codeaudit 1.6.0__tar.gz → 1.6.2__tar.gz

{codeaudit-1.6.0 → codeaudit-1.6.2}/CHANGELOG.md

@@ -1,5 +1,49 @@
 # Change Log
 
+## Version 1.6.2:
+
+## Changelog
+
+**Added**
+* **Automated Python Testing:** Implemented automation for testing across various Python versions to ensure cross-version compatibility.
+
+**Changed**
+
+* **Internal Logic Improvements:** Enhanced the `count_privacy_check_results` function to provide more robust egress count testing.
+* **CLI Reporting:** Updated the command-line interface to dynamically toggle between "issue" (singular) and "issues" (plural) based on the findings.
+* **Architecture Refactoring:** Refined internal logic for increased stability and to ensure the codebase is **WASM ready**.
+* **License Standardization:** Updated the **GPLv3** license banner across key Python files for stylistic consistency. (see also issue #4)
+
+**Fixed**
+* **Issue #6 (Defensive Coding):** Resolved `KeyError` and syntax error during code snippet creation through more defensive programming practices.
+
+**Documentation**
+* Typos fixed and various improvements.
+
+
+## Version 1.6.1:
+
+**Added**
+Data Exfiltration Logic: Introduced improved and refactored logic for data egress (data exfiltration) risk detection.
+
+False Positive Prevention: Updated the secretlist to prevent false positives associated with common class definitions and NLP modules.
+
+**Changed**
+API Robustness: Performed minor code refactoring to ensure error handling is more robust when interacting with APIs.
+
+Maintenance Refactor: Renamed several functions to ensure the codebase remains simple, intuitive, and easy to maintain.
+
+Project Branding: Updated the PyPI.org description to more accurately reflect the tool’s core purpose and capabilities.
+
+**Fixed**
+Logic Refinement: Refined the data egress detection scripts to improve accuracy and performance.
+
+**Documentation**
+Report Clarity: Improved the HTML filescan report text to clarify that external egress detection is distinct from identifying secrets within Python code.
+
+General Maintenance: Applied various fixes and improvements to the project documentation for better readability.
+
+
 ## Version 1.6.0:
 
 **Added**:

{codeaudit-1.6.0 → codeaudit-1.6.2}/PKG-INFO

@@ -1,7 +1,7 @@
 Metadata-Version: 2.4
 Name: codeaudit
-Version: 1.6.0
-Summary: Simplified static security checks for Python 
+Version: 1.6.2
+Summary: A modern Python security source code analyzer (SAST) based on distrust.
 Project-URL: Documentation, https://github.com/nocomplexity/codeaudit#readme
 Project-URL: Issues, https://github.com/nocomplexity/codeaudit/issues
 Project-URL: Source, https://github.com/nocomplexity/codeaudit

{codeaudit-1.6.0 → codeaudit-1.6.2}/docs/_toc.yml

@@ -9,6 +9,9 @@ parts:
   - file: howtoscan
   - file: whatissast
   - file: whysast
+  - url: https://securitytesting.nocomplexity.com/ 
+    title: Mastering Security Testing for Python
+  
   
 
 
@@ -20,7 +23,11 @@ parts:
     - file: filescan
     - file: modulescan
     - file: codeauditchecks  
+  - file: data_exfiltration_detection
+    sections:
+    - file: data_egress_implementation
   - file: issues
+  - file: markingissues
   - file: securecoding
   - file: complexitycheck
   - file: warnings

{codeaudit-1.6.0 → codeaudit-1.6.2}/docs/codeauditcommands.md

@@ -1,6 +1,6 @@
 % THIS FILE IS GENERATED! - Use CLIcommands.ipynb to make it better!
 # Commands Overview
-Python Code Audit commands for: version: 1.5.0
+Python Code Audit commands for: version: 1.6.2
 ```
 ----------------------------------------------------
  _                    __             _             
@@ -70,7 +70,7 @@ Returns:
 Raises:
     SystemExit: If the provided path is not a directory, contains no Python
         files, or is neither a valid local directory nor a valid PyPI
-        package name.    
+        package name.
 str(object='') -> str
 str(bytes_or_buffer[, encoding[, errors]]) -> str
 
@@ -191,7 +191,7 @@ FLAGS
 -n, --nosec=NOSEC
     Default: False
 
-            
+
 Args:
 
 -f, --filename=FILENAME
@@ -213,7 +213,7 @@ Returns:
     None: The function writes a static HTML security report to disk.
 
 Raises:
-    None: Errors and invalid inputs are reported to stdout.    
+    None: Errors and invalid inputs are reported to stdout.
 str(object='') -> str
 str(bytes_or_buffer[, encoding[, errors]]) -> str
 
@@ -230,8 +230,8 @@ errors defaults to 'strict'.
