codeaudit 1.3.0__tar.gz → 1.4.0__tar.gz

{codeaudit-1.3.0 → codeaudit-1.4.0}/CHANGELOG.md

@@ -1,7 +1,28 @@
 # Change Log
 
+## Version 1.4: Changes and Updates
 
 
+🚀 New Features and Enhancements
+Direct PyPI Package Scanning: You can now directly scan packages hosted on PyPI from the command line interface (CLI).
+
+* Usage: Use the existing codeaudit filescan command followed by the package name.
+
+Example: `codeaudit filescan [package_name]`
+
+Consult the [documentation](https://nocomplexity.com/documents/codeaudit/intro.html#) for full details.
+
+* HTML Report Text Improvement: The text content and clarity of the generated HTML reports have been enhanced for better readability.
+
+🛡️ Security Validation Updates
+New Weakness Detection (Python 3.14+): Added a new validation rule to detect potential weaknesses when using the newly added compression.zstd module (available in Python 3.14 and later).
+
+The scanner now specifically flags cases where compression.zstd is used for decompressing or opening a zstd compressed archive.
+
+🐛 Bug Fixes and Documentation
+* Documentation Correction: Corrected and improved the help text for the API call get_construct_counts().
+And many small improvements on the manual to assist you better with outlining risks on found weaknesses and possible mitigations. 
+
 
 ## Version 1.3: Changes and Updates
 

{codeaudit-1.3.0 → codeaudit-1.4.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeaudit
-Version: 1.3.0
+Version: 1.4.0
 Summary: Simplified static security checks for Python 
 Project-URL: Documentation, https://github.com/nocomplexity/codeaudit#readme
 Project-URL: Issues, https://github.com/nocomplexity/codeaudit/issues

{codeaudit-1.3.0 → codeaudit-1.4.0}/docs/_toc.yml

@@ -47,7 +47,7 @@ parts:
     - file: checks/xml_check
     - file: checks/zipfile_check
     - file: checks/shutil_check
-
+  - file: securecoding
 
 - caption: Architecture 
   chapters:     

{codeaudit-1.3.0 → codeaudit-1.4.0}/docs/checks/base64_check.md

@@ -1,11 +1,19 @@
 # Base64 Statements
 
-Codeaudit checks on use of:
-*  Base64 Encoding / Decoding
+Python Code Audit checks for obfuscated text, particularly content encoded with `base64`:
 
-The `base64` module requires specific security considerations.
+*  `base64` Encoding / Decoding.
 
-It’s recommended to review the security considerations for any code deployed to production using `base64` encoding.
+
+## Rationale
+
+
+Obfuscation is a long-standing and straightforward technique often used to conceal malicious code within Python projects. This technique allows attackers to easily hide malware within Python programs.
+
+The presence of obfuscated content is atypical in well-structured, non-malicious Python code and is a significant indicator of potential security risks.
+
+
+It’s recommended to review any code deployed to production using `base64` encoding. **Python Code Audit** does this automatically.
 
 Security considerations section from RFC 4648 (section 12):
 
@@ -50,4 +58,5 @@ Security Considerations
 ## More information
 
 * https://docs.python.org/3/library/base64.html#base64-security
-* https://datatracker.ietf.org/doc/html/rfc4648.html#page-14 
+* https://datatracker.ietf.org/doc/html/rfc4648.html#page-14 
+* [Base64 Malleability in Practice](https://eprint.iacr.org/2022/361.pdf)

{codeaudit-1.3.0 → codeaudit-1.4.0}/docs/checks/builtinfunctions_check.md

@@ -127,12 +127,69 @@ Using this construct can still crash the Python interpreter due to stack depth l
 
 * Avoid using `eval`,`exec` and `compile`: Find a secure way by design, so rethink your design again from a security perspective. There is always a better and safer solution.
 
