CHANGES
=======

1.7.10
------

* Pytorch Load / Save Plugin (#1114)
* Use consistent file naming of docs (#1170)
* Bump docker/build-push-action from 6.6.1 to 6.7.0 (#1168)
* Bump sigstore/cosign-installer from 3.5.0 to 3.6.0 (#1165)
* Bump docker/build-push-action from 6.5.0 to 6.6.1 (#1166)
* Bump docker/setup-buildx-action from 3.5.0 to 3.6.1 (#1163)
* Bump docker/build-push-action from 6.3.0 to 6.5.0 (#1160)
* Bump docker/login-action from 3.2.0 to 3.3.0 (#1159)
* Bump docker/setup-buildx-action from 3.4.0 to 3.5.0 (#1158)
* Bump docker/setup-buildx-action from 3.3.0 to 3.4.0 (#1156)
* Bump docker/build-push-action from 6.2.0 to 6.3.0 (#1157)
* Bump docker/build-push-action from 6.1.0 to 6.2.0 (#1155)
* Add recent releases to version choice in bug report (#1151)
* Nit: remove unused variable (#1153)
* feat(plugins): add support for `httpx` in `B113` (#1060)
* Bump docker/build-push-action from 6.0.0 to 6.1.0 (#1152)
* New check: B113: TrojanSource - Bidirectional control characters (#757)
* Add test for usage of FTP_TLS (#1149)
* Performance improvement in blacklist function (#1148)
* Suggested small refactors in assignments (#1150)
* Bump docker/build-push-action from 5.4.0 to 6.0.0 (#1147)

1.7.9
-----

* Support `configfile` in `.bandit` file (#1052)
* Bump docker/build-push-action from 5.3.0 to 5.4.0 (#1144)
* Guard against empty call argument list (#1146)
* [pre-commit.ci] pre-commit autoupdate (#1145)
* [pre-commit.ci] pre-commit autoupdate (#1143)
* Bump docker/login-action from 3.1.0 to 3.2.0 (#1142)
* Ensure sarif extra is included as part of doc build (#1139)
* Add a sponsor section to README (#1137)
* [pre-commit.ci] pre-commit autoupdate (#1135)
* Updates banner logo so it renders well in dark mode (#1134)
* [pre-commit.ci] pre-commit autoupdate (#1133)
* Bump sigstore/cosign-installer from 3.4.0 to 3.5.0 (#1132)
* [pre-commit.ci] pre-commit autoupdate (#1131)
* Bump docker/setup-buildx-action from 3.2.0 to 3.3.0 (#1130)
* [pre-commit.ci] pre-commit autoupdate (#1127)
* [pre-commit.ci] pre-commit autoupdate (#1126)
* Bump docker/login-action from 3.0.0 to 3.1.0 (#1125)
* Bump docker/setup-buildx-action from 3.1.0 to 3.2.0 (#1124)
* Bump docker/build-push-action from 5.2.0 to 5.3.0 (#1123)
* Start testing on Python 3.13 (#1122)
* New logo for Bandit based on raccoon (#1121)
* [pre-commit.ci] pre-commit autoupdate (#1119)
* Bump docker/build-push-action from 5.1.0 to 5.2.0 (#1117)

1.7.8
-----

* Add a SARIF output formatter (#1113)
* [B605] Add functions that are vulnerable to shell injection. (#1116)
* Bump docker/setup-buildx-action from 3.0.0 to 3.1.0 (#1115)
* filter data is safe for tarfile extractall (#1111)
* Use datetime to avoid updating copyright year (#1112)
* Add 1.7.7 to versions of bug template (#1110)
* Bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (#1109)
* Utilize PyPI's trusted publishing (#1107)
* Incorrect tag naming in readme (#1105)

1.7.7
-----

* Downsize the org:repo name (#1104)
* Remove markdown formatting in reStructuredText formatted README (#1103)
* Introduce Official Bandit Images (#1088)
* Bump actions/dependency-review-action from 3 to 4 (#1101)
* Rework GitPython dependency to be an extra for bandit-baseline (#1099)
* Prepend ./ for files specified as CLI args (#1094)
* Add random.randbytes to blacklist calls (#1096)
* Fix up issues found running Bandit on itself (#1093)
* Create a security policy (#1091)
* Add tidelift to the sponsor funding list (#1089)
* defusedxml: Show correct module name (#1081)
* Flag str.replace as possible sql injection (#1044)
* Handle variant in how policy is passed in paramiko (#1078)
* Bump actions/setup-python from 4 to 5 (#1076)
* Add the new release to bandit versions of bug template (#1075)

1.7.6
-----

* Fixes for sphinx build (#1063)
* refactor: remove `importlib-metadata` fallback (#1066)
* Fix crash on pyproject.toml without bandit config (#1073)
* Add official support of Python 3.12 (#1068)
* Use mirror repository for black pre-commit hook (#1070)
* fix(plugins/B507): also detect class instances (#1064)
* Fix for ReadtheDocs build (#1061)
* Bump actions/checkout from 3 to 4 (#1058)
* Fix dependabot to update github actions (#1057)
* Support ignoring blacklists by name (#1046)
* Update blacklist call documentation (#1045)
* Avoid gitpython CVE-2022-24439 (#1048)
* django_rawsql_used: support keyword arguments used in `RawSQL` (#765)
* Simplify `wrap_file_object` (#1037)
* Update asserts.py documentation (#1036)
* Remove support for Python 3.7 due to end-of-life (#1034)
* Make pre-commit run Bandit hook using a single process (#1029)
* Switch from open collective to PSF (#1031)
* Replace pbr in favor of importlib (#1016)
* Add a copy button to all code snippets in docs (#1030)
* Add `random.Random` to B311 checks (#940)
* Update pre-commit hooks (#1026)
* Update versions of used GitHub Actions (#1024)
* Skip unnecessary `pip install` commands in the pythonpackage.yml workflow (#1021)
* Switch to tox 4 (#1020)
* Adds check for crypt module usage as weak hash (#1018)
* language and linting updates (#1015)
* xmlrpclib replaced with xmlrpc in Python3 (#1012)
* Improper detection of non-requests module (#1011)
* Remove checks for Python2 urllib (#999)
* Render Python 3.10 in drop down correctly (#997)
* Update bug report to include version 1.7.5 (#993)

