| | codemodder-python | bandit |
|---|---|---|
| Mentions | 2 | 21 |
| Stars | 32 | 6,047 |
| Growth | - | 2.2% |
| Activity | 9.8 | 8.2 |
| Last commit | 5 days ago | 18 days ago |
| Language | Python | Python |
| License | GNU Affero General Public License v3.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
codemodder-python
- Show HN: Codemodder – A new codemod library for Java and Python
Hi! Great questions. I'm the lead maintainer of the Python version of the Codemodder framework so I'll do my best to answer.
> How does libCST compare to e.g. pyCQA/redbaron?
LibCST is similar to redbaron in the sense that it does preserve comments and whitespace. The "CST" in LibCST refers to "concrete syntax tree", which preserves comments and whitespace, as opposed to an "abstract syntax tree" or "AST", which does not. Our goal is to make the absolute minimal changes required to harden and improve code, and messing with whitespace would be counter to that goal. It's worth noting that redbaron no longer appears to be maintained and the most recent version of Python that it supported was 3.7 which is now itself EOL.
> What about for EA Evolutionary Algorithms
Can you elaborate? I am familiar with the concept of evolutionary algorithms but I'm not sure I understand what you mean in this context.
> does it preserve comments, or update docstrings and type annotations in mutating the code under test?
Codemodder does preserve comments. Currently none of our codemods update docstrings; I'm not sure we currently have any cases where that would make sense. We do make an effort to update type annotations where appropriate.
> Is it necessary to run `black` (and `precommit run --all-files`) to format the code after mutating it?
Yes, it is currently necessary to run `black` and `precommit` if you're using it on your project. While `black` is incredibly popular, we also can't assume that it's being used on any given project. Running `black` would cause each updated file to be completely reformatted which would lead to very noisy and difficult-to-review changes. I would like to explore better solutions to this issue going forward.
I am familiar with `bandit`. It's a fairly simple security linter and is useful for finding some common issues. It's also pretty prone to false positives and noisy findings. Not every problem identified by `bandit` is something that can be automatically fixed; for example I can't replace a hard-coded password without making a lot of (breaking) assumptions about the structure of your application and the manner in which it is deployed.
I'd love to get your feedback on Python Codemods! Give us a star on GitHub and feel free to open an issue or PR: https://github.com/pixee/codemodder-python
Hi HN, I’m here to show you a new codemod library. In case you’re not familiar with the term "codemod", here’s how it was originally defined AFAICT:
> Codemod is a tool/library to assist you with large-scale codebase refactors
Codemods are awesome, but I felt they were far from their potential, and so I’m very proud to show you all an early version of a codemod library we’ve built called Codemodder (https://codemodder.io) that we think moves the "field" forward. Codemodder supports both Python and Java (https://github.com/pixee/codemodder-python and https://github.com/pixee/codemodder-java). The license is AGPL, please don’t kill me.
Primarily, what makes Codemodder different is our design philosophy. Instead of trying to write a new library for both finding code and changing code, which is what traditional codemod libraries do, we aim to provide an easy-to-use orchestration library that helps connect idiomatic tools for querying source code and idiomatic tools for mutating source code.
So, if you love your current linter, Semgrep, Sonar, or PMD, CodeQL or whatever for querying source code – use them! If you love JavaParser or libCST for changing source code – use them! We’ll provide you with all the glue and make building, testing, packaging and orchestrating them easy.
Here are the problems with existing codemod libraries as they exist today, and how Codemodder solves them.
1. They’re not expressive enough. They tend to offer barebones APIs for querying code. There’s simply no way for these libraries to compete with purpose-built static analysis tools for querying code, so we should use them instead.
2. They produce changes without any context. Understanding why a code change is made is important. If the change was obvious to the developer receiving the code change, they probably wouldn’t have made the mistake in the first place! Storytelling is everything, and so we guide you towards making changes that are more likely to be merged.
3. They don’t handle injecting dependencies well. I have to say we’re not great at this yet either, but we have some of the basics and will invest more.
4. Most apps involve multiple languages, but all of today’s codemod libraries are for one language, so they are hard to orchestrate for a single project. We’ve put a lot of work into making sure these libraries are aligned with open source API contracts and formats (https://github.com/pixee/codemodder-specs) so they can be orchestrated similarly by downstream automation.
The idea is "don’t write another PR comment saying the same thing, write a codemod to just make the change automatically for you every time". We hope you like it, and are excited to get any feedback you might have!
bandit
- Enhance Your Project Quality with These Top Python Libraries
Bandit is a tool designed to find common security issues in Python code. It was developed by the OpenStack Security Project and is a great addition to any serious Python project.
- Creating a DevSecOps pipeline with Jenkins — Part 1
For the SAST stage, I used the SonarQube tool. SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality; it performs automatic reviews with static analysis of code to detect bugs and code smells in more than 30 programming languages. I preferred SonarQube over other SAST tools because it has detailed documentation and plugins for integration with Jenkins, and SonarQube works with Java projects pretty well. Of course, you can use similar multi-language tools such as Semgrep or language-specific tools such as Bandit.
- Enhance your python code security using bandit

```yaml
repos:
  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.7
    hooks:
      - id: bandit
        args: ["-c", "pyproject.toml", "-r", "."]
        additional_dependencies: ["bandit[toml]"]
```
- Show HN: Codemodder – A new codemod library for Java and Python
- A Tale of Two Kitchens - Hypermodernizing Your Python Code Base
On the other hand, Bandit is a dedicated security scanner designed to target critical security concerns such as SQL injection and cross-site scripting exploits. It meticulously scrutinizes the codebase to identify and alert developers about possible security breaches or vulnerabilities, thus fortifying the code against potential exploitation.
- The Uncreative Software Engineer's Compendium to Testing
Bandit is a tool designed for Python applications that analyses your code for potential security issues like insecure use of functions, hardcoded passwords and much more.
- The 36 tools that SaaS can use to keep their product and data safe from criminal hackers (manual research)
Bandit (for Python, open-source and free)
- Which CI/CD learn first?
Add security checks (Bandit) and dependency checks (safety)
- Why are python coding standards such a mess, what is everything and where do I start?
bandit
- Python toolkits
flake8-bandit which uses bandit for security linting.
What are some alternatives?
Flake8 - flake8 is a python tool that glues together pycodestyle, pyflakes, mccabe, and third-party plugins to check the style and quality of some python code.
pre-commit-hooks - Some out-of-the-box hooks for pre-commit
safety - Safety checks Python dependencies for known security vulnerabilities and suggests the proper remediations for vulnerabilities detected.
flake8-bandit - Automated security testing using bandit and flake8.
black - The uncompromising Python code formatter
mypy - Optional static typing for Python
ale - Check syntax in Vim/Neovim asynchronously and fix files, with Language Server Protocol (LSP) support
pre-commit-hooks - git pre-commit hooks that work with http://pre-commit.com/
lxml - The lxml XML toolkit for Python
gitleaks - Protect and discover secrets using Gitleaks 🔑
pre-commit - A framework for managing and maintaining multi-language pre-commit hooks.
black - The uncompromising Python code formatter [Moved to: https://github.com/psf/black]