codeaudit 1.5.0__py3-none-any.whl → 1.6.0__py3-none-any.whl

codeaudit/__about__.py

@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2025-present Maikel Mardjan <mike@bm-support.org>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
-__version__ = "1.5.0"
+__version__ = "1.6.0"

codeaudit/api_interfaces.py

@@ -19,6 +19,7 @@ from codeaudit.security_checks import perform_validations , ast_security_checks
 from codeaudit.totals import overview_per_file , get_statistics , overview_count , total_modules
 from codeaudit.checkmodules import get_all_modules , get_imported_modules_by_file , get_standard_library_modules , check_module_vulnerability
 from codeaudit.pypi_package_scan import get_pypi_download_info , get_package_source
+from codeaudit.suppression import filter_sast_results
 
 from pathlib import Path
 import json
@@ -27,6 +28,7 @@ import pandas as pd
 import platform
 from collections import Counter
 
+
 import altair as alt
 
 def version():
@@ -35,7 +37,7 @@ def version():
     return {"name" : "Python_Code_Audit",
              "version" : ca_version}
 
-def filescan(input_path):
+def filescan(input_path , nosec=False):
     """
     Scan a Python source file, a local directory, or a **PyPI package** from PyPI.org for
     security weaknesses and return the results as a JSON-serializable
@@ -102,14 +104,14 @@ def filescan(input_path):
     if file_path.is_dir(): #local directory scan
         package_name = get_filename_from_path(input_path)
         output |= {"package_name": package_name}
-        scan_output = _codeaudit_directory_scan(input_path)
+        scan_output = _codeaudit_directory_scan(input_path, nosec_flag=nosec )
         output |= scan_output
         return output            
     elif file_path.suffix.lower() == ".py" and file_path.is_file() and is_ast_parsable(input_path):   #check on parseable single Python file   
         # do a file check
         file_information = overview_per_file(input_path) 
         module_information = get_modules(input_path) # modules per file
-        scan_output = _codeaudit_scan(input_path)                
+        scan_output = _codeaudit_scan(input_path , nosec_flag=nosec)                
         file_output["0"] = file_information | module_information | scan_output #there is only 1 file , so index 0 equals as for package to make functionality that use the output that works on the dict or json can equal for a package or a single file!
         output |= { "file_security_info" : file_output}
         return output
@@ -122,7 +124,7 @@ def filescan(input_path):
             output |= {"package_name": package_name,
                        "package_release": release}
             try:
-                scan_output = _codeaudit_directory_scan(src_dir)
+                scan_output = _codeaudit_directory_scan(src_dir , nosec_flag=nosec)
                 output |= scan_output
             finally:
                 # Cleaning up temp directory
@@ -132,20 +134,24 @@ def filescan(input_path):
         # Its not a directory nor a valid Python file:
         return {"Error" : "File is not a *.py file, does not exist or is not a valid directory path towards a Python package."}
 
-def _codeaudit_scan(filename):
+def _codeaudit_scan(filename , nosec_flag):
     """Internal helper function to do a SAST scan on a single file
     To scan a file, or Python package using the API interface, use the `filescan` API call!
     """
     #get the file name
-    name_of_file = get_filename_from_path(filename)
-    sast_data = perform_validations(filename)
+    name_of_file = get_filename_from_path(filename)    
+    if not nosec_flag:  #no filtering on reviewed items with markers in code
+        sast_data = perform_validations(filename)
+    else:
+        unfiltered_scan_output = perform_validations(filename) #scans for weaknesses in the file
+        sast_data = filter_sast_results(unfiltered_scan_output)
     sast_data_results = sast_data["result"]    
     sast_result = dict(sorted(sast_data_results.items()))
     output = { "file_name" : name_of_file ,
               "sast_result": sast_result}    
     return output
 
-def _codeaudit_directory_scan(input_path):
+def _codeaudit_directory_scan(input_path , nosec_flag):
     """Performs a scan on a local directory
     Function is also used with scanning directory PyPI.org packages, since in that case a tmp directory is used
     """
@@ -160,7 +166,7 @@ def _codeaudit_directory_scan(input_path):
         for i,file in enumerate(files_to_check):
             file_information = overview_per_file(file)
             module_information = get_modules(file) # modules per file            
-            scan_output = _codeaudit_scan(file)
+            scan_output = _codeaudit_scan(file , nosec_flag )
             file_output[i] = file_information | module_information | scan_output
         output |= { "file_security_info" : file_output}
         return output
@@ -216,36 +222,90 @@ def read_input_file(filename):
         raise json.JSONDecodeError(f"Invalid JSON in file: {filename}", e.doc, e.pos)
 
 
-def get_construct_counts(input_file):
+
+
+
+def get_weakness_counts(input_file, nosec=False):
     """
-    Analyze a Python file or package(directory) and count occurrences of code constructs (aka weaknesses).
+    Analyze a Python file or package (directory) and count occurrences of code weaknesses.
 
-    This function uses `filescan` API call to retrieve security-related information
-    about the input file. This returns a dict. Then it counts how many times each code construct
-    appears across all scanned files.
+    This function uses the `filescan` API call to retrieve security-related information
+    and aggregates the total number of occurrences per weakness construct.
 
     Args:
-        input_file (str): Path to the file or directory(package) to scan.
+        input_file (str): Path to the file or directory (package) to scan.
+        nosec (bool): Whether to suppress findings marked with nosec comments.
 