1.7.5
-----

* Added a bit more `project_urls` (#985)
* Check for github action updates monthly (#989)
* Improve handling nosec for multi-line strings (#915)
* Improve detecting SQL injections in f-strings (#917)
* Correct build status badge in README (#980)
* Fix breaking build due to new tox (#983)
* DOC: Add explanation on how to use pre-commit with config file (#968)
* Add official Python 3.11 support (#964)
* remove py2 exec example in docs (#947)
* Typo fix (#945)
* [docs] Mention `exclude_dirs` option available in TOML and YAML (#876)
* Fix AttributeError on detect of tuple assign condition (#931)
* Fix json and yaml formatters to respect num lines (#929)
* Fixup some invalid pickle testing (#924)
* Pass correct number of arguments to match the `%s` placeholders. (#934)
* Remove python 2 reference in docs (#933)
* Fix filename of B202 in docs (#932)
* weak_cryptographic_key assumes positional arg (#930)
* Check for deprecated TLS 1.1 (#928)
* Adding tarfile.extractall() plugin with examples (#549)
* Fix issue #453 jinja2 template select_autoescape when using jinja2.select_autoescape (#454)
* Fix a false positive condition yaml\_load (#927)
* Add case for global exec (#570)
* Docs for request without timeout has dead link (#925)
* Blacklist pandas read_pickle and add functional test for it (#710)
* Enhancement Proposal: Plugin "assert_used" config-skip snippet (#695)
* Add end_col_offset if available (#851)
* Fix reading the number argument from config file (#923)
* add jsonpickle deserialization blacklist (#707)
* Add some missing curve types (#920)
* Remove invalid checking on hashlib (#914)
* Avoid redundant message if debug on (#913)
* Update version of dependency-review-action (#911)
* Add releases link in "Version control integration" (#909)
* Add another bad example of yaml load (#905)
* Specify semver range for Python 3.11 (#901)
* Make small fixes in docs (#899)
* Test plugin listing incorrectly pointing b612 to plugin ref of b1022 (#897)
* Close the <b> tag in HTML formatter (#896)
* Add dependency review action (#891)
* Update action versions in Actions workflows (#890) (#893)
* Add Discord link to README (#875)
* Add myself to sponsor list (#885)
* Test against Python 3.11 (#887)
* Corrected documentation on configuration (#868)
* Remove redundant pip line (#884)
* Removal of ghugo (#881)
* Adding logging.config.listen() plugin with examples (#874)
* Add a Discord link to the docs (#870)
* Add request for feedback via 👍 (#871)
* Remove redundant word Bandit in titles of sections (#873)
* Add license and contributing links to docs (#867)
* Fix for build breaks in format job (#869)
* add check for "requests" calls without timeout (#743)
* Fix up B109 and B111 removed plugins docs (#864)
* Replace `toml` with `tomli` (#829)
* Make use of rich for the progress bar (#863)
* Add doc for hashlib plugin (#862)
* Add the httpx module check for verify (#861)
* Indicate hash type in message (#860)
* Remove blacklist call check for os.tempnam (#859)
* Removal of blacklist call B309 httpsconnection (#858)
* Add classifier to indicate Py3 only (#853)
* Fix line range using Python 3.8 end_lineno (#821)
* Group location line with code output (#822)
* Use a constant for weak hashes (#850)
* Bad link to screen shot (#848)
* Add an example screen shot of Bandit to README (#847)

1.7.4
-----

* Add 1.7.4 in issue template (#846)
* core/config: Fix ConfigError missing argument if toml is missing (#845)
* Add version 1.7.3 to dropdown (#833)
* Fix traceback in hashlib\_insecure\_functions (#834)

1.7.3
-----

* Build of artifact fails if raw directive used (#831)
* Center the bandit logo in readme (#823)
* Target Python >= 3.7 in pre-commit hooks (#830)
* Inaccurate message in hashlib check (#827)
* Improve performance of linerange (#629)
* Use CWE link in HTML formatter (#825)
* Use versioned links to docs (#819)
* Fix root doc for readthedocs (#818)
* Fix up some warnings and errors in docs (#817)
* Test on operating systems we can support (#804)
* Cannot seek stdin on pipe (#496)
* Respect color environment variables if set (#813)
* Show usage with no arguments (#814)
* Cleanup the README
* Fix references to the default branch name (#810)
* Better hashlib check for Python 3.9 (#805)
* Check for hardcoded passwords in class attributes (#766)
* Add new plugin to check use of pyghmi (#803)
* Remove redundant Python 3.6 code (#802)
* Check value of usedforsecurity for hashlib (#798)
* Change up how CWE is formatted (#788)
* Support disabling individual tests
* Add functional test of snmp_security_check (#791)
* Avoid printing metrics as float point numbers (#794)
* Fix up warnings in output of tox (#793)
* Removal of the CWEMAP dict (#789)
* Including CWE information (#613)
* Add Getting Started chapter (migrate from README) (#773)
* Delete releasenotes directory (more openstack leftovers) (#786)
* Update publish-to-pypi.yml (#785)
* Use released version of gh-action-pypi-publish (#784)
* Delete release-drafter.yml (#781)
* Update issue template with latest versions (#783)
* Rely on toml conditionally

