PyPI - codeaudit - Versions diffs - 0.5.3__tar.gz → 0.5.5__tar.gz - Mend

codeaudit 0.5.3tar.gz → 0.5.5tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (136) hide show

{codeaudit-0.5.3 → codeaudit-0.5.5}/.gitignore RENAMED Viewed

@@ -146,3 +146,4 @@ dmypy.json
 _build/*
 .gitignore

codeaudit-0.5.5/CONTRIBUTE.md ADDED Viewed

@@ -0,0 +1,64 @@
+# Contribute
+Great that you see this page and want to contribute!
+:::{tip}
+All contributions are welcome!
+Think of corrections on the manual, code and more or better tests.
+:::
+The **Codeaudit** code repository is hosted at [Github](github.com/nocomplexity/codeaudit).
+Simple Guidelines:
+* Questions, Feature Requests, Bug Reports should all be reported on the [Github Issue Tracker](https://github.com/nocomplexity/codeaudit/issues) .
+* [Black](https://black.readthedocs.io/en/stable/index.html) is used for code style. But for a simple fix, using `Black` is not required!
+This codeaudit tool is designed by applying [Zero Complexity By Design principles](https://nocomplexity.com/documents/0complexity/abstract.html). So the goal is to keep the tool simple to use and the code simple to adjust or to extend.
+:::{warning}
+This simple tool is designed to be simple to use and maintain.
+:::
+**Pull Requests are welcome!**
+When you contribute to Codeaudit, your contributions are made under the same license as the file you are working on.
+We adopt the [Collective Code Construction Contract(C4)](https://rfc.zeromq.org/spec/42/) to streamline collaboration. C4 is meant to provide a reusable optimal collaboration model for open source software projects.
+:::{attention}
+This project values respect and inclusiveness, and enforces a [Code of Conduct](CoC-label) in all interactions.
+:::
+:::{note}
+This is an open community driven project. Contributors will be mentioned in the documentation.
+:::
+(CoC-label)=
+## Code of Conduct
+Version : 1.0
+As contributors, maintainers, administrators and founders of the Python Codeaudit Community projects, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
+We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.
+Examples of unacceptable behavior by participants include:
+*    The use of sexualized language or imagery.
+*    Personal attacks.
+*    Trolling or insulting/derogatory comments.
+*    Public or private harassment.
+*    Publishing other’s private information, such as physical or electronic addresses, without explicit permission.
+*    Other unethical or unprofessional conduct.
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, documentation edits, issues, and other contributions that are not aligned to this Code of Conduct.
+By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project. Project maintainers who do not follow or enforce the Code of Conduct may be permanently removed from the project team.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting one or more of the project maintainers.
+This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community.
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at [http://contributor-covenant.org/version/1/2/0/](https://www.contributor-covenant.org/version/1/2/0/code-of-conduct/).

