PyPI - codeaudit - Versions diffs - 0.9.3__tar.gz → 1.0.0__tar.gz - Mend

codeaudit 0.9.3tar.gz → 1.0.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (138) hide show

codeaudit-1.0.0/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,22 @@
+# Change Log
+## Version 1.0
+This release represents a stabilisation of Python Code Audit!
+Main changes in relation to the pre-1.0 versions are:
+* More validations added: Python Code Audit now counts 70 security validations!
+* Documentation updates
+* Improved validation for `builtins`, like `compile`, `exec`,, `eval` that can be obfuscated in code.
+* Various UI/UX updates. CLI text improved and HTML report text made consistent.
+* Added test to validate correct working for now and in the future. Also validated working with other SAST tools to make sure core functionality is rock solid or better! Spoiler Python Code Audit is better than most used OSS and commercial SAST tools available today!
+## Beta Versions (Before 1.0)
+All published beta version are stable and verified!
+During the public beta phase input of users and experts is retrieved.
+This resulted is mainly:
+* More validation
+* Better documentation and
+* UI/UX improvements to make sure Python Code Audit is dead simple to use for non-programmers to validate a Python package.

{codeaudit-0.9.3 → codeaudit-1.0.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeaudit
-Version: 0.9.3
+Version: 1.0.0
 Summary: Simplified static security checks for Python
 Project-URL: Documentation, https://github.com/nocomplexity/codeaudit#readme
 Project-URL: Issues, https://github.com/nocomplexity/codeaudit/issues
@@ -33,28 +33,25 @@ Description-Content-Type: text/markdown
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10970/badge)](https://www.bestpractices.dev/projects/10970)
 [![PyPI Downloads](https://static.pepy.tech/badge/codeaudit)](https://pepy.tech/projects/codeaudit)
-Python Codeaudit - A modern Python source code analyzer based on distrust.
+Python Code Audit - A modern Python source code analyzer based on distrust.
-Codeaudit is a tool to find security issues in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy.
+Python Code Audit is a tool to find **security issues** in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy.
 This tool is created for:
-* Anyone who want or must check security risks with Python programs.
-* Anyone who loves to create functionality using Python. So not only professional programs , but also occasional Python programmers or programmers who are used to working with other languages.
-* Anyone who wants an easy way to get insight in possible security risks Python programs.
+* Users of Python programs who want to known the security risks of the used Python code.
+* Anyone who loves to create Python programs and want to deliver Python code without vulnerabilities. So this tool is not only professional programs, but also occasional Python programmers. Creating secure software is very difficult. This program with the extensive documentation is your friendly security colleague!
+* Anyone who wants a simple way to get fast insight in possible security risks with Python packages or Python files.
-> [!WARNING]
-> Python Codeaudit is currently in *beta status*. Consider [contributing](CONTRIBUTING.md) to make Codeaudit the coolest open source Python SAST tool. Codeaudit is currently in a thorough testing phase. Use Python Codeaudit now and contribute to make it better!
 ## Features
-Python Codeaudit has the following features:
+Python Code Audit has the following features:
 * **Vulnerability Detection**: Identifies security vulnerabilities in Python files, essential for package security research.
 * **Complexity & Statistics**: Reports security-relevant complexity using a fast, lightweight [cyclomatic complexity](https://en.wikipedia.org/wiki/Cyclomatic_complexity) count via Python's AST.
-* **Module Usage & External Vulnerabilities**: Detects used modules and reports vulnerabilities in external ones.
+* **Module Usage & External Vulnerabilities**: Detects used modules and reports known vulnerabilities for used external modules.
 * **Inline Issue Reporting**: Shows potential security issues with line numbers and code snippets.
@@ -63,7 +60,7 @@ Python Codeaudit has the following features:
 > [!IMPORTANT]
