fix: improve bandit config (re-enable B608)

harshittiwariii · web-flow · commit 74b53ce65810 · 2024-03-13T16:59:42.000-07:00
* fixes #3830 Co-authored-by: harshittiwariii <harshittiwary05@gmail.com>
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -30,7 +30,7 @@ repos:
     rev: 7.0.0
     hooks:
     - id: flake8
-      exclude: ^fuzz/generated/
+      exclude: ^fuzz/generated/|bandit\.conf$
 
 -   repo: https://github.com/PyCQA/bandit
     rev: 1.7.7
diff --git a/bandit.conf b/bandit.conf
@@ -82,14 +82,14 @@
 # B703 : django_mark_safe
 
 # (optional) list included test IDs here, eg '[B101, B406]':
-tests:
+#tests:
 
 # (optional) list skipped test IDs here, eg '[B101, B406]':
-skips: ['B603', 'B607', 'B404', "B608"]
+skips: ['B603', 'B607', 'B404']
 # B603, B607 and B404 are all subprocess-related.
 # B608 should be re-enabled when multi-line issues can be marked with nosec
 
-# Explantion: cve-bin-tool is at heart a shell script that calls other processes.
+# Explanation: cve-bin-tool is at heart a shell script that calls other processes.
 # Switching to pure python has significant performance impacts.
 
 # skips assert rule on tests
@@ -100,5 +100,4 @@ assert_used:
 ### that may be given here, per-plugin. All bandit test plugins have a built in
 ### set of sensible defaults and these will be used if no configuration is
 ### provided. It is not necessary to provide settings for every (or any) plugin
-### if the defaults are acceptable.
-
+### if the defaults are acceptable.
diff --git a/cve_bin_tool/cve_scanner.py b/cve_bin_tool/cve_scanner.py
@@ -200,7 +200,7 @@ def get_cves(self, product_info: ProductInfo, triage_data: TriageData):
                 FROM cve_severity
                 WHERE CVE_number IN ({",".join(["?"] * number_of_cves)}) AND score >= ? and description != "unknown"
                 ORDER BY CVE_number, last_modified DESC
-                """
+                """  # nosec
                 # Add score parameter to tuple listing CVEs to pass to query
                 result = self.cursor.execute(query, cve_list[start:end] + [self.score])
                 start = end
diff --git a/cve_bin_tool/cvedb.py b/cve_bin_tool/cvedb.py
@@ -253,7 +253,7 @@ def latest_schema(
 
         self.LOGGER.debug("Check database is using latest schema")
         cursor = self.db_open_and_get_cursor()
-        schema_check = f"SELECT * FROM {table_name} WHERE 1=0"
+        schema_check = f"SELECT * FROM {table_name} WHERE 1=0"  # nosec
         result = cursor.execute(schema_check)
         schema_latest = False
 
@@ -865,7 +865,7 @@ def get_all_records_in_table(self, table_name):
         """Return JSON of all records in a database table."""
         cursor = self.db_open_and_get_cursor()
         cursor.row_factory = self.dict_factory
-        cursor.execute(f"SELECT * FROM '{table_name}' ")
+        cursor.execute(f"SELECT * FROM '{table_name}' ")  # nosec
         # fetchall as result
         results = cursor.fetchall()
         self.db_close()
diff --git a/cve_bin_tool/version_signature.py b/cve_bin_tool/version_signature.py
@@ -77,7 +77,7 @@ def get_mapping_data(self):
         update_required: bool = False
 
         datestamp = self.cursor.execute(
-            f"SELECT * FROM {self.update_table_name}"
+            f"SELECT * FROM {self.update_table_name}"  # nosec
         ).fetchone()  # update_table_name validated in __init__
 
         if datestamp and type(datestamp) is tuple:
@@ -93,18 +93,18 @@ def get_mapping_data(self):
             self.cursor.execute(f"DELETE FROM {self.table_name}")  # nosec
             self.cursor.execute(f"DELETE FROM {self.update_table_name}")  # nosec
             self.cursor.execute(
-                f"INSERT INTO {self.update_table_name} VALUES (?)",
+                f"INSERT INTO {self.update_table_name} VALUES (?)",  # nosec
                 (time.time(),),
             )
 
             for mapping in self.mapping_function():
                 self.cursor.execute(
-                    f"INSERT INTO {self.table_name} (version, sourceId) VALUES (?, ?)",
+                    f"INSERT INTO {self.table_name} (version, sourceId) VALUES (?, ?)",  # nosec
                     (mapping[0], mapping[1]),
                 )
 
         data = self.cursor.execute(
-            f"SELECT * FROM {self.table_name}"
+            f"SELECT * FROM {self.table_name}"  # nosec
         ).fetchall()  # table_name validated in __init__
 
         if self.conn is not None:
diff --git a/setup.cfg b/setup.cfg
@@ -2,7 +2,7 @@
 profile = black
 
 [flake8]
-exclude = build
+exclude = build, bandit.conf
 max-line-length = 88
 extend-ignore = E203, E501
 
diff --git a/test/test_cvedb.py b/test/test_cvedb.py
@@ -80,7 +80,7 @@ def test_new_database_schema(self):
 
         for table in tables_to_check:
             cursor.execute(
-                f"SELECT name FROM sqlite_master WHERE type='table' AND name='{table}'"
+                "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (table,)
             )
             result = cursor.fetchone()
             assert result is not None  # Assert that the table exists

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ def test_new_database_schema(self):`
`80`	`80`
`81`	`81`	`for table in tables_to_check:`
`82`	`82`	`cursor.execute(`
`83`		`- f"SELECT name FROM sqlite_master WHERE type='table' AND name='{table}'"`
	`83`	`+ "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (table,)`
`84`	`84`	`)`
`85`	`85`	`result = cursor.fetchone()`
`86`	`86`	`assert result is not None # Assert that the table exists`