-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[flake8-bandit
] Implement S502
SslInsecureVersion
rule
#9390
Conversation
_ => vec!["ssl_version", "method"], | ||
} | ||
}, | ||
None => vec!["ssl_version", "method"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Upstream implementations checks for all calls at MEDIUM severity and the the specific functions at HIGH severity. Unsure if we want to replicate this, as it might be a bit heavy performance wise and Ruff/flake8-bandit has no way of separating the severity levels right now. Just copied upstream implementation for now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I decided to reduce the rule scope for the same reason.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome, thanks.
8f9e174
to
b3c05fc
Compare
## Summary Adds S503 rule for the [flake8-bandit](https://github.com/tylerwince/flake8-bandit) plugin port. Checks for function defs argument defaults which have an insecure ssl_version value. See also https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_bad_defaults Some logic and the `const` can be shared with #9390. When one of the two is merged. ## Test Plan Fixture added ## Issue Link Refers: #1646
Summary
Adds S502 rule for the flake8-bandit plugin port.
Checks for calls to any function with keywords arguments
ssl_version
ormethod
or for kwargsmethod
in calls toOpenSSL.SSL.Context
andssl_version
in calls tossl.wrap_socket
which have an insecure ssl_version valu. See also https://bandit.readthedocs.io/en/latest/_modules/bandit/plugins/insecure_ssl_tls.html#ssl_with_bad_versionTest Plan
Fixture added
Issue Link
Refers: #1646