     Returns:
         dict: A dictionary mapping each construct name (str) to the total
-              number of occurrences (int) across all scanned files.
+              number of occurrences (int).
+
+    Raises:
+        ValueError: If the scan fails or returns an error result.
+        TypeError: If the scan result has an unexpected structure.
+    """
+    scan_result = filescan(input_file, nosec)
+
+    # Explicitly handle scan failure or unexpected return
+    if not isinstance(scan_result, dict):
+        raise ValueError("filescan() did not return a valid result dictionary")
+
+    if "Error" in scan_result:
+        raise ValueError(scan_result["Error"])
+
+    file_security_info = scan_result.get("file_security_info")
+    if not isinstance(file_security_info, dict):
+        # Valid scan, but no findings (e.g. empty or non-parsable input)
+        return {}
 
-    Notes:
-        - The `filescan` function is expected to return a dictionary with
-          a 'file_security_info' key, containing per-file information.
-        - Each file's 'sast_result' should be a dictionary mapping
-          construct names to lists of occurrences.
-    """    
-    scan_result = filescan(input_file)
     counter = Counter()
+
+    for file_info in file_security_info.values():
+        if not isinstance(file_info, dict):
+            continue
+
+        sast_result = file_info.get("sast_result", {})
+        if not isinstance(sast_result, dict):
+            continue
+
+        for construct, occurrences in sast_result.items():
+            if isinstance(occurrences, (list, tuple)):
+                counter[construct] += len(occurrences)
+
+    return dict(counter)
+
+
+
+# def get_weakness_counts(input_file , nosec=False):
+#     """
+#     Analyze a Python file or package(directory) and count occurrences of code weaknesses.
+
+#     This function uses `filescan` API call to retrieve security-related information
+#     about the input file. This returns a dict. Then it counts how many times each code construct
+#     appears across all scanned files.
+
+#     Args:
+#         input_file (str): Path to the file or directory(package) to scan.
+
+#     Returns:
+#         dict: A dictionary mapping each construct name (str) to the total
+#               number of occurrences (int) across all scanned files.
+
+#     Notes:
+#         - The `filescan` function is expected to return a dictionary with
+#           a 'file_security_info' key, containing per-file information.
+#         - Each file's 'sast_result' should be a dictionary mapping
+#           construct names to lists of occurrences.
+#     """    
+#     scan_result = filescan(input_file, nosec)
+#     counter = Counter()
     
-    for file_info in scan_result.get('file_security_info', {}).values():
-        sast_result = file_info.get('sast_result', {})
-        for construct, occurence in sast_result.items(): #occurence is times the construct appears in a single file
-            counter[construct] += len(occurence)
+#     for file_info in scan_result.get('file_security_info', {}).values():
+#         sast_result = file_info.get('sast_result', {})
+#         for construct, occurrence in sast_result.items(): #occurrence is times the construct appears in a single file
+#             counter[construct] += len(occurrence)
     
-    return dict(counter)
+#     return dict(counter)
 
 def get_modules(filename):
     """Gets modules of a Python file """

codeaudit/data/sastchecks.csv

@@ -47,6 +47,9 @@ Subprocess Usage,subprocess.call,High,Requires careful input validation to preve
 Subprocess Usage,subprocess.check_call,High,Requires careful input validation to prevent command injection vulnerabilities.
 Subprocess Usage,subprocess.Popen,Medium,Requires careful input validation to prevent command injection vulnerabilities.
 Subprocess Usage,subprocess.run,Medium,Requires careful input validation to prevent command injection vulnerabilities.
+Subprocess Usage,subprocess.check_output,Medium,Requires careful input validation to prevent command injection vulnerabilities.
+Subprocess Usage,subprocess.getstatusoutput,Medium,Requires careful input validation to prevent command injection vulnerabilities.
+Subprocess Usage,subprocess.getoutput,Medium,Requires careful input validation to prevent command injection vulnerabilities.
 Tarfile Extraction,tarfile.TarFile,High,Vulnerable to path traversal attacks if used with untrusted archives.
 Base64 Encoding ,base64,Low,"Base64 encoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code."
 XML-RPC Client,xmlrpc.client,High,Vulnerable to denial-of-service via decompression bombs.

codeaudit/data/secretslist.txt

@@ -19,6 +19,7 @@ APP_KEY
 APP_SECRET
 AUTH
 auth_key
+auth_password
 AUTH_SECRET
 auth_token
 AUTH_TOKEN

codeaudit/issuevalidations.py

@@ -78,7 +78,7 @@ def find_constructs(source_code, constructs_to_detect):
                     elif node.func.attr in ('input') and 'builtins' in core_modules:   #catch obfuscating construct with builtins module                        
                         construct = 'input'
                     elif node.func.attr in ('compile') and 'builtins' in core_modules:   #catch obfuscating construct with builtins module                        
-                        construct = 'compile'
+                        construct = 'compile'                                     
                 elif isinstance(func, ast.Name):
                     resolved = alias_map.get(func.id, func.id)                
                     if resolved in constructs_to_detect:

codeaudit/privacy_lint.py

@@ -148,11 +148,11 @@ def match_secret(secrets, name, value):
     value_lower = str(value).lower()
 
     # Shorter secrets first to preserve original behavior
-    for secret in sorted(secrets, key=len):
-        pattern = re.compile(rf"\b{re.escape(secret)}\b")
+    for secret_tag in sorted(secrets, key=len):
+        pattern = re.compile(rf"\b{re.escape(secret_tag)}\b")
 
         if pattern.search(name_lower) or pattern.search(value_lower):
-            return secret
+            return secret_tag
 
     return None
 

codeaudit/pypi_package_scan.py

@@ -104,7 +104,7 @@ def get_package_source(url, nocxheaders=NOCX_HEADERS, nocxtimeout=10):
             f.write(content)
 
         with tarfile.open(tar_path, "r:gz") as tar:
-            tar.extractall(path=temp_dir,filter='data')  #Possible risks are mitigated as far as possible, see architecture notes.
+            tar.extractall(path=temp_dir,filter='data')  # nosec Possible risks are mitigated as far as possible, see architecture notes.
 