-> Python Codeaudit uses the Python's Abstract Syntax Tree (AST) to get robust and reliable result. Using the Python AST makes contextual Vulnerability Detection possible and false positive are minimized.
+> Python Code Audit uses the Python's Abstract Syntax Tree (AST) to get robust and reliable result. Using the Python AST makes contextual Vulnerability Detection possible and false positive are minimized.
 ## Installation
@@ -78,7 +75,7 @@ or use:
 pip install -U codeaudit
 ```
-If you have installed Codeaudit in the past and want to make sure you use the latest checks and features.
+If you have installed Python `codeaudit` in the past and want to make sure you use the latest new validations and features.
 ## Usage
@@ -91,16 +88,13 @@ codeaudit
 This will show all commands:
 ```text
---------------------------------------------------
-   _____          _                      _ _ _
-  / ____|        | |                    | (_) |
- | |     ___   __| | ___  __ _ _   _  __| |_| |_
- | |    / _ \ / _` |/ _ \/ _` | | | |/ _` | | __|
- | |___| (_) | (_| |  __/ (_| | |_| | (_| | | |_
-  \_____\___/ \__,_|\___|\__,_|\__,_|\__,_|_|\__|
---------------------------------------------------
+----------------------------------------------------
+ _                    __             _
+|_) \/_|_|_  _ __    /   _  _| _    |_|    _| o _|_
+|   /  |_| |(_)| |   \__(_)(_|(/_   | ||_|(_| |  |_
+----------------------------------------------------
-Codeaudit - Modern Python source code analyzer based on distrust.
+Python Code Audit - A modern Python security source code analyzer based on distrust.
 Commands to evaluate Python source code:
 Usage: codeaudit COMMAND [PATH or FILE]  [OUTPUTFILE]
@@ -109,14 +103,15 @@ Depending on the command, a directory or file name must be specified. The output
 Commands:
   overview             Reports Complexity and statistics per Python file from a directory.
-  modulescan           Reports module information per file.
-  filescan             Reports potential security issues for a single Python file.
   directoryscan        Reports potential security issues for all Python files found in a directory.
-  checks               Generate an HTML report of all implemented codeaudit security checks.
-  version              Prints the module version. Use [-v] [--v] [-version] or [--version].
+  filescan             Reports potential security issues for a single Python file.
+  modulescan           Reports module information per file.
+  checks               Creates an HTML report of all implemented security checks.
+  version              Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].
-Use the [Codeaudit documentation](https://nocomplexity.com/documents/codeaudit/intro.html) to check the security of Python programs and make your Python programs more secure!
+Use the Codeaudit documentation to check the security of Python programs and make your Python programs more secure!
 Check https://simplifysecurity.nocomplexity.com/
 ```
 ## Example

{codeaudit-0.9.3 → codeaudit-1.0.0}/README.md RENAMED Viewed

@@ -7,28 +7,25 @@
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10970/badge)](https://www.bestpractices.dev/projects/10970)
 [![PyPI Downloads](https://static.pepy.tech/badge/codeaudit)](https://pepy.tech/projects/codeaudit)
-Python Codeaudit - A modern Python source code analyzer based on distrust.
+Python Code Audit - A modern Python source code analyzer based on distrust.
-Codeaudit is a tool to find security issues in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy.
+Python Code Audit is a tool to find **security issues** in Python code. This static application security testing (SAST) tool has **great** features to simplify the necessary security tasks and make it fun and easy.
 This tool is created for:
-* Anyone who want or must check security risks with Python programs.
-* Anyone who loves to create functionality using Python. So not only professional programs , but also occasional Python programmers or programmers who are used to working with other languages.
-* Anyone who wants an easy way to get insight in possible security risks Python programs.
+* Users of Python programs who want to known the security risks of the used Python code.
+* Anyone who loves to create Python programs and want to deliver Python code without vulnerabilities. So this tool is not only professional programs, but also occasional Python programmers. Creating secure software is very difficult. This program with the extensive documentation is your friendly security colleague!