 
 Creates an HTML report of all implemented security checks.
 
-This report provides a user-friendly overview of the static security checks 
-currently supported by Python Code Audit. It is intended to make it easier to review 
+This report provides a user-friendly overview of the static security checks
+currently supported by Python Code Audit. It is intended to make it easier to review
 the available validations without digging through the codebase.
 
 The generated HTML includes:
@@ -240,12 +240,12 @@ The generated HTML includes:
 - The version of Python Code Audit (codeaudit) used
 - A disclaimer about version-specific reporting
 
-The report is saved to the specified filename and is formatted to be 
+The report is saved to the specified filename and is formatted to be
 embeddable in larger multi-report documents.
 
 Help me continue developing Python Code Audit as free and open-source software.
 Join the community to contribute to the most complete, local first , Python Security Static scanner.
-Help!!  Join the journey, check: https://github.com/nocomplexity/codeaudit#contributing 
+Help!!  Join the journey, check: https://github.com/nocomplexity/codeaudit#contributing
 
 
 Parameters:

codeaudit-1.6.2/docs/data_egress_implementation.md

@@ -0,0 +1,91 @@
+# How Egress Detection works 
+
+
+This section explains the design choices used to detect potential data exfiltration as implemented in Python Code Audit.
+
+Python Code Audit analyses Python source code to determine whether data may be sent to external systems.
+
+:::{important}
+No single technique can detect telemetry or data exfiltration with 100% accuracy. All detection methods involve trade-offs between detection depth, complexity, and false-positive rates.
+:::
+
+## Detection Approaches
+
+Common techniques for detecting potential data exfiltration in Python code are:
+
+* Entropy analysis – Detects high-entropy strings that may represent API keys or tokens.
+
+* Regex pattern matching – Identifies known credential formats (e.g. AWS AKIA...).
+
+* Import monitoring – Detects libraries such as boto3, google-cloud-storage, or requests.
+
+* Machine learning – Analyses code and network behaviour patterns.
+
+* Taint analysis – Tracks whether sensitive data flows to external network calls.
+
+* Telemetry library detection – Identifies known analytics or telemetry SDKs.
+
+* Network module inspection – Detects modules capable of external communication (requests, httpx, urllib, aiohttp, socket, etc.).
+
+* Semantic pattern matching – Detects behavioural code patterns.
+
+* Data flow mapping – Identifies where sensitive data may reach external “sink” points.
+
+In practice these approaches often combine AST parsing, regex rules, and data-flow analysis, **but full accuracy is impossible due to edge cases such as aliasing, dynamic imports, and code obfuscation.**
+
+**Example:** Using an external telemetry service can be as simple as:
+
+```python
+import externalmonitoring as safereport
+
+safereport.init(
+    api_key="your-api-key",
+    project="mycompanymodule"
+)
+```
+
+## Design Philosophy
+
+Detecting data exfiltration is always a trade-off. Following the Python Code Audit [project philosophy](project_philosophy), our implementation prioritises:
+
+* Ease of use for quick audits of third-party Python code
+* Low maintenance
+* Clear and limited scope
+
+## Detection Strategy
+
+Python Code Audit focuses primarily on secrets used in function calls, which **indicate** communication with external services.
+
+Most telemetry platforms, SaaS services, and cloud APIs require API keys or tokens for authentication. Detecting these patterns is therefore an effective way to identify potential telemetry or data-exfiltration behaviour.
+
+Python Code Audit parses Python files into an Abstract Syntax Tree (AST) to detect authentication parameters such as API keys, tokens, or JWTs used in calls to external services.
+
+:::{note}
+Python Code Audit is **not** a secret-scanning tool.
+
+Detecting exposed secrets in repositories is a separate use case.
+
+Dedicated tools exist for this purpose, such as TruffleHog or Gitleaks. But Check and use relevant security FOSS tools from our [FOSS security solution catalogue](https://nocomplexity.com/documents/securitysolutions/intro.html).
+:::
+
+
+Advantages of our approach:
+
+- **Fast analysis** – Quickly identifies potential external service integrations.
+
+- **No code execution required** – Python code is analysed **safely** without running it.
+
+- No need to maintain large lists of network libraries or telemetry SDKs.
+
+- **Simpler and more maintainable detection logic** – Avoids complex taint analysis and large regex rule sets.
+
+
+
+The Python Code Audit design offers a **high-speed**, practical framework for detecting 'phone-home' behaviours and data exfiltration paths.
+
+:::{admonition} Paranoid? 
+:class: hint, dropdown
+If you want to prevent data exfiltration, you should **block all outgoing network traffic** from your applications to external systems, or only allow data flows that have been explicitly approved following a risk analysis.
+
+Detection of data exfiltration in Python code does not guarantee that no data is transmitted through other components of the system. This is particularly important in environments where technologies other than Python are also used.
