7.7 KiB
Bandit Test to CWE and OWASP Mapping
Complete mapping between Bandit test IDs, Common Weakness Enumeration (CWE), and OWASP Top 10 2021 categories.
Table of Contents
- Cryptographic Issues
- Injection Vulnerabilities
- Security Misconfiguration
- Insecure Deserialization
- Access Control Issues
Cryptographic Issues
OWASP A02:2021 - Cryptographic Failures
| Test ID | Description | CWE | Severity |
|---|---|---|---|
| B302 | Use of insecure MD2, MD4, MD5, or SHA1 hash function | CWE-327 | MEDIUM |
| B303 | Use of insecure MD2, MD4, or MD5 hash function | CWE-327 | MEDIUM |
| B304 | Use of insecure MD2, MD4, MD5, or SHA1 hash function | CWE-327 | MEDIUM |
| B305 | Use of insecure cipher mode | CWE-327 | MEDIUM |
| B306 | Use of insecure and deprecated function (mktemp) | CWE-377 | MEDIUM |
| B307 | Use of possibly insecure function (eval) | CWE-78 | MEDIUM |
| B311 | Standard pseudo-random generators are not suitable for security | CWE-330 | LOW |
| B323 | Unverified context with insecure default | CWE-327 | MEDIUM |
| B324 | Use of insecure hash functions in hashlib | CWE-327 | HIGH |
| B401 | Use of insecure telnet protocol | CWE-319 | HIGH |
| B402 | Use of insecure FTP protocol | CWE-319 | HIGH |
| B403 | Use of insecure pickle import | CWE-502 | LOW |
| B404 | Use of insecure subprocess import | CWE-78 | LOW |
| B413 | Use of pycrypto | CWE-327 | HIGH |
| B501 | Use of weak cryptographic key | CWE-326 | HIGH |
| B502 | Use of weak SSL/TLS protocol | CWE-327 | HIGH |
| B503 | Use of insecure SSL/TLS cipher | CWE-327 | MEDIUM |
| B504 | SSL with no version specified | CWE-327 | LOW |
| B505 | Use of weak cryptographic hash | CWE-327 | MEDIUM |
Remediation Strategy: Replace weak cryptographic algorithms with strong alternatives. Use SHA-256 or SHA-512 for hashing, AES-256 for encryption, and TLS 1.2+ for transport security. For password hashing, use bcrypt, scrypt, or Argon2.
Injection Vulnerabilities
OWASP A03:2021 - Injection
| Test ID | Description | CWE | Severity |
|---|---|---|---|
| B308 | Use of mark_safe | CWE-80 | MEDIUM |
| B313 | XML bad element tree | CWE-611 | MEDIUM |
| B314 | XML bad element tree (lxml) | CWE-611 | MEDIUM |
| B315 | XML bad element tree (expat) | CWE-611 | MEDIUM |
| B316 | XML bad element tree (sax) | CWE-611 | MEDIUM |
| B317 | XML bad element tree (expatreader) | CWE-611 | MEDIUM |
| B318 | XML bad element tree (expatbuilder) | CWE-611 | MEDIUM |
| B319 | XML bad element tree (xmlrpc) | CWE-611 | HIGH |
| B320 | XML bad element tree (pulldom) | CWE-611 | HIGH |
| B321 | FTP-related functions are being called | CWE-319 | HIGH |
| B405 | XML mini DOM import | CWE-611 | LOW |
| B406 | XML etree import | CWE-611 | LOW |
| B407 | XML expat import | CWE-611 | LOW |
| B408 | XML minidom import | CWE-611 | LOW |
| B410 | XML etree import (lxml) | CWE-611 | LOW |
| B411 | XML standard library imports | CWE-611 | LOW |
| B412 | Deprecated httpoxy vulnerability | CWE-807 | LOW |
| B601 | Paramiko call with shell=True | CWE-78 | HIGH |
| B602 | subprocess call with shell=True | CWE-78 | HIGH |
| B603 | subprocess without shell=True | CWE-78 | LOW |
| B604 | Function call with shell=True | CWE-78 | HIGH |
| B605 | Starting a process with a shell | CWE-78 | HIGH |
| B606 | Starting a process without shell | CWE-78 | LOW |
| B607 | Starting a process with a partial path | CWE-78 | LOW |
| B608 | Possible SQL injection vector through string formatting | CWE-89 | MEDIUM |
| B609 | Use of wildcard injection | CWE-78 | MEDIUM |
| B610 | Potential SQL injection via Django raw SQL | CWE-89 | MEDIUM |
| B611 | Potential SQL injection via Django extra | CWE-89 | MEDIUM |
Remediation Strategy: Never concatenate user input into commands, queries, or markup. Use parameterized queries for SQL, safe XML parsers with DTD processing disabled, and avoid shell=True in subprocess calls. Use shlex.split() for argument parsing.
Security Misconfiguration
OWASP A05:2021 - Security Misconfiguration
| Test ID | Description | CWE | Severity |
|---|---|---|---|
| B201 | Flask app run with debug=True | CWE-489 | HIGH |
| B310 | Audit URL open for permitted schemes | CWE-939 | MEDIUM |
| B506 | Test for use of yaml load | CWE-20 | MEDIUM |
| B507 | SSH with no host key verification | CWE-295 | MEDIUM |
| B701 | jinja2 autoescape false | CWE-94 | HIGH |
| B702 | Test for use of mako templates | CWE-94 | MEDIUM |
| B703 | Django autoescape false | CWE-94 | MEDIUM |
Remediation Strategy: Disable debug mode in production, validate and sanitize all inputs, enable autoescape in template engines, use safe YAML loaders (yaml.safe_load()), and enforce strict host key verification for SSH connections.
Insecure Deserialization
OWASP A08:2021 - Software and Data Integrity Failures
| Test ID | Description | CWE | Severity |
|---|---|---|---|
| B301 | Pickle and modules that wrap it can be unsafe | CWE-502 | MEDIUM |
Remediation Strategy: Avoid using pickle for untrusted data. Use JSON, MessagePack, or Protocol Buffers with strict schema validation. If pickle is necessary, implement cryptographic signing and validation of serialized data.
Access Control Issues
OWASP A01:2021 - Broken Access Control
| Test ID | Description | CWE | Severity |
|---|---|---|---|
| B506 | Test for use of yaml load (arbitrary code execution) | CWE-20 | MEDIUM |
Remediation Strategy: Use yaml.safe_load() instead of yaml.load() to prevent arbitrary code execution. Implement proper access controls and input validation for all YAML processing.
Hardcoded Credentials
OWASP A02:2021 - Cryptographic Failures
| Test ID | Description | CWE | Severity |
|---|---|---|---|
| B105 | Possible hardcoded password string | CWE-259 | LOW |
| B106 | Possible hardcoded password function argument | CWE-259 | LOW |
| B107 | Possible hardcoded password default argument | CWE-259 | LOW |
Remediation Strategy: Never hardcode credentials. Use environment variables, secret management services (HashiCorp Vault, AWS Secrets Manager), or encrypted configuration files with proper key management.
Priority Matrix
Use this matrix to prioritize remediation efforts:
| Priority | Criteria | Action |
|---|---|---|
| CRITICAL | HIGH Severity + HIGH Confidence | Immediate remediation required |
| HIGH | HIGH Severity OR MEDIUM Severity + HIGH Confidence | Remediate within 1 sprint |
| MEDIUM | MEDIUM Severity + MEDIUM Confidence | Remediate within 2 sprints |
| LOW | LOW Severity OR LOW Confidence | Address during refactoring |
| INFORMATIONAL | Review only | Document and monitor |
OWASP Top 10 2021 Coverage
| OWASP Category | Bandit Coverage | Notes |
|---|---|---|
| A01:2021 Broken Access Control | Partial | Covers YAML deserialization |
| A02:2021 Cryptographic Failures | Excellent | Comprehensive crypto checks |
| A03:2021 Injection | Excellent | SQL, command, XML injection |
| A04:2021 Insecure Design | None | Requires manual review |
| A05:2021 Security Misconfiguration | Good | Debug mode, templating |
| A06:2021 Vulnerable Components | None | Use Safety or pip-audit |
| A07:2021 Authentication Failures | Partial | Hardcoded credentials only |
| A08:2021 Data Integrity Failures | Good | Deserialization issues |
| A09:2021 Security Logging Failures | None | Requires manual review |
| A10:2021 SSRF | Partial | URL scheme validation |