2 ### Bandit config file generated from:
3 # 'PIPENV_VENV_IN_PROJECT=true pipenv run bandit-config-generator -o ../bandit.yaml'
5 ### This config may optionally select a subset of tests to run or skip by
6 ### filling out the 'tests' and 'skips' lists given below. If no tests are
7 ### specified for inclusion then it is assumed all tests are desired. The skips
8 ### set will remove specific tests from the include set. This can be controlled
9 ### using the -t/-s CLI options. Note that the same test ID should not appear
10 ### in both 'tests' and 'skips'; this would be nonsensical and is detected by
11 ### Bandit at runtime.
16 # B103 : set_bad_file_permissions
17 # B104 : hardcoded_bind_all_interfaces
18 # B105 : hardcoded_password_string
19 # B106 : hardcoded_password_funcarg
20 # B107 : hardcoded_password_default
21 # B108 : hardcoded_tmp_directory
22 # B110 : try_except_pass
23 # B112 : try_except_continue
24 # B201 : flask_debug_true
33 # B309 : httpsconnection
34 # B310 : urllib_urlopen
37 # B313 : xml_bad_cElementTree
38 # B314 : xml_bad_ElementTree
39 # B315 : xml_bad_expatreader
40 # B316 : xml_bad_expatbuilder
42 # B318 : xml_bad_minidom
43 # B319 : xml_bad_pulldom
44 # B320 : xml_bad_etree
47 # B323 : unverified_context
48 # B324 : hashlib_new_insecure_functions
50 # B401 : import_telnetlib
51 # B402 : import_ftplib
52 # B403 : import_pickle
53 # B404 : import_subprocess
54 # B405 : import_xml_etree
55 # B406 : import_xml_sax
56 # B407 : import_xml_expat
57 # B408 : import_xml_minidom
58 # B409 : import_xml_pulldom
60 # B411 : import_xmlrpclib
61 # B412 : import_httpoxy
62 # B413 : import_pycrypto
63 # B414 : import_pycryptodome
64 # B501 : request_with_no_cert_validation
65 # B502 : ssl_with_bad_version
66 # B503 : ssl_with_bad_defaults
67 # B504 : ssl_with_no_version
68 # B505 : weak_cryptographic_key
70 # B507 : ssh_no_host_key_verification
71 # B601 : paramiko_calls
72 # B602 : subprocess_popen_with_shell_equals_true
73 # B603 : subprocess_without_shell_equals_true
74 # B604 : any_other_function_with_shell_equals_true
75 # B605 : start_process_with_a_shell
76 # B606 : start_process_with_no_shell
77 # B607 : start_process_with_partial_path
78 # B608 : hardcoded_sql_expressions
79 # B609 : linux_commands_wildcard_injection
80 # B610 : django_extra_used
81 # B611 : django_rawsql_used
82 # B701 : jinja2_autoescape_false
83 # B702 : use_of_mako_templates
84 # B703 : django_mark_safe
86 # (optional) list included test IDs here, e.g. '[B101, B406]':
89 # (optional) list skipped test IDs here, e.g. '[B101, B406]':
91 # NOTE: We have to work around a highly obscure effect: If you add any of
92 # those tests below (md5, ciphers, import_pycryptodome), Bandit's runtime goes
93 # up by a factor of 15! Strangely enough, using the tests separately is no
94 # problem at all, so there must be some unlucky interaction between some
95 # tests. :-/ We should investigate this further at some point...
100 ### (optional) plugin settings - some test plugins require configuration data
101 ### that may be given here, per-plugin. All bandit test plugins have a built-in
102 ### set of sensible defaults and these will be used if no configuration is
103 ### provided. It is not necessary to provide settings for every (or any) plugin
104 ### if the defaults are acceptable.
106 any_other_function_with_shell_equals_true:
137 - commands.getstatusoutput
141 - subprocess.check_call
142 - subprocess.check_output
144 hardcoded_tmp_directory:  # B108 settings; its tmp_dirs list (omitted from this excerpt) presumably names the paths treated as unsafe hard-coded temp directories — confirm against the full file
149 linux_commands_wildcard_injection:
180 - commands.getstatusoutput
184 - subprocess.check_call
185 - subprocess.check_output
187 ssl_with_bad_defaults:  # B503 settings (per-plugin, as the header above notes)
188 bad_protocol_versions:  # protocol names that B503 reports when used as a default argument; the list itself is omitted from this excerpt
196 ssl_with_bad_version:  # B502 settings
197 bad_protocol_versions:  # NOTE(review): same option name as under B503, but settings are read per plugin, so an entry added to one list is not inherited by the other — keep them in sync
205 start_process_with_a_shell:
236 - commands.getstatusoutput
240 - subprocess.check_call
241 - subprocess.check_output
243 start_process_with_no_shell:
274 - commands.getstatusoutput
278 - subprocess.check_call
279 - subprocess.check_output
281 start_process_with_partial_path:
312 - commands.getstatusoutput
316 - subprocess.check_call
317 - subprocess.check_output
319 subprocess_popen_with_shell_equals_true:
350 - commands.getstatusoutput
354 - subprocess.check_call
355 - subprocess.check_output
357 subprocess_without_shell_equals_true:
388 - commands.getstatusoutput
392 - subprocess.check_call
393 - subprocess.check_output
396 check_typed_exception: false  # NOTE(review): parent key is on the preceding omitted line, presumably try_except_continue (B112); with false, only bare/Exception handlers are presumably reported — confirm
398 check_typed_exception: false  # NOTE(review): parent key is on the preceding omitted line, presumably try_except_pass (B110); not a duplicate of the line above — the two keys sit under different parents
399 weak_cryptographic_key:  # B505 key-size thresholds, in bits; NOTE(review): these appear to match Bandit's shipped defaults — confirm against the installed version
400 weak_key_size_dsa_high: 1024  # presumably a key below the *_high bound is reported HIGH — verify in B505's source
401 weak_key_size_dsa_medium: 2048  # presumably a key below the *_medium bound (but not below *_high) is reported MEDIUM
402 weak_key_size_ec_high: 160  # EC bounds are smaller because they presumably measure curve size, not modulus length
403 weak_key_size_ec_medium: 224
404 weak_key_size_rsa_high: 1024
405 weak_key_size_rsa_medium: 2048  # policy choice, not a defect: raising this to 3072 aligns with NIST SP 800-57 guidance for use beyond 2030