+:::

codeaudit-1.6.2/docs/data_exfiltration_detection.md

@@ -0,0 +1,157 @@
+# Data Exfiltration Detection
+
+Python Code Audit has advanced functionality to detect External Egress Risk. This capability is essential when verifying security before using Python programs or when evaluating existing Python code.
+
+This section explains why detecting potential data exfiltration in Python programs is important and how this functionality can be used within **Python Code Audit**.
+
+:::{admonition} Detecting Data Exfiltration
+:class: danger
+Identifying data exfiltration in Python code—specifically within telemetry, remote analytics, and SaaS integrations—is a **critical step in mitigating security risks**.
+:::
+
+
+## Why Python Data Exfiltration Detection matters
+
+In the modern digital economy, data is an organization’s most valuable asset. When sensitive information falls into unauthorized hands, the consequences  are often irreversible.
+
+Within Static Application Security Testing (SAST), identifying interactions with remote services is more than a best practice; it is a necessity. 
+
+Detecting and validating potential data exfiltration paths in Python applications is essential to maintaining a secure, resilient, and trustworthy software ecosystem.
+
+
+### What is Data Egress?
+
+Data egress occurs when information travels from your secure internal perimeter to an external destination. In a Python context, this includes the public internet, third-party cloud environments, partner networks, or SaaS integrations.
+
+### The Challenge: Legitimate vs. Malicious Intent
+In Python development, outbound data flow is often a core functional requirement. Modern applications rely on authorized egress paths for:
+- Communication: Sending automated emails or notifications.
+- Integration: Delivering API responses to external consumers.
+- Infrastructure: Syncing database backups to remote cloud storage.
+
+However, Python’s flexibility makes it a prime candidate for advanced exfiltration techniques. Malicious actors or compromised dependencies can hide unauthorized data transfers within seemingly benign traffic, often bypassing standard network-level detection.
+
+### The Telemetry Trap: Remote Monitoring & Analytics
+
+Developers naturally want to understand application performance. This leads to the integration of telemetry (remote analytics), which is the automated collection and transmission of data from distributed systems to a central location.
+
+Common use cases include:
+* Usage Analytics: Monitoring who uses a Python package and on what platforms.
+* Health Checks: Remote updates and error monitoring.
+* Behavioral Tracking: Analysing UI/UX interactions (e.g., Google Analytics).
+* Vertical-Specific Monitoring: Patient data in healthcare or track-and-trace in logistics.
+
+
+**The Fallacy of "Anonymous" Collection**
+
+While many Python telemetry modules claim anonymity, **privacy risks** persist. If the backend systems are closed-source, they rely on **security by obscurity**, violating a core security principle. 
+
+:::{danger} 
+Telemetry and various Python analytics and remote monitoring modules often collect more metadata than documented, sending private data to unknown, potentially vulnerable services.
+:::
+
+### The "Shift-Left" Advantage
+Detecting exfiltration at the network level is reactive and expensive. It often fails when traffic is encrypted or blended with legitimate SaaS calls. Moving detection to the code level ([Shift-Left](https://nocomplexity.com/shift-left/)) is more cost-effective and provides:
+
+1. Supply Chain Integrity: Auditing third-party libraries before integration. If a library contains undocumented "phone home" logic, it can be blocked early.
+2. Defense in Depth: Perimeter tools (Firewalls, DLP, CASBs) are essential but not infallible. Source code detection adds a vital internal layer of defense.
+
+Security Mandate: From a **Zero Trust** standpoint, organisations must verify if telemetry is present in their Python code and ensure all associated risks are mitigated through code, systems, and management processes.
+
+## Assessing the Security Risks
+
+Telemetry represents a **deliberate hole** in your network perimeter. When Python applications implement advanced tracking without granular consent, they transition from a "utility" to a significant security liability.
+
+**Sensitive Data Leakage**: Telemetry and other forms of external service (SaaS) interaction often captures more than just "events." Without rigorous sanitization, these streams can include:
+
+- **PII (Personally Identifiable Information):** Usernames, IP addresses, and location data.
+- **Secrets in Logs:** Authentication tokens or database strings caught in stack traces.
+- **Business Logic:** Proprietary metadata revealing internal infrastructure.
+
+
+**Expanded Attack Surface:** Every external API endpoint is a potential point of failure.
+
+-  **Unauthenticated Endpoints:** Many telemetry "sinks" lack robust auth, making them easy targets for interception.
+-  **Library Vulnerabilities:** The telemetry module itself may contain vulnerabilities (e.g., RCE or path traversal) that grant attackers a foothold.
+
+**The "When, Not If" Data Breach:** Data sent to a third party is only as secure as their defenses.
+
+- Loss of Custody: Once data leaves your perimeter, you lose the ability to protect it.