         return temp_dir, tmpdir_obj  # return both so caller controls lifetime
 

codeaudit/reporting.py

@@ -16,6 +16,7 @@ Reporting functions for codeaudit
 import re
 import os
 from pathlib import Path
+import sys
 
 import pandas as pd
 import html
@@ -30,10 +31,14 @@ from codeaudit.htmlhelpfunctions import json_to_html , dict_list_to_html_table
 from codeaudit import __version__
 from codeaudit.pypi_package_scan import get_pypi_download_info , get_package_source
 from codeaudit.privacy_lint import secret_scan , has_privacy_findings
+from codeaudit.suppression import filter_sast_results
 
 from importlib.resources import files
 
 
+
+
+
 PYTHON_CODE_AUDIT_TEXT = '<a href="https://github.com/nocomplexity/codeaudit" target="_blank"><b>Python Code Audit</b></a>'
 DISCLAIMER_TEXT = (
     "<p><b>Disclaimer:</b> <i>This SAST tool "
@@ -41,6 +46,7 @@ DISCLAIMER_TEXT = (
     + " provides a powerful, automatic security analysis for Python source code. However, it's not a substitute for human review in combination with business knowledge. Undetected vulnerabilities may still exist.</i></p>"
 )
 
+NOSEC_WARNING = '<p><b>INFO</b>: The --nosec flag is active. Security findings with in-line suppressions will be excluded from the report.</p>'
 
 SIMPLE_CSS_FILE = files('codeaudit') / 'simple.css'
 
@@ -207,30 +213,35 @@ def display_found_modules(modules_discovered):
     return output
 
 
-def scan_report(input_path, filename=DEFAULT_OUTPUT_FILE):
+def scan_report(input_path, filename=DEFAULT_OUTPUT_FILE, nosec=False):
     """Scans Python source code or PyPI packages for security weaknesses.
-
     This function performs static application security testing (SAST) on a
-    given input, which can be:
+    specified input. The input can be one of the following:
 
-    - A local directory containing Python source code
-    - A single local Python file 
-    - A package name hosted on PyPI.org
+    * A local directory containing Python source code
+    * A single local Python file
+    * The name of a package hosted on PyPI
 
-    codeaudit filescan <pythonfile|package-name|directory> [reportname.html]
+    codeaudit filescan <pythonfile|package-name|directory> [reportname.html] [--nosec]
 
-    Depending on the input type, the function analyzes the source code for
-    potential security issues, generates an HTML report summarizing the
-    findings, and writes the report to a static HTML file.
+    Based on the input type, the function analyzes the source code for potential
+    security issues, generates an HTML report summarizing the findings, and
+    writes the report to disk.
 
     If a PyPI package name is provided, the function downloads the source
-    distribution (sdist), scans the extracted source code, and removes all
-    temporary files after the scan completes.
+    distribution (sdist), extracts it to a temporary directory, scans the
+    extracted source code, and cleans up all temporary files after the scan
+    completes.
+
+     Examples:
 
-    Example:
         Scan a local directory and write the report to ``report.html``::
 
-            codeaudit filescan_/shitwork/custompythonmodule/ 
+            codeaudit filescan /path/to/custompythonmodule report.html
+
+        Scan a local directory::
+
+            codeaudit filescan /path/to/project
 
         Scan a single Python file::
 
@@ -238,31 +249,66 @@ def scan_report(input_path, filename=DEFAULT_OUTPUT_FILE):
 
         Scan a package hosted on PyPI::
 
-            codeaudit filescan linkaudit  #A nice project to check broken links in markdown files
+            codeaudit filescan linkaudit
 
             codeaudit filescan requests
 
+
+        Specify an output report file::
+
+            codeaudit filescan /path/to/project report.html
+
+        Enable filtering of issues marked with ``#nosec`` or another marker on potential code weaknesses that mitigated or known  ::
+
+            codeaudit filescan myexample.py --nosec
+    
+    POSITIONAL ARGUMENTS
+    INPUT_PATH
+        Path to a local Python file or directory, or the name of a package available on PyPI.
+
+    
+    FLAGS
+    -f, --filename=FILENAME
+        Default: 'codeaudit-report.html'
+    -n, --nosec=NOSEC
+        Default: False
+
+                
     Args:
+
+    -f, --filename=FILENAME
+        Default: 'codeaudit-report.html'
+        Name (and optional path) of the HTML file to write the scan report to. The filename should use the ``.html`` extension. Defaults to ``DEFAULT_OUTPUT_FILE``.
+    -n, --nosec=NOSEC
+        Default: False
+        Whether to filter out issues marked as reviewed or ignored in the source code. Defaults to ``False``, no filtering.
+
         input_path (str): Path to a local Python file or directory, or the name
-            of a package available on PyPI.org.
+            of a package available on PyPI.
         filename (str, optional): Name (and optional path) of the HTML file to
             write the scan report to. The filename should use the ``.html``
             extension. Defaults to ``DEFAULT_OUTPUT_FILE``.
+        nosec (bool, optional): Whether to filter out issues marked as reviewed
+            or ignored in the source code. Defaults to ``False``, no filtering.
 