+* Anyone who wants a simple way to get fast insight in possible security risks with Python packages or Python files.
-> [!WARNING]
-> Python Codeaudit is currently in *beta status*. Consider [contributing](CONTRIBUTING.md) to make Codeaudit the coolest open source Python SAST tool. Codeaudit is currently in a thorough testing phase. Use Python Codeaudit now and contribute to make it better!
 ## Features
-Python Codeaudit has the following features:
+Python Code Audit has the following features:
 * **Vulnerability Detection**: Identifies security vulnerabilities in Python files, essential for package security research.
 * **Complexity & Statistics**: Reports security-relevant complexity using a fast, lightweight [cyclomatic complexity](https://en.wikipedia.org/wiki/Cyclomatic_complexity) count via Python's AST.
-* **Module Usage & External Vulnerabilities**: Detects used modules and reports vulnerabilities in external ones.
+* **Module Usage & External Vulnerabilities**: Detects used modules and reports known vulnerabilities for used external modules.
 * **Inline Issue Reporting**: Shows potential security issues with line numbers and code snippets.
@@ -37,7 +34,7 @@ Python Codeaudit has the following features:
 > [!IMPORTANT]
-> Python Codeaudit uses the Python's Abstract Syntax Tree (AST) to get robust and reliable result. Using the Python AST makes contextual Vulnerability Detection possible and false positive are minimized.
+> Python Code Audit uses the Python's Abstract Syntax Tree (AST) to get robust and reliable result. Using the Python AST makes contextual Vulnerability Detection possible and false positive are minimized.
 ## Installation
@@ -52,7 +49,7 @@ or use:
 pip install -U codeaudit
 ```
-If you have installed Codeaudit in the past and want to make sure you use the latest checks and features.
+If you have installed Python `codeaudit` in the past and want to make sure you use the latest new validations and features.
 ## Usage
@@ -65,16 +62,13 @@ codeaudit
 This will show all commands:
 ```text
---------------------------------------------------
-   _____          _                      _ _ _
-  / ____|        | |                    | (_) |
- | |     ___   __| | ___  __ _ _   _  __| |_| |_
- | |    / _ \ / _` |/ _ \/ _` | | | |/ _` | | __|
- | |___| (_) | (_| |  __/ (_| | |_| | (_| | | |_
-  \_____\___/ \__,_|\___|\__,_|\__,_|\__,_|_|\__|
---------------------------------------------------
+----------------------------------------------------
+ _                    __             _
+|_) \/_|_|_  _ __    /   _  _| _    |_|    _| o _|_
+|   /  |_| |(_)| |   \__(_)(_|(/_   | ||_|(_| |  |_
+----------------------------------------------------
-Codeaudit - Modern Python source code analyzer based on distrust.
+Python Code Audit - A modern Python security source code analyzer based on distrust.
 Commands to evaluate Python source code:
 Usage: codeaudit COMMAND [PATH or FILE]  [OUTPUTFILE]
@@ -83,14 +77,15 @@ Depending on the command, a directory or file name must be specified. The output
 Commands:
   overview             Reports Complexity and statistics per Python file from a directory.
-  modulescan           Reports module information per file.
-  filescan             Reports potential security issues for a single Python file.
   directoryscan        Reports potential security issues for all Python files found in a directory.
-  checks               Generate an HTML report of all implemented codeaudit security checks.
-  version              Prints the module version. Use [-v] [--v] [-version] or [--version].
+  filescan             Reports potential security issues for a single Python file.
+  modulescan           Reports module information per file.
+  checks               Creates an HTML report of all implemented security checks.
+  version              Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].
-Use the [Codeaudit documentation](https://nocomplexity.com/documents/codeaudit/intro.html) to check the security of Python programs and make your Python programs more secure!
+Use the Codeaudit documentation to check the security of Python programs and make your Python programs more secure!
 Check https://simplifysecurity.nocomplexity.com/
 ```
 ## Example

