CHANGES
=======

0.17.2
------

* Allow certain command line arguments to be passed from file
* Update .gitreview for stable/0.17.0

0.17.0
------

* Use sphinx autodoc to generate docs from docstring
* Move status counter to stderr
* Tweaking logger
* Adding bandit-baseline tool
* Fix multiline string with missing space
* Update README with recent changes
* Config generator: fix a typo

0.16.2
------

* Updated from global requirements
* bandit-config-generator: Add documentation
* Lowering confidence of "any_other_function_with_shell_equals_true"
* Simpler baseline matching
* Cleaning up node visitor
* Removing unused code
* Improving node visitor
* Add a configuration generator for bandit
* Add functional runtime tests

0.16.1
------

* Fixing a simple issue in results count to fix exit code

0.16.0
------

* Adding baseline capabilities to HTML formatter and update report
* Adding Baseline Capability to the Text Formatter
* Changing the way baseline formatters are indicated
* Changing issue candidates in baseline to ordered dict
* os.system et al. all spawn a shell so we should use the same logic
* Fixing bug when encountering tuple params
* Fix simple bug in text formatter excluded files list
* Improving Bandit Baseline Reporting
* blacklist_calls: add Python3 and six versions of some functions
* Test for bug 1513091

0.15.2
------

* Fixing bug in injection test

0.15.1
------

* Fixing Baseline when a filter is used
* Fixing Traceback with Bad File
* Making score sum totals more sane
* Added missing HTTP verbs to the requests checks
* Remove coverage files after run

0.15.0
------

* Adding missing docs
* Fixing some docs formatting
* Distinguish between formatted and simple commands
* Changing the confidence in the oslo secret plugin
* Adding plugin to output in text formatter
* Adding the plugin name to the HTML report
* Adding metrics and CSS styling to HTML formatter
* This adds baseline filtering to bandit
* Ensure each plugin is linked to appropriate sec guidance doc
* Add missing documentation for start_process_with_a_shell
* Collecting metrics code in one place
* Don't create files if we did not ask for them
* Add check for weak elliptic curve keys
* Add doc for weak_cryptographic_key plugin

0.14.1
------

* Adding command line option to exclude paths
* Tweaks to #nosec (+ ignore flag, - dead constant)
* Add check for Flask app debug=True usage
* Add metrics to text and JSON output formatters
* Add basic metric generation and associated tests
* Include context in debug output
* Tidy up plugin list in 'bandit -h' output

0.14.0
------

* Adding docs for Jinja2 autoescape
* Adding mako template docs
* Check for insecure cipher modes
* Adding docs for subprocess tests
* Adding docs for paramiko calls test
* Adding Linux wildcard docs
* Bad file permission docs
* Python 3 compatibility fix
* Making the /tmp file test more accurate
* Enabling new hardcoded password tests in the config
* Fixing -n behaviour
* Improved tests for hardcoded passwords
* Updated from global requirements
* Adding docs for SSL/TLS version tests
* Adding docs for try, except, pass
* Adding start_process_with_partial_path docs
* Adding docs for blacklist_imports test
* Increasing coverage of try-except-pass to 100%
* Fixing bug introduced by manager refactor
* Adding documentation for blacklist calls
* Adding "exec_used" documentation
* Removing argument printing
* Cleanup the blacklist plugin
* Cache blacklisted functions -> 5% faster
* Test coverage of manager now at 100%
* Fixing swapped parameters for issue severity and confidence
* Fix running when empty config file
* Remove tox envirnoment for pypy
* Add unit tests for bandit.core.issue
* Adding HTML formatter
* Split each formatter into separate modules
* Update .gitignore to exclude docs output
* Ignore vim swap files
* Simplifying Result Store
* Enabling coverage reporting in tox
* Dont read the wordlist file in on every test call, cache it
* Unit testing of meta_ast.py
* bad_file_permissions check: Use correct filename
* Skip '/tests/' by default
* Add known weak ciphers to blacklisted calls
* Adding "hardcoded_sql_expressions" documentation
* Adding "hardcoded_tmp_directory" documentation
* Adding "hardcoded_password" documentation
* Adding assert_used documentation
* Fix manager having no attribute '_init_logger'
* Generate module docs
* Add unit tests for the formatters
* Raise exceptions from BanditConfig rather than exit
* Removing class level variables
* Introduce wildcards to blacklist_calls plugin
* Adding unit tests for bandit.core.context.Context
* Remove redundant quotes in bandit.yaml
* meta-ast is only needed if we are in debug mode
* Adding any_other_function_with_shell_equals_true documentation
* Adding "execute_with_run_as_root_equals_true" documentation
* Adding "hardcoded_bind_all_interfaces" documentation
* Add a new check for weak RSA and DSA key sizes
* Update .gitignore for docs
* Use addCleanup rather than tearDown
* Use testtools rather than unittest
* Adding documentation for test plugins
* Adding documentation for configuration
* Additional unit test coverage for core/utils.py
* Fix typos in bandit.yaml
* Replace incorrect safe_str
* Trivial fix to beautify bandit.yaml
* Add Bytes AST support
* Variable file not defined in error path
* Adding test tool for check OpenStack projects' Bandit job
* Remove unreachable code in config.py
* Unit tests for bandit.core.config
* Adding a check for key in get_call_arg_at_position
* Py3 compatibility fix in lines_with_context() util
* Remove unused safe_unicode() utility function
* Adding check for node key in Context
* Remove unused describe_symbol() utility function
* Better function to count lines in a file
* Adding the key lookup to Context.call_args_string
* Remove unused test_basic.py
* Rename core.test_config to test_bandit
* Adding a check for call in call_args_count
* Refactoring Unit Test Directories
* Update gitignore for coverage
* Update git clone repo
* Eliminate dir(node) -> 10% faster

