Remove --trim option and UImode Enum

Explicitly always make reassignment_nodes the vulnerability chain
Fix tests after removing UImode
Add comment to argparse hack
Update root README.rst

Author: KevinHock

README.rst

@@ -86,53 +86,56 @@ Usage
 .. code-block::
 
   usage: python -m pyt [-h] [-a ADAPTOR] [-pr PROJECT_ROOT]
-                   [-b BASELINE_JSON_FILE] [-j] [-m BLACKBOX_MAPPING_FILE]
-                   [-t TRIGGER_WORD_FILE] [-o OUTPUT_FILE] [--ignore-nosec]
-                   [-r] [-x EXCLUDED_PATHS] [-trim] [-i]
-                   targets [targets ...]
+                       [-b BASELINE_JSON_FILE] [-j] [-t TRIGGER_WORD_FILE]
+                       [-m BLACKBOX_MAPPING_FILE] [-i] [-o OUTPUT_FILE]
+                       [--ignore-nosec] [-r] [-x EXCLUDED_PATHS]
+                       [--dont-prepend-root] [--no-local-imports]
+                       targets [targets ...]
 
   required arguments:
-    targets               source file(s) or directory(s) to be tested
+    targets               source file(s) or directory(s) to be scanned
 
   important optional arguments:
     -a ADAPTOR, --adaptor ADAPTOR
-                        Choose a web framework adaptor: Flask(Default),
-                        Django, Every or Pylons
-			
+                          Choose a web framework adaptor: Flask(Default),
+                          Django, Every or Pylons
+
     -t TRIGGER_WORD_FILE, --trigger-word-file TRIGGER_WORD_FILE
-                        Input file with a list of sources and sinks
-			
+                          Input file with a list of sources and sinks
+
     -m BLACKBOX_MAPPING_FILE, --blackbox-mapping-file BLACKBOX_MAPPING_FILE
-                        Input blackbox mapping file
+                              Input blackbox mapping file
 
   optional arguments:
     -pr PROJECT_ROOT, --project-root PROJECT_ROOT
-                        Add project root, only important when the entry file
-                        is not at the root of the project
+                          Add project root, only important when the entry file
+                          is not at the root of the project.
 
     -b BASELINE_JSON_FILE, --baseline BASELINE_JSON_FILE
-                        Path of a baseline report to compare against (only
-                        JSON-formatted files are accepted)
+                          Path of a baseline report to compare against (only
+                          JSON-formatted files are accepted)
+
+    -j, --json            Prints JSON instead of report.
 
-    -j, --json            Prints JSON instead of report
+    -i, --interactive     Will ask you about each blackbox function call in
+                          vulnerability chains.
 
     -o OUTPUT_FILE, --output OUTPUT_FILE
-                        Write report to filename
+                          Write report to filename
 
-    --ignore-nosec      Do not skip lines with # nosec comments
+    --ignore-nosec        Do not skip lines with # nosec comments
 
-    -r, --recursive     Find and process files in subdirectories
+    -r, --recursive       Find and process files in subdirectories
 
     -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
-                        Separate files with commas
+                          Separate files with commas
 
+    --dont-prepend-root   In project root e.g. /app, imports are not prepended
+                          with app.*
 
-  print arguments:
-    -trim, --trim-reassigned-in
-                        Trims the reassigned list to just the vulnerability
-                        chain.
-    -i, --interactive   Will ask you about each blackbox function call in
-                        vulnerability chains.
+    --no-local-imports    If set, absolute imports must be relative to the
+                          project root. If not set, modules in the same
+                          directory can be imported just by their names.
 
 Usage from Source
 =================

pyt/__main__.py

@@ -19,8 +19,7 @@
 from .usage import parse_args
 from .vulnerabilities import (
     find_vulnerabilities,
-    get_vulnerabilities_not_in_baseline,
-    UImode
+    get_vulnerabilities_not_in_baseline
 )
 from .vulnerabilities.vulnerability_helper import SanitisedVulnerability
 from .web_frameworks import (
@@ -65,10 +64,6 @@ def retrieve_nosec_lines(
 def main(command_line_args=sys.argv[1:]):  # noqa: C901
     args = parse_args(command_line_args)
 
-    ui_mode = UImode.TRIM
-    if args.interactive:
-        ui_mode = UImode.INTERACTIVE
-
     files = discover_files(
         args.targets,
         args.excluded_paths,
@@ -122,9 +117,9 @@ def main(command_line_args=sys.argv[1:]):  # noqa: C901
     analyse(cfg_list)
     vulnerabilities = find_vulnerabilities(
         cfg_list,
-        ui_mode,
         args.blackbox_mapping_file,
         args.trigger_word_file,
+        args.interactive,
         nosec_lines
     )
 