+- **Transparency Gaps:** You are dependent on the provider to detect and report breaches—a process that often takes months.
+
+
+## How to Check for Data Exfiltration
+
+**Python Code Audit** includes functionality to detect potential data exfiltration risks. This feature is available through:
+
+- the [CLI interface](userguide), and
+
+- the [API](apidocs/modules).
+
+Using the Python Code Audit CLI interface:
+The egress detection function can be activated with the following command:
+
+```bash
+codeaudit filescan <pythonfile|package-name|directory> [OUTPUTFILE]
+```
+
+**Report Output**
+
+In the generated HTML report, each analysed file is evaluated for potential data exfiltration to external services.
+
+If a potential risk is detected, the report will display:
+> *&#9888;&#65039; External Egress Risk: Detected outbound connection logic or API keys that may facilitate data egress.*
+
+The report also highlights the exact lines of code that triggered the detection.
+
+:::{tip} 
+**Always review discovered modules carefully.**
+
+In the report, under the section:
+
+`> View used modules in this file.`
+
+the HTML report lists all modules detected per file. Understanding each module is critical—some are strong indicators of possible data exchange with external systems. Review them to assess potential security or privacy risks.
+:::
+
+If no external egress risks are identified, the report will display:
+> *&#x2705; No logic for connecting to remote services found. Risk of data exfiltration to external systems is low.*
+
+
+
+:::{important} 
+No tool can provide 100% guarantees. This applies to Python Code Audit as well as to any other security analysis tool.
+:::
+
+
+:::{admonition} Scope and Intent of **Python Code Audit Egress Scanning**
+:class: note
+
+It is critical to distinguish between Data Egress Detection and Secret Scanning. While both are vital components of a secure development lifecycle, they address entirely different threat vectors.
+
+The **Python Code Audit** egress detection functionality is **NOT** designed to identify secrets within your source code.
+
+Understanding the Difference:
+* Data Egress Detection: Focuses on the destination and mechanism of data leaving your environment (e.g., identifying telemetry hooks, hidden API calls, or SaaS integrations).
+
+* Secret Scanning: Focuses on the credentials themselves (e.g., hardcoded API keys, passwords, or certificates), whether they are plaintext or obfuscated.
+:::
+
+
+:::{admonition} High-risk integrations are a key focus for Python Code Audit egress detection!
+:class: danger, dropdown
+
+The following categories represent common classes of external service integrations that may introduce data egress or external communication risks in Python applications. 
+Python Code Audit’s data egress capability is designed to detect these flows.
+
+
+| Category | Risk Type | Typical Detection Indicators | Examples |
+|----------|-----------|-----------------------------|----------|
+| Telemetry & Observability | Data Leakage / Privacy | Telemetry SDK imports, metrics exporters, remote monitoring endpoints, automatic usage reporting | Datadog, New Relic, AppDynamics, Mixpanel, Segment |
+| Logging & Analytics | Metadata Exposure | Remote log ingestion endpoints, log shipping agents, API tokens for log platforms | Splunk, ELK (Elastic), Loggly |
+| Cloud Infrastructure | Lateral Movement | Cloud SDK usage, IAM credential usage, storage APIs, service account authentication | AWS (IAM/S3), Azure (Service Principals), GCP |
+| AI & LLM Pipelines | Resource Abuse / IP Leak | LLM API calls, prompt transmission to external APIs, model inference endpoints | OpenAI, Anthropic, LangChain |
+| Communication Gateways | Financial Risk / Phishing | Messaging APIs, webhook endpoints, outbound email/SMS integrations | Twilio, SendGrid, Slack Webhooks |
+
+:::
+

codeaudit-1.6.2/docs/examples/ca_api_example_overview.ipynb

@@ -0,0 +1,160 @@
+{
+ "cells": [
+  {
+   "cell_type": "markdown",
+   "id": "a7c7195e-93bf-40c3-88b1-61b7601fad2d",
+   "metadata": {},
+   "source": [
+    "# Example:Security Weaknesses Overview\n",
+    "\n",
+    "This notebook demonstrates how to use the Python Code Audit APIs to generate a visual overview of all detected weaknesses in a file or package.\n",
+    "\n",
+    "The identified security weaknesses are displayed using an [Altair](https://altair-viz.github.io/index.html) radial chart.\n"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 1,
