From 5cece0cf24d029a11398d4e951b152ae74e81997 Mon Sep 17 00:00:00 2001 From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Mon, 28 Jul 2025 10:45:20 +0200 Subject: [PATCH 1/7] docs: adding documentation on how to properly ignore bandit warnings --- doc/source/how-to/vulnerabilities.rst | 45 +++++++++++++++++++++++++++ doc/source/links.rst | 1 + 2 files changed, 46 insertions(+) diff --git a/doc/source/how-to/vulnerabilities.rst b/doc/source/how-to/vulnerabilities.rst index d136ab48..ef8f52a8 100644 --- a/doc/source/how-to/vulnerabilities.rst +++ b/doc/source/how-to/vulnerabilities.rst @@ -204,6 +204,13 @@ and the risk of command injection is significantly reduced. # Removing shell=True and using a list subprocess.run(["echo", user_input]) # User input is not executed as a shell command +.. note:: + + Bandit warning will still be raised after deactivating the `shell=True` argument. + If you are sure that the command is safe, you can ignore the Bandit warning. Please + check the `Ignore Bandit warnings`_ section for more information on how to do so. + + **try except continue statements** 
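Review bot: The note added after the ``subprocess.run(["echo", user_input])`` example does not say which Bandit check keeps firing once ``shell=True`` is gone, so the reader is sent to the `Ignore Bandit warnings`_ section without knowing which ID to write after ``# nosec``. Name it: a list-form ``subprocess.run`` call without ``shell=True`` is reported as B603 (subprocess_without_shell_equals_true), a bare executable name such as ``"echo"`` additionally triggers B607 (start_process_with_partial_path), and the ``import subprocess`` line itself is B404. Also, `shell=True` in single backticks is RST interpreted text and renders in italics; use double backticks so it renders as a literal.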
@@ -285,3 +292,41 @@ provides a secure way to generate random numbers. secure_random_number = secrets.randbelow(100) # Secure random number generation secure_random_letter = secrets.choice(["a", "b", "c"]) # Secure choice from a list + + +Ignore Bandit warnings +---------------------- + +In-line comment +~~~~~~~~~~~~~~~ + +When using Bandit, you may encounter warnings that you believe are not relevant to your codebase +or that you have already addressed. In such cases, you can ignore specific Bandit warnings by +adding a comment to the end of the line that triggers the warning. The comment should be in the +format ``# nosec ``, where ```` is the ID of the warning you want to ignore. + +When you ignore a Bandit warning, it is essential to provide a clear comment explaining why +the warning is being ignored. This helps maintainers and other developers understand the context +and rationale behind the decision. + +For example, to ignore the B604 warning, you would add `# nosec B604` to the end of the line: + +.. code:: python + + # Subprocess is needed to start the backend. But + # the input is controlled by the library. Excluding bandit check. + import subprocess # nosec B404 + + +Please note that ignoring Bandit warnings should be done with caution, and you should ensure +that the code is safe and does not introduce any security risks. It is recommended to review the +`bandit documentation`_ for more information on each warning and the potential risks involved. + + +Security considerations file +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In addition to ignoring specific Bandit warnings, it is a good practice to document the ignored +advisories in a dedicated file. You can find an example of such a file in the `PyACP security +considerations`_ documentation page. This way, you can provide to the users a clear overview of +the vulnerabilities that need to be taken into account when using the library. 
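Review bot: The worked example contradicts itself: the sentence says to ignore B604 with `# nosec B604`, but the snippet shows ``import subprocess # nosec B404``, and B404 (the ``import subprocess`` blacklist check) is the one that actually fires on that line, so the prose should read B404. Three further points in this hunk: the format description reads ``# nosec `` followed by an empty ```` placeholder, so the ID is missing and the sentence should spell the form out (for example ``# nosec B404``), ideally adding that a bare ``# nosec`` with no ID suppresses every Bandit check on that line and should be avoided; `# nosec B404` in single backticks renders as italic interpreted text rather than code, so use double backticks as the earlier ``# nosec `` does; and the new "Security considerations file" paragraph references `PyACP security considerations`_ while this patch only adds the `bandit documentation`_ target to links.rst, so confirm that target already exists or the Sphinx build will report an unknown reference. Minor wording: "provide to the users a clear overview" reads better as "give users a clear overview".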
diff --git a/doc/source/links.rst b/doc/source/links.rst index cf72802e..e0e49cc9 100644 --- a/doc/source/links.rst +++ b/doc/source/links.rst @@ -118,6 +118,7 @@ .. _unzip: https://7-zip.org/ .. _conventional_commit_types: https://github.com/commitizen/conventional-commit-types/blob/master/index.json .. _Test Driven Development (TDD): https://en.wikipedia.org/wiki/Test-driven_development +.. _bandit documentation: https://bandit.readthedocs.io/en/latest/ .. _blacklists bandit documentation: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html .. #Sphinx-related links From 883e39a0ee6a89299f2b43a6978947d43c962ea8 Mon Sep 17 00:00:00 2001 From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Mon, 28 Jul 2025 10:47:42 +0200 Subject: [PATCH 2/7] fix: typo --- doc/source/how-to/vulnerabilities.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/how-to/vulnerabilities.rst b/doc/source/how-to/vulnerabilities.rst index ef8f52a8..a967ebd8 100644 --- a/doc/source/how-to/vulnerabilities.rst +++ b/doc/source/how-to/vulnerabilities.rst @@ -309,7 +309,7 @@ When you ignore a Bandit warning, it is essential to provide a clear comment exp the warning is being ignored. This helps maintainers and other developers understand the context and rationale behind the decision. -For example, to ignore the B604 warning, you would add `# nosec B604` to the end of the line: +For example, to ignore the B404 warning, you would add `# nosec B404` to the end of the line: .. code:: python From 28a98acb1d7fadf221f640cf4d3fee09bbd0f1b6 Mon Sep 17 00:00:00 2001 From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Mon, 28 Jul 2025 15:02:44 +0200 Subject: [PATCH 3/7] fix: vale issues --- doc/styles/config/vocabularies/ANSYS/accept.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/styles/config/vocabularies/ANSYS/accept.txt b/doc/styles/config/vocabularies/ANSYS/accept.txt index 8a7f62a8..9f777831 100644 
--- a/doc/styles/config/vocabularies/ANSYS/accept.txt +++ b/doc/styles/config/vocabularies/ANSYS/accept.txt @@ -56,6 +56,7 @@ Microelectromechanical monospaced Muela [Nn]amespace +nosec npm numpy [Nn]umpydoc From 63db70c595e6121cb84d626e02dc690d9dc7566d Mon Sep 17 00:00:00 2001 From: Camille Latapie <78221213+clatapie@users.noreply.github.com> Date: Fri, 1 Aug 2025 15:07:12 +0200 Subject: [PATCH 4/7] Update doc/source/how-to/vulnerabilities.rst Co-authored-by: Maxime Rey <87315832+MaxJPRey@users.noreply.github.com> --- doc/source/how-to/vulnerabilities.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/how-to/vulnerabilities.rst b/doc/source/how-to/vulnerabilities.rst index a967ebd8..78cbae61 100644 --- a/doc/source/how-to/vulnerabilities.rst +++ b/doc/source/how-to/vulnerabilities.rst @@ -317,7 +317,7 @@ For example, to ignore the B404 warning, you would add `# nosec B404` to the end # the input is controlled by the library. Excluding bandit check. import subprocess # nosec B404 - +.. warning:: Please note that ignoring Bandit warnings should be done with caution, and you should ensure that the code is safe and does not introduce any security risks. It is recommended to review the `bandit documentation`_ for more information on each warning and the potential risks involved. From 37f3d19591cf106c04c41388cdded1f3bc5a1e35 Mon Sep 17 00:00:00 2001 From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Fri, 1 Aug 2025 15:08:41 +0200 Subject: [PATCH 5/7] docs: adding warning section --- doc/source/how-to/vulnerabilities.rst | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/doc/source/how-to/vulnerabilities.rst b/doc/source/how-to/vulnerabilities.rst index 78cbae61..45934d8f 100644 --- a/doc/source/how-to/vulnerabilities.rst +++ b/doc/source/how-to/vulnerabilities.rst 
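Review bot: In the patch 4/7 hunk the ``.. warning::`` directive is inserted with its body left at column 0, so docutils sees a directive with no content (it reports "Content block expected for the 'warning' directive; none found") and the "Please note that..." paragraph renders as ordinary text outside the admonition. The paragraph must be indented under the directive with a blank line between ``.. warning::`` and the text. The hunk also replaces the blank line that separated the ``import subprocess # nosec B404`` code block from the directive, so the directive now follows the indented code without a blank line, which docutils flags as an explicit markup block ending without a blank line; keep the blank line before ``.. warning::``.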
@@ -317,10 +317,11 @@ For example, to ignore the B404 warning, you would add `# nosec B404` to the end # the input is controlled by the library. Excluding bandit check. import subprocess # nosec B404 -.. warning:: -Please note that ignoring Bandit warnings should be done with caution, and you should ensure -that the code is safe and does not introduce any security risks. It is recommended to review the -`bandit documentation`_ for more information on each warning and the potential risks involved. +.. warning:: + + Please note that ignoring Bandit warnings should be done with caution, and you should ensure + that the code is safe and does not introduce any security risks. It is recommended to review the + `bandit documentation`_ for more information on each warning and the potential risks involved. Security considerations file From 670c8503fa1989e42357e93dfafda69a14ee04b9 Mon Sep 17 00:00:00 2001 From: clatapie <78221213+clatapie@users.noreply.github.com> Date: Fri, 1 Aug 2025 15:08:56 +0200 Subject: [PATCH 6/7] fix: adding extra space --- doc/source/how-to/vulnerabilities.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/doc/source/how-to/vulnerabilities.rst b/doc/source/how-to/vulnerabilities.rst index 45934d8f..d1ef49e9 100644 --- a/doc/source/how-to/vulnerabilities.rst +++ b/doc/source/how-to/vulnerabilities.rst @@ -317,8 +317,9 @@ For example, to ignore the B404 warning, you would add `# nosec B404` to the end # the input is controlled by the library. Excluding bandit check. import subprocess # nosec B404 + .. warning:: - + Please note that ignoring Bandit warnings should be done with caution, and you should ensure that the code is safe and does not introduce any security risks. It is recommended to review the `bandit documentation`_ for more information on each warning and the potential risks involved. From c04e199db7e4266cc622a20e5c8df9f88cc9eeda Mon Sep 17 00:00:00 2001 
From: Camille Latapie <78221213+clatapie@users.noreply.github.com> Date: Fri, 1 Aug 2025 15:31:35 +0200 Subject: [PATCH 7/7] Update doc/source/how-to/vulnerabilities.rst Co-authored-by: Revathy Venugopal <104772255+Revathyvenugopal162@users.noreply.github.com> --- doc/source/how-to/vulnerabilities.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/source/how-to/vulnerabilities.rst b/doc/source/how-to/vulnerabilities.rst index d1ef49e9..9768584f 100644 --- a/doc/source/how-to/vulnerabilities.rst +++ b/doc/source/how-to/vulnerabilities.rst @@ -206,7 +206,7 @@ and the risk of command injection is significantly reduced. .. note:: - Bandit warning will still be raised after deactivating the `shell=True` argument. + Bandit warning remains even after deactivating the `shell=True` argument. If you are sure that the command is safe, you can ignore the Bandit warning. Please check the `Ignore Bandit warnings`_ section for more information on how to do so.
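Review bot: The reworded note still does not name the check that keeps firing, which is the one thing a reader needs before following the link to the `Ignore Bandit warnings`_ section: after ``shell=True`` is removed from the list-form ``subprocess.run`` call, Bandit reports B603 (subprocess_without_shell_equals_true), and B607 as well when the executable is a bare name such as ``"echo"``; the ``import subprocess`` line is separately B404. Suggested text: "Bandit still reports B603 on the list-form call after ``shell=True`` is removed. If you have confirmed that the arguments cannot be influenced by an attacker, suppress it with ``# nosec B603`` as described in the `Ignore Bandit warnings`_ section." Also "deactivating" is the wrong verb for an argument that is removed from the call, "Bandit warning remains" needs an article ("A Bandit warning remains"), and `shell=True` should be in double backticks so it renders as a literal rather than italic.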