+* Use a battle-tested safe expression evaluator.
+
+* Rethink the architecture to eliminate exec(), which introduces unnecessary risk.
+
+* For in-browser sandboxing, use Pyodide (e.g., via JupyterLite)(https://jupyterlite.readthedocs.io/en/latest/ ).
+
+* Call Functions or Methods by Name (String Input)
+If a function needs to be called based on a string name (e.g., from user input), store the functions in a dictionary and look them up by key. Avoid:
+```python
+func_name = input("Enter function to run: ")
+exec(f"{func_name}()")
+```
+
+Recommended Alternative (Dictionary of Functions):
+
+```python
+def greet():
+    print("Hello!")
+
+def quit_app():
+    import sys
+    sys.exit()
+
+available_functions = {
+    "greet": greet,
+    "quit": quit_app
+}
+
+func_name = input("Enter function to run (greet or quit): ")
+if func_name in available_functions:
+    available_functions[func_name]()
+else:
+    print("Unknown function")
+```
+
+* For evaluating simple, safe expressions, use ast.literal_eval() which safely evaluates basic Python literals without allowing full code execution.
+Avoid:
+```
+exec("import os; os.system('your_command')")
+```
+Recommended Alternative (`ast.literal_eval`):
+```python
+import ast
+user_input = "(2 + 3) * 5"
+try:
+    result = ast.literal_eval(user_input)
+    print(result)
+except (ValueError, SyntaxError):
+    print("Invalid input")
+```
+
+
 
 
 ## More information
 
+* [CWE-94: Improper Control of Generation of Code ('Code Injection')](https://cwe.mitre.org/data/definitions/94.html)
 * https://docs.python.org/3/library/functions.html#eval 
 
 * https://docs.python.org/3/library/functions.html#exec
 
-* https://docs.python.org/3/library/functions.html#compile
+* https://docs.python.org/3/library/functions.html#compile
+
+* [CVE-2025-3248 Detail](https://nvd.nist.gov/vuln/detail/CVE-2025-3248)
+
+* [CVE-2025-3248 – Unauthenticated Remote Code Execution in Langflow via Insecure Python exec Usage](https://www.offsec.com/blog/cve-2025-3248/)

codeaudit-1.4.0/docs/checks/random_check.md

@@ -0,0 +1,67 @@
+# Random Statement 
+
+Python Code Audit checks on use of the `random` module. Checks are done for:
+* `random.seed` 
+* `random.Random`
+* `random.randbytes`
+* `random.randint`
+* `random.random`
+* `random.randrange`
+* `random.seed`
+* `random.triangular` and
+* `random.uniform`
+
+Too often these functions are not used in the right way!
+
+The pseudo-random generators of the module `random` should **not** be used for security purposes. 
+However this is still too often neglected. 
+
+Normal `random` use is only acceptable if the Python code is not used for security or cryptographic purposes.
+
+## Rationale
+
+The `random` module in Python is not safe for security or cryptographic purposes, such as generating session tokens, encryption keys, or passwords.
+
+This is because the `random` module uses a pseudo-random number generator (PRNG) called the Mersenne Twister. This algorithm is deterministic. If an attacker can observe a sufficient amount of its output, they can completely determine its internal state (the seed) and accurately predict all future and even past values.
+
+The `random` module is specifically designed for non-security-sensitive applications like simulations, statistical modeling, and simple games, prioritizing speed and good statistical distribution over true unpredictability.
+
+For all security-sensitive tasks, you must use the `secrets` module, which relies on a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) provided by the operating system.
+
+
+## Preventive measures
+
+- For security or cryptographic uses, **never** use the `random` module but use the `secrets` module.
+
+- Use `random.SystemRandom` for random numbers, but this function is not available on all systems.
+
+
+## Example
+
+```python
+"""Problematic code using random module"""
+import random
+
+browser_cookie = random.randint(min_value, max_value)
+```
+
+To improve this code:
+Use the  `SystemRandom` class. This class uses the system function `os.urandom()` to generate random numbers from sources provided by the operating system.
+
+```python
+from random import SystemRandom
+safe_random = SystemRandom()
+
+browser_cookie = safe_random.randint(min_value, max_value)
+```
+
+
+## More information
+
+* https://docs.python.org/3/library/random.html
+* https://docs.python.org/3/library/secrets.html#module-secrets
+* [ CWE-330: Use of Insufficiently Random Values](https://cwe.mitre.org/data/definitions/330.html)
+* [CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)](https://cwe.mitre.org/data/definitions/338.html)
+* [CVE-2022-23472](https://nvd.nist.gov/vuln/detail/CVE-2022-23472)
+* [PEP 506 – Adding A Secrets Module To The Standard Library](https://peps.python.org/pep-0506/)
+* https://www.codiga.io/blog/python-avoid-random/

