doc update

Author: nocomplexity

docs/_toc.yml

@@ -10,7 +10,9 @@ parts:
   - file: whatissast
   - file: whysast
   - url: https://securitytesting.nocomplexity.com/ 
-    title: Mastering Security Testing for Python
+    title: Security Testing for Python
+  - url: http://securitybydesign.nocomplexity.com/
+    title: Security By Design
 
 
 

docs/codeauditcommands.md

@@ -1,6 +1,6 @@
 % THIS FILE IS GENERATED! - Use CLIcommands.ipynb to make it better!
 # Commands Overview
-Python Code Audit commands for: version: 1.6.5
+Python Code Audit commands for: version: 1.6.6
 ```
 ----------------------------------------------------
  _                    __             _             

docs/examples/codeauditchecks.html

@@ -252,10 +252,28 @@
       <td>Assertions are for debugging and development. Assertions can be disabled during runtime. Use in production can introduce vulnerabilities.</td>
     </tr>
     <tr>
-      <td>Base64 Encoding</td>
-      <td>base64</td>
+      <td>Base64 Decoding</td>
+      <td>base64.b64decode</td>
+      <td>Medium</td>
+      <td>Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.</td>
+    </tr>
+    <tr>
+      <td>Base64 Decoding</td>
+      <td>base64.b64encode</td>
       <td>Low</td>
-      <td>Base64 encoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.</td>
+      <td>Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.</td>
+    </tr>
+    <tr>
+      <td>Base64 Decoding</td>
+      <td>base64.b85encode</td>
+      <td>Low</td>
+      <td>Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.</td>
+    </tr>
+    <tr>
+      <td>Base64 Decoding</td>
+      <td>base64.z85decode</td>
+      <td>Medium</td>
+      <td>Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.</td>
     </tr>
     <tr>
       <td>BZ2 File Handling</td>
@@ -744,4 +762,4 @@
       <td>Vulnerable to path traversal attacks if used with untrusted archives.</td>
     </tr>
   </tbody>
-</table><br><p>Number of implemented security validations:<b>84</b></p><p>Version of codeaudit: <b>1.6.5</b><p>Because Python and cybersecurity are constantly changing, issue reports <b>SHOULD</b> specify the codeaudit version used.</p><p><b>Disclaimer:</b> <i>This SAST tool <a href="https://github.com/nocomplexity/codeaudit" target="_blank"><b>Python Code Audit</b></a> provides a powerful, automatic security analysis for Python source code. However, it's not a substitute for human review in combination with business knowledge. Undetected vulnerabilities may still exist.</i></p><p>This Python security report was created on: <b>2026-05-11 16:42</b> with <a href="https://github.com/nocomplexity/codeaudit" target="_blank"><b>Python Code Audit</b></a> version <b>1.6.5</b></p><hr><footer><div class="footer-links">Check the <a href="https://nocomplexity.com/documents/codeaudit/intro.html" target="_blank">documentation</a> for help on found issues.<br>Codeaudit is made with <span class="heart">&#10084;</span> by cyber security professionals who advocate for <a href="https://nocomplexity.com/simplify-security/" target="_blank">open simple security solutions</a>.<br><a href="https://nocomplexity.com/documents/codeaudit/CONTRIBUTE.html" target="_blank">Join the community</a> and contribute to make this tool better!</div></footer></div></body></html>
+</table><br><p>Number of implemented security validations:<b>87</b></p><p>Version of codeaudit: <b>1.6.6</b><p>Because Python and cybersecurity are constantly changing, issue reports <b>SHOULD</b> specify the codeaudit version used.</p><p><b>Disclaimer:</b> <i>This SAST tool <a href="https://github.com/nocomplexity/codeaudit" target="_blank"><b>Python Code Audit</b></a> provides a powerful, automatic security analysis for Python source code. However, it's not a substitute for human review in combination with business knowledge. Undetected vulnerabilities may still exist.</i></p><p>This Python security report was created on: <b>2026-05-19 16:06</b> with <a href="https://github.com/nocomplexity/codeaudit" target="_blank"><b>Python Code Audit</b></a> version <b>1.6.6</b></p><hr><footer><div class="footer-links">Check the <a href="https://nocomplexity.com/documents/codeaudit/intro.html" target="_blank">documentation</a> for help on found issues.<br>Codeaudit is made with <span class="heart">&#10084;</span> by cyber security professionals who advocate for <a href="https://nocomplexity.com/simplify-security/" target="_blank">open simple security solutions</a>.<br><a href="https://nocomplexity.com/documents/codeaudit/CONTRIBUTE.html" target="_blank">Join the community</a> and contribute to make this tool better!</div></footer></div></body></html>