+   "id": "09e351e8-5a8e-4365-b94a-8f61703ecd04",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "from codeaudit.api_interfaces import filescan , get_construct_counts\n",
+    "from codeaudit.altairplots import issue_plot"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 2,
+   "id": "b532b94a-c19c-4203-8eac-dfa04c0f52cf",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "demo_file = 'demofile.py'  #Instead of using a single file, you can also use a directory. The file or directory gets scanned on security weaknesses."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 3,
+   "id": "44016841-cf88-4e72-82ed-b57f4cc79a04",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "result = get_construct_counts(demo_file) #The `get_constructs_counts` API call, scans the file or directory and returns a Python dict."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": 4,
+   "id": "88bb7d58-b242-43a7-9e87-06d163302bee",
+   "metadata": {},
+   "outputs": [
+    {
+     "data": {
+      "text/html": [
+       "\n",
+       "<style>\n",
+       "  #altair-viz-557237fd1f17422c9869f5fab1267afa.vega-embed {\n",
+       "    width: 100%;\n",
+       "    display: flex;\n",
+       "  }\n",
+       "\n",
+       "  #altair-viz-557237fd1f17422c9869f5fab1267afa.vega-embed details,\n",
+       "  #altair-viz-557237fd1f17422c9869f5fab1267afa.vega-embed details summary {\n",
+       "    position: relative;\n",
+       "  }\n",
+       "</style>\n",
+       "<div id=\"altair-viz-557237fd1f17422c9869f5fab1267afa\"></div>\n",
+       "<script type=\"text/javascript\">\n",
+       "  var VEGA_DEBUG = (typeof VEGA_DEBUG == \"undefined\") ? {} : VEGA_DEBUG;\n",
+       "  (function(spec, embedOpt){\n",
+       "    let outputDiv = document.currentScript.previousElementSibling;\n",
+       "    if (outputDiv.id !== \"altair-viz-557237fd1f17422c9869f5fab1267afa\") {\n",
+       "      outputDiv = document.getElementById(\"altair-viz-557237fd1f17422c9869f5fab1267afa\");\n",
+       "    }\n",
+       "\n",
+       "    const paths = {\n",
+       "      \"vega\": \"https://cdn.jsdelivr.net/npm/vega@6?noext\",\n",
+       "      \"vega-lib\": \"https://cdn.jsdelivr.net/npm/vega-lib?noext\",\n",
+       "      \"vega-lite\": \"https://cdn.jsdelivr.net/npm/vega-lite@6.1.0?noext\",\n",
+       "      \"vega-embed\": \"https://cdn.jsdelivr.net/npm/vega-embed@7?noext\",\n",
+       "    };\n",
+       "\n",
+       "    function maybeLoadScript(lib, version) {\n",
+       "      var key = `${lib.replace(\"-\", \"\")}_version`;\n",
+       "      return (VEGA_DEBUG[key] == version) ?\n",
+       "        Promise.resolve(paths[lib]) :\n",
+       "        new Promise(function(resolve, reject) {\n",
+       "          var s = document.createElement('script');\n",
+       "          document.getElementsByTagName(\"head\")[0].appendChild(s);\n",
+       "          s.async = true;\n",
+       "          s.onload = () => {\n",
+       "            VEGA_DEBUG[key] = version;\n",
+       "            return resolve(paths[lib]);\n",
+       "          };\n",
+       "          s.onerror = () => reject(`Error loading script: ${paths[lib]}`);\n",
+       "          s.src = paths[lib];\n",
+       "        });\n",
+       "    }\n",
+       "\n",
+       "    function showError(err) {\n",
+       "      outputDiv.innerHTML = `<div class=\"error\" style=\"color:red;\">${err}</div>`;\n",
+       "      throw err;\n",
+       "    }\n",
+       "\n",
+       "    function displayChart(vegaEmbed) {\n",
+       "      vegaEmbed(outputDiv, spec, embedOpt)\n",
+       "        .catch(err => showError(`Javascript Error: ${err.message}<br>This usually means there's a typo in your chart specification. See the javascript console for the full traceback.`));\n",
+       "    }\n",
+       "\n",
+       "    if(typeof define === \"function\" && define.amd) {\n",
+       "      requirejs.config({paths});\n",
+       "      let deps = [\"vega-embed\"];\n",
+       "      require(deps, displayChart, err => showError(`Error loading script: ${err.message}`));\n",
+       "    } else {\n",
+       "      maybeLoadScript(\"vega\", \"6\")\n",
+       "        .then(() => maybeLoadScript(\"vega-lite\", \"6.1.0\"))\n",
+       "        .then(() => maybeLoadScript(\"vega-embed\", \"7\"))\n",
+       "        .catch(showError)\n",
+       "        .then(() => displayChart(vegaEmbed));\n",
+       "    }\n",
