codeaudit 1.4.2__py3-none-any.whl → 1.6.0__py3-none-any.whl

codeaudit/__about__.py

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2025-present Maikel Mardjan <mike@bm-support.org>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
-__version__ = "1.4.2"
+__version__ = "1.6.0"

codeaudit/api_interfaces.py

@@ -19,6 +19,7 @@ from codeaudit.security_checks import perform_validations , ast_security_checks
 from codeaudit.totals import overview_per_file , get_statistics , overview_count , total_modules
 from codeaudit.checkmodules import get_all_modules , get_imported_modules_by_file , get_standard_library_modules , check_module_vulnerability
 from codeaudit.pypi_package_scan import get_pypi_download_info , get_package_source
+from codeaudit.suppression import filter_sast_results
 
 from pathlib import Path
 import json
@@ -27,6 +28,7 @@ import pandas as pd
 import platform
 from collections import Counter
 
+
 import altair as alt
 
 def version():
@@ -35,7 +37,7 @@ def version():
     return {"name" : "Python_Code_Audit",
              "version" : ca_version}
 
-def filescan(input_path):
+def filescan(input_path , nosec=False):
     """
     Scan a Python source file, a local directory, or a **PyPI package** from PyPI.org for
     security weaknesses and return the results as a JSON-serializable
@@ -102,14 +104,14 @@ def filescan(input_path):
     if file_path.is_dir(): #local directory scan
         package_name = get_filename_from_path(input_path)
         output |= {"package_name": package_name}
-        scan_output = _codeaudit_directory_scan(input_path)
+        scan_output = _codeaudit_directory_scan(input_path, nosec_flag=nosec )
         output |= scan_output
         return output            
     elif file_path.suffix.lower() == ".py" and file_path.is_file() and is_ast_parsable(input_path):   #check on parseable single Python file   
         # do a file check
         file_information = overview_per_file(input_path) 
         module_information = get_modules(input_path) # modules per file
-        scan_output = _codeaudit_scan(input_path)                
+        scan_output = _codeaudit_scan(input_path , nosec_flag=nosec)                
         file_output["0"] = file_information | module_information | scan_output #there is only 1 file , so index 0 equals as for package to make functionality that use the output that works on the dict or json can equal for a package or a single file!
         output |= { "file_security_info" : file_output}
         return output
@@ -122,7 +124,7 @@ def filescan(input_path):
             output |= {"package_name": package_name,
                        "package_release": release}
             try:
-                scan_output = _codeaudit_directory_scan(src_dir)
+                scan_output = _codeaudit_directory_scan(src_dir , nosec_flag=nosec)
                 output |= scan_output
             finally:
                 # Cleaning up temp directory
@@ -132,20 +134,24 @@ def filescan(input_path):
         # Its not a directory nor a valid Python file:
         return {"Error" : "File is not a *.py file, does not exist or is not a valid directory path towards a Python package."}
 
-def _codeaudit_scan(filename):
+def _codeaudit_scan(filename , nosec_flag):
     """Internal helper function to do a SAST scan on a single file
     To scan a file, or Python package using the API interface, use the `filescan` API call!
     """
     #get the file name
-    name_of_file = get_filename_from_path(filename)
-    sast_data = perform_validations(filename)
+    name_of_file = get_filename_from_path(filename)    
+    if not nosec_flag:  #no filtering on reviewed items with markers in code
+        sast_data = perform_validations(filename)
+    else:
+        unfiltered_scan_output = perform_validations(filename) #scans for weaknesses in the file
+        sast_data = filter_sast_results(unfiltered_scan_output)
     sast_data_results = sast_data["result"]    
     sast_result = dict(sorted(sast_data_results.items()))
     output = { "file_name" : name_of_file ,
               "sast_result": sast_result}    
     return output
 
-def _codeaudit_directory_scan(input_path):
+def _codeaudit_directory_scan(input_path , nosec_flag):
     """Performs a scan on a local directory
     Function is also used with scanning directory PyPI.org packages, since in that case a tmp directory is used
     """
@@ -160,7 +166,7 @@ def _codeaudit_directory_scan(input_path):
         for i,file in enumerate(files_to_check):
             file_information = overview_per_file(file)
             module_information = get_modules(file) # modules per file            
-            scan_output = _codeaudit_scan(file)
+            scan_output = _codeaudit_scan(file , nosec_flag )
             file_output[i] = file_information | module_information | scan_output
         output |= { "file_security_info" : file_output}
         return output
@@ -216,36 +222,90 @@ def read_input_file(filename):
         raise json.JSONDecodeError(f"Invalid JSON in file: {filename}", e.doc, e.pos)
 
 
-def get_construct_counts(input_file):
+
+
+
+def get_weakness_counts(input_file, nosec=False):
     """
-    Analyze a Python file or package(directory) and count occurrences of code constructs (aka weaknesses).
+    Analyze a Python file or package (directory) and count occurrences of code weaknesses.
 
-    This function uses `filescan` API call to retrieve security-related information
-    about the input file. This returns a dict. Then it counts how many times each code construct
-    appears across all scanned files.
+    This function uses the `filescan` API call to retrieve security-related information
+    and aggregates the total number of occurrences per weakness construct.
 
     Args:
-        input_file (str): Path to the file or directory(package) to scan.
+        input_file (str): Path to the file or directory (package) to scan.
+        nosec (bool): Whether to suppress findings marked with nosec comments.
 
     Returns:
         dict: A dictionary mapping each construct name (str) to the total
-              number of occurrences (int) across all scanned files.
+              number of occurrences (int).
+
+    Raises:
+        ValueError: If the scan fails or returns an error result.
+        TypeError: If the scan result has an unexpected structure.
+    """
+    scan_result = filescan(input_file, nosec)
+
+    # Explicitly handle scan failure or unexpected return
+    if not isinstance(scan_result, dict):
+        raise ValueError("filescan() did not return a valid result dictionary")
+
+    if "Error" in scan_result:
+        raise ValueError(scan_result["Error"])
+
+    file_security_info = scan_result.get("file_security_info")
+    if not isinstance(file_security_info, dict):
+        # Valid scan, but no findings (e.g. empty or non-parsable input)
+        return {}
 
-    Notes:
-        - The `filescan` function is expected to return a dictionary with
-          a 'file_security_info' key, containing per-file information.
-        - Each file's 'sast_result' should be a dictionary mapping
-          construct names to lists of occurrences.
-    """    
-    scan_result = filescan(input_file)
     counter = Counter()
+
+    for file_info in file_security_info.values():
+        if not isinstance(file_info, dict):
+            continue
+
+        sast_result = file_info.get("sast_result", {})
+        if not isinstance(sast_result, dict):
+            continue
+
+        for construct, occurrences in sast_result.items():
+            if isinstance(occurrences, (list, tuple)):
+                counter[construct] += len(occurrences)
+
+    return dict(counter)
+
+
+
+# def get_weakness_counts(input_file , nosec=False):
+#     """
+#     Analyze a Python file or package(directory) and count occurrences of code weaknesses.
+
+#     This function uses `filescan` API call to retrieve security-related information
+#     about the input file. This returns a dict. Then it counts how many times each code construct
+#     appears across all scanned files.
+
+#     Args:
+#         input_file (str): Path to the file or directory(package) to scan.
+
+#     Returns:
+#         dict: A dictionary mapping each construct name (str) to the total
+#               number of occurrences (int) across all scanned files.
+
+#     Notes:
+#         - The `filescan` function is expected to return a dictionary with
+#           a 'file_security_info' key, containing per-file information.
+#         - Each file's 'sast_result' should be a dictionary mapping
+#           construct names to lists of occurrences.
+#     """    
+#     scan_result = filescan(input_file, nosec)
+#     counter = Counter()
     
-    for file_info in scan_result.get('file_security_info', {}).values():
-        sast_result = file_info.get('sast_result', {})
-        for construct, occurence in sast_result.items(): #occurence is times the construct appears in a single file
-            counter[construct] += len(occurence)
+#     for file_info in scan_result.get('file_security_info', {}).values():
+#         sast_result = file_info.get('sast_result', {})
+#         for construct, occurrence in sast_result.items(): #occurrence is times the construct appears in a single file
+#             counter[construct] += len(occurrence)
     