0.13.2
------

* Find bandit.yaml when in virtualenv

0.13.1
------

* Add other known weak MD hash modules
* Capture warnings for missing plugins or config in normal logging
* Skip a test if it requires config but none is found
* Clean up test_config
* Add info: License, Source, Bugs and Docs to README

0.13.0
------

* Actually default to /etc/ rather than just claim
* Build universal wheels for PyPI
* Update README with latest changes
* Convert README to rst
* NIT: Fix missing python 3 in classifier
* Add a confidence filter
* Rewording subprocess without shell finding
* Fixes exit code for filtered results
* Adding report timestamp
* Bug fix for SQL tests
* Adding a more informative help message for "-l"
* Activate pep8 check that _ is imported
* Add all available plugins to an example profile
* Revised XML tests
* Adding documentation framework
* Register plugins included as entry-points
* Improving SQL Injection detection
* Fixing up random to be less noisy
* Bring the logger up as soon as possible
* Bug fix in secret_config_option plugin
* Consider other hardcoded tmp paths
* Install word_list, raise exception if cannot find
* Modifying Paramiko Injection plugin
* Adding test for Try, Except, Pass
* Add tool for reporting Bandit OpenStack coverage
* Update .gitreview file for project rename
* Don't run with no tests
* Faster Bandit
* Removing statement buffer
* Adding a test for partial paths in exec functions

0.12.0
------

* Address multiline node lineno inaccuracies
* Actually rely on entry-points for formatters
* Add extension entry-points and loading
* Adding paramiko injections check to blacklist functions
* Fix config option fallback if "include" missing
* Update README with missing usage changes
* Adding verbose flag
* Log the version of Python bandit is running under
* Add notes to the README about Bandit on Python 3.4
* Clean up tests and examples for Python 3.4
* Update example files to work on Python 2 & 3
* Add Python 3.4 compatibility to bandit
* Adding documentation for SSL/TLS tests
* Adding docs for temp issues
* Use best logging practices
* Smooth over some differences with six
* Handle exception when invalid config file is specified
* Update bandit to use absolute imports
* Refactor BanditResultStore.report
* Add XML output format support

0.11.0
------

* Update the README file
* Changing config file search paths
* Adding a check for the use of Assert
* Add XML vulnerability checking
* Shift in result types & ranking scales
* Added csv output format
* Update README.rst
* Fixed issue processing files containing invalid python
* Update email to openstack-dev
* Refactored/optimized reporting code

0.10.1
------

* Fixing info output that was breaking JSON format
* fixing bandits config settings

0.10.0
------

* Fixing a bug with files listing when a file was skipped
* Fixed -n flag processing
* Fix a couple of issues with handling multi-line strings
* Fixed severity level filtering
* Fix new output file checking functionality
* Adding util methods to help handle the mix of unicode and string
* Add error checks/handing around output file case
* Fix vulnerability aggregation bug
* Fixed nosec flagging
* Moving lineno into generic visitor
* Make subprocess without `shell=True` into a plugin
* Tweaking severity for a few plugins
* Remove Python 2.6 from setup.cfg
* Correct supported Python versions in setup.cfg
* Update the config file, and use yaml.safe_load()
* Wildcard injection requires a shell
* Fixing uncaught 'InvalidModulePath' exception
* Fix a leftover tuple unpacking in reporting code
* Add tests for subprocesses and deserialization
* Fixes for node_visitor, sql and hardcoded password tests
* Add mako templating plugin and XSS profile
* Refactored AST processing
* Refactor functional tests to clarify scoring
* Clean up test property decorators after refactor
* Return the full name used in calls
* Add mock to test-requirements
* Add ceilometer to rootwrap check
* Minor cleanup for _matches_glob_list function
* Add check for secret=True on oslo password options
* assertEqual should be (expected, actual)
* Adds line ranges, DRYs code, fixes #nosec
* Add documentation for exec, yaml, jinja2 plugins
* Add list of Python values considered False
* Update jinja2 plugin to be more accurate
* Adding file discovery and directory exclusion
* Adds jinja2 autocomplete=false test
* Adds JSON output functionality
* Add rootwrap checks for neutron and cinder
* Add INFO check for any use of rootwrap
* Further decorator changes and plugin migration
* Removing un-reachable code
* Adds decorator methods for tests
* Removing warning about modules not installed in sys.path
* New constants to support updated results structure
* Adding meaningful exit codes to support use in gate
* Rename README.md to README.rst
* Update test-requirements.txt to match global requirements
* Add __repr__ to the context object
* Minor changes to profile-related debug output