1.7.2
-----

* Correctly define extras in `setup.cfg` (#755)
* Remove leftover openstack code (#778)
* Added snmp_security check plugin for various SNMP checks (#403)
* Fix README.rst (#365)
* Fixup typo (#769)
* Drop end-of-life Python 3.6 (#777)
* Drop end-of-life Python 3.5 (#746)
* Start using auto-formatters (#754)
* Create FUNDING.yml (#774)
* test_help_arg: remove assert on 'optional arguments' (#752)
* Fix broken reported URL link for B107 (#751)

1.7.1
-----

* fix reading initial values from .bandit (#722)
* Always use a Loader in yaml.load (#745)
* PEP-518 support: configure bandit via pyproject.toml (#401)
* document that random.choices() isn't secure either (#728)
* Fix syntax errors in bug report (#720)
* Update bug_report.yaml (#719)
* Fix syntax error in bug report (#718)
* Use new issue template format (#717)
* Update README.rst (#713)
* Mock part of python 3.x (#685)
* Add license to package installation metadata (#705)
* #694 Bandit fails when using importlib with named arguments (#701)
* Add string options for severity and confidence (#702)
* Add support for Python 3.9 (#650)
* This commit is to include the line number of a given occurrence when using HTML output format. (#683)
* Update config.yml
* Update config.yml
* Create config.yml (#682)
* Add default labels to issues (#681)
* Replace http with https URLs (#680)
* More cleanup of license headers (#679)
* Updates to address docstring code scan issues, add flake8 configuration (#671)
* Small syntax and formatting cleanup (#676)
* More complete removal of Python2 code (#674)
* Show column offset on all formatters (#673)
* Add the column offset to the issue model (#618)
* Clearer message for subprocess module use (#667)
* Specify language_version in .pre-commit-hooks.yaml
* Specify output_file encoding as utf-8 (#364)

1.7.0
-----

* Create CODEOWNERS (#661)
* Remove blacklist call to input() (#662)
* Give some tips on how to resolve B101 in the doc (#616)
* Remove universal support on the wheel (#655)
* Update pythonpackage.yml

1.6.3
-----

* Add workflow to publish to PyPI
* Add newlines after bullet lists
* Update publish-to-test-pypi.yml
* Update publish-to-test-pypi.yml
* Update publish-to-test-pypi.yml
* Update publish-to-test-pypi.yml
* Update publish-to-test-pypi.yml
* Update publish-to-test-pypi.yml
* Update publish-to-test-pypi.yml
* Update publish-to-test-pypi.yml
* Update publish-to-test-pypi.yml
* GitHub Action to publish to Test PyPI
* Use GitHub Action badge for build
* Add skip configuration to assert_used (#633)
* Don't show progress information on --quiet (#641)
* Fix # noqa rendering in docs
* Drop Python2 build, test, and install
* Add release notes project URL
* [FIX] blacklist: fix typo in import_ftplib
* Fix issue #574
* Update CODE_OF_CONDUCT.md
* Bump pyyaml (#588)
* Fix typo for activating venv
* Fix colorama not being disabled after being used
* Cleanup some typos in recent contributor guide
* [DOC] Support python3 venv creation
* Fix contributing typo. Resolves: #576
* Add contributing.md file
* Add push and pull request to GH Action trigger
* Use GitHub Actions to run CI (#565)
* Add sha1 to the list of insecure hashes
* replace 'then' with 'than'
* Add a section explaining "nosec" (#554)
* Use SPDX license identifier instead of bulky headers (#530)
* Fix docs for B610,B611,B703 (#555)
* update README to add info about badge (#482)
* Add official support of Python 3.8
* Ignore common directories by default
* Fix readme file on Extending Bandit on list things (#534)
* Add shelve to the pickle blacklists
* Add more missing ini options
* add type checking (#516)
* Add several ini options for .bandit file (#508)
* Revert "Revert "Update python documentation links for version 3 counterparts"" (#540)
* Remove unused bindep.txt file
* Remove obsolete "sudo" keyword
* Update test requirements to latest versions
* Cleanup comments after #510
* fix the documentation file README.rst on Vulnerability Tests and Extending Bandit
* --exit-zero option (#510)
* fix B603 docstring
* get_url returns different urls calling twice (bug #506) (#507)
* Fix 3.8 errors (#509)
* Replace setattr (#493)

1.6.2
-----

* Performance fix (#502)

1.6.1
-----

* add test for regression and fix directory exclusion without wildcards (#489)
* add namespaces for parent attributes (#492)