{codeaudit-1.3.0 → codeaudit-1.4.0}/docs/checks/zipfile_check.md

@@ -14,6 +14,8 @@ And the methods:
 * `lzma.open` 
 * `lzma.LZMAFile` 
 * `shutil.unpack_archive`
+* `compression.zstd.decompress`
+* `compression.zstd.open`
 
 ## Potential danger when opening compressed files
 
@@ -27,7 +29,7 @@ It is possible that files are created outside of the path specified in the extra
 :::
 
 
-This accounts also for using `bz2`, `lzma` , `shutil.unpack_archive` or `tar` compressed files. All these great Python functions that can decompress files require defense in depth to be sure that only trusted files can be opened.
+This accounts also for using `bz2`, `lzma` , `shutil.unpack_archive`,  `tar` or `zstd` compressed files. All these great Python functions that can decompress files require defense in depth to be sure that only trusted files can be opened.
 
 This can lead to:
 * **Denial of Service via Resource Exhaustion**
@@ -53,4 +55,7 @@ A path traversal vulnerability could arise if the file in the `gzip` file is con
 * https://docs.python.org/3/library/zipfile.html#zipfile-resources-limitations
 * https://docs.python.org/3/library/gzip.html
 * https://docs.python.org/3/library/bz2.html#bz2.open
-* https://docs.python.org/3/library/shutil.html
+* https://docs.python.org/3/library/shutil.html
+* [PEP 784 on zstd](https://peps.python.org/pep-0784/)
+* [CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)](https://cwe.mitre.org/data/definitions/409.html)
+* [urllib3 Streaming API improperly handles highly compressed data](https://www.cve.org/CVERecord?id=CVE-2025-66471)