     Returns:
-        None. The function writes a static HTML security report to disk.
+        None: The function writes a static HTML security report to disk.
 
     Raises:
-        None explicitly. Errors and invalid inputs are reported to stdout.    
+        None: Errors and invalid inputs are reported to stdout.    
     """
     # Check if the input is a valid directory or a single valid Python file 
     # In case no local file or directory is found, check if the givin input is pypi package name
     file_path = Path(input_path)
     if file_path.is_dir():
-        directory_scan_report(input_path , filename ) #create a package aka directory scan report
+        directory_scan_report(input_path , nosec_flag=nosec, filename=filename) #create a package aka directory scan report
     elif file_path.suffix == ".py" and file_path.is_file() and is_ast_parsable(input_path):        
         #create a sast file check report
-        scan_output = perform_validations(input_path) #scans for weaknesses in the file
+        if not nosec:  #no filtering on reviewed items with markers in code            
+            scan_output = perform_validations(input_path) #scans for weaknesses in the file
+        else:            
+            unfiltered_scan_output = perform_validations(input_path) #scans for weaknesses in the file
+            scan_output = filter_sast_results(unfiltered_scan_output)
         spy_output = secret_scan(input_path) #scans for secrets in the file
         file_report_html = single_file_report(input_path , scan_output)
         secrets_report_html = secrets_report(spy_output)
@@ -270,6 +316,8 @@ def scan_report(input_path, filename=DEFAULT_OUTPUT_FILE):
         html_output = '<h1>Python Code Audit Report</h1>' #prepared to be embedded to display multiple reports, so <h2> used
         html_output += f'<h2>Security scan: {name_of_file}</h2>'    
         html_output += '<p>' + f'Location of the file: {input_path} </p>'  
+        if nosec:
+            html_output += NOSEC_WARNING 
         html_output += file_report_html    
         html_output += secrets_report_html    
         html_output += '<br>'
@@ -285,8 +333,8 @@ def scan_report(input_path, filename=DEFAULT_OUTPUT_FILE):
         if url is not None:
             print(url)
             print(release)
-            src_dir, tmp_handle = get_package_source(url)
-            directory_scan_report(src_dir , filename , package_name, release ) #create scan report for a package or directory
+            src_dir, tmp_handle = get_package_source(url)            
+            directory_scan_report(src_dir , nosec_flag=nosec, filename=filename, package_name=package_name , release=release  ) #create a package aka directory scan report
             # Cleaning up temp directory 
             tmp_handle.cleanup()  # deletes everything from temp directory
         else:
@@ -411,7 +459,7 @@ def single_file_report(filename , scan_output):
     return output 
 
 
-def directory_scan_report(directory_to_scan , filename=DEFAULT_OUTPUT_FILE , package_name=None , release=None):
+def directory_scan_report(directory_to_scan ,  nosec_flag, filename=DEFAULT_OUTPUT_FILE , package_name=None , release=None ):
     """Reports potential security issues for all Python files found in a directory.
     
     This function performs security validations on all files found in a specified directory.
@@ -444,12 +492,18 @@ def directory_scan_report(directory_to_scan , filename=DEFAULT_OUTPUT_FILE , pac
     else:
         output += f'<p>Below the result of the Codeaudit scan of the directory:<b> {name_of_package}</b></p>' 
     output += f'<p>Total Python files found: <b>{len(files_to_check)}</b></p>'
+    if nosec_flag:
+        output += NOSEC_WARNING
     number_of_files = len(files_to_check)
     print(f'Number of files that are checked for security issues:{number_of_files}')
     printProgressBar(0, number_of_files, prefix='Progress:', suffix='Complete', length=50)    
     for i,file_to_scan in enumerate(files_to_check):
-        printProgressBar(i + 1, number_of_files, prefix='Progress:', suffix='Complete', length=50)
-        scan_output = perform_validations(file_to_scan)
+        printProgressBar(i + 1, number_of_files, prefix='Progress:', suffix='Complete', length=50)        
+        if not nosec_flag:  #no filtering on reviewed items with markers in code
+            scan_output = perform_validations(file_to_scan) #scans for weaknesses in the file
+        else:            
+            unfiltered_scan_output = perform_validations(file_to_scan) #scans for weaknesses in the file
+            scan_output = filter_sast_results(unfiltered_scan_output)
         spy_output = secret_scan(file_to_scan) #scans for secrets in the file 
         data = scan_output["result"]
         if data or has_privacy_findings(spy_output):
@@ -599,64 +653,132 @@ def collect_issue_lines(filename, line):
     return code_lines
 
 
-def create_htmlfile(html_input,outputfile):
-    """ Creates a clean html file based on html input given """ 
-    # Read CSS from the file - So it is included in the reporting HTML file
+def create_htmlfile(html_input, outputfile):
+    """Creates a clean html file based on html input given"""
+
+    output_path = Path(outputfile).expanduser().resolve()
+
+    # Validate output directory (CLI-friendly)
+    if not output_path.parent.is_dir():
+        print(
+            f"Error: output directory does not exist:\n  {output_path.parent}",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+    # Read CSS so it is included in the reporting HTML file
+    css_content = Path(SIMPLE_CSS_FILE).read_text(encoding="utf-8")
 