0.9.0
-----

* Remove the check for PROTOCOL_SSLv23
* Make func, class name definitions fully qualified
* Add unaliased mod name to import_aliases; Fix tests
* Blacklist urlopen-like functions in urllib, urllib2
* Add yaml.load to blacklist with yaml example file
* Fix a reported bug when bandit encounters "__import__()"
* Hardening bandit in the face of buggy plugins or odd ASTs
* Graceful degradation when failing to full qualify an attr node
* Fixing an oversight when processing none-attr nodes
* Refactoring "checks_functions" to check function definitions
* Removing TODO (to be tracked in Bandit wiki)
* Updated README file
* Adding a set of functional tests based on the examples folder
* Quantifying bandit test results
* Removing Py26 from the test env list, it's being deprecated
* Adding a basic test for the gate (need at least one to pass)
* Enabling PEP8 tests in tox and re-working source to comply
* Making Bandit into an installable package and adding tox tests
* Removing default '' return for ast_args_to_str()
* Adding a test for use of HTTPSConnection
* Adding a check to bandit for use of 'exec'
* Better checks against blacklisted modules, catch __import__
* Adding SSL/TLS protocol version checks
* Temporarily commenting out hardcoded password test, it's broken
* Add .gitreview file
* Bug fix for hardcoded passwords test
* Updated configuration file
* Adding option to aggregate by vulnerability type and a test for hardcoded /tmp usage
* Adding a test for hardcoded passwords
* PEP 8 fixes
* Renaming plugins, creating import blacklist section, adding check for dup function names
* Updating the random test to include all usages of the random lib
* Updated README
* Updated AUTHORS file
* Adding a test for random.random, use will return an INFO level message
* Adding SQL Injection test, examples, and profile
* Adding capability to check if certain modules have been imported during function calls
* Minor PEP 8 fixes
* Added AUTHORS file
* Updated README file
* Updating command line switches
* Updated TODO file
* Updating the README file to keep parity with recent changes
* Fix bug with permissions matching
* Moving bad names definition to config file; fixed bug with qualname
* Create settings system, moved more fixed values to config, improved readability
* First pass at moving some things to config, begin cleaning up code
* Separate each test into its own file
* Fixed a bug with handling _ast.Tuple
* Allow creation of test profiles and switch config to yaml
* Test type marked using decorators and tests now automatically discovered from plugins directory
* Test type marked using decorators and tests now automatically discovered from plugins directory
* Adding a property to access the raw AST node from context instance
* Changed to pass Context instance to tests, rather than raw context
* Refactoring to move the AST implementation details out of tests
* Adding example file for utils.execute* shell=True tests
* Adding more unsafe shell=True usage checks for OS utils library
* Wildcard injection tests crash on non-string args
* Updated README
* Updated README
* Updated TODO
* Test for mark_safe() calls
* Updated README
* Broader test for calls with shell=True parameter
* Updated README
* First test targeting Str nodes (binding to all interfaces)
* Minor PEP8 fixes
* Add support for Str node types
* Allow individual lines of code to be flagged for exclusion
* Updated TODO
* Updated README
* Rework case where no findings are found
* Modify call_bad_names test to use regex and add to blacklist
* Introduce and utilize module-level constants
* Specify UTF-8 coding
* Updated TODO
* Addition of Apache License 2.0
* pep8 fix
* Remove debug prints
* Updated wildcards test to catch Popen(['','','']) case
* Updated README
* Tidy up output format
* Optionally write output to file specified
* pep8 fixes
* pep8 fixes
* pep8 fixes
* Adding wildcard injection test
* pep8 fixes
* pep8 fixes
* Modify manager to only display progress where needed
* Remove unnecessary logger.error call from manager
* Fix 'self' reference in manager
* Add support for skipping files
* Fix relative imports and error handling
* Reposition setting of lineno in visit_Import and visit_ImportFrom
* Support dynamic loading of tests
* Refactor the call tests to use the new test context
* Remove unused ast_args_to_str method
* refactor to extract imports tests and build context
* new bad imports example
* starting refactor to extract tests from core
* Move existing call tests into separate methods
* updated readme
* updated readme
* initial commit
* Initial commit