+       "  })({\"config\": {\"view\": {\"continuousWidth\": 300, \"continuousHeight\": 300}}, \"data\": {\"name\": \"data-4b0e95bbc5603fd13e7b50f912f80d74\"}, \"mark\": {\"type\": \"arc\", \"innerRadius\": 20}, \"encoding\": {\"color\": {\"field\": \"legend_label\", \"legend\": {\"title\": \"Weaknesses (Count)\"}, \"scale\": {\"scheme\": \"category20\"}, \"type\": \"nominal\"}, \"radius\": {\"field\": \"count\", \"scale\": {\"type\": \"sqrt\"}, \"type\": \"quantitative\"}, \"theta\": {\"field\": \"theta1\", \"stack\": null, \"title\": null, \"type\": \"quantitative\"}, \"theta2\": {\"field\": \"theta0\"}, \"tooltip\": [{\"field\": \"construct\", \"type\": \"nominal\"}, {\"field\": \"count\", \"type\": \"quantitative\"}]}, \"height\": 600, \"title\": \"Overview of Security Weaknesses\", \"width\": 600, \"$schema\": \"https://vega.github.io/schema/vega-lite/v6.1.0.json\", \"datasets\": {\"data-4b0e95bbc5603fd13e7b50f912f80d74\": [{\"construct\": \"assert\", \"count\": 2, \"legend_label\": \"assert (2)\", \"fraction\": 0.03076923076923077, \"theta0\": 0.0, \"theta1\": 0.03076923076923077}, {\"construct\": \"base64\", \"count\": 2, \"legend_label\": \"base64 (2)\", \"fraction\": 0.03076923076923077, \"theta0\": 0.03076923076923077, \"theta1\": 0.06153846153846154}, {\"construct\": \"bz2.BZ2File\", \"count\": 1, \"legend_label\": \"bz2.BZ2File (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.06153846153846154, \"theta1\": 0.07692307692307693}, {\"construct\": \"bz2.open\", \"count\": 1, \"legend_label\": \"bz2.open (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.07692307692307693, \"theta1\": 0.09230769230769231}, {\"construct\": \"compile\", \"count\": 1, \"legend_label\": \"compile (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.09230769230769231, \"theta1\": 0.1076923076923077}, {\"construct\": \"connection.recv\", \"count\": 1, \"legend_label\": \"connection.recv (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.1076923076923077, \"theta1\": 0.12307692307692308}, {\"construct\": \"continue\", \"count\": 1, \"legend_label\": \"continue (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.12307692307692308, \"theta1\": 0.13846153846153847}, {\"construct\": \"eval\", \"count\": 1, \"legend_label\": \"eval (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.13846153846153847, \"theta1\": 0.15384615384615385}, {\"construct\": \"exec\", \"count\": 2, \"legend_label\": \"exec (2)\", \"fraction\": 0.03076923076923077, \"theta0\": 0.15384615384615385, \"theta1\": 0.18461538461538463}, {\"construct\": \"gzip.open\", \"count\": 1, \"legend_label\": \"gzip.open (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.18461538461538463, \"theta1\": 0.2}, {\"construct\": \"hashlib.md5\", \"count\": 1, \"legend_label\": \"hashlib.md5 (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.2, \"theta1\": 0.2153846153846154}, {\"construct\": \"hashlib.sha1\", \"count\": 2, \"legend_label\": \"hashlib.sha1 (2)\", \"fraction\": 0.03076923076923077, \"theta0\": 0.2153846153846154, \"theta1\": 0.24615384615384617}, {\"construct\": \"http.server.BaseHTTPRequestHandler\", \"count\": 2, \"legend_label\": \"http.server.BaseHTTPRequestHandler (2)\", \"fraction\": 0.03076923076923077, \"theta0\": 0.24615384615384617, \"theta1\": 0.27692307692307694}, {\"construct\": \"http.server.HTTPServer\", \"count\": 1, \"legend_label\": \"http.server.HTTPServer (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.27692307692307694, \"theta1\": 0.2923076923076923}, {\"construct\": \"logging.config\", \"count\": 2, \"legend_label\": \"logging.config (2)\", \"fraction\": 0.03076923076923077, \"theta0\": 0.2923076923076923, \"theta1\": 0.3230769230769231}, {\"construct\": \"lzma.LZMAFile\", \"count\": 1, \"legend_label\": \"lzma.LZMAFile (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.3230769230769231, \"theta1\": 0.3384615384615385}, {\"construct\": \"lzma.open\", \"count\": 2, \"legend_label\": \"lzma.open (2)\", \"fraction\": 0.03076923076923077, \"theta0\": 0.3384615384615385, \"theta1\": 0.36923076923076925}, {\"construct\": \"marshal.load\", \"count\": 1, \"legend_label\": \"marshal.load (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.36923076923076925, \"theta1\": 0.38461538461538464}, {\"construct\": \"marshal.loads\", \"count\": 1, \"legend_label\": \"marshal.loads (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.38461538461538464, \"theta1\": 0.4}, {\"construct\": \"os.access\", \"count\": 2, \"legend_label\": \"os.access (2)\", \"fraction\": 0.03076923076923077, \"theta0\": 0.4, \"theta1\": 0.4307692307692308}, {\"construct\": \"os.chmod\", \"count\": 1, \"legend_label\": \"os.chmod (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.4307692307692308, \"theta1\": 0.4461538461538462}, {\"construct\": \"os.fork\", \"count\": 