1.6.0
-----

* Remove pycryptodome blacklist (#470)
* updated readme links for debugger
* Interpret wildcards in the file exclusion list (#450)
* Redo logo on the README
* Revert "Update python documentation links for version 3 counterparts"
* Update python documentation links for version 3 counterparts
* Fix context class (#449)
* Fix typo in README
* check if ast.JoinedStr exists before using it
* Fix ResourceWarning: unclosed file
* Fix DeprecationWarning: invalid escape sequence
* Add a readthedocs build status badge
* Supporting CSafeLoader in yaml.load plugin (#436)
* Remove paramiko invoke_shell and fix example (#377)
* Bump PyYAML minimum version to 3.13 (#432)
* Fix sql injection check for f-strings
* Fix terminal colors not displaying properly on Windows
* Add missing custom formatter doc (#406) (#421)
* Fix pep8
* Fix ast.arg check on python2
* Add passphrase as password detection
* Fix more info line to be in color also (#408)
* Remove unneeded trailing paren in link
* 394 Describe baseline and its usage in README
* Fix B611 doc title
* Add pre-commit config
* Fix Pylint warning W0612: use of unused variables (#389)
* Allow failures on dev branch of Python 3.8
* No need to skip R0204: redefined-variable-type
* fix pep8
* fix comments on #387
* Properly handle nosec strings in code
* Fix line max chars
* Fix pep8 Issue #386
* Proposed solution for #386
* Add option -q, --quiet, --silent to hide output
* Add release drafter template (#382)
* Fix custom format argument handling (#380)

1.5.1
-----

* Adding test case for traversal crash
* New plugin to check for ignoring host keys
* Fixed crash on dynamic import traversal (#369)

1.5.0
-----

* Change ver 1.4.1 references to 1.5.0
* Add external documentation references (#368)
* Add more_info URL to csv formatter (#361)
* Add support to run bandit as python -m bandit
* Add more_info URL to screen formatter (#360)
* Add more_info URL to text output (#359)
* Update Feature_request.md
* Update Feature_request.md
* Update Bug_report.md
* Add experimental Python 3.8-dev to test with (#337)
* Report dill usage (#347)
* Add more_info URL to XML output (#354)
* Re-enable functional tests as part of CI (#348)
* Use html.escape() instead of cgi.escape()
* Repair some broken see also links in the doc
* Add subprocess.run to B602
* Add Python 3.7 support (#327)
* fix pep8 line length issues
* add os.tempnam() / os.tmpnam() to blacklist
* Remove openstack specific utils.exec checks
* Add development status classifier
* Enable travis to run pylint and pep8 tox env
* Fix doc #310
* Add doc and version
* Fix code review
* Fast fix for #286
* Remove issue comment
* Improve add shell=True detection
* Example for shell kwarg
* Fix wording (deprecated -> removed)
* Leave a message explaining that these plugins have been deprecated
* Remove OpenStack-specific plugins
* Add missing documentation link for B703
* Use bandit.readthedocs.io in setup.cfg
* Add PyCryptodome to import blacklists
* Add missing B413 import_pycrypto in README
* Update the doc links, remove openstack
* Add a smaller logo that works with the README rst
* Delete license
* added apache license
* Delete license
* Added logo design
* added logo license
* Delete issue_template.md
* Update issue templates to new GitHub format
* Add detection for Django XSS
* Fix pep8
* Add Django SQL injection
* Remove integration test playbooks
* Show support for Python 3.6
* Add a build status badge to the README
* Create an issue template for the project
* Remove the unused integration tests
* Create a code of conduct
* Align with tox.ini python versions
* Remove nightly and others for now
* Adds basic .travis.yaml
* Changing Copyright to Bandit, Developers
* Correcting copyright change
* Migrate to new PyPI website
* Changes OpenStack specifics to PyCQA
* Stop using slave_scripts/install-distro-packages.sh
* Add bindep.txt file
* Add bandit ID to prefix of more_info link
* add lower-constraints job
* Updated from global requirements
* Typo in the name of the YAML formatter test
* Updated from global requirements
* Updated from global requirements
* Updated from global requirements
* Fix false positives for pyCrypto
* Add pycrypto to blacklist
* Zuul: Remove project name
* Add more_info URL to the YAML output
* Sort the complete plugin list
* Fix infinite loop issue
* Update docs links
* Updated from global requirements
* Updated from global requirements
* Updated from global requirements
* Update hacking requirement
* Update documentation
* Add more_info URL to the JSON output
* Add module loaded through importlib
* Create doc/requirements.txt
* Avoid tox_install.sh for constraints support
* Migrate to zuul V3
* Remove extra section from README.rst
* Updated from global requirements
* Remove setting of version/release from releasenotes
* Migrate to stestr
* Custom formatter
* Allow specifying targets in ini file
* Plugin to flag insecure hash functions created using hashlib.new()
* Cleanup test-requirements
* [Trivialfix]Fix typos
* Remove unused None from dict.get()
* Add .idea to .gitignore
* Incorrect Test ID in docstring
* Adds simple handler to provide failed line numbers
* Updated from global requirements
* Do not flag new way of escaping in jinja2 plugin
* Fixed order of arguments in assertEqual
* Updated from global requirements
* Add Apache License Content in index.rst
* Updated from global requirements
* Enable some off-by-default checks
* Updated from global requirements
* Updated from global requirements
* Updated from global requirements
* Optimize the link address
* Replace six.iteritems() with .items()
* Blacklist call of ssl._create_unverified_context
* Correct the yaml doc example to be actually yaml
* Enable coverage report in console output
* Updated from global requirements
* Updated from global requirements
* Yet Another Formatter (yaml)
* Repair the more info links for two blacklist calls
* Docs for B319 listed twice
* Add sha-1 to list of insecure hashes
* Refactor check_example to be clearer on error
* Dump bandit config file lists vertically
* Allow config for high and medium severity key sizes
* HTTPSConnection is secure in newer Python
* Updated from global requirements
* Typo fix: targetting => targeting
* Use https for references to openstack.org
* Alter SQL injection plugin to consider .format strings
* Add Cryptodome to blacklist and weak ciphers/hash
* Alter SQL Injection plugin SQL check

