>/iCSSKrSSKrSSKrSSKrSSKrSSKrSSKrSSKrSSKrSSK r SSK J r SSK J r SSK Jr SSK Jr SSK Jr SSK Jr SSK Jr SS K Jr \R0"\5r\R6"S 5r\R6"S \R:5rS r"S S5r SSjr!SSjr"Sr#Sr$Sr%Sr&Sr'g)N)progress) constants)extension_loader)issue)meta_ast)metrics) node_visitor)test_setz!#\s*nosec:?\s*(?P[^#]+)?#?z(?:(B\d+|[a-z\d_]+),?)+2c\rSrSr/rSSjrSr\R\R4Sjr Sr Sr \R\R4Sjr SS jr SS jrS rS rS rSrg) BanditManager NcPX0lX@lXPlU(d0nXplXl/Ul/Ul[R"5Ul /Ul /Ul /Ul X l [R"5Ul[ R""X5Ul/Ulg)aGet logger, config, AST handler, and result store ready :param config: config options object :type config: bandit.core.BanditConfig :param agg_type: aggregation type :param debug: Whether to show debug messages or not :param verbose: Whether to show verbose output :param quiet: Whether to only show output in the case of an error :param profile_name: Optional name of profile to use (from cmd line) :param ignore_nosec: Whether to ignore #nosec or not :return: N)debugverbosequiet ignore_nosecb_conf files_listexcluded_files b_meta_ast BanditMetaAstb_maskippedresultsbaselineagg_typerMetrics b_test_set BanditTestSetb_tsscores)selfconfigrrrrprofilers M/home/james-whalen/.local/lib/python3.13/site-packages/bandit/core/manager.py__init__BanditManager.__init__#s,   G(  ,,.     ( ,,V=  c/nURHVn[US[5(a*URUSR S5US45 MEURU5 MX U$)Nrzutf-8)r isinstancebytesappenddecode)r#retskips r& get_skippedBanditManager.get_skippedKs[LLD$q'5)) DGNN73T!W=> 4 !  r)c$URX5$N)filter_results)r# sev_level conf_levels r&get_issue_listBanditManager.get_issue_listUs""999r)c/n[R"U5nUSVs/sHn[R"U5PM nnX lgs snf![a n[ R SU5 SnAN1SnAff=f)zPopulate a baseline set of issues from a JSON report This will populate a list of baseline issues discovered from a previous run of bandit. Later this baseline can be used to filter out the result set, see filter_results. rz Failed to load baseline data: %sN)jsonloadsrissue_from_dict ExceptionLOGwarningr)r#dataitemsjdatajes r&populate_baselineBanditManager.populate_baselineZsq ?JJt$E7 > ?s(A A A A A9A44A9cURVs/sHo3RX5(dMUPM nnUR(dU$[URU5n[ XT5$s snf)aReturns a list of results filtered by the baseline This works by checking the number of results returned from each file we process. If the number of results is different to the number reported for the same file in the baseline, then we return all results for the file. We can't reliably return just the new results, as line numbers will likely have changed. :param sev_filter: severity level filter to apply :param conf_filter: confidence level filter to apply )rfilterr_compare_baseline_results_find_candidate_matches)r# sev_filter conf_filterir unmatcheds r&r6BanditManager.filter_resultsis]|| #!xx 'HA|  }}N-dmmWE 'y:: s A(A(c6[URX55$)zReturn the count of results :param sev_filter: Severity level to filter lower :param conf_filter: Confidence level to filter :return: Number of results in the set )lenr9)r#rMrNs r& results_countBanditManager.results_counts4&&z?