{codeaudit-0.5.3 → codeaudit-0.5.5}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeaudit
-Version: 0.5.3
+Version: 0.5.5
 Summary: Simplified static security checks for Python
 Project-URL: Documentation, https://github.com/nocomplexity/codeaudit#readme
 Project-URL: Issues, https://github.com/nocomplexity/codeaudit/issues
@@ -8,24 +8,32 @@ Project-URL: Source, https://github.com/nocomplexity/codeaudit
 Author-email: Maikel Mardjan <mike@bm-support.org>
 License-Expression: GPL-3.0-or-later
 License-File: LICENSE.txt
+Keywords: Complexity Checker,Python SAST,SAST,SAST API
 Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Science/Research
 Classifier: Programming Language :: Python
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Quality Assurance
 Requires-Python: >=3.8
 Requires-Dist: altair>=5.5
 Requires-Dist: fire>=0.7.0
 Requires-Dist: pandas>=2.3
 Description-Content-Type: text/markdown
-# codeaudit
+# Codeaudit
+![CodeauditLogo](docs/images/codeauditlogo.png)
 [![PyPI - Version](https://img.shields.io/pypi/v/codeaudit.svg)](https://pypi.org/project/codeaudit)
 [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/codeaudit.svg)](https://pypi.org/project/codeaudit)
-Codeaudit - A modern Python source code analyzer based on distrust.
+Python Codeaudit - A modern Python source code analyzer based on distrust.
-Codeaudit is a tool designed to find security issues in Python code. This static application security testing (SAST) tool has great features to simplify the necessary security tasks and make it fun and easy.
+Codeaudit is a tool to find security issues in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy.
 This tool is created for:
 * Anyone who want or must check security risks with Python programs.
@@ -34,20 +42,20 @@ This tool is created for:
 > [!WARNING]
-> Codeaudit is still is currently in *beta status*. There are still bugs in the software that need to be fixed. Consider [contributing](CONTRIBUTING.md) to make Codeaudit a cool modern Python SAST tool. Codeaudit is currently in a thorough testing period and changes and fixes are frequently applied.
+> Python Codeaudit is currently in *beta status*. Consider [contributing](CONTRIBUTING.md) to make Codeaudit the coolest open source Python SAST tool. Codeaudit is currently in a thorough testing phase. So use the Codeaudit now to and contribute to make it better!
 ## Features
-Codeaudit has the following features:
+Python Codeaudit has the following features:
 * Detecting and reporting potential vulnerabilities of from all Python files collected in a directory. This is a must **do** check when researching python packages on possible security issues.
 *  Detect and reports complexity and statistics relevant for security per Python file or from Python files found in a directory.
-* Codeaudit implements a light weight [cyclomatic complexity](https://en.wikipedia.org/wiki/Cyclomatic_complexity) using Python’s Abstract Syntax Tree module. The codeaudit implemented check is by far good enough for determining security risks in Python files very quick!
+* Python Codeaudit implements a light weight [cyclomatic complexity](https://en.wikipedia.org/wiki/Cyclomatic_complexity) count, using Python’s Abstract Syntax Tree module. The codeaudit complexity check is designed to determine security risks in Python files very quick!
-*  Detect and reports which module are used within a Python file. Also vulnerability information found from used external modules is shown.
+*  Detect and reports which module are used within a Python file. Also vulnerability information found from used external modules is reported.
 *  Detecting and reporting potential vulnerability issues within a Python file. Per detected issue the line number shown, with the lines that *could* cause a security issue.
@@ -55,7 +63,7 @@ Codeaudit has the following features:
 > [!IMPORTANT]
-> Codeaudit uses the Python's Abstract Syntax Tree (AST) to get robust and reliable result. Using the Python AST makes contextual Vulnerability Detection possible and false positive are minimized.
+> Python Codeaudit uses the Python's Abstract Syntax Tree (AST) to get robust and reliable result. Using the Python AST makes contextual Vulnerability Detection possible and false positive are minimized.
 ## Installation
@@ -107,7 +115,7 @@ Commands:
   checks               Generate an HTML report of all implemented codeaudit security checks.
   version              Prints the module version. Use [-v] [--v] [-version] or [--version].
-Use the Codeaudit documentation to check the security of Python programs and make your Python programs more secure!
+Use the [Codeaudit documentation](https://nocomplexity.com/documents/codeaudit/intro.html) to check the security of Python programs and make your Python programs more secure!
 Check https://simplifysecurity.nocomplexity.com/
 ```
@@ -144,7 +152,7 @@ When you contribute to Codeaudit, your contributions are made under the same lic
 > [!NOTE]
-> This is an open community driven project. Contributors will be mentioned in the documentation.
+> This is an open community driven project. Contributors will be mentioned in the [documentation](https://nocomplexity.com/documents/codeaudit/intro.html).
 We adopt the [Collective Code Construction Contract(C4)](https://rfc.zeromq.org/spec/42/) to streamline collaboration.

{codeaudit-0.5.3 → codeaudit-0.5.5}/README.md RENAMED Viewed

@@ -1,11 +1,13 @@
-# codeaudit
+# Codeaudit
+![CodeauditLogo](docs/images/codeauditlogo.png)
 [![PyPI - Version](https://img.shields.io/pypi/v/codeaudit.svg)](https://pypi.org/project/codeaudit)
 [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/codeaudit.svg)](https://pypi.org/project/codeaudit)
-Codeaudit - A modern Python source code analyzer based on distrust.
+Python Codeaudit - A modern Python source code analyzer based on distrust.
-Codeaudit is a tool designed to find security issues in Python code. This static application security testing (SAST) tool has great features to simplify the necessary security tasks and make it fun and easy.
+Codeaudit is a tool to find security issues in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy.
 This tool is created for:
 * Anyone who want or must check security risks with Python programs.
@@ -14,20 +16,20 @@ This tool is created for:
 > [!WARNING]
-> Codeaudit is still is currently in *beta status*. There are still bugs in the software that need to be fixed. Consider [contributing](CONTRIBUTING.md) to make Codeaudit a cool modern Python SAST tool. Codeaudit is currently in a thorough testing period and changes and fixes are frequently applied.
+> Python Codeaudit is currently in *beta status*. Consider [contributing](CONTRIBUTING.md) to make Codeaudit the coolest open source Python SAST tool. Codeaudit is currently in a thorough testing phase. So use the Codeaudit now to and contribute to make it better!
 ## Features
-Codeaudit has the following features:
+Python Codeaudit has the following features:
 * Detecting and reporting potential vulnerabilities of from all Python files collected in a directory. This is a must **do** check when researching python packages on possible security issues.
 *  Detect and reports complexity and statistics relevant for security per Python file or from Python files found in a directory.
-* Codeaudit implements a light weight [cyclomatic complexity](https://en.wikipedia.org/wiki/Cyclomatic_complexity) using Python’s Abstract Syntax Tree module. The codeaudit implemented check is by far good enough for determining security risks in Python files very quick!
+* Python Codeaudit implements a light weight [cyclomatic complexity](https://en.wikipedia.org/wiki/Cyclomatic_complexity) count, using Python’s Abstract Syntax Tree module. The codeaudit complexity check is designed to determine security risks in Python files very quick!
-*  Detect and reports which module are used within a Python file. Also vulnerability information found from used external modules is shown.
+*  Detect and reports which module are used within a Python file. Also vulnerability information found from used external modules is reported.
 *  Detecting and reporting potential vulnerability issues within a Python file. Per detected issue the line number shown, with the lines that *could* cause a security issue.
@@ -35,7 +37,7 @@ Codeaudit has the following features:
 > [!IMPORTANT]
-> Codeaudit uses the Python's Abstract Syntax Tree (AST) to get robust and reliable result. Using the Python AST makes contextual Vulnerability Detection possible and false positive are minimized.
+> Python Codeaudit uses the Python's Abstract Syntax Tree (AST) to get robust and reliable result. Using the Python AST makes contextual Vulnerability Detection possible and false positive are minimized.
 ## Installation
@@ -87,7 +89,7 @@ Commands:
   checks               Generate an HTML report of all implemented codeaudit security checks.
   version              Prints the module version. Use [-v] [--v] [-version] or [--version].
-Use the Codeaudit documentation to check the security of Python programs and make your Python programs more secure!
+Use the [Codeaudit documentation](https://nocomplexity.com/documents/codeaudit/intro.html) to check the security of Python programs and make your Python programs more secure!
 Check https://simplifysecurity.nocomplexity.com/
 ```
@@ -124,7 +126,7 @@ When you contribute to Codeaudit, your contributions are made under the same lic
 > [!NOTE]
-> This is an open community driven project. Contributors will be mentioned in the documentation.
+> This is an open community driven project. Contributors will be mentioned in the [documentation](https://nocomplexity.com/documents/codeaudit/intro.html).
 We adopt the [Collective Code Construction Contract(C4)](https://rfc.zeromq.org/spec/42/) to streamline collaboration.

{codeaudit-0.5.3 → codeaudit-0.5.5}/docs/CLIcommands.ipynb RENAMED Viewed

@@ -59,6 +59,8 @@
    "metadata": {},
    "outputs": [],
    "source": [
+    "output += '% THIS FILE IS GENERATED! - Use CLIcommands.ipynb to make it better!\\n'\n",
+    "output += '# Overview of Codeaudit commands\\n'\n",
     "output += f'Codeaudit commands for: {version_id}'"
    ]
   },
@@ -100,7 +102,7 @@
     "                \"checks\" : 'report_implemented_tests',\n",
     "               \"version\" : 'display_version'} \n",
     "for key, value in commands.items():    \n",
-    "    output += f'### codeaudit {key}\\n' # newlines matter when creating markdown\n",
+    "    output += f'## codeaudit {key}\\n' # newlines matter when creating markdown\n",
     "    output += '```text\\n' # raw display    \n",
     "    func_name = value\n",
     "    output += getattr(codeaudit, func_name).__doc__\n",
@@ -158,7 +160,7 @@
    "name": "python",
    "nbconvert_exporter": "python",
    "pygments_lexer": "ipython3",
-   "version": "3.13.5"
+   "version": "3.13.1"
   }
  },
  "nbformat": 4,

codeaudit-0.5.5/docs/CONTRIBUTE.md ADDED Viewed

@@ -0,0 +1,64 @@
+# Contribute
+Great that you see this page and want to contribute!
+:::{tip}
+All contributions are welcome!
+Think of corrections on the manual, code and more or better tests.
+:::
+The **Codeaudit** code repository is hosted at [Github](github.com/nocomplexity/codeaudit).
+Simple Guidelines:
+* Questions, Feature Requests, Bug Reports should all be reported on the [Github Issue Tracker](https://github.com/nocomplexity/codeaudit/issues) .
+* [Black](https://black.readthedocs.io/en/stable/index.html) is used for code style. But for a simple fix, using `Black` is not required!
+This codeaudit tool is designed by applying [Zero Complexity By Design principles](https://nocomplexity.com/documents/0complexity/abstract.html). So the goal is to keep the tool simple to use and the code simple to adjust or to extend.
+:::{warning}
+This simple tool is designed to be simple to use and maintain.
+:::
+**Pull Requests are welcome!**
+When you contribute to Codeaudit, your contributions are made under the same license as the file you are working on.
+We adopt the [Collective Code Construction Contract(C4)](https://rfc.zeromq.org/spec/42/) to streamline collaboration. C4 is meant to provide a reusable optimal collaboration model for open source software projects.
+:::{attention}
+This project values respect and inclusiveness, and enforces a [Code of Conduct](CoC-label) in all interactions.
+:::
+:::{note}
+This is an open community driven project. Contributors will be mentioned in the documentation.
+:::
+(CoC-label)=
+## Code of Conduct
+Version : 1.0
+As contributors, maintainers, administrators and founders of the Python Codeaudit Community projects, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
+We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.
+Examples of unacceptable behavior by participants include:
+*    The use of sexualized language or imagery.
+*    Personal attacks.
+*    Trolling or insulting/derogatory comments.
+*    Public or private harassment.
+*    Publishing other’s private information, such as physical or electronic addresses, without explicit permission.
+*    Other unethical or unprofessional conduct.
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, documentation edits, issues, and other contributions that are not aligned to this Code of Conduct.
+By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project. Project maintainers who do not follow or enforce the Code of Conduct may be permanently removed from the project team.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by opening an issue or contacting one or more of the project maintainers.
+This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community.
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at [http://contributor-covenant.org/version/1/2/0/](https://www.contributor-covenant.org/version/1/2/0/code-of-conduct/).