1.4.0
-----

* Fixing some UTF8 encoding issues in file names
* Fix up nits in the README and other files
* Drop redundant dict call
* Removing 'stats' from JSON output formatter
* Fixing partial path detection for Windows
* Add Constraints support
* Make Bandit's HTML report pass markup validation
* Remove checking for special characters in shells
* Add functional tests for B308, B321, and B402
* Handle curve keyword arg weak_cryptographic_key
* Typo in calls doc for input call
* Fix LOG marker to follow the Python 3 guideline
* Fix pylint too-many-return-statements errors

1.3.0
-----

* Fixing B502 and B503 developer docs
* Fix pylint old-style-class errors
* Add capability to pipe a file into bandit
* Fix for pylint no-self-use error
* Show team and repo badges on README
* Detect binary output file (txt/html)
* Replace 'assertFalse(a in b)' with 'assertNotIn(a, b)'
* Don't include openstack/common in flake8 exclude list
* Trivial fixes based on pylint scan
* Fix typo in test_set.py
* Replace 'assertTrue(a in b)' with 'assertIn(a, b)'

1.2.0
-----

* Updated from global requirements
* Updated from global requirements
* Fix unit tests for newest GitPython
* Fix blacklist filtering
* Replace 'MagicMock' with 'Mock'
* Use qualname list to avoid false positive on load()
* Enable release notes translation
* Updated from global requirements
* Updated from global requirements
* Updated from global requirements
* Updated from global requirements
* Fix a typo in test_set.py
* Update flake8 ignore list
* Fix typos in config.py & utils.py
* Adding "input()" to the blacklist calls list
* Small typo fix 'balcklist' in docstring
* Enforce no star-imports since code complies
* Fix remaining object imports and enforce the rule
* Clean imports in code
* Fix order of arguments in assertEqual
* Update defusedxml notification
* Skip key checks where size is not constant
* Show help when arguments are missing

1.1.0
-----

* Fix html escaping
* Fix some errors in utils.py & calls.py
* Fix some typos in the files
* Some spelling error need to be fixed
* Remove white space between print and ()
* Add check for httpoxy vulnerability
* Fixing jenkins failing on coverage reporting
* Fix the typo in the files
* Updated from global requirements
* Remove discover from test-requirements
* Adding more plugin config docs
* Adding missing section to documentation about gen_config
* Add missing Python 3.5 classifier
* Add a py35 tox venv for upcoming py35 support
* Add reno for release notes management
* Updated from global requirements
* Allow output to default to stdout using argparse
* Updated from global requirements
* Add man page for bandit command line
* Updated from global requirements
* Updated from global requirements
* [Trivial] Remove unnecessary executable privilege
* Updated from global requirements
* Catch general exception on per-file basis
* Updated from global requirements

1.0.1
-----

* Adding accurate docs for new bandit config
* Fixing a bug exposed with try, except, ... tests
* Ensure error exit codes fail integrations
* Calm down try,except,pass and try,except,continue
* Normalizing & editing command-line help text
* Added try_except_continue plugin
* Adding test IDs to test doc titles
* Fixing documentation for hardcoded password tests
* Delete the config, we don't need it now and it's also invalid
* Improving config handling
* Blacklists now check node types are valid
* Fix OpenStack coverage tool
* Moving test summary to end of screen results
* Adding debug tox testenv for bandit
* Improving config generator script
* Breaking up blacklist import IDs
* The source of include/exclude conditions was incorrectly reported
* Update command line help baseline report
* Fix typos in CLI output
* Trimming Blacklists
* Updated legacy profile support
* Take2: Only use screen when terminal is tty
* Only use screen when terminal is tty
* Fixed missing new lines from Skipped file report
* Adding link to hosted docs in HTML output
* Fixing an encoding error while writing HTML
* Fixing bug when filtering blacklists
* Pass environment variables of proxy to tox
* Adding profile generation to config generator
* Additional baseline candidate test coverage
* Use bdist\_wheel instead of wheel
* Legacy blacklist data is missing some expected fields
* Fixed typo in bandit/formatters/xml.py
* Missing letter in blacklist calls doc
* Removing duplicate Test ID in HTML report
* Making config optional
* Ignore all .coverage files and extensions
* Functional tests for baseline comparisons
* (re)Fixing output of bytes
* Adding docs for new style blacklist imports
* Add bandit to pep8 dependencies
* Adding JSON output for baseline results
* Fixing bug with output chars in formatters
* old blacklist imports referred to 'qualnames' as 'imports'
* Add test to compare help output with readme
* Make pep8 *the* linting interface
* Adding docs for new style blacklist calls
* Add blacklist plugins to help output
* Test names are converted to IDs before ever getting this far
* Remove ignore of F403
* Added bandit.core.manager unit tests
* Added config_generator unit tests
* Added cli.main unit tests
* Moving bandit baseline unit tests
* Old config compatibility
* Add version parameter to the command line
* Improved unit test coverage for bandit.cli.main
* Add PyPi badges
* This permits blacklist data to be filtered by ID
* Additional CLI main module unit tests
* Fixing hang in get_module_qualname_from_path
* Added unit tests for CLI main module
* Allow certain command line arguments to be passed from file
* Broken link in file jinja2_templates.py
* Misspelling in file plugins/index.rst
* This fixes the blacklist to look like a plugin so we can filter it
* Misspelling in main developers doc title
* Broken link in file mako_templates.py
* Fixing a bug and cleaning up in blacklisting code
* Cleaning code
* Adding some test coverage for config_generator
* Only decode output of subprocess
* Broken link to plugin list in file config.rst
* Support hacking H104
* Misspelling in error message in file screen.py
* Breaking out blacklists
* Bandit baseline unit tests
* Change into the project directory
* Small typo fix on the tests include/exclude
* Pretty up the formatter docs
* Updated from global requirements
* Add test ID to the output
* Add script to test bandit against projects at gate
* Update docs to include references to EC keys
* Add ftplib as an insecure protocol to use
* Added more unit tests for bandit baseline
* Update readme with latest changes
* Add missing automodule doc for yaml_load
* Allow list of tests to skip to be specified on command line
* Split yaml blacklist check into its own file
* Enable pep8 testing on tests
* Remove unnecessary absolute_import logic from modules
* Improved unit test coverage for baseline module
* Move cli modules into their own submodule
* Adding a test for test id on test plugins
* Pretty up the plugin documentation
* Changing config generator to display options
* Proper B5xx test numbering
* Remove old docs
* Allow list of tests specified on command line
* Fixed a misspelling of the word "referred"
* Allow precise #nosec placement
* Fix db error when running python34 unit tests
* Putting plugin config in code
* Split lines only once per file
* Faster loc
* Use binary mode when reading files
* use six.moves.builtins in python3
* Replace logger.warn with logger.warning
* Use == for str comparison
* Fix comment about value returned
* Correct code output on python3
* Display nice error when profile is not found
* Fix output encoding in baseline
* Fix detached head baseline
* Ensure XML goes to binary file on py3
* Fix text and html output whitespace
* Changing severity on Bandit Baseline tox target
* Adding linters target to tox.ini
* Adding new screen formatter
* Adding test IDs
* Fix codesec tox env
* Adding Bandit Baseline Tox Target
* Remove show_progress_every from Bandit config file
* Add docs for formatters