@@r)c [RRnXW;aX[RR 5(a3[ R"S5c[ R"S5S:waSOSnXunURn US:Xa U "UUUUUS9 gU "UUUUUS 9 g![an [S US [U 535eSn A ff=f) aOutputs results from the result store :param lines: How many surrounding lines to show per result :param sev_level: Which severity levels to show (LOW, MEDIUM, HIGH) :param conf_level: Which confidence levels to show (LOW, MEDIUM, HIGH) :param output_file: File to store results :param output_format: output format plugin name :param template: Output template with non-terminal tags (default: {abspath}:{line}: {test_id}[bandit]: {severity}: {msg}) :return: - NO_COLORNTERMdumbscreentxtcustom)fileobjr7r8template)r]r7r8lineszUnable to output report using 'z ' formatter: ) rMANAGERformatters_mgrsysstdoutisattyosgetenvpluginr? RuntimeErrorstr) r#r_r7r8 output_file output_formatr^ra formatter report_funcrFs r&output_resultsBanditManager.output_resultss*$ -55DDN2 ))++IIj19IIf-7  '5I#**K('')% '')  !?-Ax9  sBB% B%% C/C  Cc[5n[5nURRS5=(d /nURRS5=(d S/nU(amURS5HXn[R R U5(a [R RUS5nURU5 MZ UHn [R R U 5(aPU(a1[U UUS9upURU 5 URU 5 M_[RSU 5 Mw[U UUSS 9(a9U S :wa [R RS U 5n URU 5 MURU 5 M [U5Ul[U5Ulg ) zAdd tests directly and from a directory to the test set :param targets: The command line list of files and directories :param recursive: True/False - whether to add all files from dirs :return: exclude_dirsinclude*.py,*)included_globsexcluded_path_stringsz5Skipping directory (%s), use -r flag to scan contentsF) enforce_glob-.N)setr get_optionsplitrepathisdirjoinr._get_files_from_dirupdater@rA_is_file_includedaddsortedrr) r#targets recursiveexcluded_pathsrrexcluded_path_globsrvr~fname new_filesnewly_excludeds r&discover_filesBanditManager.discover_filessjU "kk44^DJ// :Fvh &,,S177==&&77<<c2D#**40 2Eww}}U##0C'5.A1-I %%i0")).9KK(%"'!&  | " S% 8NN5)"&&u-AD!,$^4r)c[UR5n[UR5[:aG[R 5[ R::a![R"UR5nO URn[U5Hup4[RSU5 US:Xa[R"[RR!5SS5n["R$"UR'55nUVs/sH owS:XaSOUPM nnUR)SXa5 M[+US5nUR)XFU5 SSS5 M XlUR6R95 gs snf!,(df  GM=f![,aCnUR.R1XHR245 UR5U5 SnAGMSSnAff=f)z0Runs through all files in the scope :return: - zworking on file : %sryrbrzN)listrrSPROGRESS_THRESHOLDr@getEffectiveLevelloggingINFOrtrack enumeraterrefdopenrbstdinfilenoioBytesIOread _parse_fileopenOSErrorrr.strerrorremover aggregate) r#new_files_listfilescountropen_fdfdataxrFs r& run_testsBanditManager.run_testssndoo.  #5 5%%'7<<7NN4??3EOOE%e,LE II,e 4 -C< ii (8(8(:D!DGJJw||~6E>L&>L#X 14n#&$$YFeT*e((~F+*-&)  & +* - ##UJJ$78%%e,, -sO-A"FF"F8 FF FF F FF G)&7G$$G)cUR5nUR5nURRU5 URR U5 [ 5nUR S5 [R"UR5nUR(d4UH.upun n U[R:XdM![U 5Xj'M0 URXXF5n URRU 5 URR!U /5 g![Ra N`f=f!["a [$R&"S5 g[(a1 UR*RUS45 UR-U5 g[.an [0R3SU5 [0R5[6R85(d[0R3SU5 UR*RUS45 UR-U5 [0R;SU 5 [0R;S[<R>"55 Sn A gSn A ff=f) Nrz(syntax error while parsing AST from filez3Exception occurred when executing tests against %s.z2Run "bandit --debug %s" to see the full traceback.zexception while scanning filez Exception string: %sz Exception traceback: %s) r splitlinesrbegin count_locsdictseektokenizereadlinerCOMMENT_parse_nosec_comment TokenError_execute_ast_visitorr"r. count_issuesKeyboardInterruptrbexit SyntaxErrorrrr?r@error isEnabledForrDEBUGr traceback format_exc)r#rrrrBr_ nosec_linestokenstoktypetokvallineno_scorerFs r&rBanditManager._parse_file-s* K::>:((>D:&!a"h&6&662Fv2NK/?E --eDNE KK  u % LL % %ug . &&   !  HHQK ) LL  BC   ! !% ( K IIEu ##GMM22 H% LL  (G H I  ! !