-    return dict(counter)
+#     return dict(counter)
 
 def get_modules(filename):
     """Gets modules of a Python file """

codeaudit/data/sastchecks.csv

@@ -47,6 +47,9 @@ Subprocess Usage,subprocess.call,High,Requires careful input validation to preve
 Subprocess Usage,subprocess.check_call,High,Requires careful input validation to prevent command injection vulnerabilities.
 Subprocess Usage,subprocess.Popen,Medium,Requires careful input validation to prevent command injection vulnerabilities.
 Subprocess Usage,subprocess.run,Medium,Requires careful input validation to prevent command injection vulnerabilities.
+Subprocess Usage,subprocess.check_output,Medium,Requires careful input validation to prevent command injection vulnerabilities.
+Subprocess Usage,subprocess.getstatusoutput,Medium,Requires careful input validation to prevent command injection vulnerabilities.
+Subprocess Usage,subprocess.getoutput,Medium,Requires careful input validation to prevent command injection vulnerabilities.
 Tarfile Extraction,tarfile.TarFile,High,Vulnerable to path traversal attacks if used with untrusted archives.
 Base64 Encoding ,base64,Low,"Base64 encoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code."
 XML-RPC Client,xmlrpc.client,High,Vulnerable to denial-of-service via decompression bombs.

codeaudit/data/secretslist.txt

@@ -0,0 +1,136 @@
+
+_KEY
+_passwd
+_PASSWORD
+access_key
+access_key_id
+ACCESS_SECRET
+ACCESS_TOKEN
+AccountKey
+AI21_API_KEY
+ALIBABA_CLOUD_ACCESS_KEY_ID
+ALIBABA_CLOUD_ACCESS_KEY_SECRET
+ANTHROPIC_API_KEY
+api_key
+API_TOKEN
+ApiKey
+ApiSecret
+APP_KEY
+APP_SECRET
+AUTH
+auth_key
+auth_password
+AUTH_SECRET
+auth_token
+AUTH_TOKEN
+Authorization
+AWS_ACCESS_KEY_ID
+aws_account_id
+aws_secret_access_key
+AWS_SECRET_ACCESS_KEY
+aws_session_token
+AWS_SESSION_TOKEN
+AZURE_OPENAI_API_KEY
+AZURE_OPENAI_API_VERSION
+AZURE_OPENAI_ENDPOINT
+AzureStorageKey
+BAIDU_API_KEY
+BAIDU_SECRET_KEY
+BASIC_AUTH
+BEARER
+BEARER_TOKEN
+BEDROCK_REGION
+CLIENT_ID
+client_key
+CLIENT_SECRET
+ClientSecret
+COHERE_API_KEY
+CONNECTION_STRING
+credential
+credentials
+CREDENTIALS_JSON
+creds
+CSRF_TOKEN
+DASHSCOPE_API_KEY
+DEEPSEEK_API_KEY
+DEPLOY_KEY
+encryptedPassword
+ENCRYPTION_SECRET
+EncryptionKey
+FERNET_KEY
+FIREWORKS_API_KEY
+GCP_SERVICE_ACCOUNT_KEY
+GEMINI_API_KEY
+get_api_token
+get_secret
+get_token
+GITHUB_TOKEN
+GOOGLE_API_KEY
+GOOGLE_API_KEY
+HMAC_KEY
+HUGGINGFACE_API_TOKEN
+IBM_WATSONX_API_KEY
+IBM_WATSONX_PROJECT_ID
+ID_TOKEN
+INTEGRATION_KEY
+JWT_ACCESS_TOKEN
+JWT_ALGORITHM
+JWT_AUDIENCE
+JWT_ISSUER
+JWT_PRIVATE_KEY
+JWT_PUBLIC_KEY
+JWT_REFRESH_TOKEN
+JWT_SECRET
+JWT_SECRET_KEY
+JWT_SIGNING_KEY
+JWT_TOKEN
+KEYFILE
+KUBE_TOKEN
+MASTER_KEY
+MISTRAL_API_KEY
+MLAB_PASS
+MOONSHOT_API_KEY
+NetworkCredential
+NVIDIA_API_KEY
+OAUTH_TOKEN
+OLLAMA_API_BASE
+OPENAI_API_KEY
+OPENROUTER_API_KEY
+OTEL_EXPORTER
+PASSPHRASE
+password
+POSTGRES_PASSWORD
+PPLX_API_KEY
+PRIVATE_KEY
+PRIVATE_TOKEN
+REDIS_PASSWORD
+REFRESH_TOKEN
+REPLICATE_API_TOKEN
+ROOT_PASSWORD
+RSA_PRIVATE_KEY
+SAS_TOKEN
+secret
+secret_key
+secret_key_base
+SECRET_TOKEN
+SERVICE_ACCOUNT_KEY
+SESSION_KEY
+SIGNING_KEY
+SILICONFLOW_API_KEY
+SLACK_TOKEN
+SMTP_PASSWORD
+SSH_KEY
+static_key
+STRIPE_API_KEY
+SYSTEM_PASSWORD
+TENCENT_HUNYUAN_API_KEY
+TLS_PRIVATE_KEY
+TOGETHER_API_KEY
+TOKEN
+VAULT_TOKEN
+WEBHOOK_SECRET
+WEBHOOK_TOKEN
+X_API_KEY
+XAI_API_KEY
+YI_API_KEY
+ZHIPUAI_API_KEY

