In my previous message I did not scan recursively. I also tried to scan web2py, but it takes a longer time. I think the results under the apps folder can be ignored, since it is just scaffolding and examples, but they can serve as a reminder when deploying in production.
$ bandit ./web3py/ -r
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.6.7
Run started:2019-05-23 04:29:35.118424
Test results:
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: '<my 
secret key>'
   Severity: Low   Confidence: Medium
   Location: ./web3py/apps/_scaffold/settings.py:17
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
16      SESSION_TYPE = 'cookies'
17      SESSION_SECRET_KEY = '<my secret key>'
18      MEMCACHE_CLIENTS = ['127.0.0.1:11211']
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 
'myscret'
   Severity: Low   Confidence: Medium
   Location: ./web3py/apps/examples/__init__.py:12
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
11      db.commit()
12      session = Session(secret='myscret')
13
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'some 
secret'
   Severity: Low   Confidence: Medium
   Location: ./web3py/apps/todo/__init__.py:5
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
4       # define session and cache objects
5       session = Session(secret='some secret')
6       cache = Cache(size=1000)
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications 
associated with subprocess module.
   Severity: Low   Confidence: High
   Location: ./web3py/setup.py:4
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
3       """
4       import subprocess
5       import re
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a 
partial executable path
   Severity: Low   Confidence: High
   Location: ./web3py/setup.py:13
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
12      def get_hash():
13          return subprocess.check_output(['git', 'rev-parse', 
'HEAD']).strip().decode('utf8')
14
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - 
check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: ./web3py/setup.py:13
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
12      def get_hash():
13          return subprocess.check_output(['git', 'rev-parse', 
'HEAD']).strip().decode('utf8')
14
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will 
be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: ./web3py/web3py/core.py:255
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
254                     if self.expiration is not None and self.storage is 
None:
255                         assert self.local.data['timestamp'] > 
time.time() - int(self.expiration)
256                     assert self.local.data.get('secure') == 
self.local.secure
--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will 
be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   Location: ./web3py/web3py/core.py:256
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
255                         assert self.local.data['timestamp'] > 
time.time() - int(self.expiration)
256                     assert self.local.data.get('secure') == 
self.local.secure
257                 except (jwt.exceptions.InvalidSignatureError, 
AssertionError, ValueError):
--------------------------------------------------
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp 
file/directory.
   Severity: Medium   Confidence: Medium
   Location: ./web3py/web3py/core.py:648
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b108_hardcoded_tmp_directory.html
647         parser.add_argument('--service_db_uri', 
default='sqlite://service.storage', type=str, help='db uri for logging')
648         parser.add_argument('--service_folder', default='/tmp/web3py', 
type=str, help='db uri for logging')
649         action.args = args = parser.parse_args()
--------------------------------------------------
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp 
file/directory.
   Severity: Medium   Confidence: Medium
   Location: ./web3py/web3py/tests/test_action.py:14
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b108_hardcoded_tmp_directory.html
13
14      db = DAL('sqlite://storage_%s' % uuid.uuid4(), folder='/tmp/')
15      db.define_table('thing', Field('name'))
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 
'my secret'
   Severity: Low   Confidence: Medium
   Location: ./web3py/web3py/tests/test_action.py:16
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
15      db.define_table('thing', Field('name'))
16      session = Session(secret='my secret')
17      cache = Cache()
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'a'
   Severity: Low   Confidence: Medium
   Location: ./web3py/web3py/tests/test_auth.py:12
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
11              self.db = DAL('sqlite:memory')
12              self.session = Session(secret="a", expiration=10)
13              self.session.local.data = {}
--------------------------------------------------
>> Issue: [B311:blacklist] Standard pseudo-random generators are not 
suitable for security/cryptographic purposes.
   Severity: Low   Confidence: High
   Location: ./web3py/web3py/tests/test_cache.py:51
   More Info: 
https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random
50              def f(x):
51                  return x + random.random()
52
--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications 
associated with subprocess module.
   Severity: Low   Confidence: High
   Location: ./web3py/web3py/tests/test_session.py:4
   More Info: 
https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
3       import memcache
4       import subprocess
5
6       from web3py import request, response, Session, DAL
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'a'
   Severity: Low   Confidence: Medium
   Location: ./web3py/web3py/tests/test_session.py:13
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
12              request.app_name = 'myapp'
13              session = Session(secret="a", expiration=10)
14              session.on_request()
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'b'
   Severity: Low   Confidence: Medium
   Location: ./web3py/web3py/tests/test_session.py:24
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
23
24              session = Session(secret="b", expiration=10)
25              session.on_request()
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'a'
   Severity: Low   Confidence: Medium
   Location: ./web3py/web3py/tests/test_session.py:28
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
27
28              session = Session(secret="a", expiration=10)
29              session.on_request()
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'a'
   Severity: Low   Confidence: Medium
   Location: ./web3py/web3py/tests/test_session.py:35
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
34              db = DAL('sqlite:memory')
35              session = Session(secret="a", expiration=10, 
storage=DBStore(db))
36              request.cookies.clear()
--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a 
partial executable path
   Severity: Low   Confidence: High
   Location: ./web3py/web3py/tests/test_session.py:59
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b607_start_process_with_partial_path.html
58              try:
59                  memcache_process = subprocess.Popen(['memcached', '-p', 
'11211'])
60                  time.sleep(1)
--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - 
check for execution of untrusted input.
   Severity: Low   Confidence: High
   Location: ./web3py/web3py/tests/test_session.py:59
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
58              try:
59                  memcache_process = subprocess.Popen(['memcached', '-p', 
'11211'])
60                  time.sleep(1)
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 'a'
   Severity: Low   Confidence: Medium
   Location: ./web3py/web3py/tests/test_session.py:63
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
62                  conn = memcache.Client(['127.0.0.1:11211'], debug=0)
63                  session = Session(secret="a", expiration=10, 
storage=conn)
64                  request.cookies.clear()
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash 
function.
   Severity: Medium   Confidence: High
   Location: ./web3py/web3py/utils/auth.py:211
   More Info: 
https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
210             id = user['id']
211             token = hashlib.sha1(user['email'].lower()).hexdigest()
212             db = self.db
--------------------------------------------------
>> Issue: [B106:hardcoded_password_funcarg] Possible hardcoded password: 
'gdpr-unsubscribed'
   Severity: Low   Confidence: Medium
   Location: ./web3py/web3py/utils/auth.py:213
   More Info: 
https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html
212             db = self.db
213             db(db.auth_user.id==id).update(
214                 email="%[email protected]" % token,
215                 password=None,
216                 first_name='anonymous',
217                 last_name='anonymous',
218                 sso_id=None,
219                 action_token='gdpr-unsubscribed')
220             if send:
--------------------------------------------------
>> Issue: [B303:blacklist] Use of insecure MD2, MD4, MD5, or SHA1 hash 
function.
   Severity: Medium   Confidence: High
   Location: ./web3py/web3py/utils/auth.py:225
   More Info: 
https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5
224             db = self.db
225             token = hashlib.sha1(email.lower()).hexdigest()
226             email="%[email protected]" % token
--------------------------------------------------
Code scanned:
        Total lines of code: 2701
        Total lines skipped (#nosec): 0
Run metrics:
        Total issues (by severity):
                Undefined: 0.0
                Low: 20.0
                Medium: 4.0
                High: 0.0
        Total issues (by confidence):
                Undefined: 0.0
                Low: 0.0
                Medium: 13.0
                High: 11.0
Files skipped (0):

best regards,
stifan

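The B101 findings above are worth more than their "Low" severity suggests: core.py uses assert for the session expiry and secure-flag checks and then catches AssertionError, and assert statements are removed when Python runs with -O, so those checks silently stop running. The following is an added example, not web3py's own code or the author's: it reproduces that assert-based pattern and compiles it at the optimization level `python -O` uses, then shows explicit checks that survive, loads the session secret from the SESSION_SECRET_KEY setting name seen in the scaffold's settings.py instead of hardcoding it (B105/B106), and derives the GDPR anonymization token with sha256 instead of sha1 (B303). SessionError, validate_explicit, session_secret, anonymized_email and the example.invalid domain are names and values assumed for this example.

```python
# Added example (not web3py's own code). It reproduces the assert-based
# session checks that bandit reports as B101 in core.py, shows that they
# vanish at the optimization level used by `python -O`, and gives hardened
# counterparts for B101, B105/B106 (hardcoded session secrets) and
# B303 (sha1). SessionError, validate_explicit, session_secret,
# anonymized_email and the example.invalid domain are assumptions.
import hashlib
import os
import secrets
import time

# The flagged pattern, kept as source text so it can be compiled at
# different optimization levels below. Mirrors the core.py logic: the
# session is valid only if its timestamp is within `expiration` seconds
# and its 'secure' flag matches the one the application expects.
ASSERT_VALIDATOR_SRC = '''
import time

def validate(data, secure, expiration):
    try:
        assert expiration is None or data['timestamp'] > time.time() - int(expiration)
        assert data.get('secure') == secure
        return True
    except (AssertionError, KeyError, ValueError):
        return False
'''


def build_assert_validator(optimize):
    """Compile the assert-based validator at a given optimization level.

    optimize=0 is the normal interpreter; optimize=1 is what `python -O`
    does, and it strips every assert statement from the bytecode.
    """
    namespace = {}
    code = compile(ASSERT_VALIDATOR_SRC, '<assert_validator>', 'exec',
                   optimize=optimize)
    exec(code, namespace)
    return namespace['validate']


class SessionError(Exception):
    """Raised when session data fails validation (hypothetical name)."""


def validate_explicit(data, secure, expiration, now=None):
    """The same checks as explicit tests that raise SessionError.

    Unlike assert, these survive `python -O`, and the caller catches a
    dedicated exception instead of AssertionError.
    """
    now = time.time() if now is None else now
    try:
        timestamp = float(data['timestamp'])
    except (KeyError, TypeError, ValueError):
        raise SessionError('missing or malformed timestamp')
    if expiration is not None and timestamp <= now - int(expiration):
        raise SessionError('session expired')
    if data.get('secure') != secure:
        raise SessionError('secure flag does not match the request')
    return True


def session_secret(env=None, allow_generated=False):
    """B105/B106: take the session secret from the environment.

    SESSION_SECRET_KEY is the setting name from the scaffold's settings.py.
    A randomly generated fallback is only for development and tests: a
    fresh secret on every start invalidates all sessions, and each worker
    process would end up with a different one.
    """
    env = os.environ if env is None else env
    value = env.get('SESSION_SECRET_KEY')
    if value and len(value) >= 32:
        return value
    if value:
        raise ValueError('SESSION_SECRET_KEY is too short; use >= 32 characters')
    if allow_generated:
        return secrets.token_urlsafe(32)
    raise ValueError('SESSION_SECRET_KEY is not set')


def anonymized_email(email):
    """B303: derive the GDPR-anonymized address with sha256 instead of sha1.

    hashlib hashes bytes, so the address is normalized and encoded first
    (the flagged call hashes the result of .lower() directly; if that is a
    str, Python 3 raises TypeError). example.invalid is a placeholder.
    """
    token = hashlib.sha256(email.strip().lower().encode('utf8')).hexdigest()
    return '%s@example.invalid' % token


if __name__ == '__main__':
    expired = {'timestamp': time.time() - 3600, 'secure': True}
    print('normal:', build_assert_validator(0)(expired, True, 10))  # False
    print('-O    :', build_assert_validator(1)(expired, True, 10))  # True
    try:
        validate_explicit(expired, True, 10)
    except SessionError as exc:
        print('explicit:', exc)
```

Running the block shows the point directly: the assert-based validator rejects an expired session at optimize=0 but accepts it at optimize=1, while validate_explicit rejects it either way. For the scan itself, bandit's `-x`/`--exclude` option takes a comma-separated list of paths, so the scaffold and example apps can be left out of a CI run, and individual test IDs can be skipped with `-s`; a `# nosec` comment on a line suppresses that one finding, which is the right tool for the test-suite secrets like `Session(secret="a")` once someone has looked at them.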
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/2ea7f720-f1ec-4275-92bb-23b8ca07ab99%40googlegroups.com.