Description
Describe the bug
Using a `# nosec BXXX` annotation inside a nested data structure appears to cause "higher" nosec annotations to be ignored:
Test results:
```text
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
   Severity: Medium   Confidence: Medium
   CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
   More Info: https://bandit.readthedocs.io/en/1.7.5/plugins/b108_hardcoded_tmp_directory.html
   Location: derp.py:7:23
6	    ),
7	    'LOCALFS_BASEDIR': '/var/tmp/herp',  # nosec B108
8	    'ALPINE_APORTS_DIR': '/tmp/derp',  # nosec B108
9	}
--------------------------------------------------
>> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.
   Severity: Medium   Confidence: Medium
   CWE: CWE-377 (https://cwe.mitre.org/data/definitions/377.html)
   More Info: https://bandit.readthedocs.io/en/1.7.5/plugins/b108_hardcoded_tmp_directory.html
   Location: derp.py:8:25
7	    'LOCALFS_BASEDIR': '/var/tmp/herp',  # nosec B108
8	    'ALPINE_APORTS_DIR': '/tmp/derp',  # nosec B108
9	}
--------------------------------------------------
```
Reproduction steps
Use this as a test case (save to testcase.py):
```python
example = {
    'S3_CONFIG_PARAMS': dict(  # nosec B106
        aws_access_key_id='key_goes_here',
        aws_secret_access_key='secret_goes_here',
        endpoint_url='s3.amazonaws.com',
    ),
    'LOCALFS_BASEDIR': '/var/tmp/herp',  # nosec B108
    'ALPINE_APORTS_DIR': '/tmp/derp',  # nosec B108
}
```
...and run `bandit testcase.py`
Expected behavior
0 issues found.
Bandit version
1.7.5
Python version
3.11.2
Additional context
- Using plain `# nosec` annotations works.
- This test case also works, but throws warnings:
```python
example = {
    'LOCALFS_BASEDIR': '/var/tmp/herp',  # nosec B108
    'ALPINE_APORTS_DIR': '/tmp/derp',  # nosec B108
    'S3_CONFIG_PARAMS': dict(
        aws_access_key_id='key_goes_here',
        aws_secret_access_key='secret_goes_here',  # nosec B106
        endpoint_url='s3.amazonaws.com',
    ),
}
```
So the issue would appear to have something to do with ignoring individual tests, and nesting depth.
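A reference model of the per-line `# nosec` semantics the report expects, added here as an example and not Bandit's own code: each line's annotation covers only findings reported on that line, so an annotation inside a nested literal can neither hide nor cancel one on a sibling line. The findings list is constructed from the two B108 issues in the report plus an assumed B106 hit on the `dict()` call that opens on line 2.

```python
import io
import re
import tokenize

# "# nosec" optionally followed by test IDs in the form used in the report (e.g. "B108").
NOSEC_RE = re.compile(r"#\s*nosec\b\s*((?:B\d+[\s,]*)*)")


def parse_nosec(source):
    """Map each line number carrying a nosec comment to the set of test IDs it
    suppresses; a bare "# nosec" maps to None, meaning every test."""
    nosec = {}
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue
        match = NOSEC_RE.search(tok.string)
        if match:
            ids = set(re.findall(r"B\d+", match.group(1)))
            nosec[tok.start[0]] = ids or None
    return nosec


def unsuppressed(findings, nosec):
    """Keep only (line, test_id) findings not covered by the nosec on their own
    line; annotations on other lines, nested or not, play no part."""
    remaining = []
    for line, test_id in findings:
        allowed = nosec.get(line, set())
        if allowed is None or test_id in allowed:
            continue
        remaining.append((line, test_id))
    return remaining


# The reporter's testcase.py, embedded so the example runs offline.
TESTCASE = """example = {
    'S3_CONFIG_PARAMS': dict(  # nosec B106
        aws_access_key_id='key_goes_here',
        aws_secret_access_key='secret_goes_here',
        endpoint_url='s3.amazonaws.com',
    ),
    'LOCALFS_BASEDIR': '/var/tmp/herp',  # nosec B108
    'ALPINE_APORTS_DIR': '/tmp/derp',  # nosec B108
}
"""

# Constructed findings: the two B108 hits from the report (lines 7 and 8) plus,
# as an assumption, a B106 hit on the dict() call that opens on line 2.
FINDINGS = [(2, "B106"), (7, "B108"), (8, "B108")]

if __name__ == "__main__":
    print(unsuppressed(FINDINGS, parse_nosec(TESTCASE)))  # expected: []
```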