-    with open(SIMPLE_CSS_FILE, 'r') as css_file:
-        css_content = css_file.read()
     # Start building the HTML
     output = '<!DOCTYPE html><html lang="en-US"><head>'
     output += '<meta charset="UTF-8"/>'
     output += '<title>Python_Code_Audit_SecurityReport</title>'
-    # Inline CSS inside <style> block
-    output += f'<style>\n{css_content}\n</style>'    
-    output += '<script src="https://cdn.jsdelivr.net/npm/vega@5"></script>' # needed for altair plots
-    output += '<script src="https://cdn.jsdelivr.net/npm/vega-lite@5"></script>' # needed for altair plots
-    output += '<script src="https://cdn.jsdelivr.net/npm/vega-embed@6"></script>' # needed for altair plots   
+    output += f'<style>\n{css_content}\n</style>'
+    output += '<script src="https://cdn.jsdelivr.net/npm/vega@5"></script>'
+    output += '<script src="https://cdn.jsdelivr.net/npm/vega-lite@5"></script>'
+    output += '<script src="https://cdn.jsdelivr.net/npm/vega-embed@6"></script>'
     output += '</head><body>'
     output += '<div class="container">'
     output += html_input
+
     now = datetime.datetime.now()
     timestamp_str = now.strftime("%Y-%m-%d %H:%M")
-    code_audit_version = __version__    
+    code_audit_version = __version__
+
     output += (
         f"<p>This Python security report was created on: <b>{timestamp_str}</b> with "
         + PYTHON_CODE_AUDIT_TEXT
         + f" version <b>{code_audit_version}</b></p>"
     )
+
     output += '<hr>'
-    output += '<footer>'    
+    output += '<footer>'
     output += (
         '<div class="footer-links">'
         'Check the <a href="https://nocomplexity.com/documents/codeaudit/intro.html" '
         'target="_blank">documentation</a> for help on found issues.<br>'
         'Codeaudit is made with <span class="heart">&#10084;</span> by cyber security '
-        'professionals who advocate for <a href="https://nocomplexity.com/simplify-security/" target="_blank">open simple security solutions</a>.<br>'
-        '<a href="https://nocomplexity.com/documents/codeaudit/CONTRIBUTE.html" target="_blank">Join the community</a> and contribute to make this tool better!'
-        "</div>"
+        'professionals who advocate for <a href="https://nocomplexity.com/simplify-security/" '
+        'target="_blank">open simple security solutions</a>.<br>'
+        '<a href="https://nocomplexity.com/documents/codeaudit/CONTRIBUTE.html" '
+        'target="_blank">Join the community</a> and contribute to make this tool better!'
+        '</div>'
     )
-    output += "</footer>"
-    output += '</div>' #base container
+    output += '</footer>'
+    output += '</div>'
     output += '</body></html>'
-    # Now create the HTML output file
-    with open(outputfile, 'w') as f:
-        f.write(output)    
-    current_directory = os.getcwd()
-    # Get the directory of the output file (if any)
-    directory_for_output = os.path.dirname(os.path.abspath(outputfile))    
-    filename_only = os.path.basename(outputfile)
-    # Determine the effective directory to use in the file URL
-    if not directory_for_output or directory_for_output == current_directory:
-        file_url = f'file://{current_directory}/{filename_only}'
-    else:
-        file_url = f'file://{directory_for_output}/{filename_only}'
-    # Print the result
+
+    # Write the HTML file
+    output_path.write_text(output, encoding="utf-8")
+
     print("\n=====================================================================")
-    print(f'Code Audit report file created!\nPaste the line below directly into your browser bar:\n\t{file_url}\n')
+    print(
+        "Code Audit report file created!\n"
+        "Paste the line below directly into your browser bar:\n"
+        f"\t{output_path.as_uri()}\n"
+    )
     print("=====================================================================\n")
 
 
+
+# def create_htmlfile(html_input,outputfile):
+#     """ Creates a clean html file based on html input given """ 
+#     # Read CSS from the file - So it is included in the reporting HTML file
+
+#     with open(SIMPLE_CSS_FILE, 'r') as css_file:
+#         css_content = css_file.read()
+#     # Start building the HTML
+#     output = '<!DOCTYPE html><html lang="en-US"><head>'
+#     output += '<meta charset="UTF-8"/>'
+#     output += '<title>Python_Code_Audit_SecurityReport</title>'
+#     # Inline CSS inside <style> block
+#     output += f'<style>\n{css_content}\n</style>'    
+#     output += '<script src="https://cdn.jsdelivr.net/npm/vega@5"></script>' # needed for altair plots
+#     output += '<script src="https://cdn.jsdelivr.net/npm/vega-lite@5"></script>' # needed for altair plots
+#     output += '<script src="https://cdn.jsdelivr.net/npm/vega-embed@6"></script>' # needed for altair plots   
+#     output += '</head><body>'
+#     output += '<div class="container">'
+#     output += html_input
+#     now = datetime.datetime.now()
+#     timestamp_str = now.strftime("%Y-%m-%d %H:%M")
+#     code_audit_version = __version__    
+#     output += (
+#         f"<p>This Python security report was created on: <b>{timestamp_str}</b> with "
+#         + PYTHON_CODE_AUDIT_TEXT
+#         + f" version <b>{code_audit_version}</b></p>"
+#     )
+#     output += '<hr>'
+#     output += '<footer>'    
+#     output += (
+#         '<div class="footer-links">'
+#         'Check the <a href="https://nocomplexity.com/documents/codeaudit/intro.html" '
+#         'target="_blank">documentation</a> for help on found issues.<br>'
+#         'Codeaudit is made with <span class="heart">&#10084;</span> by cyber security '
+#         'professionals who advocate for <a href="https://nocomplexity.com/simplify-security/" target="_blank">open simple security solutions</a>.<br>'
+#         '<a href="https://nocomplexity.com/documents/codeaudit/CONTRIBUTE.html" target="_blank">Join the community</a> and contribute to make this tool better!'
+#         "</div>"
+#     )
+#     output += "</footer>"
+#     output += '</div>' #base container
+#     output += '</body></html>'
+#     # Now create the HTML output file
+#     with open(outputfile, 'w') as f:
+#         f.write(output)    
+#     current_directory = os.getcwd()
+#     # Get the directory of the output file (if any)
+#     directory_for_output = os.path.dirname(os.path.abspath(outputfile))    
+#     filename_only = os.path.basename(outputfile)
+#     # Determine the effective directory to use in the file URL
+#     if not directory_for_output or directory_for_output == current_directory:
+#         file_url = f'file://{current_directory}/{filename_only}'
+#     else:
+#         file_url = f'file://{directory_for_output}/{filename_only}'
+#     # Print the result
+#     print("\n=====================================================================")
+#     print(f'Code Audit report file created!\nPaste the line below directly into your browser bar:\n\t{file_url}\n')
+#     print("=====================================================================\n")
+
+
 def extract_altair_html(plot_html):
     match = re.search(r"<body[^>]*>(.*?)</body>", plot_html, re.DOTALL | re.IGNORECASE)
     if match:

codeaudit/security_checks.py

@@ -49,9 +49,9 @@ def perform_validations(sourcefile):
 
     name_of_file = get_filename_from_path (sourcefile)
     
-    result = {'Name file' : name_of_file ,
+    result = {'file_name' : name_of_file ,
               'file_location': sourcefile ,
-              'Checks done:' : constructs ,
+              'checks_done:' : constructs ,
               'result': scan_result}
 
     return result

codeaudit/suppression.py

@@ -0,0 +1,233 @@
+import ast
+import tokenize
+from collections import defaultdict
+import re
+import sys
+
+def get_all_comments_by_line(filename):
+    """
+    Tokenize the file once and collect all real # comments
+    grouped by their starting line number.
+    """
+    comments_by_line = defaultdict(list)
+
+    try:
+        with tokenize.open(filename) as f:
+            for token in tokenize.generate_tokens(f.readline):
+                if token.type == tokenize.COMMENT:
+                    text = token.string.lstrip("# \t").rstrip()
+                    if text:
+                        comments_by_line[token.start[0]].append(text)
+
+    except (OSError, UnicodeDecodeError, tokenize.TokenError) as exc:
+        # Fail loudly with context instead of silently ignoring
+        raise RuntimeError(
+            f"Failed to extract comments from {filename}"
+        ) from exc
+
+    return {
+        line: "\n".join(texts)
+        for line, texts in comments_by_line.items()
+    }
+
+
+
+
+
+
+def get_start_to_end_lines(filename):
+    """
+    Parse the file once using AST and build a mapping:
+    start_line → highest end_lineno found for any node starting on that line.
+
+    Returns:
+        dict[int, int] — line numbers are 1-based
+        Returns empty dict if the file cannot be read or parsed.
+    """
+    end_lines = {}
+
+    try:
+        with open(filename, 'r', encoding='utf-8') as f:
+            source = f.read()
+
+        try:
+            tree = ast.parse(source, filename=filename)
+
+            for node in ast.walk(tree):
+                # Most nodes have lineno, but some (like comprehension ifs) might not
+                if not hasattr(node, 'lineno'):
+                    continue
+
+                start = node.lineno
+                # end_lineno may be missing in very old Python versions → fallback to start
+                end = getattr(node, 'end_lineno', start)
+
+                # Keep the maximum span for nodes starting on the same line
+                if start not in end_lines or end > end_lines[start]:
+                    end_lines[start] = end
+
+        except SyntaxError as e:
+            print(
+                f"Syntax error in {filename} (line {e.lineno}): {e.msg}",
+                file=sys.stderr
+            )
+            return {}
+        except (ValueError, UnicodeDecodeError) as e:
+            print(
+                f"Cannot read {filename} properly: {type(e).__name__}: {e}",
+                file=sys.stderr
+            )
+            return {}
+        except MemoryError:
+            print(f"Out of memory while parsing {filename}", file=sys.stderr)
+            return {}
+        except Exception as e:
+            print(
+                f"Unexpected error parsing AST of {filename}: "
+                f"{type(e).__name__}: {e}",
+                file=sys.stderr
+            )
+            return {}
+
+    except FileNotFoundError:
+        print(f"File not found: {filename}", file=sys.stderr)
+        return {}
+    except PermissionError:
+        print(f"Permission denied: {filename}", file=sys.stderr)
+        return {}
+    except IsADirectoryError:
+        print(f"Is a directory, not a file: {filename}", file=sys.stderr)
+        return {}
+    except OSError as e:
+        print(f"OS error opening {filename}: {e}", file=sys.stderr)
+        return {}
+    except Exception as e:
+        print(
+            f"Critical error while accessing {filename}: "
+            f"{type(e).__name__}: {e}",
+            file=sys.stderr
+        )
+        return {}
+
+    return end_lines
+
+
+# def get_start_to_end_lines(filename):
+#     """
+#     Parse AST once and build mapping: start_line → highest end_line found for nodes
+#     starting on that line.
+#     """
+#     end_lines = {}
+
+#     try:
+#         with open(filename, 'r', encoding='utf-8') as f:
+#             source = f.read()
+#         tree = ast.parse(source)
+
+#         for node in ast.walk(tree):
+#             if not hasattr(node, 'lineno'):
+#                 continue
+#             start = node.lineno
+#             end = getattr(node, 'end_lineno', start)
+#             # Take the maximum end line if multiple nodes start on same line
+#             if start not in end_lines or end > end_lines[start]:
+#                 end_lines[start] = end
+#     except Exception:
+#         pass
+
+#     return end_lines
+
+
+def is_suppressed(line, comments_by_line, start_to_end, match_func):
+    """
+    Check if the statement starting at `line` is suppressed by looking at comments
+    from start_line to end_line inclusive.
+    """
+    end = start_to_end.get(line, line)
+    for comment_line in range(line, end + 1):
+        comment = comments_by_line.get(comment_line, "")
+        if match_func(comment):
+            return True
+    return False
+
+
+def filter_sast_results(sast_dict):
+    """
+    Returns a new filtered dictionary with suppressed findings removed.
+    Parses & tokenizes the file only once.
+    Respects multi-line statements via AST end_lineno.
+    Empty lists and their keys are removed from the result.
+    """
+    file_location = sast_dict["file_location"]
+    original_result = sast_dict.get("result", {})
+
+    if not original_result:
+        return sast_dict.copy()
+
+    # Collect all unique line numbers that have findings
+    all_issue_lines = set()
+    for lines in original_result.values():
+        if isinstance(lines, list):
+            all_issue_lines.update(lines)
+
+    if not all_issue_lines:
+        return sast_dict.copy()
+
+    # Parse and tokenize **once**
+    comments_by_line = get_all_comments_by_line(file_location)
+    start_to_end = get_start_to_end_lines(file_location)
+
+    # Decide which lines to KEEP
+    keep_lines = set()
+    for line in sorted(all_issue_lines):
+        if not is_suppressed(line, comments_by_line, start_to_end, match_suppression_keyword):
+            keep_lines.add(line)
+
+    # Build new result dictionary
+    new_result = {}
+    for key, value in original_result.items():
+        if isinstance(value, list):
+            filtered = [ln for ln in value if ln in keep_lines]
+            if filtered:
+                new_result[key] = filtered
+        else:
+            new_result[key] = value
+
+    # Return new full dictionary
+    filtered_dict = sast_dict.copy()
+    filtered_dict["result"] = new_result
+    return filtered_dict
+
+
+def match_suppression_keyword(comment_line):
+    """
+    Checks if a SAST suppression marker is present in the comment.
+    """
+
+    MARKER_LIST = [
+        "nosec",
+        "nosemgrep",
+        "sast-ignore",
+        "ignore-sast",
+        "security-ignore",
+        "ignore-security",
+        "NOSONAR",
+        "noqa",
+        # False positive / risk handling
+        "false-positive",
+        "falsepositive",
+        "risk-accepted",
+        "security-accepted",
+        "security-reviewed",
+        "security-exception",
+    ]
+
+    if not comment_line:
+        return False
+
+    normalized = " ".join(
+        word.lstrip("#").lower()
+        for word in comment_line.split()
+    )
+    tokens = re.split(r"[^\w\-]+", normalized)
+    return any(marker.lower() in tokens for marker in MARKER_LIST)

