Metrics:
Total lines of code: 2284
Total lines skipped (#nosec): 0

Skipped files:

badapp/Djangoat/app/articles/views.py reason: syntax error while parsing AST from file
badapp/Djangoat/app/feeds/views.py reason: syntax error while parsing AST from file

blacklist: Use of insecure MD2, MD4, MD5, or SHA1 hash function.
Test ID: B303
Severity: MEDIUM
Confidence: HIGH
CWE: CWE-327
File: badapp/Djangoat/app/authentication/models.py
Line number: 47
More info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b303-md5
46	                gravatar_url = 'http://www.gravatar.com/avatar/{0}?{1}'.format(
47	                    hashlib.md5(self.user.email.lower()).hexdigest(),
48	                    urllib.urlencode({'d': no_picture, 's': '256'})
blacklist: Consider possible security implications associated with pickle module.
Test ID: B403
Severity: LOW
Confidence: HIGH
CWE: CWE-502
File: badapp/Djangoat/app/authentication/views.py
Line number: 3
More info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b403-import-pickle
2	import datetime
3	import pickle
4	
5	from binascii import hexlify, unhexlify
hardcoded_password_string: Possible hardcoded password: 'cbb0a3d727b802ef86d173c411df1285'
Test ID: B105
Severity: LOW
Confidence: MEDIUM
CWE: CWE-259
File: badapp/Djangoat/app/authentication/views.py
Line number: 23
More info: https://bandit.readthedocs.io/en/1.7.4/plugins/b105_hardcoded_password_string.html
22	
23	token_key = "cbb0a3d727b802ef86d173c411df1285"
24	
25	
26	def token_blob(id, email):
blacklist: Pickle and modules that wrap it can be unsafe when used to deserialize untrusted data, possible security issue.
Test ID: B301
Severity: MEDIUM
Confidence: HIGH
CWE: CWE-502
File: badapp/Djangoat/app/authentication/views.py
Line number: 55
More info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b301-pickle
54	
55	    return pickle.loads(d.update(ct) + d.finalize())
56	
try_except_pass: Try, Except, Pass detected.
Test ID: B110
Severity: LOW
Confidence: HIGH
CWE: CWE-703
File: badapp/Djangoat/app/core/views.py
Line number: 88
More info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
87	
88	    except Exception:
89	        pass
try_except_pass: Try, Except, Pass detected.
Test ID: B110
Severity: LOW
Confidence: HIGH
CWE: CWE-703
File: badapp/Djangoat/app/core/views.py
Line number: 159
More info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
158	
159	    except Exception:
160	        pass
try_except_pass: Try, Except, Pass detected.
Test ID: B110
Severity: LOW
Confidence: HIGH
CWE: CWE-703
File: badapp/Djangoat/app/questions/views.py
Line number: 118
More info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
117	
118	    except Exception:
119	        pass
django_extra_used: Use of extra potential SQL attack vector.
Test ID: B610
Severity: MEDIUM
Confidence: MEDIUM
CWE: CWE-89
File: badapp/Djangoat/app/search/views.py
Line number: 45
More info: https://bandit.readthedocs.io/en/1.7.4/plugins/b610_django_extra_used.html
44	                bucket = kind.__name__.lower() + "s"
45	            results[bucket] = kind.objects.extra(where=[clause])
46	            
hardcoded_password_string: Possible hardcoded password: 'b3fd8e309ff18c83f7264720ed2f2056e64f1693'
Test ID: B105
Severity: LOW
Confidence: MEDIUM
CWE: CWE-259
File: badapp/Djangoat/app/settings.py
Line number: 12
More info: https://bandit.readthedocs.io/en/1.7.4/plugins/b105_hardcoded_password_string.html
11	
12	SECRET_KEY = 'b3fd8e309ff18c83f7264720ed2f2056e64f1693'
13	
14	# SECURITY WARNING: don't run with debug turned on in production!
15	DEBUG = True
hardcoded_tmp_directory: Probable insecure usage of temp file/directory.
Test ID: B108
Severity: MEDIUM
Confidence: MEDIUM
CWE: CWE-377
File: badapp/Djangoat/app/settings.py
Line number: 138
More info: https://bandit.readthedocs.io/en/1.7.4/plugins/b108_hardcoded_tmp_directory.html
137	
138	FILE_UPLOAD_TEMP_DIR = '/tmp/'
139	FILE_UPLOAD_PERMISSIONS = 0o644
blacklist: Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package.
Test ID: B410
Severity: LOW
Confidence: HIGH
CWE: CWE-20
File: badapp/Djangoat/app/util.py
Line number: 1
More info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b410-import-lxml
1	from lxml import etree
2	from StringIO import StringIO
3	from django.utils.html import escape
blacklist: Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.
Test ID: B320
Severity: MEDIUM
Confidence: HIGH
CWE: CWE-20
File: badapp/Djangoat/app/util.py
Line number: 11
More info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b313-b320-xml-bad-etree
10	    try:
11	        tree = etree.parse(StringIO(str), etree.HTMLParser())
12	        root = tree.getroot()
django_mark_safe: Potential XSS on mark_safe function.
Test ID: B703
Severity: MEDIUM
Confidence: HIGH
CWE: CWE-80
File: badapp/Djangoat/app/util.py
Line number: 25
More info: https://bandit.readthedocs.io/en/1.7.4/plugins/b703_django_mark_safe.html
24	
25	        return mark_safe(etree.tostring(root))
26	    except:
blacklist: Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
Test ID: B308
Severity: MEDIUM
Confidence: HIGH
CWE: CWE-79
File: badapp/Djangoat/app/util.py
Line number: 25
More info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b308-mark-safe
24	
25	        return mark_safe(etree.tostring(root))
26	    except:
django_mark_safe: Potential XSS on mark_safe function.
Test ID: B703
Severity: MEDIUM
Confidence: HIGH
CWE: CWE-80
File: badapp/Djangoat/app/util.py
Line number: 27
More info: https://bandit.readthedocs.io/en/1.7.4/plugins/b703_django_mark_safe.html
26	    except:
27	        return mark_safe(escape(str))
blacklist: Use of mark_safe() may expose cross-site scripting vulnerabilities and should be reviewed.
Test ID: B308
Severity: MEDIUM
Confidence: HIGH
CWE: CWE-79
File: badapp/Djangoat/app/util.py
Line number: 27
More info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b308-mark-safe
26	    except:
27	        return mark_safe(escape(str))
blacklist: Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Test ID: B311
Severity: LOW
Confidence: HIGH
CWE: CWE-330
File: badapp/Djangoat/scripts/seed.py
Line number: 51
More info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
50	def sel(seq):
51	    return seq[randint(0, len(seq) - 1)]
52	
try_except_pass: Try, Except, Pass detected.
Test ID: B110
Severity: LOW
Confidence: HIGH
CWE: CWE-703
File: badapp/Djangoat/scripts/seed.py
Line number: 133
More info: https://bandit.readthedocs.io/en/1.7.4/plugins/b110_try_except_pass.html
132	                lk.profile.notify_liked(post)
133	            except:
134	                pass
blacklist: Standard pseudo-random generators are not suitable for security/cryptographic purposes.
Test ID: B311
Severity: LOW
Confidence: HIGH
CWE: CWE-330
File: badapp/Djangoat/scripts/seed.py
Line number: 137
More info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_calls.html#b311-random
136	        for i in range(3):
137	            if randint(0, 1) == 1:
138	                post.comment(user=sel(erbody), post=body.split(".")[1])