{codeaudit-0.9.3 → codeaudit-1.0.0}/docs/CONTRIBUTE.md RENAMED Viewed

@@ -4,6 +4,7 @@ Great that you want to contribute!
 :::{tip}
 All contributions are welcome!
 Think of corrections on the manual, code and more or better tests.
 :::

{codeaudit-0.9.3 → codeaudit-1.0.0}/docs/_toc.yml RENAMED Viewed

@@ -26,6 +26,7 @@ parts:
     - file: checks/chmod_check
     - file: checks/binding_check
     - file: checks/directorycreation_check
+    - file: checks/dynamicimport_check
     - file: checks/exception_check
     - file: checks/tarfile_extract_check
     - file: checks/hash_check
@@ -48,11 +49,12 @@ parts:
 - caption: Architecture
   chapters:
-  # - file: astlines
+  #- file: astlines
   # - file: astlines2
   - file: complexitycheck
   - file: warnings
   - file: codeauditcommands
+  - file: changelog

{codeaudit-0.9.3 → codeaudit-1.0.0}/docs/astlines.md RENAMED Viewed

@@ -1,9 +1,18 @@
-# AST Lines for code complexity
+# Why use AST for code complexity
 A simple way to count the number of lines of a file can be done with various unix commands.
-Simple is to use the `wc` command. However counting lines is different from counting AST lines in a Python program.
+Simple is to use the `wc` command.
+But counting code lines is different than counting AST lines in a Python program.
+:::{note}
+AST lines give **good** indication for the complexity of a Python program.
+And complexity is the enemy of security!
+So a low number for complexity has several advantages from a security perspective!
+:::
-AST lines are needed to give a more precise indication of the complexity of a Python program.
 To explain the difference between an **AST line** (as counted by the provided `count_ast_lines` function) and a **line counted by the Unix `wc` command**, let’s break it down:

codeaudit-1.0.0/docs/changelog.md ADDED Viewed

@@ -0,0 +1,4 @@
+# Change Log
+```{include} ../CHANGELOG.md
+```

{codeaudit-0.9.3 → codeaudit-1.0.0}/docs/checks/builtinfunctions_check.md RENAMED Viewed

@@ -8,6 +8,21 @@ The Python built-in functions:
 * `compile`
 Should always be reviewed within the full context. By default use of this function is a **red** alert from a security perspective.
+Python Code Audit checks also on Builtin that are 'hidden':
+* Confusable homoglyphs like: `ℯ𝓍ℯ𝒸("print(2 + 2)")` Statements are detected.
+* Obfuscating usage of builtins module calls of `eval`, `exec` and `compile` like:
+```python
+import builtins
+b = builtins
+b.exec("2+2")
+```
+Or
+```python
+code_obj = d.compile('x = 5*5\nprint(x)', '<string>', 'exec')
+result = d.exec(code_obj)  #Input should not be obfuscated. Code Audit will detect this!
+```
 ## Why check on `eval`

codeaudit-1.0.0/docs/checks/dynamicimport_check.md ADDED Viewed

@@ -0,0 +1,42 @@
+# Dynamic Import Statements
+Using dynamic imports are a potential security issues.
+Especially if you can not validate upfront what is imported.
+Python Code Audit checks on:
+* `__import__`: This builtin function SHOULD never be used anymore. This is an advanced function that is not needed in everyday Python programming.
+* `importlib.import_module` use. Using this function should be validated upfront.
+Using the dynamic imports can be a potential security issue, especially when the module name comes from an untrusted source. Often modules are fetches from internet or are imported by cleaver user input constructs in the code. But an attacker could also import the `os` module and then find a way to call functions to run commands on the system.
+:::{caution}
+Allowing dynamically module imports makes it easy to execute arbitrary code.
+:::
+:::{tip}
+If the Python code or package really must use dynamic module input:
+Use:
+`importlib.import_module()`
+This offers a better way to handle dynamic imports. Avoid using `__import__`.
+:::
+* `importlib.import_module()` is part of the standard library's importlib module, which is the modern way to interact with Python's import system programmatically. Its name clearly indicates its purpose, unlike `__import__()`, which looks like a "magic method" and is often a last resort or still found in old Python programs.
+* Using `importlib.import_module()` keeps dynamic import logic contained within the `importlib module`, which is maintained by the core Python developers. This is from a security point of view  preferred over directly using the low-level built-in function `__import__`.
+## Mitigation
+There is always a security risk when `importlib.import_module()` is used.
+Possible mitigations:
+* **ALWAYS** use the Python Code Audit `modulescan` option for all modules within a file.
+* Check and understand what will be imported and what security risks are involved. You **MUST** never trust that dynamic imports are safe. Most are not!
+* Check if your Python program has or needs an API to download dynamic imports.
+* If you do not trust it: Call a security expert to help you! See the [sponsor](../sponsors) page for companies that could help you!
+## References
+* https://docs.python.org/3/library/functions.html#import__

{codeaudit-0.9.3 → codeaudit-1.0.0}/docs/checks/shutil_check.md RENAMED Viewed

@@ -13,9 +13,10 @@ Other implemented checks on `shutil` module methods:
 * shutil.copy2
 * shutil.copytree
 * shutil.chown
+* shutil.rmtree
 Note:
-* `shutil.rmtree` can be dangerous. However this call is/will be depreciated within the `shutil` module. So codeaudit will not check on this construct.
+* `shutil.rmtree` can be dangerous. However this call is/will be depreciated within the `shutil` module. For now Python Code Audit will check on usage.
 ## More information