codeaudit/filehelpfunctions.py

@@ -24,7 +24,7 @@ def read_in_source_file(file_path):
 
     if file_path.is_dir():
         print(
-            "Error: The given path is a directory.\nUse 'codeaudit directoryscan' to audit all Python files in a directory.\nThe 'codeaudit modulescan' command works per file only, not on a directory.\nUse codeaudit -h for help"
+            "Error: The given path is a directory.\nUse 'codeaudit filescan' to security audit Python files in a directory or PyPI package.\nThe 'codeaudit modulescan' command works per file only, not on a directory.\nUse codeaudit -h for help"
         )
         sys.exit(1)
 

codeaudit/issuevalidations.py

@@ -78,7 +78,7 @@ def find_constructs(source_code, constructs_to_detect):
                     elif node.func.attr in ('input') and 'builtins' in core_modules:   #catch obfuscating construct with builtins module                        
                         construct = 'input'
                     elif node.func.attr in ('compile') and 'builtins' in core_modules:   #catch obfuscating construct with builtins module                        
-                        construct = 'compile'
+                        construct = 'compile'                                     
                 elif isinstance(func, ast.Name):
                     resolved = alias_map.get(func.id, func.id)                
                     if resolved in constructs_to_detect:

codeaudit/privacy_lint.py

@@ -0,0 +1,292 @@
+from codeaudit.api_interfaces import version
+from codeaudit.filehelpfunctions import get_filename_from_path , collect_python_source_files , is_ast_parsable , read_in_source_file
+from codeaudit.pypi_package_scan import get_pypi_download_info , get_package_source
+
+
+import ast
+from pathlib import Path
+import datetime 
+import re
+
+
+from importlib.resources import files
+
+
+SECRETS_LIST = files("codeaudit.data").joinpath("secretslist.txt") 
+
+def secret_scan(input_path):
+    """Scans Python file or a PyPI package for potential privacy leaks.
+
+    This function analyzes Python code for possible privacy-related issues
+    (which often overlap with security weaknesses). The input can be:
+    - A local directory containing a Python package
+    - A single Python file
+    - A PyPI package name (which will be downloaded and scanned)
+
+    Depending on the input type, the function performs an AST-based scan
+    and returns structured metadata along with scan results.
+
+    Args:
+        input_path (str): Path to a local directory, path to a Python
+            file, or the name of a PyPI package to scan.
+
+    Returns:
+        dict: A dictionary containing scan metadata and results. The
+        structure varies depending on the input:
+            - For a directory or PyPI package, results include package-level
+              privacy findings.
+            - For a single Python file, results include file-level privacy
+              findings.
+            - If the input is invalid, an error dictionary is returned with
+              an `"Error"` key.
+
+    Raises:
+        None: All errors are handled internally and reported in the
+        returned dictionary.
+    """
+    file_output = {}
+    file_path = Path(input_path)
+    ca_version_info = version()
+    now = datetime.datetime.now()
+    timestamp_str = now.strftime("%Y-%m-%d %H:%M")
+    output = ca_version_info | {"generated_on" : timestamp_str}    
+    # Check if the input is a valid directory or a single valid Python file
+    if file_path.is_dir(): #local directory scan
+        package_name = get_filename_from_path(input_path)
+        output |= {"package_name": package_name}
+        spycheck_output = _codeaudit_directory_spyscan(input_path)        
+        output |= spycheck_output
+        return output            
+    elif file_path.suffix.lower() == ".py" and file_path.is_file() and is_ast_parsable(input_path):   #check on parseable single Python file   
+        # do a file spy check        
+        name_of_file = get_filename_from_path(input_path)
+        name_dict = {"FileName": name_of_file}
+        spycheck_output = spy_check(input_path)                