{codeaudit-1.3.0 → codeaudit-1.4.0}/docs/codeauditcommands.md

@@ -1,6 +1,6 @@
 % THIS FILE IS GENERATED! - Use CLIcommands.ipynb to make it better!
 # Commands Overview
-Python Code Audit commands for: version: 1.2.0
+Python Code Audit commands for: version: 1.3.0
 ```
 ----------------------------------------------------
  _                    __             _             
@@ -17,7 +17,7 @@ Depending on the command, a directory or file name must be specified. The output
 
 Commands:
   overview             Reports complexity and statistics for Python files in a project directory.
-  filescan             Scans Python projects/files, reporting potential security weaknesses.
+  filescan             Scans Python code or packages on PyPI.org on security weaknesses.
   modulescan           Reports module vulnerability information.
   checks               Creates an HTML report of all implemented security checks.
   version              Prints the module version. Or use codeaudit [-v] [--v] [-version] or [--version].
@@ -59,7 +59,7 @@ errors defaults to 'strict'.
 ```
 ## Code Audit filescan
 ```text
-Scans Python projects/files, reporting potential security weaknesses.
+Scans Python code or packages on PyPI.org on security weaknesses.
     
 This function performs security validations on the specified file or directory, 
 formats the results into an HTML report, and writes the output to an HTML file. 

{codeaudit-1.3.0 → codeaudit-1.4.0}/docs/complexitycheck.md

@@ -1,27 +1,50 @@
 # Complexity Check
 
-The Python `codeaudit` tool implements a Simple Cyclomatic complexity check.
+**Python Code Audit** implements a Simple Cyclomatic Complexity check, operating on the principle that secure systems are simple systems.
+
+
+Complexity directly impacts security. Simple systems are:
+
+* Maintainable: Easier to change and manage.
+
+* Reliable: Less prone to logic errors.
+
+* Testable: Easier to validate and test.
+
+**Python Code Audit** tool calculates the complexity per file and provides a module-level overview to help you track this metric.
+
+
+
+:::{tip} 
+**Embrace Simplicity**
+
+* Keep your architecture simple. 
+
+* Prefer straightforward designs over complex, highly specific ones. 
+
+This ensures your code is easy for others to read, manage, and change. Practice and use the [0complexity principles](https://nocomplexity.com/documents/0complexity/abstract.html)
+
+:::
+
 
 
 [Cyclomatic complexity](https://en.wikipedia.org/wiki/Cyclomatic_complexity) is a software metric used to indicate the complexity of a program. It was developed by Thomas J. McCabe, Sr. in 1976. 
 
-Calculating the Cyclomatic complexity for Python sources is complex to do right. And seldom needed! Most implementations for calculating a very thorough Cyclomatic Complexity end up being opinionated sooner or later.
+Calculating the cyclomatic complexity for Python source code is difficult to do accurately. Most implementations aiming for a thorough complexity score eventually become somewhat subjective or opinionated.
 
 :::{note} 
 Codeaudit takes a pragmatic and simple approach to determine and calculate the complexity of a source file.
 
-**BUT:**
-The Complexity Score that Codeaudit presents gives a **good and solid** representation for the complexity of a Python source file.
+The Complexity Score that Python Code Audit** presents gives a **good and solid** representation for the complexity of a Python source file.
 :::
 
 
-But I known the complexity score is not an exact exhaustive cyclomatic complexity measurement.
 
 
-The complexity is determined per file, and not per function within a Python source file. I have worked long ago with companies that calculated [function points](https://en.wikipedia.org/wiki/Function_point) for software that needed to be created or adjusted. Truth is: Calculating exact metrics about complexity for software code projects is a lot of work, is seldom done correctly and are seldom used with nowadays devops or scrum development teams. 
+The complexity is determined per file, and not per function within a Python source file. I have worked with companies that calculated [function points](https://en.wikipedia.org/wiki/Function_point) for systems that needed to be created or adjusted. Truth is: Calculating exact metrics about complexity for software code projects is a lot of work, is seldom done correctly and are seldom used with nowadays devops or scrum development teams. 
 
 