% ( II. 2 II193G3G3I J J KsQA D=#A!D#D#A D=#D:7D=9D::D== I,7I, I,!CI''I,c /n[R"UUURURURUUR 5nUR U5nURRURR5 U$)zExecute AST parse on each file :param fname: The name of the file being parsed :param data: Original file contents :param lines: The lines of code to process :return: The accumulated test score ) b_node_visitorBanditNodeVisitorrr!rrprocessrextendtester)r#rrrBrrress r&r"BanditManager._execute_ast_visitorZso..   II II JJ  LL  D! CJJ../ r))rrrr!rrrrrrrrr"rr)FFFNFr5)F)__name__ __module__ __qualname____firstlineno__scoper'r2 b_constantsLOWr9rGr6rTrnrrrr__static_attributes__r)r&r r sy E &P$KOO: ;4%koo A$9v;5z&!P+KZr)r cPU(dS/nU(d/n[5n[5n[R"U5HcupVnUHWn[RR XX5n [ XU5(aUR U 5 MFUR U 5 MY Me X44$)Nrs)r{rewalkr~rrr) files_dirrvrwrrrootrrfilenamer~s r&rrrs   "JUN''),H77<</D 7LMMt$""4( -  %%r)c^Sn[TU5(dU(d-[TU5(d[U4SjU55(dSnU$)a:Determine if a file should be included based on filename This utility function determines if a file should be included based on the file name, a list of parsed extensions, excluded paths, and a flag specifying whether extensions should be enforced. :param path: Full path of file to check :param parsed_extensions: List of parsed extensions :param excluded_paths: List of paths (globbing supported) from which we should not include files :param enforce_glob: Can set to false to bypass extension check :return: Boolean indicating whether a file should be included Fc3,># UH oT;v M g7fr5r).0rr~s r& $_is_file_included..sK 4!I4sT)_matches_glob_listany)r~rvrwrx return_values` r&rrsS L$//|!$(=>>sK 4K H H  L r)cPUH n[R"X5(dM g g)NTF)fnmatch)r glob_listglobs r&rrs# ??8 * * r)c@UVs/sH o"U;dM UPM sn$s snf)a*Compare a baseline list of issues to list of results This function compares a baseline set of issues to a current set of issues to find results that weren't present in the baseline. :param baseline: Baseline list of issues :param results: Current list of issues :return: List of unmatched issues r)rras r&rKrKs! 4w!8"3Aw 44 4s c[R"5nUHnUVs/sH oCU:XdM UPM snX#'M! U$s snf)aReturns a dictionary with issue candidates For example, let's say we find a new command injection issue in a file which used to have two. Bandit can't tell which of the command injection issues in the file are new, so it will show all three. The user should be able to pick out the new one. :param unmatched_issues: List of issues that weren't present before :param results_list: main list of current Bandit findings :return: A dictionary with a list of candidates for each issue ) collections OrderedDict)unmatched_issues results_listissue_candidatesrPrOs r&rLrLsK#..0% #' #!A~A|' #&  ' s ==cURU5nU(aU$URU5nU(d[RSU5 U$)Nz6Test in comment: %s is not a test name or id, ignoring)check_id get_test_idr@rA)extmanmatchtest_ids r&_find_test_id_from_nosec_stringrsCooe$G   'G  De  Nr)cz[RU5nU(dgUR5nURS[ 55n[ 5nU(ab[ R n[RU5H9nURS5n[XW5nU(dM(URU5 M; U$)Ntestsr+) NOSEC_COMMENTsearch groupdictgetr{rr`NOSEC_COMMENT_TESTSfinditergrouprr) commentfound_no_sec_commentmatches nosec_teststest_idsrtest test_matchrs r&rrs(//8 ",,.G++gsu-KuH!))'00=DAJ5fIGw W% > Or))NN)T)(rrrr<rrererbrrrichr bandit.corerrrrrrrr rr r getLoggerrr@compiler IGNORECASErrr rrrrKrLrrrr)r&rs   0(.6. ! ?@ jj!;R]]KOOf ;?&.?C: 5. r)