
Tool introduction

Bandit is a tool for finding common security issues in Python code. During a scan, Bandit processes each Python source file, builds an abstract syntax tree (AST) from it, and runs the matching check plugins against every AST node. When the scan finishes, Bandit generates a report for the user.
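As an added illustration of that scanning model (written for this page, not Bandit's own code, and importing nothing from it): a miniature scanner of the same shape, with checks registered per AST node type through a stand-in for the bandit.checks decorator, one parse per file, "# nosec" suppression, and a severity floor equivalent to -l/-ll/-lll. The names `checks`, `Issue`, `scan` and the sample source are constructed here; the two checks only imitate the intent of the B307 (eval) and B602 (shell=True) plugins.

```python
import ast
from dataclasses import dataclass

LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}  # ordered like Bandit's -l / -ll / -lll
CHECKS = {}  # AST node type name -> registered check functions

@dataclass
class Issue:
    test_id: str
    severity: str
    confidence: str
    msg: str
    line: int

def checks(node_type):
    """Stand-in for bandit.checks: register a check for one AST node type."""
    def register(func):
        CHECKS.setdefault(node_type, []).append(func)
        return func
    return register

def qualname(node):  # dotted name of a call target, e.g. 'subprocess.call'
    if isinstance(node, ast.Attribute):
        return qualname(node.value) + "." + node.attr
    return node.id if isinstance(node, ast.Name) else ""

@checks("Call")
def eval_used(node):  # same idea as Bandit's B307 plugin
    if qualname(node.func) == "eval":
        return Issue("B307", "MEDIUM", "HIGH", "Use of possibly insecure function eval().", node.lineno)
@checks("Call")
def shell_equals_true(node):  # same idea as Bandit's B602 plugin
    shell = [k.value for k in node.keywords if k.arg == "shell"]
    if qualname(node.func).startswith("subprocess.") and shell and getattr(shell[0], "value", None) is True:
        return Issue("B602", "HIGH", "HIGH", "subprocess call with shell=True identified.", node.lineno)

def scan(source, min_level="LOW", ignore_nosec=False):
    """Parse once, run every registered check on each node, honour '# nosec', filter by severity."""
    lines, issues = source.splitlines(), []
    for node in ast.walk(ast.parse(source)):
        for check in CHECKS.get(type(node).__name__, []):
            issue = check(node)
            if issue is None or ("# nosec" in lines[issue.line - 1] and not ignore_nosec):
                continue
            if LEVELS[issue.severity] >= LEVELS[min_level]:
                issues.append(issue)
    return issues

# Constructed sample input (not real project code); line 4 carries a '# nosec' suppression.
SAMPLE = "import subprocess\nsubprocess.call('ls ' + user_input, shell=True)\nresult = eval(expr)\ncfg = eval(trusted)  # nosec\n"
```

Running scan(SAMPLE) reports B602 on line 2 and B307 on line 3; the suppressed eval on line 4 only appears with ignore_nosec=True, and min_level="HIGH" keeps just the B602 finding.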
Installation

Bandit is distributed through PyPI, and installing it with pip is the recommended route.
Create a virtual environment (optional):
    virtualenv bandit-env

Install Bandit:
    pip install bandit
    # Or if you're working with a Python 3 project
    pip3 install bandit

Run Bandit:
    bandit -r path/to/your/code

Bandit can also be installed from source: download the source tarball from PyPI, then run:
    python setup.py install

Usage

Example usage across a code tree:
    bandit -r ~/your_repos/project

Example usage across the examples/ directory, showing three lines of context and reporting only high-severity issues:
    bandit examples/*.py -n 3 -lll

Bandit can also be run with a profile. To scan the examples directory using only the plugins listed in the ShellInjection profile:
    bandit examples/*.py -p ShellInjection

Bandit also accepts lines of code to scan on standard input:
    cat examples/imports.py | bandit -

Usage example:

    $ bandit -h
    usage: bandit [-h] [-r] [-a {file,vuln}] [-n CONTEXT_LINES] [-c CONFIG_FILE]
                  [-p PROFILE] [-t TESTS] [-s SKIPS] [-l] [-i]
                  [-f {csv,custom,html,json,screen,txt,xml,yaml}]
                  [--msg-template MSG_TEMPLATE] [-o [OUTPUT_FILE]] [-v] [-d] [-q]
                  [--ignore-nosec] [-x EXCLUDED_PATHS] [-b BASELINE]
                  [--ini INI_PATH] [--version]
                  [targets [targets ...]]

      -h, --help            show this help message and exit
      -r, --recursive       find and process files in subdirectories
      -a {file,vuln}, --aggregate {file,vuln}
                            aggregate output by vulnerability (default) or by
                            filename
      -n CONTEXT_LINES, --number CONTEXT_LINES
                            maximum number of code lines to output for each issue
      -c CONFIG_FILE, --configfile CONFIG_FILE
                            optional config file to use for selecting plugins and
                            overriding defaults
      -p PROFILE, --profile PROFILE
                            profile to use (defaults to executing all tests)
      -t TESTS, --tests TESTS
                            comma-separated list of test IDs to run
      -s SKIPS, --skip SKIPS
                            comma-separated list of test IDs to skip
      -l, --level           report only issues of a given severity level or higher
                            (-l for LOW, -ll for MEDIUM, -lll for HIGH)
      -i, --confidence      report only issues of a given confidence level or
                            higher (-i for LOW, -ii for MEDIUM, -iii for HIGH)
      -f {csv,custom,html,json,screen,txt,xml,yaml}, --format {csv,custom,html,json,screen,txt,xml,yaml}
                            specify output format
      --msg-template MSG_TEMPLATE
                            specify output message template (only usable with
                            --format custom), see CUSTOM FORMAT section for list
                            of available values
      -o [OUTPUT_FILE], --output [OUTPUT_FILE]
                            write report to filename
      -v, --verbose         output extra information like excluded and included
                            files
      -d, --debug           turn on debug mode
      -q, --quiet, --silent
                            only show output in the case of an error
      --ignore-nosec        do not skip lines with # nosec comments
      -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
                            comma-separated list of paths (glob patterns
                            supported) to exclude from scan (note that these are
                            in addition to the excluded paths provided in the
                            config file)
      -b BASELINE, --baseline BASELINE
                            path of a baseline report to compare against (only
                            JSON-formatted files are accepted)
      --ini INI_PATH        path to a .bandit file that supplies command line
                            arguments
      --version             show program's version number and exit

    CUSTOM FORMATTING

        {abspath}, {relpath}, {line}, {test_id},
        {severity}, {msg}, {confidence}, {range}

        bandit -r examples/ --format custom --msg-template \
        "{abspath}:{line}: {test_id}[bandit]: {severity}: {msg}"

        Tags can also be formatted in python string.format style:
        "{relpath:20.20s}: {line:03}: {test_id:^8}: DEFECT: {msg:>20}"

        B101  assert_used
        B102  exec_used
        B103  set_bad_file_permissions
        B104  hardcoded_bind_all_interfaces
        B105  hardcoded_password_string
        B106  hardcoded_password_funcarg
        B107  hardcoded_password_default
        B108  hardcoded_tmp_directory
        B110  try_except_pass
        B112  try_except_continue
        B201  flask_debug_true
        B301  pickle
        B302  marshal
        B303  md5
        B304  ciphers
        B305  cipher_modes
        B306  mktemp_q
        B307  eval
        B308  mark_safe
        B309  httpsconnection
        B310  urllib_urlopen
        B311  random
        B312  telnetlib
        B313  xml_bad_cElementTree
        B314  xml_bad_ElementTree
        B315  xml_bad_expatreader
        B316  xml_bad_expatbuilder
        B317  xml_bad_sax
        B318  xml_bad_minidom
        B319  xml_bad_pulldom
        B320  xml_bad_etree
        B321  ftplib
        B322  input
        B323  unverified_context
        B324  hashlib_new_insecure_functions
        B325  tempnam
        B401  import_telnetlib
        B402  import_ftplib
        B403  import_pickle
        B404  import_subprocess
        B405  import_xml_etree
        B406  import_xml_sax
        B407  import_xml_expat
        B408  import_xml_minidom
        B409  import_xml_pulldom
        B410  import_lxml
        B411  import_xmlrpclib
        B412  import_httpoxy
        B413  import_pycrypto
        B501  request_with_no_cert_validation
        B502  ssl_with_bad_version
        B503  ssl_with_bad_defaults
        B504  ssl_with_no_version
        B505  weak_cryptographic_key
        B506  yaml_load
        B507  ssh_no_host_key_verification
        B601  paramiko_calls
        B602  subprocess_popen_with_shell_equals_true
        B603  subprocess_without_shell_equals_true
        B604  any_other_function_with_shell_equals_true
        B605  start_process_with_a_shell
        B606  start_process_with_no_shell
        B607  start_process_with_partial_path
        B608  hardcoded_sql_expressions
        B609  linux_commands_wildcard_injection
        B610  django_extra_used
        B611  django_rawsql_used
        B701  jinja2_autoescape_false
        B702  use_of_mako_templates
        B703  django_mark_safe

Baseline
Bandit lets the user specify the path of a baseline report to compare against:
    bandit -b BASELINE

This is useful for ignoring known issues, or findings you do not consider to be issues. A baseline report can be generated with:
    bandit -f json -o PATH_TO_OUTPUT_FILE

Version control integration

Install and use pre-commit, then add the following to the repository's .pre-commit-config.yaml:
    repos:
    - repo: https://github.com/PyCQA/bandit
      rev: '' # Update me!
      hooks:
      - id: bandit

Then run pre-commit.
Extending Bandit

Bandit allows users to write and register extensions that implement custom checks or formatters. Bandit loads plugins from the following two entry points:
    bandit.formatters
    bandit.plugins

Formatters need to accept the following four input arguments:
Checks use bandit.checks to register a scan against a particular type of AST node:
    import bandit

    @bandit.checks('Call')
    def prohibit_unsafe_deserialization(context):
        # Only flag calls whose qualified name mentions unsafe_load; without a
        # condition the check would report every call node it is handed.
        if 'unsafe_load' in context.call_function_name_qual:
            return bandit.Issue(
                severity=bandit.HIGH,
                confidence=bandit.HIGH,
                text="Unsafe deserialization detected."
            )

Bandit gives you two options for registering a plugin:

1. If you use setuptools directly, add the following to the setup call:
    # If you have an imaginary bson formatter in the bandit_bson module
    # and a function called `formatter`.
    entry_points={'bandit.formatters': ['bson = bandit_bson:formatter']}
    # Or a check for using mako templates in bandit_mako that
    entry_points={'bandit.plugins': ['mako = bandit_mako']}

2. If you use pbr, add the following to setup.cfg:
    [entry_points]
    bandit.formatters =
        bson = bandit_bson:formatter
    bandit.plugins =
        mako = bandit_mako

Project links

Reference documentation: https://bandit.readthedocs.io/en/latest/
Bandit: https://github.com/PyCQA/bandit
Bug reports: https://github.com/PyCQA/bandit/issues
License

This project is released under the Apache open-source license.
*Source: bandit; compiled by FreeBuf editor Alpha_h4ck. Please credit FreeBuf.COM when reposting.