Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Usage of assert in test and framework code triggers bandit alert #1331

Open
ishaileshpant opened this issue Feb 3, 2025 · 4 comments
Open

Usage of assert in test and framework code triggers bandit alert #1331

ishaileshpant opened this issue Feb 3, 2025 · 4 comments
Assignees
@gbikkiintel
Labels
bug Something isn't working

Comments

@ishaileshpant
Copy link
Collaborator

ishaileshpant commented Feb 3, 2025
edited
Loading

Currently assert statement are used in both tests and framework code and the same is followed in new PRs as well which triggers bandit alert e.g https://github.com/securefederatedai/openfl/security/code-scanning/1482 which is, specifically in tests a common practice and hence should be ignored potentially via https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
@ishaileshpant ishaileshpant added the bug Something isn't working label Feb 3, 2025
@rahulga1
Copy link
Collaborator

rahulga1 commented Feb 3, 2025

@gbikkiintel @pasokan-intel can you have a look at it

@pasokan-intel
Copy link
Collaborator

@nambi21 can you add this to skip

@nambi21
Copy link
Contributor

nambi21 commented Feb 4, 2025

@ishaileshpant I have raised a PR for this issue to exclude B101 test during Bandit Scan (added it as part of skip tests)

Also, I have attached the list of test vulnerabilities detected during latest bandit scan:
Fix Aggregator / Assigner leaky abstraction (#1301) · securefederatedai/openfl@4cae356

Please validate this table in attached below and let us know if there are any other tests other than B101 to be skipped

+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| Rule ID | Message | Count |
+===========+=======================================================================================================================================================================================================================================+=========+
| B101 | Use of assert detected. The enclosed code will be removed when compiling to optimised byte code. | 280 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B310 | Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected. | 1 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B405 | Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called. | 2 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B314 | Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called | 1 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B403 | Consider possible security implications associated with dill module. | 7 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B301 | Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue. | 11 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B614 | Use of unsafe PyTorch load or save | 21 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B605 | Starting a process with a shell, possible injection detected, security issue. | 1 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B113 | Call to requests without timeout | 1 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B404 | Consider possible security implications associated with the subprocess module. | 11 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B603 | subprocess call - check for execution of untrusted input. | 55 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B608 | Possible SQL injection vector through string-based query construction. | 5 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B506 | Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load(). | 1 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B311 | Standard pseudo-random generators are not suitable for security/cryptographic purposes. | 3 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B108 | Probable insecure usage of temp file/directory. | 1 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B606 | Starting a process without a shell. | 1 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B602 | subprocess call with shell=True identified, security issue. | 11 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B105 | Possible hardcoded password: '.' | 1 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B607 | Starting a process with a partial executable path | 40 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+
| B410 | Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package. | 1 |
+-----------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+

@ishaileshpant
Copy link
Collaborator Author

hey @nambi21 thanks for taking care of this - for now I think only B101 needs to be relaxed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gbikkiintel gbikkiintel

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@rahulga1 @pasokan-intel @gbikkiintel @nambi21 @ishaileshpant