-
Notifications
You must be signed in to change notification settings - Fork 249
Whitelist lines ending in # nosec #121
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
Added args and nosec_lines
You can pass in nosec_lines to https://github.com/omergunal/pyt/blob/4cd3ea596e2ef0c834e206938af6963bbd08130d/pyt/__main__.py#L304 and https://github.com/omergunal/pyt/blob/4cd3ea596e2ef0c834e206938af6963bbd08130d/pyt/__main__.py#L246, you'll just have to move it up in the file.
Can you check main.py and vulnerabilities.py ?
pyt/__main__.py
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice, I like this even more than .read()->.splitlines.
pyt/__main__.py
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I kind of like how Bandit does this a little more https://github.com/openstack/bandit/blob/master/bandit/cli/main.py#L230
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i.e.
parser.add_argument(
'--ignore-nosec', dest='ignore_nosec', action='store_true',
help='do not skip lines with # nosec comments'
)
looks really nice.
pyt/vulnerabilities.py
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The else: pass isn't needed
pyt/vulnerabilities.py
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: I kind of liked how the newlines were in this function.
pyt/__main__.py
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you move this code
if args.ignore_nosec: nosec_lines = set() else: file = open(path, "r") lines = file.readlines() nosec_lines = set( lineno for (lineno, line) in enumerate(lines, start=1) if '#nosec' in line or '# nosec' in line)
to near the top, so we take into account nosec_lines at both call-sites to find_vulnerabilities.
https://github.com/omergunal/pyt/blob/fb88051e1d988d5890127ef3aa6867adf0db07de/pyt/__main__.py#L240
is a good spot, the same way UImode is set once and then passed to both call-sites https://github.com/python-security/pyt/blob/master/pyt/__main__.py#L232-L236
edited argument, moved code place
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i moved the code this place and deleted nosec_lines = set() .Because its already created in if-else statement.
pyt/__main__.py
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Its necessary for learning filename. i moved to above the ignore_nosec argument
@KevinHock can you check it again?
So there are just a few things left, vulnerabilities.py looks good.
Can you pass nosec_lines to analyse_repo and then also to the call to find_vulnerabilities inside of that function?
Can you delete the find_vulnerabilities call in the else statement of if args.nosec_lines?
unnecessary codes deleted, passed nosec_lines on analyse_repo
Like that?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Yup, shall I merge? 😀
Why not :)
Oh whoops, it seems like tests are failing https://travis-ci.org/python-security/pyt/builds/371295436?utm_source=github_status&utm_medium=notification
Can you make nosec_lines default to being an empty set e.g. nosec_lines=set()? You can also delete the test_no_args (tests.command_line_test.CommandLineTest) as it's annoying lol
Looks like ok now.
Sorry by Can you make nosec_lines default to being an empty set e.g. nosec_lines=set()? I meant
Before:
def find_vulnerabilities( cfg_list, analysis_type, ui_mode, vulnerability_files, nosec_lines ):
After:
def find_vulnerabilities( cfg_list, analysis_type, ui_mode, vulnerability_files, nosec_lines=set() ):
So that you won't have to manually pass an empty set to every find_vulnerabilities call, it makes things cleaner.
You are right, my bad :)
I changed it
I think its ok now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Almost there 👍
pyt/vulnerabilities.py
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you please do nosec_lines=set() instead of nosec_lines = set()? I thought find_vulnerabilities was the only function that needed this, but you're right since we do call find_triggers once from a test here
pyt/tests/vulnerabilities_test.py
Line 96 in a3b9951
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can see some of these in the https://codeclimate.com/github/python-security/pyt/pull/121 output.
pyt/vulnerabilities.py
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So this shouldn't be necessary, (to make it default to empty set), we can just leave it as nosec_lines. This is b/c we only call find_vulnerabilities from tests, not this function.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We normally leave 2 lines between the imports and other code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here, sorry.
pyt/vulnerabilities.py
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So identify_triggers( is never called in tests, so I don't think a default arg is needed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thanks @omergunal!
You are welcome 👍
Issue #108
I built nosec_lines but im not sure how to send to
find_triggersandfind_vulnerabilities