+        file_output["0"] = spycheck_output #there is only 1 file , so index 0 equals as for package to make functionality that use the output that works on the dict or json can equal for a package or a single file!
+        output |= { "file_name": name_dict,
+                   "file_privacy_check" : file_output}        
+        return output
+    elif (pypi_data := get_pypi_download_info(input_path)):    
+        package_name = input_path #The variable input_path is now equal to the package name        
+        url = pypi_data['download_url']
+        release = pypi_data['release']
+        if url is not None:
+            src_dir, tmp_handle = get_package_source(url)            
+            output |= {"package_name": package_name,
+                       "package_release": release}
+            try:                
+                spycheck_output = _codeaudit_directory_spyscan(src_dir)  
+                output |= spycheck_output
+            finally:
+                # Cleaning up temp directory
+                tmp_handle.cleanup()  # deletes everything from temp directory
+            return output
+    else:
+        # Its not a directory nor a valid Python file:
+        return {"Error" : "File is not a *.py file, does not exist or is not a valid directory path towards a Python package."}
+
+
+def spy_check(file):
+    """runs the AST function to get spy info"""
+    code = read_in_source_file(file)
+    spy_output = collect_secret_values(code)
+    name_of_file = get_filename_from_path(file)    
+    output = { "file_name": name_of_file,
+                "privacy_check_result" : spy_output}  
+    return output
+
+
+def _codeaudit_directory_spyscan(input_path):
+    """Performs a spyscan on a local directory
+    Function is also used with scanning directory PyPI.org packages, since in that case a tmp directory is used
+    """
+    output ={}
+    file_output = {}
+    files_to_check = collect_python_source_files(input_path)    
+    if len(files_to_check) > 1:                        
+        for i,file in enumerate(files_to_check):                                                
+            file_output[i] = spy_check(file)
+        output |= { "file_privacy_check" : file_output}
+        return output
+    else:
+        output_msg = f'Directory path {input_path} contains no Python files.'
+        return {"Error" : output_msg}
+
+
+def load_secrets_list(filename=SECRETS_LIST):
+    """
+    Load secrets from SECRETS_LIST and return a list of lines,
+    excluding empty lines and lines starting with '#'.
+    """
+    secrets_patterns = []
+
+    with open(filename, "r", encoding="utf-8") as f:
+        for line in f:
+            line = line.strip()
+            if not line or line.startswith("#"):
+                continue
+            secrets_patterns.append(line.lower()) #lower all patterns
+
+    return secrets_patterns
+
+
+def match_secret(secrets, name, value):
+    """
+    Check whether a name or value contains a secret.
+
+    Assumptions:
+    - `secrets` are already lowercased.
+
+    Matching rules (in priority order):
+    1. Whole-word match in name
+    2. Whole-word match in value
+
+    Returns:
+        The matching secret (lowercased) if found, otherwise None.
+    """
+    name_lower = str(name).lower()
+    value_lower = str(value).lower()
+
+    # Shorter secrets first to preserve original behavior
+    for secret_tag in sorted(secrets, key=len):
+        pattern = re.compile(rf"\b{re.escape(secret_tag)}\b")
+
+        if pattern.search(name_lower) or pattern.search(value_lower):
+            return secret_tag
+
+    return None
+
+
+def collect_secret_values(source_code, secrets_file=SECRETS_LIST):
+    secrets = load_secrets_list(secrets_file)
+    results = []
+    source_lines = source_code.splitlines()
+
+    # -------------------------
+    # Helpers
+    # -------------------------
+    def get_constant(node):
+        return getattr(node, "value", None)
+
+    def is_os_environ(node):
+        return (
+            getattr(getattr(node, "value", None), "attr", None) == "environ"
+            and getattr(getattr(getattr(node, "value", None), "value", None), "id", None) == "os"
+        )
+