{codeaudit-0.5.3 → codeaudit-0.5.5}/docs/_config.yml RENAMED Viewed

@@ -100,6 +100,6 @@ sphinx:
       use_issues_button: True
       home_page_in_toc: True
       logo:
-           text: <b>Code Audit</b>
+           text: <b>Python Security Code Audit</b>
       extra_footer: '<p><a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-sa/4.0/88x31.png" /></a> This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/">Creative Commons Attribution-ShareAlike 4.0 International License</a>.</p>'

codeaudit-0.5.5/docs/_toc.yml ADDED Viewed

@@ -0,0 +1,67 @@
+format: jb-book
+root: intro
+parts:
+- caption: Quick Start
+  chapters:
+  - file: features
+  - file: userguide
+    sections:
+    - file: codeauditoverview
+    - file: modulescan
+    - file: filescan
+    - file: directoryscan
+    - file: codeauditchecks
+  - file: whysast
+- caption: Security Checks
+  chapters:
+  - file: checksinformation
+    sections:
+    - file: checks/assert_check
+    - file: checks/input_check
+    - file: checks/builtinfunctions_check
+    - file: checks/chmod_check
+    - file: checks/binding_check
+    - file: checks/directorycreation_check
+    - file: checks/exception_check
+    - file: checks/tarfile_extract_check
+    - file: checks/hash_check
+    - file: checks/marshal_check
+    - file: checks/subprocess_check
+    - file: checks/systemcalls_check
+    - file: checks/loggingconf_check
+    - file: checks/base64_check
+    - file: checks/httpserver_check
+    - file: checks/multiprocessing_check
+    - file: checks/pickle_check
+    - file: checks/random_check
+    - file: checks/shelve_check
+    - file: checks/xml_check
+    - file: checks/zipfile_check
+    - file: checks/shutil_check
+- caption: Architecture
+  chapters:
+  # - file: astlines
+  # - file: astlines2
+  - file: complexitycheck
+  - file: warnings
+  - file: codeauditcommands
+# - caption: API Documentation
+#   chapters:
+#   - file: modules
+- caption: About
+  chapters:
+  - file: help
+  - file: CONTRIBUTE
+  - file: sponsors
+  - file: license
+  - file: about

{codeaudit-0.5.3 → codeaudit-0.5.5}/docs/astlines.md RENAMED Viewed

@@ -8,7 +8,7 @@ AST lines are needed to give a more precise indication of the complexity of a Py
 To explain the difference between an **AST line** (as counted by the provided `count_ast_lines` function) and a **line counted by the Unix `wc` command**, let’s break it down:
-### 1. **Lines Counted by Unix `wc -l`**
+1. **Lines Counted by Unix `wc -l`**
 - The Unix command `wc -l filename` counts the **physical lines** in a file.
 - A "line" is defined as any sequence of characters terminated by a newline character (`\n`).
 - This includes:
@@ -26,7 +26,7 @@ To explain the difference between an **AST line** (as counted by the provided `c
   ```
   Running `wc -l` on this file yields **5 lines** because there are five newline characters (one for each line, including the blank line).
-### 2. **AST Lines (as counted by `count_ast_lines`)**
+2. **AST Lines (as counted by `count_ast_lines`)**
 - The `count_ast_lines` function uses Python’s `ast` module to parse the source code into an **Abstract Syntax Tree (AST)** and counts **unique lines that contain AST nodes with a `lineno` attribute**.
 - An AST represents the syntactic structure of the code, ignoring comments, blank lines, and certain non-executable elements.
 - The function:
@@ -57,7 +57,7 @@ To explain the difference between an **AST line** (as counted by the provided `c
     - `x = 1` (line 5, Assign node).
   - The `set` of line numbers is `{2, 3, 5}`, so `count_ast_lines` returns **3**.
-### 3. **Key Differences**
+3. **Key Differences**
 | Aspect                     | `wc -l`                              | `count_ast_lines` (AST Lines)         |
 |----------------------------|--------------------------------------|---------------------------------------|
 | **Definition**             | Counts physical lines (newline-terminated). | Counts unique lines with AST nodes.   |
@@ -67,7 +67,8 @@ To explain the difference between an **AST line** (as counted by the provided `c
 | **Purpose**                | General file line count              | Measures executable code lines        |
 | **Example Output**         | 5 (for above example)                | 3 (for above example)                 |
-### 4. **Additional Example for Clarity**
+4. **Additional Example for Clarity**
 Consider this code:
 ```python
 # This is a comment
@@ -96,7 +97,7 @@ def example():
   - Unique line numbers: `{2, 3, 7, 11}`.
   - Output: `4`.
-### 5. **Why the Difference Matters**
+5. **Why the Difference Matters**
 - `wc -l` is useful for getting a raw count of lines in a file, often used for file statistics or quick checks.
 - `count_ast_lines` is more relevant for analyzing **executable code complexity** or **code coverage**, as it focuses on lines that represent actual Python syntax nodes, ignoring non-executable content like comments or blank lines.