-:::{tip} 
+:::{note} 
 The complexity score of source code gives presented gives a solid indication from a security perspective.
 :::
 

{codeaudit-1.3.0 → codeaudit-1.4.0}/docs/examples/demoscan.json

@@ -1,7 +1,7 @@
 {
   "name": "Python_Code_Audit",
-  "version": "1.2.0",
-  "generated_on": "2025-10-15 15:23",
+  "version": "1.3.0",
+  "generated_on": "2025-12-13 15:38",
   "file_security_info": {
     "0": {
       "FileName": "demofile.py",

{codeaudit-1.3.0 → codeaudit-1.4.0}/docs/filescan.md

@@ -17,6 +17,11 @@ codeaudit filescan <INPUTFILE>  [OUTPUTFILE]
 The `<INPUTFILE>` is mandatory. **Python Code Audit** will create a detailed security scan report. 
 
 
+**`<INPUTFILE>`** can be:
+* A single Python file;
+* A package on PyPI.org: Python Code Audit checks this package on security weakness, so cloning the sources local is not needed!
+* A local directory with Python files, e.g. a local package development environment or a cloned package.
+
 If you do not specify [OUTPUTFILE], a HTML output file, a HTML report file is created in the current directory and will be named codeaudit-report.html.
 
 When running `codeaudit filescan` detailed information is determined for a Python file or package based on more than 70 validations implemented.

{codeaudit-1.3.0 → codeaudit-1.4.0}/docs/help.md

@@ -1,6 +1,6 @@
 # Help
 
-This Open Source tool is created to [simplifying cyber security](https://nocomplexity.com/documents/simplifysecurity/intro.html).
+This **Python Code Audit** Open Source(F/OSS) tool is created to [simplifying cyber security](https://nocomplexity.com/documents/simplifysecurity/intro.html).
 
 :::{hint} 
 Everyone can help with improving this tool!

{codeaudit-1.3.0 → codeaudit-1.4.0}/docs/howtoscan.md

@@ -24,9 +24,16 @@ Even if you already have it installed, it’s recommended to run the command aga
 
 
 
-## 2. Clone the Repository you want to scan
+## 2. Clone the Repository you want to scan or use the PyPI package name 
 
-To clone a repository:  
+### To scan a directory based on the PyPI package name:
+
+codeaudit filescanscan <package-name-of-package-on-PyPI> [OUTPUTFILE]
+
+
+### Or clone a repository:  
+
+For direct improvement and inspection of all code using your Python code editor, after examining the Code Audit weakness report:
 
 1. Go to the repository page (e.g., on GitHub).  
 2. Click the green **Code** button.  

{codeaudit-1.3.0 → codeaudit-1.4.0}/docs/project_philosophy.md

@@ -4,7 +4,9 @@ The rapid growth and increasing complexity of Python-based web applications and
 
 To strengthen cyber security, we must make protection both **better and simpler** — simpler to use, simpler to maintain, and simpler to understand.
 
-Too often, complex security tools end up **reducing security** rather than improving it. The goal should be to **do the simple things well** — ensuring strong fundamentals rather than adding unnecessary complexity.
+Too often, complex security tools end up **reducing security** rather than improving it. The goal should be to **do the simple things well** — ensuring strong fundamentals rather than adding unnecessary complexity. 
+
+We believe that openly sharing ideas, specifications, and other intellectual property is key to maximizing security innovation and reducing vulnerabilities in Python software components.
 
 Security validation for Python code should be **fast, straightforward, and effective**.
 

codeaudit-1.4.0/docs/securecoding.md

@@ -0,0 +1,116 @@
+# Secure Coding Guidelines
+
+Security breaches that are possible when running untrusted Python programs are real.  
+
+This checklist is created for anyone who wants to create Python programs that are [**secure by design**](https://nocomplexity.com/documents/securitybydesign/intro.html).
+
+Programming in Python is fun, but when you create programs for others, you **SHOULD NOT** introduce security weaknesses.  
+
+The key words **“MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”,** and **“OPTIONAL”** in this document are to be interpreted as described in [RFC 2119](http://tools.ietf.org/html/rfc2119).
+
+
+## Things to Do
+
+- **Input Validation:**  
+  All user input **MUST** be validated for type, size, and format, and **MUST** be sanitised before use.
+
++++
+