codeaudit-1.0.0/docs/checks/zipfile_check.md ADDED Viewed

@@ -0,0 +1,56 @@
+# Zipfiles extraction
+When using the Python module `zipfile` there is a risk processing maliciously prepared `.zip files`. This can availability issues due to storage exhaustion.
+Validations are done on `zipfile` methods:
+* `.extractall`
+* `.open` and more.
+And the methods:
+* `gzip.open`
+* `bz2.open`
+* `bz2.BZ2File`
+* `lzma.open`
+* `lzma.LZMAFile`
+* `shutil.unpack_archive`
+## Potential danger when opening compressed files
+When using `gzip.open` or equivalent the potential security issue is related to resource consumption if the file is untrusted.
+:::{caution}
+Never extract archives from untrusted sources without prior inspection!
+It is possible that files are created outside of the path specified in the extract_dir argument, e.g. members that have absolute filenames starting with “/” or filenames with two dots “..”.
+:::
+This accounts also for using `bz2`, `lzma` , `shutil.unpack_archive` or `tar` compressed files. All these great Python functions that can decompress files require defense in depth to be sure that only trusted files can be opened.
+This can lead to:
+* **Denial of Service via Resource Exhaustion**
+If a gzip file is controlled by a malicious user, they could create a highly compressed file that expands to an enormous size when decompressed. This is known as a "zip bomb."
+Such `gzip` file could quickly consume all of the system's available RAM, causing the application to crash or the server to become unresponsive. This is a common attack vector when processing user-uploaded or external compressed files.
+* **Potential Path Traversal**
+A path traversal vulnerability could arise if the file in the `gzip` file is constructed from user input. For example, if the path came from a web request, a user could provide a path like ../../../../etc/passwd.gz to access sensitive files outside of the intended directory. This is a critical security consideration for any code that handles file paths based on external data that is decompressed with `gzip.open`.
+## Possible measures
+1. Make sure by design that these Python functions  will  **Only decompress files from trusted sources**
+2. Set a limit for the  decompression size. This is not simple and always possible! The Python `lzma` library does not have a built-in parameter to do this directly. You would need to read the data in fixed-size chunks and check the total size as you go, raising an error if it exceeds a predefined limit.
+3. Check File Metadata: If possible, check the uncompressed size of the file from its header before starting the decompression. While not all formats contain this information, it can be a useful first check. **Note: This mitigation measurement should NEVER be used without other safeguards**
+4. Resource Monitoring: Monitor your application's memory,  CPU and resource usage during the decompression process and terminate it if it begins to consume an unusual amount of resources. Note that this measurement is not fail-safe!
+## More information
+* https://docs.python.org/3/library/zipfile.html#zipfile-resources-limitations
+* https://docs.python.org/3/library/gzip.html
+* https://docs.python.org/3/library/bz2.html#bz2.open
+* https://docs.python.org/3/library/shutil.html

{codeaudit-0.9.3 → codeaudit-1.0.0}/docs/codeauditcommands.md RENAMED Viewed

@@ -1,17 +1,14 @@
 % THIS FILE IS GENERATED! - Use CLIcommands.ipynb to make it better!
 # Overview of Codeaudit commands
-Codeaudit commands for: version: 0.9.2
+Codeaudit commands for: version: 0.10.0
 ```
---------------------------------------------------
-   _____          _                      _ _ _
-  / ____|        | |                    | (_) |
- | |     ___   __| | ___  __ _ _   _  __| |_| |_
- | |    / _ \ / _` |/ _ \/ _` | | | |/ _` | | __|
- | |___| (_) | (_| |  __/ (_| | |_| | (_| | | |_
-  \_____\___/ \__,_|\___|\__,_|\__,_|\__,_|_|\__|
---------------------------------------------------
+----------------------------------------------------
+ _                    __             _
+|_) \/_|_|_  _ __    /   _  _| _    |_|    _| o _|_
+|   /  |_| |(_)| |   \__(_)(_|(/_   | ||_|(_| |  |_
+----------------------------------------------------
-Codeaudit - Modern Python source code analyzer based on distrust.
+Python Code Audit - A modern Python security source code analyzer based on distrust.
 Commands to evaluate Python source code:
 Usage: codeaudit COMMAND [PATH or FILE]  [OUTPUTFILE]
@@ -23,8 +20,8 @@ Commands:
   directoryscan        Reports potential security issues for all Python files found in a directory.
   filescan             Reports potential security issues for a single Python file.
   modulescan           Reports module information per file.
-  checks               Generate an HTML report of all implemented codeaudit security checks.
-  version              Prints the module version. Use [-v] [--v] [-version] or [--version].
+  checks               Creates an HTML report of all implemented security checks.
+  version              Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].
 Use the Codeaudit documentation to check the security of Python programs and make your Python programs more secure!
 Check https://simplifysecurity.nocomplexity.com/
@@ -118,7 +115,7 @@ errors defaults to 'strict'.
 ## codeaudit checks
 ```text
-Generate an HTML report of all implemented codeaudit security checks.
+Creates an HTML report of all implemented security checks.
 This report provides a user-friendly overview of the static security checks
 currently supported by codeaudit. It is intended to make it easier to review
@@ -148,7 +145,7 @@ errors defaults to 'strict'.
 ```
 ## codeaudit version
 ```text
-Prints the module version. Use [-v] [--v] [-version] or [--version].str(object='') -> str
+Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].str(object='') -> str
 str(bytes_or_buffer[, encoding[, errors]]) -> str
 Create a new string object from the given object. If encoding or