codeaudit-0.5.5/docs/checks/assert_check.md ADDED Viewed

@@ -0,0 +1,40 @@
+# Assert Statement
+The Python `assert` statement itself is not insecure, but its *misuse* can lead to security vulnerabilities.
+:::{danger}
+Using `assert` can be problematic from a security perspective!
+:::
+## Rationale
+1. Assertions are primarily for debugging and development, **NOT** for production validation or error handling.
+* **They can be disabled:** When Python is run in optimized mode (with the `-O` or `-OO` flags, or by setting the `PYTHONOPTIMIZE` environment variable), `assert` statements are completely ignored. This means any crucial checks you rely on for security or data integrity will simply vanish, leaving your application vulnerable.
+* **Not for user input validation:** So never use `assert` to validate user input or external data. If assertions are disabled in production, malicious or malformed input will bypass your checks, potentially leading to crashes, data corruption, or even arbitrary code execution. Use `if/else` statements with proper exception handling (e.g., `ValueError`, `TypeError`) for this.
+* **Not for graceful error handling:** Assertions are designed to signal "this should never happen, it's a bug." They raise an `AssertionError` which typically halts the program. In a production environment, you usually want to handle anticipated errors gracefully, log them, and potentially recover or inform the user, rather than crashing the application.
+2. Some side effects within `assert` statements can be dangerous.
+* If an `assert` statement contains code with side effects (e.g., modifying a variable, calling a function that performs an action), those side effects will also be skipped when assertions are disabled. This can lead to unexpected behavior and security gaps.
+3. Use assert for testing code and during development only
+* `assert` is good to use for `pytest` or other development constructs.
+* `Assert` helps to find mistakes during development. But it is not a security fence to protect against external threats or a robust mechanism for handling runtime issues in a live system. For production code, especially when dealing with external inputs or critical business logic, rely on explicit `if/else` checks and robust exception handling.
+ * `Assert` statements should in general only be used for testing and debugging purposes.
+ `assert` statements **SHOULD** be removed when not running in debug mode (i.e. when invoking the Python command with the -O or -OO options).
+## More information
+* [The assert statement - Python Documentation](https://docs.python.org/3/reference/simple_stmts.html#the-assert-statement)
+* [The dangers of assert in Python](https://snyk.io/blog/the-dangers-of-assert-in-python/)
+* [Feature: Python assert should be consider harmful](https://community.sonarsource.com/t/feature-python-assert-should-be-consider-harmful/38501) But note that Sonar did not implement this check.