3, \"legend_label\": \"os.fork (3)\", \"fraction\": 0.046153846153846156, \"theta0\": 0.4461538461538462, \"theta1\": 0.49230769230769234}, {\"construct\": \"os.forkpty\", \"count\": 1, \"legend_label\": \"os.forkpty (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.4923076923076923, \"theta1\": 0.5076923076923077}, {\"construct\": \"os.makedirs\", \"count\": 1, \"legend_label\": \"os.makedirs (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.5076923076923077, \"theta1\": 0.523076923076923}, {\"construct\": \"os.popen\", \"count\": 1, \"legend_label\": \"os.popen (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.523076923076923, \"theta1\": 0.5384615384615383}, {\"construct\": \"os.system\", \"count\": 1, \"legend_label\": \"os.system (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.5384615384615383, \"theta1\": 0.5538461538461537}, {\"construct\": \"os.write\", \"count\": 1, \"legend_label\": \"os.write (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.5538461538461537, \"theta1\": 0.569230769230769}, {\"construct\": \"os.writev\", \"count\": 1, \"legend_label\": \"os.writev (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.569230769230769, \"theta1\": 0.5846153846153843}, {\"construct\": \"pass\", \"count\": 2, \"legend_label\": \"pass (2)\", \"fraction\": 0.03076923076923077, \"theta0\": 0.5846153846153843, \"theta1\": 0.6153846153846151}, {\"construct\": \"pickle.load\", \"count\": 1, \"legend_label\": \"pickle.load (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.6153846153846152, \"theta1\": 0.6307692307692305}, {\"construct\": \"pickle.loads\", \"count\": 2, \"legend_label\": \"pickle.loads (2)\", \"fraction\": 0.03076923076923077, \"theta0\": 0.6307692307692305, \"theta1\": 0.6615384615384613}, {\"construct\": \"random.random\", \"count\": 1, \"legend_label\": \"random.random (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.6615384615384614, \"theta1\": 0.6769230769230767}, {\"construct\": \"random.seed\", \"count\": 1, \"legend_label\": \"random.seed (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.6769230769230767, \"theta1\": 0.6923076923076921}, {\"construct\": \"s.bind\", \"count\": 2, \"legend_label\": \"s.bind (2)\", \"fraction\": 0.03076923076923077, \"theta0\": 0.6923076923076921, \"theta1\": 0.7230769230769228}, {\"construct\": \"shelve.open\", \"count\": 1, \"legend_label\": \"shelve.open (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.723076923076923, \"theta1\": 0.7384615384615383}, {\"construct\": \"shutil.copy\", \"count\": 1, \"legend_label\": \"shutil.copy (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.7384615384615383, \"theta1\": 0.7538461538461536}, {\"construct\": \"shutil.rmtree\", \"count\": 1, \"legend_label\": \"shutil.rmtree (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.7538461538461536, \"theta1\": 0.7692307692307689}, {\"construct\": \"shutil.unpack_archive\", \"count\": 1, \"legend_label\": \"shutil.unpack_archive (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.7692307692307689, \"theta1\": 0.7846153846153843}, {\"construct\": \"sys.setprofile\", \"count\": 2, \"legend_label\": \"sys.setprofile (2)\", \"fraction\": 0.03076923076923077, \"theta0\": 0.7846153846153843, \"theta1\": 0.815384615384615}, {\"construct\": \"sys.settrace\", \"count\": 2, \"legend_label\": \"sys.settrace (2)\", \"fraction\": 0.03076923076923077, \"theta0\": 0.815384615384615, \"theta1\": 0.8461538461538458}, {\"construct\": \"tarfile.TarFile\", \"count\": 6, \"legend_label\": \"tarfile.TarFile (6)\", \"fraction\": 0.09230769230769231, \"theta0\": 0.8461538461538458, \"theta1\": 0.9384615384615381}, {\"construct\": \"tempfile.mktemp\", \"count\": 1, \"legend_label\": \"tempfile.mktemp (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.9384615384615382, \"theta1\": 0.9538461538461536}, {\"construct\": \"xmlrpc.client\", \"count\": 1, \"legend_label\": \"xmlrpc.client (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.9538461538461536, \"theta1\": 0.9692307692307689}, {\"construct\": \"xmlrpc.server.SimpleXMLRPCServer\", \"count\": 1, \"legend_label\": \"xmlrpc.server.SimpleXMLRPCServer (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.9692307692307689, \"theta1\": 0.9846153846153842}, {\"construct\": \"zipfile.ZipFile\", \"count\": 1, \"legend_label\": \"zipfile.ZipFile (1)\", \"fraction\": 0.015384615384615385, \"theta0\": 0.9846153846153842, \"theta1\": 0.9999999999999996}]}}, {\"mode\": \"vega-lite\"});\n",
+       "</script>"
+      ],
+      "text/plain": [
+       "alt.Chart(...)"
