lines
omergunal Apr 28, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 21 additions & 6 deletions pyt/__main__.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,6 +142,9 @@ def parse_args(args):
'(only JSON-formatted files are accepted)',
type=str,
default=False)
parser.add_argument('--ignore-nosec', dest='ignore_nosec', action='store_true',
help='do not skip lines with # nosec comments'
)

save_parser = subparsers.add_parser('save', help='Save menu.')
save_parser.set_defaults(which='save')
Expand Down Expand Up @@ -192,7 +195,7 @@ def parse_args(args):
return parser.parse_args(args)


def analyse_repo(args, github_repo, analysis_type, ui_mode):
def analyse_repo(args, github_repo, analysis_type, ui_mode, nosec_lines):
cfg_list = list()
directory = os.path.dirname(github_repo.path)
project_modules = get_modules(directory)
Expand All @@ -215,7 +218,8 @@ def analyse_repo(args, github_repo, analysis_type, ui_mode):
VulnerabilityFiles(
args.blackbox_mapping_file,
args.trigger_word_file
)
),
nosec_lines
)
return vulnerabilities

Expand All @@ -235,12 +239,23 @@ def main(command_line_args=sys.argv[1:]):
elif args.trim_reassigned_in:
ui_mode = UImode.TRIM

path = os.path.normpath(args.filepath)
Copy link
Copy Markdown
Contributor Author

@omergunal omergunal Apr 24, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its necessary for learning filename. i moved to above the ignore_nosec argument

cfg_list = list()
if args.ignore_nosec:
Copy link
Copy Markdown
Contributor Author

@omergunal omergunal Apr 24, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i moved the code this place and deleted nosec_lines = set() .Because its already created in if-else statement.

nosec_lines = set()
else:
file = open(path, "r")
lines = file.readlines()
nosec_lines = set(
lineno for
(lineno, line) in enumerate(lines, start=1)
if '#nosec' in line or '# nosec' in line)

if args.git_repos:
repos = get_repos(args.git_repos)
for repo in repos:
repo.clone()
vulnerabilities = analyse_repo(args, repo, analysis, ui_mode)
vulnerabilities = analyse_repo(args, repo, analysis, ui_mode, nosec_lines)
if args.json:
json.report(vulnerabilities, sys.stdout)
else:
Expand All @@ -263,8 +278,6 @@ def main(command_line_args=sys.argv[1:]):
)
exit()

path = os.path.normpath(args.filepath)

directory = None
if args.project_root:
directory = os.path.normpath(args.project_root)
Expand Down Expand Up @@ -305,8 +318,10 @@ def main(command_line_args=sys.argv[1:]):
VulnerabilityFiles(
args.blackbox_mapping_file,
args.trigger_word_file
)
),
nosec_lines
)

if args.baseline:
vulnerabilities = get_vulnerabilities_not_in_baseline(vulnerabilities, args.baseline)

Expand Down
27 changes: 16 additions & 11 deletions pyt/vulnerabilities.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,8 @@ def identify_triggers(
cfg,
sources,
sinks,
lattice
lattice,
nosec_lines
):
"""Identify sources, sinks and sanitisers in a CFG.

Expand All @@ -89,12 +90,12 @@ def identify_triggers(
tainted_nodes = filter_cfg_nodes(cfg, TaintedNode)
tainted_trigger_nodes = [TriggerNode('Framework function URL parameter', None,
node) for node in tainted_nodes]
sources_in_file = find_triggers(assignment_nodes, sources)
sources_in_file = find_triggers(assignment_nodes, sources, nosec_lines)
sources_in_file.extend(tainted_trigger_nodes)

find_secondary_sources(assignment_nodes, sources_in_file, lattice)

sinks_in_file = find_triggers(cfg.nodes, sinks)
sinks_in_file = find_triggers(cfg.nodes, sinks, nosec_lines)

sanitiser_node_dict = build_sanitiser_node_dict(cfg, sinks_in_file)

Expand Down Expand Up @@ -170,7 +171,8 @@ def append_node_if_reassigned(

def find_triggers(
nodes,
trigger_words
trigger_words,
nosec_lines
):
"""Find triggers from the trigger_word_list in the nodes.

Expand All @@ -183,7 +185,8 @@ def find_triggers(
"""
trigger_nodes = list()
for node in nodes:
trigger_nodes.extend(iter(label_contains(node, trigger_words)))
if node.line_number not in nosec_lines:
trigger_nodes.extend(iter(label_contains(node, trigger_words)))
return trigger_nodes


Expand Down Expand Up @@ -466,7 +469,8 @@ def find_vulnerabilities_in_cfg(
lattice,
ui_mode,
blackbox_mapping,
vulnerabilities_list
vulnerabilities_list,
nosec_lines
):
"""Find vulnerabilities in a cfg.

Expand All @@ -482,7 +486,8 @@ def find_vulnerabilities_in_cfg(
cfg,
definitions.sources,
definitions.sinks,
lattice
lattice,
nosec_lines
)
for sink in triggers.sinks:
for source in triggers.sources:
Expand All @@ -503,7 +508,8 @@ def find_vulnerabilities(
cfg_list,
analysis_type,
ui_mode,
vulnerability_files
vulnerability_files,
nosec_lines
):
"""Find vulnerabilities in a list of CFGs from a trigger_word_file.

Expand All @@ -518,7 +524,6 @@ def find_vulnerabilities(
"""
vulnerabilities = list()
definitions = parse(vulnerability_files.triggers)

with open(vulnerability_files.blackbox_mapping) as infile:
blackbox_mapping = json.load(infile)
for cfg in cfg_list:
Expand All @@ -528,9 +533,9 @@ def find_vulnerabilities(
Lattice(cfg.nodes, analysis_type),
ui_mode,
blackbox_mapping,
vulnerabilities
vulnerabilities,
nosec_lines
)
with open(vulnerability_files.blackbox_mapping, 'w') as outfile:
json.dump(blackbox_mapping, outfile, indent=4)

return vulnerabilities