{codeaudit-0.9.3 → codeaudit-1.0.0}/docs/complexitycheck.md RENAMED Viewed

@@ -1,4 +1,4 @@
-# Codeaudit complexity Check
+# Complexity Check
 The Python `codeaudit` tool implements a Simple Cyclomatic complexity check.

{codeaudit-0.9.3 → codeaudit-1.0.0}/docs/warnings.md RENAMED Viewed

@@ -1,6 +1,6 @@
-# Handling warnings
+# Warnings
-Codeaudit captures warnings.
+Code Audit captures Python warnings.
 But:
 :::{caution}

{codeaudit-0.9.3 → codeaudit-1.0.0}/src/codeaudit/__about__.py RENAMED Viewed

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2025-present Maikel Mardjan <mike@bm-support.org>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
-__version__ = "0.9.3"
+__version__ = "1.0.0"

{codeaudit-0.9.3 → codeaudit-1.0.0}/src/codeaudit/codeaudit.py RENAMED Viewed

@@ -18,26 +18,23 @@ from codeaudit import __version__
 from codeaudit.reporting import overview_report ,report_module_information ,file_scan_report , directory_scan_report , report_implemented_tests
 codeaudit_ascii_art=r"""
---------------------------------------------------
-   _____          _                      _ _ _
-  / ____|        | |                    | (_) |
- | |     ___   __| | ___  __ _ _   _  __| |_| |_
- | |    / _ \ / _` |/ _ \/ _` | | | |/ _` | | __|
- | |___| (_) | (_| |  __/ (_| | |_| | (_| | | |_
-  \_____\___/ \__,_|\___|\__,_|\__,_|\__,_|_|\__|
---------------------------------------------------
+----------------------------------------------------
+ _                    __             _
+|_) \/_|_|_  _ __    /   _  _| _    |_|    _| o _|_
+|   /  |_| |(_)| |   \__(_)(_|(/_   | ||_|(_| |  |_
+----------------------------------------------------
 """
 def display_version():
-    """Prints the module version. Use [-v] [--v] [-version] or [--version]."""
+    """Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version]."""
     print(f"version: {__version__}")
 def display_help():
     """Shows detailed help for using codeaudit tool."""
     print(codeaudit_ascii_art)
-    print("Codeaudit - Modern Python source code analyzer based on distrust.\n")
+    print("Python Code Audit - A modern Python security source code analyzer based on distrust.\n")
     print("Commands to evaluate Python source code:")
     print('Usage: codeaudit COMMAND [PATH or FILE]  [OUTPUTFILE] \n')
     print('Depending on the command, a directory or file name must be specified. The output is a static HTML file to be examined in a browser. Specifying a name for the output file is optional.\n')
@@ -66,6 +63,7 @@ def main():
                 "filescan" : file_scan_report,
                 "directoryscan" : directory_scan_report,
                 "checks" : report_implemented_tests,
+                "version" : display_version,
                 "-help": display_help,
             }
         )

{codeaudit-0.9.3 → codeaudit-1.0.0}/src/codeaudit/data/sastchecks.csv RENAMED Viewed