+      ]
+     },
+     "execution_count": 4,
+     "metadata": {},
+     "output_type": "execute_result"
+    }
+   ],
+   "source": [
+    "chart = issue_plot(result) \n",
+    "chart"
+   ]
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "Python 3 (ipykernel)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.13.11"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}

{codeaudit-1.6.0 → codeaudit-1.6.2}/docs/examples/codeauditchecks.html

@@ -738,4 +738,4 @@ footer {
       <td>Vulnerable to path traversal attacks if used with untrusted archives.</td>
     </tr>
   </tbody>
-</table><br><p>Number of implemented security validations:<b>83</b></p><p>Version of codeaudit: <b>1.5.0</b><p>Because Python and cybersecurity are constantly changing, issue reports <b>SHOULD</b> specify the codeaudit version used.</p><p><b>Disclaimer:</b> <i>This SAST tool <a href="https://github.com/nocomplexity/codeaudit" target="_blank"><b>Python Code Audit</b></a> provides a powerful, automatic security analysis for Python source code. However, it's not a substitute for human review in combination with business knowledge. Undetected vulnerabilities may still exist.</i></p><p>This Python security report was created on: <b>2026-02-06 15:52</b> with <a href="https://github.com/nocomplexity/codeaudit" target="_blank"><b>Python Code Audit</b></a> version <b>1.5.0</b></p><hr><footer><div class="footer-links">Check the <a href="https://nocomplexity.com/documents/codeaudit/intro.html" target="_blank">documentation</a> for help on found issues.<br>Codeaudit is made with <span class="heart">&#10084;</span> by cyber security professionals who advocate for <a href="https://nocomplexity.com/simplify-security/" target="_blank">open simple security solutions</a>.<br><a href="https://nocomplexity.com/documents/codeaudit/CONTRIBUTE.html" target="_blank">Join the community</a> and contribute to make this tool better!</div></footer></div></body></html>
+</table><br><p>Number of implemented security validations:<b>83</b></p><p>Version of codeaudit: <b>1.6.2</b><p>Because Python and cybersecurity are constantly changing, issue reports <b>SHOULD</b> specify the codeaudit version used.</p><p><b>Disclaimer:</b> <i>This SAST tool <a href="https://github.com/nocomplexity/codeaudit" target="_blank"><b>Python Code Audit</b></a> provides a powerful, automatic security analysis for Python source code. However, it's not a substitute for human review in combination with business knowledge. Undetected vulnerabilities may still exist.</i></p><p>This Python security report was created on: <b>2026-04-08 10:10</b> with <a href="https://github.com/nocomplexity/codeaudit" target="_blank"><b>Python Code Audit</b></a> version <b>1.6.2</b></p><hr><footer><div class="footer-links">Check the <a href="https://nocomplexity.com/documents/codeaudit/intro.html" target="_blank">documentation</a> for help on found issues.<br>Codeaudit is made with <span class="heart">&#10084;</span> by cyber security professionals who advocate for <a href="https://nocomplexity.com/simplify-security/" target="_blank">open simple security solutions</a>.<br><a href="https://nocomplexity.com/documents/codeaudit/CONTRIBUTE.html" target="_blank">Join the community</a> and contribute to make this tool better!</div></footer></div></body></html>

{codeaudit-1.6.0 → codeaudit-1.6.2}/docs/examples/demoscan.json

@@ -1,7 +1,7 @@
 {
   "name": "Python_Code_Audit",
-  "version": "1.5.0",
-  "generated_on": "2026-02-06 15:52",
+  "version": "1.6.2",
+  "generated_on": "2026-04-08 10:09",
   "file_security_info": {
     "0": {
       "FileName": "demofile.py",

{codeaudit-1.6.0 → codeaudit-1.6.2}/docs/filescan.md

@@ -1,9 +1,10 @@
 # Command `codeaudit filescan`
 
-The **Python Code Audit** `filescan` command efficiently scans Python files or directories (packages) to identify and report potential security weaknesses.
-
-It produces a report detailing the potential security issues discovered.
+The **Python Code Audit** `filescan` command efficiently scans Python files or directories (packages) to:
+1. Identify and report potential security weaknesses and
+2. [Detect Data Exfiltration](data_exfiltration_detection)
 
+The tool generates a report detailing discovered security issues and flagging any External Egress Risks identified within the Python code.
 
 See section [validations](checksinformation) for all security checks implemented!