+    def get_target_repr(node):
+        if hasattr(node, "id"):
+            return node.id
+        if hasattr(node, "attr") or hasattr(node, "slice"):
+            return ast.unparse(node)
+        return None
+
+    def classify_value(node):
+        if node is None:
+            return None
+
+        if isinstance(node, ast.Constant):
+            return node.value
+
+        if hasattr(node, "slice"):
+            if is_os_environ(node):
+                return get_constant(node.slice)
+            return ast.unparse(node)
+
+        if hasattr(node, "func") and getattr(node, "args", None):
+            first_arg = node.args[0]
+            if isinstance(first_arg, ast.Constant):
+                return first_arg.value
+
+        if hasattr(node, "id") or hasattr(node, "attr"):
+            return ast.unparse(node)
+
+        return ast.unparse(node)
+    
+    def get_original_line(node):
+        lineno = getattr(node, "lineno", None)
+        if lineno is None:
+            return None
+        lines = []
+        # line before
+        if lineno > 1:
+            lines.append(source_lines[lineno - 2].rstrip())
+
+        # current line
+        if 1 <= lineno <= len(source_lines):
+            lines.append(source_lines[lineno - 1].rstrip())
+
+        # line after
+        if lineno < len(source_lines):
+            lines.append(source_lines[lineno].rstrip())
+
+        return "\n".join(lines)
+
+   
+    def add_value(name, value_node, node):
+            value = classify_value(value_node)
+            matched = match_secret(secrets, name, value)
+            if matched is not None: #when no match is found, no results will be added to the result dict.
+                results.append(
+                    {
+                        "lineno": getattr(node, "lineno", None),
+                        "code": get_original_line(node),
+                       # "name": name,
+                       # "value": value,
+                        "matched": matched,
+                    }
+                )
+
+
+    # -------------------------
+    # Walk all AST nodes
+    # -------------------------
+    tree = ast.parse(source_code)
+    for node in ast.walk(tree):
+
+        # Assignments
+        for target in getattr(node, "targets", []):
+            name = get_target_repr(target)
+            if name:
+                add_value(name, getattr(node, "value", None), node)
+                
+
+        # Annotated assignments
+        if isinstance(node, ast.AnnAssign):
+            name = get_target_repr(node.target)
+            if name:
+                add_value(name, getattr(node, "value", None), node)
+                
+
+        # Function calls (keyword arguments only)
+        if isinstance(node, ast.Call):
+            for kw in node.keywords:
+                if kw.arg:
+                    add_value(kw.arg, kw.value, kw)
+                    
+
+    return sorted(results, key=lambda item: item["lineno"])
+
+def has_privacy_findings(data):
+    """
+    Returns True if at least one file has a non-empty
+    'privacy_check_result' list, otherwise False.
+    """
+    filesscanned = data.get("file_privacy_check", {})
+
+    for file_info in filesscanned.values():
+        results = file_info.get("privacy_check_result")
+        if results and len(results) > 0:
+            return True
+
+    return False
+
+def count_privacy_check_results(data):
+    """
+    count number of secrets found for a dict created with secret_scan(filename)
+    
+    :param data: Description
+    """
+    return len(
+        data["file_privacy_check"]["0"]["privacy_check_result"]
+    )

codeaudit/pypi_package_scan.py

@@ -104,7 +104,7 @@ def get_package_source(url, nocxheaders=NOCX_HEADERS, nocxtimeout=10):
             f.write(content)
 
         with tarfile.open(tar_path, "r:gz") as tar:
-            tar.extractall(path=temp_dir,filter='data')  #Possible risks are mitigated as far as possible, see architecture notes.
+            tar.extractall(path=temp_dir,filter='data')  # nosec Possible risks are mitigated as far as possible, see architecture notes.
 
         return temp_dir, tmpdir_obj  # return both so caller controls lifetime