Handle variant in how policy is passed in paramiko

Paramiko permits various ways of importing the missing host key
policy. It allows paramiko.client.AutoAddPolicy or paramiko.AutoAddPolicy.
The later isn't being handled in Bandit.

This change adds news tests and modifies the plugin to inspect the
AST to determine whether the argument is an Attribute, Name, or
Call.

Fixes #1077

Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>

bandit/plugins/ssh_no_host_key_verification.py

@@ -55,8 +55,13 @@ def ssh_no_host_key_verification(context):
         policy_argument_value = None
         if isinstance(policy_argument, ast.Attribute):
             policy_argument_value = policy_argument.attr
+        elif isinstance(policy_argument, ast.Name):
+            policy_argument_value = policy_argument.id
         elif isinstance(policy_argument, ast.Call):
-            policy_argument_value = policy_argument.func.attr
+            if isinstance(policy_argument.func, ast.Attribute):
+                policy_argument_value = policy_argument.func.attr
+            elif isinstance(policy_argument.func, ast.Name):
+                policy_argument_value = policy_argument.func.id
 
         if policy_argument_value in ["AutoAddPolicy", "WarningPolicy"]:
             return bandit.Issue(

examples/no_host_key_verification.py

@@ -1,7 +1,14 @@
 from paramiko import client
+from paramiko import AutoAddPolicy
+from paramiko import WarningPolicy
 
 ssh_client = client.SSHClient()
 ssh_client.set_missing_host_key_policy(client.AutoAddPolicy)
 ssh_client.set_missing_host_key_policy(client.WarningPolicy)
 ssh_client.set_missing_host_key_policy(client.AutoAddPolicy())
 ssh_client.set_missing_host_key_policy(client.WarningPolicy())
+
+ssh_client.set_missing_host_key_policy(AutoAddPolicy)
+ssh_client.set_missing_host_key_policy(WarningPolicy)
+ssh_client.set_missing_host_key_policy(AutoAddPolicy())
+ssh_client.set_missing_host_key_policy(WarningPolicy())