PyCQA/bandit

yaml_load should not be B5xx cryptography group

Open

#306 opened on May 14, 2018

View on GitHub
 (1 comment) (0 reactions) (0 assignees)Python (5,660 stars) (559 forks)batch import
buggood first issue

Description

Describe the bug The yaml_load plugin has bandit ID B506. The 5xx group according to [1] is defined as the group for cryptography. This plugin would be more appropriate as a type of injection B6xx

To Reproduce n/a

Expected behavior n/a

Bandit version

bandit 1.4.0

Additional context Add any other context about the problem here.

Contributor guide

Tech stack
python
Domain
securitybackend
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
2
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
under 1 hour
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
stale
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
clear
Prerequisites
bandit plugin ID systemPython
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
75
Research direction
The yaml load plugin currently uses bandit ID B506, which falls under the cryptography group (B5xx). According to the issue, it should be under injection (B6xx). To fix, locate the plugin definition in bandit/plugins/yaml load.py and change the 'id' field from 'B506' to an appropriate B6xx ID (e.g., B601) and update any related test files. Check the bandit documentation for existing B6xx IDs to avoid duplication. No further discussion or PRs exist; the change is straightforward and isolated.