0.17.0
------

* Use sphinx autodoc to generate docs from docstring
* Move status counter to stderr
* Tweaking logger
* Adding bandit-baseline tool
* Fix multiline string with missing space
* Update README with recent changes
* Config generator: fix a typo

0.16.2
------

* Updated from global requirements
* bandit-config-generator: Add documentation
* Lowering confidence of "any_other_function_with_shell_equals_true"
* Simpler baseline matching
* Cleaning up node visitor
* Removing unused code
* Improving node visitor
* Add a configuration generator for bandit
* Add functional runtime tests

0.16.1
------

* Fixing a simple issue in results count to fix exit code

0.16.0
------

* Adding baseline capabilities to HTML formatter and update report
* Adding Baseline Capability to the Text Formatter
* Changing the way baseline formatters are indicated
* Changing issue candidates in baseline to ordered dict
* os.system et al. all spawn a shell so we should use the same logic
* Fixing bug when encountering tuple params
* Fix simple bug in text formatter excluded files list
* Improving Bandit Baseline Reporting
* blacklist_calls: add Python3 and six versions of some functions
* Test for bug 1513091

0.15.2
------

* Fixing bug in injection test

0.15.1
------

* Fixing Baseline when a filter is used
* Fixing Traceback with Bad File
* Making score sum totals more sane
* Added missing HTTP verbs to the requests checks
* Remove coverage files after run

0.15.0
------

* Adding missing docs
* Fixing some docs formatting
* Distinguish between formatted and simple commands
* Changing the confidence in the oslo secret plugin
* Adding plugin to output in text formatter
* Adding the plugin name to the HTML report
* Adding metrics and CSS styling to HTML formatter
* This adds baseline filtering to bandit
* Ensure each plugin is linked to appropriate sec guidance doc
* Add missing documentation for start_process_with_a_shell
* Collecting metrics code in one place
* Don't create files if we did not ask for them
* Add check for weak elliptic curve keys
* Add doc for weak_cryptographic_key plugin

0.14.1
------

* Adding command line option to exclude paths
* Tweaks to #nosec (+ ignore flag, - dead constant)
* Add check for Flask app debug=True usage
* Add metrics to text and JSON output formatters
* Add basic metric generation and associated tests
* Include context in debug output
* Tidy up plugin list in 'bandit -h' output