{codeaudit-1.5.0.dist-info → codeaudit-1.6.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: codeaudit
-Version: 1.5.0
+Version: 1.6.0
 Summary: Simplified static security checks for Python 
 Project-URL: Documentation, https://github.com/nocomplexity/codeaudit#readme
 Project-URL: Issues, https://github.com/nocomplexity/codeaudit/issues

codeaudit-1.6.0.dist-info/RECORD

@@ -0,0 +1,25 @@
+codeaudit/__about__.py,sha256=EZ0swjOPnWsY4bG29vXRMJsA2zyCpDKGUv7nXcLLL5E,144
+codeaudit/__init__.py,sha256=YGs6qU0BVHPGtXCS-vfBDLO4TOfJDLTWMgaFDTmi_Iw,157
+codeaudit/altairplots.py,sha256=gBXN1_wxUmjzTNizvzbOeCKvUxpClGPdZmK7ICK1x68,4531
+codeaudit/api_interfaces.py,sha256=6GGz7k1fuSkzEXGjoqavQCmawTh0PVQNglttzSArFWI,17573
+codeaudit/api_reporting.py,sha256=W8eutTJ0d-TENbv5cCmAOfu4GEp_RwiQ4XU5FCmfkoI,1736
+codeaudit/checkmodules.py,sha256=aiF34KO-9HZDRgVBtSwVFdeUxT5_Ka5VtmlfgoLgNVs,5582
+codeaudit/codeaudit.py,sha256=g2HzRX6a3fckKUhyRrk6n3-5qNdVYtZRI1gqQ-QNl10,3775
+codeaudit/complexitycheck.py,sha256=A3_a5v-U0YQr80pWQwSVvOsY_eQtqwNkQf9Txr9mNtQ,3722
+codeaudit/filehelpfunctions.py,sha256=-5kIymEUcc7j0bRBS4XblvE3pbi3rWjkU5O2M_tinvM,4374
+codeaudit/htmlhelpfunctions.py,sha256=-SMsyfF7TRIfJkrUqoJuh7AoG1RVrYFsZfFljoxVHXc,3246
+codeaudit/issuevalidations.py,sha256=zf2Gr7KpyvA05K17IX05pQy-1oQWnbapVIvcUMcbNn8,6441
+codeaudit/privacy_lint.py,sha256=Rcefen7RswwJWnoE-Vrr2iE3zFjNoE19qW_O7LjGfN4,10264
+codeaudit/pypi_package_scan.py,sha256=dmk3xBUL0mZ5aCIc1fRVpuI1UIx1ejnOqfc4qB04748,4730
+codeaudit/reporting.py,sha256=AHgkbKOaAjBSh2ePZFFqm-MWdb2ZYTMmcFvOJy1wdLQ,43298
+codeaudit/security_checks.py,sha256=IuJMo99188TgJoYfTpMQiCs3Dchw4EvCGWuwh_Cds7k,2167
+codeaudit/simple.css,sha256=H7KT61oXJkVr9qXVrC5ME_Zph9jI-uR2IxOsXG1xs5k,4013
+codeaudit/suppression.py,sha256=zSLarg79pahStnXFklf_ERQvDXFgOr375BtPXEVSQjA,7060
+codeaudit/totals.py,sha256=b6OkzcMdqGKPwuGBKrwAeCxBOJxHa5FHauGWnEb-6zM,6387
+codeaudit/data/sastchecks.csv,sha256=dZDOgpVqFz3jPWWiLI-6CXE_SmOQ9Ay6N98NV72ay5w,10122
+codeaudit/data/secretslist.txt,sha256=BoVX6bijqaL5g-2JRGGf0x-S8NhZWtt7fzovZ1NrEK8,1905
+codeaudit-1.6.0.dist-info/METADATA,sha256=KMLuS8-HAhww_uVHYyEgWANkx5RZJTqcPDfxZgX5bC8,7814
+codeaudit-1.6.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+codeaudit-1.6.0.dist-info/entry_points.txt,sha256=7w6I8zii62nJHIIF30CRP5g1z8enMqF1pZEDdlw4HcQ,55
+codeaudit-1.6.0.dist-info/licenses/LICENSE.txt,sha256=-5gWaMGKJ54oX8TYP7oeg2zITdTapzyWl9PP0tispuA,34674
+codeaudit-1.6.0.dist-info/RECORD,,