+- **Static Security Analysis:**  
+  A Static Application Security Test (**SAST**) **MUST** be performed before releasing the program.  
+  To minimize effort, it is **RECOMMENDED** to perform SAST automatically in the CI/CD workflow.  
+  The preferred SAST tool for Python is **[Python Code Audit](https://github.com/nocomplexity/codeaudit)**.
+
++++
+
+
+- **Addressing Weaknesses:**  
+  Weaknesses found by SAST tools **MUST** be addressed by taking mitigation measures such as:  
+  1. Rewriting the vulnerable code.  
+  2. Adding a clear comment line explaining why the reported issue is not relevant.  
+  3. Creating user documentation to notify users of potential risks.
+
++++
+
+- **Least Privilege Principle:**  
+  Programs **MUST** be designed and implemented according to the *principle of least privilege* for all functionality.
+
++++
+
+- **Dangerous Built-ins:**  
+  Avoid using Python built-in calls such as `compile()`, `eval()`, `exec()`, and `os.system()` to minimize security risks.
+
++++
+
+- **Secrets Management:**  
+  Hardcoded secrets **MUST NOT** be used.  
+  If secrets are required (e.g., for API keys), they **MUST** be handled securely in code and stored using a secure secret management mechanism.
+
++++
+
+- **Error Handling:**  
+  Errors and exceptions **MUST** be handled securely.  
+  Unhandled or verbose error messages can reveal sensitive information.
+
++++
+
+- **File System Security:**  
+  Secure functions from the `os` and `pathlib` modules **MUST** be used for handling file system paths.  
+  Functions such as `os.path.realpath()` **SHOULD** be used to resolve symbolic links and **MAY** help prevent path traversal attacks.
+
++++
+
+When using External Modules:
+- All imported modules **MUST** be checked for known vulnerabilities. This **SHOULD** be done using [**Python Code Audit**](modulescan). **Python Code Audit** tool  uses the OSV (Open Source Vulnerability Database). Or by searching using the **[NVD](https://nocomplexity.com/documents/securityarchitecture/protection/vulnerabilities-search.html)**.
+
+
+## Things to Avoid:
+
+- A developer **SHOULD NOT** design or implement custom encryption protocols.  
+  Designing encryption correctly requires specialized knowledge and skills.  
+  Many security breaches have resulted from the use of custom encryption algorithms.
+
++++
+
+- The Python `assert` statement **SHOULD NOT** be used in production code.  
+  Assertions are intended for debugging and development only.  
+  They can be disabled at runtime, and their use in production **MAY** introduce vulnerabilities. See also [this example](https://nocomplexity.com/stop-using-assert/).
+  
+
++++
+
+- The use of `subprocess.*` calls **SHOULD** be avoided whenever possible to prevent command injection vulnerabilities.
+
++++
+
+- The use of dynamic imports (e.g., importing modules dynamically at runtime) **SHOULD** be avoided, as this can lead to the execution of untrusted code.
+
++++
+
+- Extraction of untrusted or unknown archive files using `zipfile`, `lzma`, or `tarfile` **SHOULD** be avoided to prevent path traversal attacks.
+
++++
+
+- Secrets **SHOULD NOT** be stored in Python code or files that will be uploaded in a code repository.
+
++++
+
+ - `*pyc` files **SHOULD NOT** be checked in to source control. `pyc` files can contain secrets. Use a standard Python `.gitignore` file. Bad actors search for secrets in code, Python Bytecode (`.pyc` files ) and `.git` directories to find if a secret was ever uploaded in a source control system. 
+
+ +++
+
+
+:::{admonition} **Disclaimer**  
+:class: note
+
+These **Python Secure Coding Guidelines** are based on real-world breaches and [CWE](https://cwe.mitre.org/index.html) entries from the *Most Dangerous Software Weaknesses* list.  
+ 
+However, a checklist is never a substitute for critical thinking. Cybersecurity is inherently complex, and mistakes are unavoidable.  
+  
+The [use of AI tools](https://nocomplexity.com/documents/simplifysecurity/useaisolutions.html#ai-ml-for-cyber-security) for coding **DOES NOT** guarantee that your Python code is secure by default.
+:::
+
+
+:::{hint} 
+If you wish to provide feedback or suggest improvements to these guidelines, please open a [GitHub issue](https://github.com/nocomplexity/codeaudit). See also [section Help](help) if you want to contribute to this project!