0.14.0
------

* Adding docs for Jinja2 autoescape
* Adding mako template docs
* Check for insecure cipher modes
* Adding docs for subprocess tests
* Adding docs for paramiko calls test
* Adding Linux wildcard docs
* Bad file permission docs
* Python 3 compatibility fix
* Making the /tmp file test more accurate
* Enabling new hardcoded password tests in the config
* Fixing -n behaviour
* Improved tests for hardcoded passwords
* Updated from global requirements
* Adding docs for SSL/TLS version tests
* Adding docs for try, except, pass
* Adding start_process_with_partial_path docs
* Adding docs for blacklist_imports test
* Increasing coverage of try-except-pass to 100%
* Fixing bug introduced by manager refactor
* Adding documentation for blacklist calls
* Adding "exec_used" documentation
* Removing argument printing
* Cleanup the blacklist plugin
* Cache blacklisted functions -> 5% faster
* Test coverage of manager now at 100%
* Fixing swapped parameters for issue severity and confidence
* Fix running when empty config file
* Remove tox environment for pypy
* Add unit tests for bandit.core.issue
* Adding HTML formatter
* Split each formatter into separate modules
* Update .gitignore to exclude docs output
* Ignore vim swap files
* Simplifying Result Store
* Enabling coverage reporting in tox
* Don't read the wordlist file in on every test call, cache it
* Unit testing of meta\_ast.py
* bad_file_permissions check: Use correct filename
* Skip '/tests/' by default
* Add known weak ciphers to blacklisted calls
* Adding "hardcoded_sql_expressions" documentation
* Adding "hardcoded_tmp_directory" documentation
* Adding "hardcoded_password" documentation
* Adding assert_used documentation
* Fix manager having no attribute '_init_logger'
* Generate module docs
* Add unit tests for the formatters
* Raise exceptions from BanditConfig rather than exit
* Removing class level variables
* Introduce wildcards to blacklist_calls plugin
* Adding unit tests for bandit.core.context.Context
* Remove redundant quotes in bandit.yaml
* meta-ast is only needed if we are in debug mode
* Adding any_other_function_with_shell_equals_true documentation
* Adding "execute_with_run_as_root_equals_true" documentation
* Adding "hardcoded_bind_all_interfaces" documentation
* Add a new check for weak RSA and DSA key sizes
* Update .gitignore for docs
* Use addCleanup rather than tearDown
* Use testtools rather than unittest
* Adding documentation for test plugins
* Adding documentation for configuration
* Additional unit test coverage for core/utils.py
* Fix typos in bandit.yaml
* Replace incorrect safe_str
* Trivial fix to beautify bandit.yaml
* Add Bytes AST support
* Variable file not defined in error path
* Adding test tool for check OpenStack projects' Bandit job
* Remove unreachable code in config.py
* Unit tests for bandit.core.config
* Adding a check for key in get_call_arg_at_position
* Py3 compatibility fix in lines_with_context() util
* Remove unused safe_unicode() utility function
* Adding check for node key in Context
* Remove unused describe_symbol() utility function
* Better function to count lines in a file
* Adding the key lookup to Context.call_args_string
* Remove unused test_basic.py
* Rename core.test_config to test_bandit
* Adding a check for call in call_args_count
* Refactoring Unit Test Directories
* Update gitignore for coverage
* Update git clone repo
* Eliminate dir(node) -> 10% faster

0.13.2
------

* Find bandit.yaml when in virtualenv

0.13.1
------

* Add other known weak MD hash modules
* Capture warnings for missing plugins or config in normal logging
* Skip a test if it requires config but none is found
* Clean up test\_config
* Add info: License, Source, Bugs and Docs to README

0.13.0
------

* Actually default to /etc/ rather than just claim
* Build universal wheels for PyPI
* Update README with latest changes
* Convert README to rst
* NIT: Fix missing python 3 in classifier
* Add a confidence filter
* Rewording subprocess without shell finding
* Fixes exit code for filtered results
* Adding report timestamp
* Bug fix for SQL tests
* Adding a more informative help message for "-l"
* Activate pep8 check that _ is imported
* Add all available plugins to an example profile
* Revised XML tests
* Adding documentation framework
* Register plugins included as entry-points
* Improving SQL Injection detection
* Fixing up random to be less noisy
* Bring the logger up as soon as possible
* Bug fix in secret_config_option plugin
* Consider other hardcoded tmp paths
* Install word_list, raise exception if cannot find
* Modifying Paramiko Injection plugin
* Adding test for Try, Except, Pass
* Add tool for reporting Bandit OpenStack coverage
* Update .gitreview file for project rename
* Don't run with no tests
* Faster Bandit
* Removing statement buffer
* Adding a test for partial paths in exec functions

0.12.0
------

* Address multiline node lineno inaccuracies
* Actually rely on entry-points for formatters
* Add extension entry-points and loading
* Adding paramiko injections check to blacklist functions
* Fix config option fallback if "include" missing
* Update README with missing usage changes
* Adding verbose flag
* Log the version of Python bandit is running under
* Add notes to the README about Bandit on Python 3.4
* Clean up tests and examples for Python 3.4
* Update example files to work on Python 2 & 3
* Add Python 3.4 compatibility to bandit
* Adding documentation for SSL/TLS tests
* Adding docs for temp issues
* Use best logging practices
* Smooth over some differences with six
* Handle exception when invalid config file is specified
* Update bandit to use absolute imports
* Refactor BanditResultStore.report
* Add XML output format support

0.11.0
------

* Update the README file
* Changing config file search paths
* Adding a check for the use of Assert
* Add XML vulnerability checking
* Shift in result types & ranking scales
* Added csv output format
* Update README.rst
* Fixed issue processing files containing invalid python
* Update email to openstack-dev
* Refactored/optimized reporting code

0.10.1
------

* Fixing info output that was breaking JSON format
* Fixing Bandit's config settings

