{
  "errors": [],
  "generated_at": "2019-04-24T11:18:22Z",
  "metrics": {
    "_totals": {
      "CONFIDENCE.HIGH": 3,
      "CONFIDENCE.LOW": 0,
      "CONFIDENCE.MEDIUM": 1,
      "CONFIDENCE.UNDEFINED": 0,
      "SEVERITY.HIGH": 0,
      "SEVERITY.LOW": 1,
      "SEVERITY.MEDIUM": 3,
      "SEVERITY.UNDEFINED": 0,
      "loc": 278,
      "nosec": 0
    },
    "routes.py": {
      "CONFIDENCE.HIGH": 3,
      "CONFIDENCE.LOW": 0,
      "CONFIDENCE.MEDIUM": 1,
      "CONFIDENCE.UNDEFINED": 0,
      "SEVERITY.HIGH": 0,
      "SEVERITY.LOW": 1,
      "SEVERITY.MEDIUM": 3,
      "SEVERITY.UNDEFINED": 0,
      "loc": 278,
      "nosec": 0
    }
  },
  "results": [
    {
      "code": "4 from models import db, Message, ChallInfo, Flag, User2\n5 import xml.etree.ElementTree as ET\n6 from werkzeug.utils import secure_filename\n",
      "filename": "routes.py",
      "issue_confidence": "HIGH",
      "issue_severity": "LOW",
      "issue_text": "Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.",
      "line_number": 5,
      "line_range": [
        5
      ],
      "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree",
      "test_id": "B405",
      "test_name": "blacklist"
    },
    {
      "code": "139 \t\t\t\tdata = request.data\n140 \t\t\t\ttree = ET.fromstring(data)\n141 \t\t\t\tdata1 = tree.find('.//{tns}username').text\n",
      "filename": "routes.py",
      "issue_confidence": "HIGH",
      "issue_severity": "MEDIUM",
      "issue_text": "Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called",
      "line_number": 140,
      "line_range": [
        140
      ],
      "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree",
      "test_id": "B314",
      "test_name": "blacklist"
    },
    {
      "code": "226 \t\t\t\tdata = request.data\n227 \t\t\t\ttree = ET.fromstring(data)\n228 \t\t\t\tdata1 = tree.find('.//{tns}username').text\n",
      "filename": "routes.py",
      "issue_confidence": "HIGH",
      "issue_severity": "CRITICAL",
      "issue_text": "Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called",
      "line_number": 227,
      "line_range": [
        227
      ],
      "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b313-b320-xml-bad-elementtree",
      "test_id": "B314",
      "test_name": "blacklist"
    },
    {
      "code": "226 \t\t\t\tdata = request.data\n227 \t\t\t\ttree = ET.fromstring(data)\n228 \t\t\t\tdata1 = tree.find('.//{tns}username').text\n",
      "filename": "routes.py",
      "issue_confidence": "HIGH",
      "issue_severity": "HIGH",
      "issue_text": "Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called",
      "line_number": 227,
      "line_range": [
        227
      ],
      "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b313-b320-xml-bad-elementtree",
      "test_id": "B314",
      "test_name": "blacklist"
    },
    {
      "code": "226 \t\t\t\tdata = request.data\n227 \t\t\t\ttree = ET.fromstring(data)\n228 \t\t\t\tdata1 = tree.find('.//{tns}username').text\n",
      "filename": "routes.py",
      "issue_confidence": "HIGH",
      "issue_severity": "MEDIUM",
      "issue_text": "Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called",
      "line_number": 227,
      "line_range": [
        227
      ],
      "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b313-b320-xml-bad-elementtree",
      "test_id": "B314",
      "test_name": "blacklist"
    },
    {
      "code": "353 if __name__ == \"__main__\":\n354 \tapp.run(debug=False, threaded=True, host='0.0.0.0', port='80')\n355 \n",
      "filename": "routes.py",
      "issue_confidence": "MEDIUM",
      "issue_severity": "MEDIUM",
      "issue_text": "Possible binding to all interfaces.",
      "line_number": 354,
      "line_range": [
        354
      ],
      "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b104_hardcoded_bind_all_interfaces.html",
      "test_id": "B104",
      "test_name": "hardcoded_bind_all_interfaces"
    }
  ]
}