codeaudit-1.5.0.dist-info/RECORD

@@ -1,24 +0,0 @@
-codeaudit/__about__.py,sha256=m0MoVjbAY6gx2X7P9BlRpPZOet3Ry3xAdoXoKNHrJXk,144
-codeaudit/__init__.py,sha256=YGs6qU0BVHPGtXCS-vfBDLO4TOfJDLTWMgaFDTmi_Iw,157
-codeaudit/altairplots.py,sha256=gBXN1_wxUmjzTNizvzbOeCKvUxpClGPdZmK7ICK1x68,4531
-codeaudit/api_interfaces.py,sha256=zWJrLDM8b3b2-rN0gCoPdflEFMzKUz3M7PfXtXvDpd4,15358
-codeaudit/api_reporting.py,sha256=W8eutTJ0d-TENbv5cCmAOfu4GEp_RwiQ4XU5FCmfkoI,1736
-codeaudit/checkmodules.py,sha256=aiF34KO-9HZDRgVBtSwVFdeUxT5_Ka5VtmlfgoLgNVs,5582
-codeaudit/codeaudit.py,sha256=g2HzRX6a3fckKUhyRrk6n3-5qNdVYtZRI1gqQ-QNl10,3775
-codeaudit/complexitycheck.py,sha256=A3_a5v-U0YQr80pWQwSVvOsY_eQtqwNkQf9Txr9mNtQ,3722
-codeaudit/filehelpfunctions.py,sha256=-5kIymEUcc7j0bRBS4XblvE3pbi3rWjkU5O2M_tinvM,4374
-codeaudit/htmlhelpfunctions.py,sha256=-SMsyfF7TRIfJkrUqoJuh7AoG1RVrYFsZfFljoxVHXc,3246
-codeaudit/issuevalidations.py,sha256=-WdaXT_R-P9w0JbQpJ5ngVoVhG9Yee2ri0aH5SoC1Ao,6404
-codeaudit/privacy_lint.py,sha256=TNS_BnWFXv14PslK9mBsQLwt73Ujcn9FbI7TQSYT0k8,10252
-codeaudit/pypi_package_scan.py,sha256=yxCXrRvjc4r0YsJYHvHJuJTyHC5QZl3sRQp73akCXx8,4723
-codeaudit/reporting.py,sha256=s3OuiPj6au5oELz-kmI6n-8NooJXjqvBLWKs4tzEg7s,38269
-codeaudit/security_checks.py,sha256=wEO_A054zXmLccWGREi6cNADa4IgoOPxHsq-Je5iMIY,2167
-codeaudit/simple.css,sha256=H7KT61oXJkVr9qXVrC5ME_Zph9jI-uR2IxOsXG1xs5k,4013
-codeaudit/totals.py,sha256=b6OkzcMdqGKPwuGBKrwAeCxBOJxHa5FHauGWnEb-6zM,6387
-codeaudit/data/sastchecks.csv,sha256=fIcyZgymCtAluPta9fTEk6a9DJ2AGJczZYRPUIQuSag,9738
-codeaudit/data/secretslist.txt,sha256=2Jqt9B5UfcRNeNpys8okmXCn4SYkp9M3_rJrI-KXCbE,1891
-codeaudit-1.5.0.dist-info/METADATA,sha256=ZWeMEYTu4ASLGJU5l8Stk8GjMcogzAFDF6NEdFsFmeA,7814
-codeaudit-1.5.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-codeaudit-1.5.0.dist-info/entry_points.txt,sha256=7w6I8zii62nJHIIF30CRP5g1z8enMqF1pZEDdlw4HcQ,55
-codeaudit-1.5.0.dist-info/licenses/LICENSE.txt,sha256=-5gWaMGKJ54oX8TYP7oeg2zITdTapzyWl9PP0tispuA,34674
-codeaudit-1.5.0.dist-info/RECORD,,