Bandit: Static Code Analysis for Python Code

From Embedded Lab Vienna for IoT & Security
Revision as of 09:38, 23 October 2024 by NKirnbauer

Summary

This documentation shows how to install and use Bandit, a static analysis tool for Python source code. Bandit parses each file into an AST and runs a set of plugin tests against it to identify possible security issues, each categorized into one of three severity levels (Low, Medium, High).

Requirements

  • Python Version 3.7 or higher
  • Python Package: bandit

Installation and Usage

Bandit is installed with pip. The package is also published on PyPI if you prefer to download and install it manually; in that case follow the attached References.

pip install bandit

To run an analysis, pass the file to be analyzed to bandit on the command line. A directory is only scanned when the -r (recursive) flag is given; without it Bandit skips the directory and scans nothing:

bandit <File>
bandit -r <Folder>

Example

This example uses the example files from the Bandit GitHub repository (https://github.com/PyCQA/bandit), in this case imports.py, which contains the following source code:

import os
import pickle
import sys
import subprocess

After running Bandit on the file

bandit imports.py

you get the following output:

[Screenshot: Bandit output for imports.py]

Bandit reports two Low severity findings, both concerning imported modules: B403 for pickle (CWE-502, deserialization of untrusted data) and B404 for subprocess (CWE-78, OS command injection). For every finding Bandit prints the test ID, a description, the severity and confidence, the associated CWE number and the location in the file. Note that os and sys are not reported: Bandit only flags modules on its import blacklist, and a flagged import is a hint to look at how the module is used, not a vulnerability by itself.
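The import findings above only say where to look; the calls that actually matter are rated higher. The following added example (not code from the Bandit project or from this page's author) shows the unsafe use of pickle and subprocess that Bandit reports as B301 (Medium) and B602 (High), each beside a safe replacement. The attacker payload and the user input are constructed inline; the helper names are chosen for this example.

```python
import json
import pickle
import subprocess

# Record of calls made while unpickling; a harmless stand-in for os.system.
EXECUTED = []


def _side_effect(marker):
    """Called by pickle on the receiving side; a real attacker would point at os.system."""
    EXECUTED.append(marker)
    return marker


class Malicious:
    """__reduce__ tells pickle to rebuild this object by calling _side_effect("pwned").
    The call is recorded in the byte stream and executed by whoever unpickles it."""

    def __reduce__(self):
        return (_side_effect, ("pwned",))


def craft_payload() -> bytes:
    """Constructed attacker-controlled bytes, e.g. received from a socket."""
    return pickle.dumps(Malicious())


def unsafe_load(blob: bytes):
    """Flagged by Bandit as B301 (Medium): pickle.loads runs code chosen by the sender."""
    return pickle.loads(blob)


def safe_load(blob: bytes):
    """JSON cannot encode callables; malformed input fails with ValueError instead."""
    return json.loads(blob)


def unsafe_echo(user_input: str) -> str:
    """Flagged by Bandit as B602 (High): the string is parsed by /bin/sh,
    so a ';' inside user_input starts a second command."""
    command = "echo " + user_input
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def safe_echo(user_input: str) -> str:
    """No shell involved: echo receives user_input as one literal argument."""
    return subprocess.run(["echo", user_input], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    payload = craft_payload()
    print("pickle.loads returned:", unsafe_load(payload), "calls made:", EXECUTED)
    print("shell=True output:", repr(unsafe_echo("hello; echo INJECTED")))
    print("argv output:     ", repr(safe_echo("hello; echo INJECTED")))
```

Saving this as a file and running bandit on it reproduces the two import findings from above plus B301 for pickle.loads and B602 for the shell=True call; the argument-list version still receives the informational B603 (Low) reminding you to check where the arguments come from. A line that has been reviewed and accepted can be excluded with a trailing # nosec comment.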

Results

Bandit assigns every finding two ratings, each on the scale Low, Medium, High: the Severity estimates the impact if the issue is real, and the Confidence states how sure Bandit is that the flagged code is actually a problem rather than a false positive. A Low severity, High confidence finding such as the pickle import above means Bandit is certain the module is imported but only that it deserves a closer look; a High severity, Low confidence finding needs manual review before it is treated as a real issue. On the command line the -l and -i switches raise the minimum severity and confidence that are reported (repeat them to raise the floor: -ll -ii reports Medium and above).
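Severity and confidence are most useful when the report is consumed by a script, for example as a merge gate in CI. The following added example (not part of the original page or of Bandit itself) ranks findings from a JSON report written with bandit -f json and decides whether the build should fail. The report embedded below is constructed for the example; the field names follow Bandit's JSON formatter, but the findings are made up, and the function names are this example's own.

```python
import json

# Constructed sample of what `bandit -f json -o report.json` writes. Field names
# follow Bandit's JSON formatter; the findings themselves are invented here.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"filename": "imports.py", "line_number": 2, "test_id": "B403",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_cwe": {"id": 502},
         "issue_text": "Consider possible security implications associated with pickle module."},
        {"filename": "imports.py", "line_number": 4, "test_id": "B404",
         "issue_severity": "LOW", "issue_confidence": "HIGH",
         "issue_cwe": {"id": 78},
         "issue_text": "Consider possible security implications associated with the subprocess module."},
        {"filename": "app.py", "line_number": 17, "test_id": "B602",
         "issue_severity": "HIGH", "issue_confidence": "HIGH",
         "issue_cwe": {"id": 78},
         "issue_text": "subprocess call with shell=True identified, security issue."},
        {"filename": "app.py", "line_number": 30, "test_id": "B105",
         "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "issue_cwe": {"id": 259},
         "issue_text": "Possible hardcoded password: 'hunter2'"},
    ]
})

# Bandit's three levels, ordered so they can be compared.
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def load_findings(report_text: str) -> list:
    """Parse the JSON report into plain dicts, one per finding."""
    data = json.loads(report_text)
    return [
        {
            "file": r["filename"],
            "line": r["line_number"],
            "test_id": r["test_id"],
            "severity": r["issue_severity"],
            "confidence": r["issue_confidence"],
            "cwe": r.get("issue_cwe", {}).get("id"),
            "text": r["issue_text"],
        }
        for r in data["results"]
    ]


def select(findings, min_severity="MEDIUM", min_confidence="MEDIUM"):
    """Keep findings at or above both thresholds, most serious first.
    Same filter as the CLI switches -l/-i (the defaults here match -ll -ii)."""
    kept = [
        f for f in findings
        if RANK[f["severity"]] >= RANK[min_severity]
        and RANK[f["confidence"]] >= RANK[min_confidence]
    ]
    return sorted(kept, key=lambda f: (-RANK[f["severity"]], -RANK[f["confidence"]], f["file"], f["line"]))


def count_by_severity(findings) -> dict:
    """Totals per severity, as printed at the end of a Bandit run."""
    counts = {"LOW": 0, "MEDIUM": 0, "HIGH": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def build_should_fail(findings, min_severity="MEDIUM", min_confidence="MEDIUM") -> bool:
    """CI gate: fail only on findings worth blocking a merge for."""
    return bool(select(findings, min_severity, min_confidence))


def format_finding(f) -> str:
    """One-line summary in the style file:line ID [severity/confidence] CWE: text."""
    return f'{f["file"]}:{f["line"]} {f["test_id"]} [{f["severity"]}/{f["confidence"]}] CWE-{f["cwe"]}: {f["text"]}'


if __name__ == "__main__":
    findings = load_findings(SAMPLE_REPORT)
    print("counts:", count_by_severity(findings))
    for f in select(findings, "LOW", "HIGH"):
        print(format_finding(f))
    raise SystemExit(1 if build_should_fail(findings) else 0)
```

With the sample report the gate fails because of the High/High B602 finding, while the two Low severity import findings and the Medium confidence hardcoded password are listed but do not block the build. Replace SAMPLE_REPORT with the contents of a real report.json to use the script as is.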


References