0.10.0
------

* Fixing a bug with files listing when a file was skipped
* Fixed -n flag processing
* Fix a couple of issues with handling multi-line strings
* Fixed severity level filtering
* Fix new output file checking functionality
* Adding util methods to help handle the mix of unicode and string
* Add error checks/handing around output file case
* Fix vulnerability aggregation bug
* Fixed nosec flagging
* Moving lineno into generic visitor
* Make subprocess without `shell=True` into a plugin
* Tweaking severity for a few plugins
* Remove Python 2.6 from setup.cfg
* Correct supported Python versions in setup.cfg
* Update the config file, and use yaml.safe\_load()
* Wildcard injection requires a shell
* Fixing uncaught 'InvalidModulePath' exception
* Fix a leftover tuple unpacking in reporting code
* Add tests for subprocesses and deserialization
* Fixes for node_visitor, sql and hardcoded password tests
* Add mako templating plugin and XSS profile
* Refactored AST processing
* Refactor functional tests to clarify scoring
* Clean up test property decorators after refactor
* Return the full name used in calls
* Add mock to test-requirements
* Add ceilometer to rootwrap check
* Minor cleanup for _matches_glob_list function
* Add check for secret=True on oslo password options
* assertEqual should be (expected, actual)
* Adds line ranges, DRYs code, fixes #nosec
* Add documentation for exec, yaml, jinja2 plugins
* Add list of Python values considered False
* Update jinja2 plugin to be more accurate
* Adding file discovery and directory exclusion
* Adds jinja2 autocomplete=false test
* Adds JSON output functionality
* Add rootwrap checks for neutron and cinder
* Add INFO check for any use of rootwrap
* Further decorator changes and plugin migration
* Removing unreachable code
* Adds decorator methods for tests
* Removing warning about modules not installed in sys.path
* New constants to support updated results structure
* Adding meaningful exit codes to support use in gate
* Rename README.md to README.rst
* Update test-requirements.txt to match global requirements
* Add __repr__ to the context object
* Minor changes to profile-related debug output

0.9.0
-----

* Remove the check for PROTOCOL_SSLv23
* Make func, class name definitions fully qualified
* Add unaliased mod name to import_aliases; Fix tests
* Blacklist urlopen-like functions in urllib, urllib2
* Add yaml.load to blacklist with yaml example file
* Fix a reported bug when bandit encounters "__import__()"
* Hardening bandit in the face of buggy plugins or odd ASTs
* Graceful degradation when failing to fully qualify an attr node
* Fixing an oversight when processing non-attr nodes
* Refactoring "checks_functions" to check function definitions
* Removing TODO (to be tracked in Bandit wiki)
* Updated README file
* Adding a set of functional tests based on the examples folder
* Quantifying bandit test results
* Removing Py26 from the test env list, it's being deprecated
* Adding a basic test for the gate (need at least one to pass)
* Enabling PEP8 tests in tox and re-working source to comply
* Making Bandit into an installable package and adding tox tests
* Removing default '' return for ast_args_to_str()
* Adding a test for use of HTTPSConnection
* Adding a check to bandit for use of 'exec'
* Better checks against blacklisted modules, catch __import__
* Adding SSL/TLS protocol version checks
* Temporarily commenting out hardcoded password test, it's broken
* Add .gitreview file
* Bug fix for hardcoded passwords test
* Updated configuration file
* Adding option to aggregate by vulnerability type and a test for hardcoded /tmp usage
* Adding a test for hardcoded passwords
* PEP 8 fixes
* Renaming plugins, creating import blacklist section, adding check for dup function names
* Updating the random test to include all usages of the random lib
* Updated README
* Updated AUTHORS file
* Adding a test for random.random, use will return an INFO level message
* Adding SQL Injection test, examples, and profile
* Adding capability to check if certain modules have been imported during function calls
* Minor PEP 8 fixes
* Added AUTHORS file
* Updated README file
* Updating command line switches
* Updated TODO file
* Updating the README file to keep parity with recent changes
* Fix bug with permissions matching
* Moving bad names definition to config file; fixed bug with qualname
* Create settings system, moved more fixed values to config, improved readability
* First pass at moving some things to config, begin cleaning up code
* Separate each test into its own file
* Fixed a bug with handling _ast.Tuple
* Allow creation of test profiles and switch config to yaml
* Test type marked using decorators and tests now automatically discovered from plugins directory
* Adding a property to access the raw AST node from context instance
* Changed to pass Context instance to tests, rather than raw context
* Refactoring to move the AST implementation details out of tests
* Adding example file for utils.execute* shell=True tests
* Adding more unsafe shell=True usage checks for OS utils library
* Wildcard injection tests crash on non-string args
* Updated README
* Updated README
* Updated TODO
* Test for mark_safe() calls
* Updated README
* Broader test for calls with shell=True parameter
* Updated README
* First test targeting Str nodes (binding to all interfaces)
* Minor PEP8 fixes
* Add support for Str node types
* Allow individual lines of code to be flagged for exclusion
* Updated TODO
* Updated README
* Rework case where no findings are found
* Modify call_bad_names test to use regex and add to blacklist
* Introduce and utilize module-level constants
* Specify UTF-8 coding
* Updated TODO
* Addition of Apache License 2.0
* pep8 fix
* Remove debug prints
* Updated wildcards test to catch Popen(['','','']) case
* Updated README
* Tidy up output format
* Optionally write output to file specified
* pep8 fixes
* pep8 fixes
* pep8 fixes
* Adding wildcard injection test
* pep8 fixes
* pep8 fixes
* Modify manager to only display progress where needed
* Remove unnecessary logger.error call from manager
* Fix 'self' reference in manager
* Add support for skipping files
* Fix relative imports and error handling
* Reposition setting of lineno in visit\_Import and visit\_ImportFrom
* Support dynamic loading of tests
* Refactor the call tests to use the new test context
* Remove unused ast_args_to_str method
* refactor to extract imports tests and build context
* new bad imports example
* starting refactor to extract tests from core
* Move existing call tests into separate methods
* updated readme
* updated readme
* initial commit
* Initial commit