+:::

{codeaudit-1.3.0 → codeaudit-1.4.0}/docs/userguide.md

@@ -1,4 +1,4 @@
-# Getting Started
+# Get Started
 
 ## Installation
 

{codeaudit-1.3.0 → codeaudit-1.4.0}/src/codeaudit/__about__.py

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2025-present Maikel Mardjan <mike@bm-support.org>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
-__version__ = "1.3.0"
+__version__ = "1.4.0"

{codeaudit-1.3.0 → codeaudit-1.4.0}/src/codeaudit/altairplots.py

@@ -117,3 +117,29 @@ def issue_plot(input_dict):
     )
 
     return chart
+
+
+def issue_overview(df):
+    """
+    Create an Altair arc (donut) chart from a DataFrame 
+    with 'call' and 'count' columns, showing counts in the legend.
+    """
+    # Create a label combining call and count for the legend
+    df = df.copy()
+    df["label"] = df["call"] + " (" + df["count"].astype(str) + ")"
+
+    chart = (
+        alt.Chart(df)
+        .mark_arc(innerRadius=50, outerRadius=120)
+        .encode(
+            theta=alt.Theta("count:Q", title="Count"),
+            color=alt.Color("label:N", title="Calls (Count)"),
+            tooltip=["call", "count"]
+        )
+        .properties(
+            title="Overview of Security Weaknesses",
+            width=600,
+            height=600
+        )
+    )
+    return chart

{codeaudit-1.3.0 → codeaudit-1.4.0}/src/codeaudit/api_interfaces.py

@@ -139,7 +139,7 @@ def read_input_file(filename):
 
 def get_construct_counts(input_file):
     """
-    Analyze a scan result and count occurrences of code constructs (aka weaknesses).
+    Analyze a Python file or package(directory) and count occurrences of code constructs (aka weaknesses).
 
     This function uses `filescan` API call to retrieve security-related information
     about the input file. This returns a dict. Then it counts how many times each code construct

codeaudit-1.4.0/src/codeaudit/api_reporting.py

@@ -0,0 +1,36 @@
+"""
+License GPLv3 or higher.
+
+(C) 2025 Created by Maikel Mardjan - https://nocomplexity.com/
+
+This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along with this program. If not, see <https://www.gnu.org/licenses/>. 
+
+
+Public API functions for Python Code Audit aka codeaudit on pypi.org
+
+All reporting API functions are created based on the Code Audit JSON format that is used when scan results are stored using the `codeaudit.api_interfaces.save_to_json` call!
+
+These API functions are on purpose opinionated for one goal: Keep things simple!
+So all results are returned as Pandas Dataframe. This makes things easier for further processing!
+
+"""
+import pandas as pd
+from collections import Counter
+
+def total_weaknesses(input_file):
+    """Returns the total weaknesses found"""
+    scan_result = input_file
+    counter = Counter()
+    
+    for file_info in scan_result.get('file_security_info', {}).values():
+        sast_result = file_info.get('sast_result', {})
+        for construct, occurence in sast_result.items(): #occurence is times the construct appears in a single file
+            counter[construct] += len(occurence)
+    
+    result = dict(counter)
+    df = pd.DataFrame(list(result.items()), columns=['call', 'count'])
+    return df

{codeaudit-1.3.0 → codeaudit-1.4.0}/src/codeaudit/data/sastchecks.csv

@@ -64,6 +64,8 @@ Shelve Usage,shelve.DbfilenameShelf,High,"The `shelve` module uses `pickle` inte
 Unsafe Deserialization: multiprocessing,connection.recv,High,"Uses pickle, which can execute arbitrary code when receiving data. "
 Unsafe Deserialization: multiprocessing,multiprocessing.connection.Connection,High,Relies on pickle; dangerous with untrusted data. 
 Zipfile Extraction,zipfile.ZipFile,High,Vulnerable to path traversal attacks if used with untrusted archives.
+Zstandard (zstd) decompression,compression.zstd.open,High,Vulnerable to path traversal attacks if used with untrusted archives.
+Zstandard (zstd) decompression,compression.zstd.decompress,High,Vulnerable to path traversal attacks if used with untrusted archives.
 Gzip File Handling,gzip.open,Medium,Risk of decompression bombs or resource exhaustion with untrusted data.
 BZ2 File Handling,bz2.open,Medium,Decompressing untrusted data can lead to resource exhaustion attacks. 
 BZ2 File Handling,bz2.BZ2File,Medium,Decompressing untrusted data can lead to resource exhaustion attacks.