Pardon, not sure whether this thread is proper here or not; I tested web2py and web3py 
with bandit.
*steps*
pip3 install bandit
cd
git clone https://github.com/web2py/web3py
git clone https://github.com/web2py/web2py

$ bandit web3py/*.py -r
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.5.3
Run started:2019-05-22 15:04:53.288693
Test results:
>> Issue: [B404:blacklist] Consider possible security implications 
associated with subprocess module.
   Severity: Low   Confidence: High
   Location: web3py/setup.py:4
   More Info: 
https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
3       """
4       import subprocess
5       import re
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - 
check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: web3py/setup.py:13
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
12      def get_hash():
13          return subprocess.check_output(['git', 'rev-parse', 
'HEAD']).strip().decode('utf8')
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a 
partial executable path
   Severity: Low   Confidence: High
   Location: web3py/setup.py:13
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
12      def get_hash():
13          return subprocess.check_output(['git', 'rev-parse', 
'HEAD']).strip().decode('utf8')
--------------------------------------------------
Code scanned:
        Total lines of code: 52
        Total lines skipped (#nosec): 0
Run metrics:
        Total issues (by severity):
                Undefined: 0.0
                Low: 3.0
                Medium: 0.0
                High: 0.0
        Total issues (by confidence):
                Undefined: 0.0
                Low: 0.0
                Medium: 0.0
                High: 3.0
Files skipped (0):

$ bandit web2py/*.py -r
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.5.3
Run started:2019-05-22 15:06:10.007801
Test results:
>> Issue: [B412:blacklist] Consider possible security implications 
associated with CGIHandler module.
   Severity: High   Confidence: High
   Location: web2py/anyserver.py:25
   More Info: 
https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b412-import-httpoxy
24          def cgi(app, address=None, **options):
25              from wsgiref.handlers import CGIHandler
26              CGIHandler().run(app)  # Just ignore host and port here
--------------------------------------------------
>> Issue: [B412:blacklist] Consider possible security implications 
associated with wsgiref.handlers.CGIHandler module.
   Severity: High   Confidence: High
   Location: web2py/anyserver.py:26
   More Info: 
https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b412-import-httpoxy
25              from wsgiref.handlers import CGIHandler
26              CGIHandler().run(app)  # Just ignore host and port here
--------------------------------------------------
Code scanned:
        Total lines of code: 540
        Total lines skipped (#nosec): 0
Run metrics:
        Total issues (by severity):
                Undefined: 0.0
                Low: 0.0
                Medium: 0.0
                High: 2.0
        Total issues (by confidence):
                Undefined: 0.0
                Low: 0.0
                Medium: 0.0
                High: 2.0
Files skipped (1):
        web2py/fabfile.py (syntax error while parsing AST from file)

best regards,
stifan

--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/7fe5a718-a2b8-4c07-a791-74826fb2cec5%40googlegroups.com.