-
-
Notifications
You must be signed in to change notification settings - Fork 616
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
B314 since Python 3.6 is not valid #1074
Comments
So after some digging on this topic. Seems Python has a vendored version of expat embedded. This is the default version (at least for macOS and Windows). However, it does seem permitted |
To see the vendored version of expat embedded in Python you can browse to: At the bottom of this header file you'll find the expat major, minor, and micro version. |
However, I also found that the oldest version of Python 3.8, 3.8.0, which Bandit officially still supports does include an older, vulnerable version of expat 2.2.8: The same can be found for Python 3.9.0: Python 3.10.0 is the first minor version to have the fixed expat 2.4.1: As such, we should leave this plugin check for xml.etree.ElementTree at least until 3.9.0 |
Expat 2.4.1 wasn't added to Python 3.8 till 3.8.12. Similar for 3.9, not until 3.9.7. |
I also checked the latest patch for python 3.6 (3.6.15) and 3.7 (3.7.17), both are safe. only from (3.5 <=) latest patch didn't include the fix. I couldn't find their repo branches that I can refer to, but I just tested by running all possible 5 possible xml vulns. |
Describe the bug
I checked the python module xml processing and the vulns that bandit report is no longer there. maybe you should remove it:
https://docs.python.org/3/library/xml.html#xml-vulnerabilities
I also checked billion laughs and quadratic blowup no longer there even the doc above said so.
Reproduction steps
output:
Expected behavior
Maybe remove [B314] or explain your concern there.
Bandit version
1.7.5 (Default)
Python version
3.11
Additional context
No response
The text was updated successfully, but these errors were encountered: