
False negative for hardcoded credentials (B105) using python 3.8 #605

@defsprite


Describe the bug
bandit 1.6.2 reports a false negative using python 3.8 versus 3.7 for hardcoded credentials.

Possibly a duplicate of #551

To Reproduce
Given an example file foo.py like:

def fooBar(password):
    if password == "root":
        print("OK, logged in")

Expected behavior
Bandit should have the same output as it has with 3.7:

/ # bandit --version
bandit 1.6.2
  python version = 3.8.2 (default, Mar 24 2020, 02:56:01) [GCC 9.2.0]
/ # bandit -r /src
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.8.2
Run started:2020-04-27 08:09:13.240911

Test results:
	No issues identified.

Code scanned:
	Total lines of code: 3
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0.0
		Low: 0.0
		Medium: 0.0
		High: 0.0
	Total issues (by confidence):
		Undefined: 0.0
		Low: 0.0
		Medium: 0.0
		High: 0.0
Files skipped (0):

versus

/ # bandit --version
bandit 1.6.2
  python version = 3.7.7 (default, Apr 24 2020, 22:09:29) [GCC 9.2.0]
/ # bandit -r /src
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.7.7
Run started:2020-04-27 08:07:46.261926

Test results:
>> Issue: [B105:hardcoded_password_string] Possible hardcoded password: 'root'
   Severity: Low   Confidence: Medium
   Location: /src/foo.py:2
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html
1	def fooBar(password):
2	    if password == "root":
3	        print("OK, logged in")

--------------------------------------------------

Code scanned:
	Total lines of code: 3
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0.0
		Low: 1.0
		Medium: 0.0
		High: 0.0
	Total issues (by confidence):
		Undefined: 0.0
		Low: 0.0
		Medium: 1.0
		High: 0.0
Files skipped (0):

Bandit version

bandit 1.6.2
  python version = 3.8.2 (default, Mar 24 2020, 02:56:01) [GCC 9.2.0]
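As an added example (not Bandit's code and not from the reporter), a minimal AST check for the comparison form in foo.py above that recognises the string literal whether the interpreter represents it as the pre-3.8 `ast.Str` node or the 3.8+ `ast.Constant` node. A checker keyed on the node class name alone is one way to get exactly the 3.7-versus-3.8 difference shown in the two runs; the candidate-name regex, the `literal_node_name` helper and the inline copy of foo.py are this example's own assumptions.

```python
import ast
import re
import sys

# Credential-like identifier names; this regex is the example's own assumption, not Bandit's.
RE_CANDIDATES = re.compile(r"(^|_)(pass(word|phrase|wd)?|pwd|secret|token)($|_)", re.I)

# The foo.py from the report, reconstructed inline so the example runs offline.
FOO_PY = '''def fooBar(password):
    if password == "root":
        print("OK, logged in")
'''

def literal_node_name(source='x = "root"'):
    """Class name of the node ast.parse() emits for a string literal.
    'Str' on Python <= 3.7, 'Constant' on 3.8+: a checker keyed on that name
    alone finds the literal on 3.7 and goes silent on 3.8."""
    return type(ast.parse(source).body[0].value).__name__

def string_value(node):
    """Text of a string-literal node on any supported Python version, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value                      # Python 3.8+ representation
    if sys.version_info < (3, 8) and isinstance(node, ast.Str):
        return node.s                          # pre-3.8 representation (ast.Str deprecated since 3.8, later removed)
    return None

def find_hardcoded_compares(source, filename="<string>"):
    """(lineno, identifier, literal) for each `candidate == "literal"` comparison,
    the B105 case shown in the report, regardless of which AST node class the
    interpreter uses for the literal."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Compare) or not isinstance(node.left, ast.Name):
            continue
        if not RE_CANDIDATES.search(node.left.id):
            continue
        for comparator in node.comparators:
            literal = string_value(comparator)
            if literal is not None:
                findings.append((node.lineno, node.left.id, literal))
    return findings

if __name__ == "__main__":
    print("string literal node on this interpreter:", literal_node_name())
    for lineno, name, literal in find_hardcoded_compares(FOO_PY, "foo.py"):
        print(f"foo.py:{lineno}: possible hardcoded password {literal!r} compared to {name}")
```

Run it under 3.7 and 3.8 side by side: the node name printed differs, while `find_hardcoded_compares` reports foo.py:2 on both.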