{codeaudit-0.5.3 → codeaudit-0.5.5}/docs/checks/base64_check.md RENAMED Viewed

@@ -1,9 +1,13 @@
-# Using Base64 Encoding / Decoding
+# Base64 Statements
+Codeaudit checks on use of:
+*  Base64 Encoding / Decoding
 The `base64` module requires specific security considerations.
 It’s recommended to review the security considerations for any code deployed to production using `base64` encoding.
+Security considerations section from RFC 4648 (section 12):
 ```text
 Security Considerations

codeaudit-0.5.5/docs/checks/binding_check.md ADDED Viewed

@@ -0,0 +1,54 @@
+# Binding Statement
+Purpose of this validation is to detect code construct where binding to all interfaces is applied.
+The Python construct `s.bind()` is dangerous from a security perspective.
+It opens network sockets and makes your application vulnerable. Additional measurements are often required. So not only within the Python code. This is seldom enough.
+When `s.bind` constuct is detected this requires a further inspection to determine what the risks are. This inspection can only be done in full context, so in context of the environment where the code will be executed.
+## Additional explanation
+Within Python Binding sockets on all interfaces can be done on several ways. E.g.:
+```python
+import socket
+addr = ("", 8080)  # all interfaces, port 8080
+if socket.has_dualstack_ipv6():
+    s = socket.create_server(addr, family=socket.AF_INET6, dualstack_ipv6=True)
+else:
+    s = socket.create_server(addr)
+```
+([reference - Python documentation](https://docs.python.org/3/library/socket.html#socket.AF_INET6))
+:::{caution}
+Port bindings **SHOULD** never be hardcoded. But if used dynamically assigned based on ports that are not yet in use.
+When multiple sockets are allowed to bind to the same port, other services on that port may be stolen or spoofed.
+So prevent an another application to bind to the specific address on unprivileged port, and steal its UDP packets/TCP connection.
+Minimal required is a strong authorization mechanism and preferred is a 'zero-trust' network policy.
+**Make sure measurements are taken** when communication using raw sockets in Python.
+:::
+Some measurements (besides changing the code!) are:
+1.  **Firewall Configuration:** Configure a to explicitly allow incoming connections *only from trusted sources* or specific IP ranges. Block all other incoming connections to that port.
+2.  **Application Security:**
+    * **Authentication and Authorization:** Implement strong authentication and authorization mechanisms for your application. Don't leave it open for anyone to connect.
+    * **Input Validation:** Sanitize and validate all user inputs to prevent common vulnerabilities like SQL injection, cross-site scripting (XSS), and command injection.
+    * **Least Privilege:** Ensure the application runs with the minimum necessary privileges.
+    * **Error Handling:** Implement robust error handling that doesn't expose sensitive system information.
+    * **Logging and Monitoring:** Log access attempts and suspicious activities. Monitor these logs for anomalies.
+4.  **Zero-Trust and Network Segmentation:** For critical services, consider placing them in separate network segments to limit lateral movement if one part of your network is compromised.
+## More Information
+ * https://docs.python.org/3/library/socket.html

{codeaudit-0.5.3 → codeaudit-0.5.5}/docs/checks/builtinfunctions_check.md RENAMED Viewed

@@ -1,23 +1,30 @@
 # Built-in Functions
-Some Python built-in functions can cause risks. Codeaudit checks on:
+Some Python built-in functions can cause severe risks.
+The Python built-in functions:
+* `eval`
+* `exec` and
+* `compile`
+Should always be reviewed within the full context. By default use of this function is a **red** alert from a security perspective.
-## Check on `eval`
+## Why check on `eval`
 This function executes arbitrary code. Calling it with user-supplied input may lead to security vulnerabilities.
 This function can also be used to execute arbitrary code objects (such as those created by compile()).
-## Check on `exec`
+## Why Check on `exec`
 This function executes arbitrary code. Calling it with user-supplied input may lead to security vulnerabilities.
-## Check on `compile`
+## Why check on `compile`
 It is possible to crash the Python interpreter with a sufficiently large/complex string when compiling to an AST object due to stack depth limitations in Python’s AST compiler.
-More info:
+## More info
 * https://docs.python.org/3/library/functions.html#eval
 * https://docs.python.org/3/library/functions.html#exec

codeaudit-0.5.5/docs/checks/chmod_check.md ADDED Viewed

@@ -0,0 +1,18 @@
+# Chmod Statement
+Applying and using the Python `os.chmod` function is not the way to deal with permissions.
+Sooner or later you will share your program to be used by others.
+It is also common that Python programs run with too wide authorizations.
+Especially with downloaded programs:
+:::{tip}
+Always check if `chmod` is used in the code!
+:::
+Automatic use of `chmod` in programs is a receipt for disasters and privacy concerns.
+## More information
+* https://docs.python.org/3/library/os.html#os.chmod

codeaudit 0.5.3__tar.gz → 0.5.5__tar.gz

codeaudit 0.5.3tar.gz → 0.5.5tar.gz