@@ -139,7 +134,10 @@ def main(command_line_args=sys.argv[1:]):  # noqa: C901
     else:
         text.report(vulnerabilities, args.output_file)
 
-    has_unsanitized_vulnerabilities = any(not isinstance(v, SanitisedVulnerability) for v in vulnerabilities)
+    has_unsanitized_vulnerabilities = any(
+        not isinstance(v, SanitisedVulnerability)
+        for v in vulnerabilities
+    )
     if has_unsanitized_vulnerabilities:
         sys.exit(1)
 

pyt/cfg/stmt_visitor.py

@@ -665,6 +665,7 @@ def add_blackbox_or_builtin_call(self, node, blackbox):  # noqa: C901
         call_node.label = LHS + " = " + RHS
 
         call_node.right_hand_side_variables = rhs_vars
+        # Used in get_sink_args
         rhs_visitor = RHSVisitor()
         rhs_visitor.visit(node)
         call_node.args = rhs_visitor.result

pyt/usage.py

@@ -20,8 +20,9 @@
 def _add_required_group(parser):
     required_group = parser.add_argument_group('required arguments')
     required_group.add_argument(
-        'targets', metavar='targets', type=str, nargs='+',
-        help='source file(s) or directory(s) to be tested'
+        'targets', metavar='targets', nargs='+',
+        help='source file(s) or directory(s) to be scanned',
+        type=str
     )
 
 
@@ -54,21 +55,27 @@ def _add_optional_group(parser):
         action='store_true',
         default=False
     )
+    optional_group.add_argument(
+        '-t', '--trigger-word-file',
+        help='Input file with a list of sources and sinks',
+        type=str,
+        default=default_trigger_word_file
+    )
     optional_group.add_argument(
         '-m', '--blackbox-mapping-file',
         help='Input blackbox mapping file.',
         type=str,
         default=default_blackbox_mapping_file
     )
     optional_group.add_argument(
-        '-t', '--trigger-word-file',
-        help='Input file with a list of sources and sinks',
-        type=str,
-        default=default_trigger_word_file
+        '-i', '--interactive',
+        help='Will ask you about each blackbox function call in vulnerability chains.',
+        action='store_true',
+        default=False
     )
     optional_group.add_argument(
         '-o', '--output',
-        help='write report to filename',
+        help='Write report to filename',
         dest='output_file',
         action='store',
         type=argparse.FileType('w'),
@@ -78,11 +85,13 @@ def _add_optional_group(parser):
         '--ignore-nosec',
         dest='ignore_nosec',
         action='store_true',
-        help='do not skip lines with # nosec comments'
+        help='Do not skip lines with # nosec comments'
     )
     optional_group.add_argument(
-        '-r', '--recursive', dest='recursive',
-        action='store_true', help='find and process files in subdirectories'
+        '-r', '--recursive',
+        dest='recursive',
+        action='store_true',
+        help='Find and process files in subdirectories'
     )
     optional_group.add_argument(
         '-x', '--exclude',
@@ -108,39 +117,18 @@ def _add_optional_group(parser):
     )
 
 
-def _add_print_group(parser):
-    print_group = parser.add_argument_group('print arguments')
-    print_group.add_argument(
-        '-trim', '--trim-reassigned-in',
-        help='Trims the reassigned list to just the vulnerability chain.',
-        action='store_true',
-        default=True
-    )
-    print_group.add_argument(
-        '-i', '--interactive',
-        help='Will ask you about each blackbox function call in vulnerability chains.',
-        action='store_true',
-        default=False
-    )
-
-
-def _check_required_and_mutually_exclusive_args(parser, args):
-    if args.targets is None:
-        parser.error('The targets argument is required')
-
-
 def parse_args(args):
     if len(args) == 0:
         args.append('-h')
     parser = argparse.ArgumentParser(prog='python -m pyt')
+
+    # Hack to in order to list required args above optional
     parser._action_groups.pop()
+
     _add_required_group(parser)
     _add_optional_group(parser)
-    _add_print_group(parser)
 
     args = parser.parse_args(args)
-    _check_required_and_mutually_exclusive_args(
-        parser,
-        args
-    )
+    if args.targets is None:
+        parser.error('The targets argument is required')
     return args

pyt/vulnerabilities/__init__.py

@@ -1,12 +1,8 @@
 from .vulnerabilities import find_vulnerabilities
-from .vulnerability_helper import (
-    get_vulnerabilities_not_in_baseline,
-    UImode
-)
+from .vulnerability_helper import get_vulnerabilities_not_in_baseline
 
 
 __all__ = [
     'find_vulnerabilities',
-    'get_vulnerabilities_not_in_baseline',
-    'UImode'
+    'get_vulnerabilities_not_in_baseline'
 ]