@@ -12,8 +12,10 @@ Check on eval usage,eval,High,This function can executes arbitrary code.
 Check on input statement,input,Low,Use of input requires strict sanitizing and validation.
 Exception Handling,pass,Low,Too broad exception handling risk when not used correctly.
 Exception Handling- Continue statement,continue,Low,Too broad exception handling risk when not used correctly.
-Built-in Functions: Check for exec usage.,exec,High,This built-in function can execute code you do not want and/or aware of. So check and validate if it is used correct.
+Built-in Functions: Check for exec usage.,exec,High,This built-in function can execute code you do not want. Check and refuse using dynamic contructs within exec you can not validate upfront.
 Built-in Functions: Check on compile usage.,compile,High,It is possible to crash the Python interpreter when using this function.
+Use of dynamic Imports,__import__,Medium,"Validate the what is imported and only allow of known, safe modules."
+Use of dynamic Imports,importlib.import_module,Medium,"Validate the what is imported and only allow of known, safe modules."
 Hash Check - md5,hashlib.md5,High,Use of insecure hashing algorithms detected.
 Hash Check -sha1,hashlib.sha1,High,Use of insecure hashing algorithms detected.
 Logging - configuration ,logging.config,Low,Potential security issues can arise with parsing objects and incorrect sanitizing.
@@ -55,10 +57,15 @@ Multiprocessing ,connection.recv,High,Connection.recv() uses pickle
 Multiprocessing ,multiprocessing.connection.Connection,High,Connection.recv() uses pickle
 Zipfile,zipfile.ZipFile,High,Extracting files within a program should never be trusted by default. This issue is detected when the zipfile and/or tarfile module with an extraction method is used.
 Gzip,gzip.open,Medium,Potential resource consumption if the file is untrusted.
+bz2 use,bz2.open,Medium,Potential resource consumption if bz2 compressed file is untrusted.
+bz2 class use,bz2.BZ2File,Medium,Potential risk with bz2 class when decompressing data from untrusted or unknown source.
+lzma use,lzma.open,Medium,Potential risk with lzma when decompressing data from untrusted or unknown source.
+lzma class use,lzma.LZMAFile,Medium,Potential risk with lzma class when decompressing data from untrusted or unknown source.
 shutil,shutil.unpack_archive,Medium,Extracting files within a program should not be trusted by default.
 shutil,shutil.copy,Medium,Information can be transfered without permission.
 shutil,shutil.copy2,Medium,Information can be transfered without permission.
 shutil,shutil.copytree,Medium,Information can be transfered without permission.
 shutil,shutil.chown,Medium,Programs should not change access rights on files they do not own.
+shutil,shutil.rmtree,Medium,Risk on path traversal attack.
 HTTP servers: Check on usage.,http.server.BaseHTTPRequestHandler,High,Insecure for production use.
 HTTP servers: Check on usage.,http.server.HTTPServer,High,Insecure for production use.

{codeaudit-0.9.3 → codeaudit-1.0.0}/src/codeaudit/issuevalidations.py RENAMED Viewed

@@ -35,8 +35,7 @@ def find_constructs(source_code, constructs_to_detect):
     """
     with warnings.catch_warnings():  # Suppression of warnings
         warnings.simplefilter("ignore", category=SyntaxWarning)
-        tree = ast.parse(source_code)
+        tree = ast.parse(source_code)
         results = defaultdict(list)
         seen = set()  # (construct, lineno) pairs already counted
@@ -70,9 +69,16 @@ def find_constructs(source_code, constructs_to_detect):
                     full_resolved = resolved_prefix + full[len(prefix) :]
                     if full_resolved in constructs_to_detect:
                         construct = full_resolved
-                    elif node.func.attr in ('extractall', 'extract') and 'tarfile' in core_modules:   #note only in combination with tarfile import or alias - see step 1
-                        #construct = full_resolved
+                    elif node.func.attr in ('extractall', 'extract') and 'tarfile' in core_modules: #note only in combination with tarfile module or alias,see step1
                         construct = 'tarfile.TarFile'
+                    elif node.func.attr in ('eval') and 'builtins' in core_modules:   #catch obfuscating eval construct with builtins module
+                        construct = 'eval'
+                    elif node.func.attr in ('exec') and 'builtins' in core_modules:   #catch obfuscating exec construct with builtins module
+                        construct = 'exec'
+                    elif node.func.attr in ('input') and 'builtins' in core_modules:   #catch obfuscating construct with builtins module
+                        construct = 'input'
+                    elif node.func.attr in ('compile') and 'builtins' in core_modules:   #catch obfuscating construct with builtins module
+                        construct = 'compile'
                 elif isinstance(func, ast.Name):
                     resolved = alias_map.get(func.id, func.id)
                     if resolved in constructs_to_detect:

codeaudit 0.9.3__tar.gz → 1.0.0__tar.gz

codeaudit 0.9.3tar.gz → 1.0.0tar.gz