PyCQA/bandit

yaml_load should not be B5xx cryptography group

Open

#306 建立於 2018年5月14日

在 GitHub 查看
 (1 留言) (0 反應) (0 負責人)Python (5,660 star) (559 fork)batch import
buggood first issue

描述

Describe the bug The yaml_load plugin has bandit ID B506. The 5xx group according to [1] is defined as the group for cryptography. This plugin would be more appropriate as a type of injection B6xx

To Reproduce n/a

Expected behavior n/a

Bandit version

bandit 1.4.0

Additional context Add any other context about the problem here.

貢獻者指南

技術棧
python
領域
securitybackend
議題類型
bug
難度面向新貢獻者的預計實作難度,1 表示很小改動,5 表示專家級工作。
2
預計時間有經驗貢獻者完成調查、實作、測試並準備 pull request 的粗略時間範圍。
under 1 hour
活動狀態議題目前的可參與程度:新鮮、活躍、陳舊、阻塞或等待維護者輸入。
stale
清晰度議題是否清楚說明預期改動、驗收標準和下一步。
clear
前置要求
bandit plugin ID systemPython
新手友善度1-100 的估計分數,表示該議題對首次貢獻者的友善程度。
75
研究方向
The yaml load plugin currently uses bandit ID B506, which falls under the cryptography group (B5xx). According to the issue, it should be under injection (B6xx). To fix, locate the plugin definition in bandit/plugins/yaml load.py and change the 'id' field from 'B506' to an appropriate B6xx ID (e.g., B601) and update any related test files. Check the bandit documentation for existing B6xx IDs to avoid duplication. No further discussion or PRs exist; the change is straightforward and isolated.