docs/examples/demoscan.json

@@ -1,7 +1,7 @@
 {
   "name": "Python_Code_Audit",
-  "version": "1.6.5",
-  "generated_on": "2026-05-11 16:42",
+  "version": "1.6.6",
+  "generated_on": "2026-05-19 16:06",
   "file_security_info": {
     "0": {
       "FileName": "demofile.py",
@@ -212,6 +212,20 @@
           "info": "This function can be used to execute arbitrary code or crash the Python interpreter.",
           "code": "<pre><code class='language-python'>compile(&#x27;nasty-string&#x27; ,&#x27;malware.bin&#x27;,mode=single, flags=0, dont_inherit=False, optimize=-1)</code></pre>"
         },
+        "238": {
+          "line": 238,
+          "validation": "base64.b64encode",
+          "severity": "Low",
+          "info": "Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.",
+          "code": "<pre><code class='language-python'>import base64\nencoded = base64.b64encode(b&#x27;data to be encoded&#x27;)\ndata = base64.b64decode(encoded)</code></pre>"
+        },
+        "239": {
+          "line": 239,
+          "validation": "base64.b64decode",
+          "severity": "Medium",
+          "info": "Base64 encoding/decoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.",
+          "code": "<pre><code class='language-python'>encoded = base64.b64encode(b&#x27;data to be encoded&#x27;)\ndata = base64.b64decode(encoded)</code></pre>"
+        },
         "244": {
           "line": 244,
           "validation": "http.server.BaseHTTPRequestHandler",
@@ -459,20 +473,6 @@
           "info": "Parsing untrusted logging configurations can lead to vulnerabilities if not handled correctly.",
           "code": "<pre><code class='language-python'>logging.config.fileConfig(fname, defaults=None, disable_existing_loggers=True, encoding=None)\n#&lt;END LOGGING checks&gt;</code></pre>"
         },
-        "238": {
-          "line": 238,
-          "validation": "base64",
-          "severity": "Low",
-          "info": "Base64 encoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.",
-          "code": "<pre><code class='language-python'>import base64\nencoded = base64.b64encode(b&#x27;data to be encoded&#x27;)\ndata = base64.b64decode(encoded)</code></pre>"
-        },
-        "239": {
-          "line": 239,
-          "validation": "base64",
-          "severity": "Low",
-          "info": "Base64 encoding is not for security. It only visually hides data and provides no confidentiality. Often used to obfuscate malware in code.",
-          "code": "<pre><code class='language-python'>encoded = base64.b64encode(b&#x27;data to be encoded&#x27;)\ndata = base64.b64decode(encoded)</code></pre>"
-        },
         "316": {
           "line": 316,
           "validation": "pickle.load",

src/dashboard/module_load_validation.html

@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Pyodide - Test codeaudit (WASM dashboard)</title>
+    <script src="https://cdn.jsdelivr.net/pyodide/v0.29.4/full/pyodide.js"></script>
+    <style>
+        body { font-family: Arial, sans-serif; padding: 20px; }
+        pre { background: #f4f4f4; padding: 10px; border-radius: 5px; }
+        button { padding: 10px 16px; font-size: 16px; }
+    </style>
+</head>
+<body>
+    <h1>Testing your <code>codeaudit</code> package in Pyodide</h1>
+    <button onclick="runTest()">Install & Test codeaudit</button>
+    <pre id="output"></pre>
+
+    <script>
+        async function runTest() {
+            const output = document.getElementById("output");
+            output.textContent = "Loading Pyodide...\n";
+
+            try {
+                // Load Pyodide
+                let pyodide = await loadPyodide({
+                    indexURL: "https://cdn.jsdelivr.net/pyodide/v0.29.4/full/"
+                });
+
+                output.textContent += "Pyodide loaded successfully.\n";
+                output.textContent += "Loading micropip...\n";
+
+                await pyodide.loadPackage("micropip");
+                const micropip = pyodide.pyimport("micropip");
+
+                output.textContent += "Installing codeaudit from PyPI...\n";
+
+                // Install your package
+                await micropip.install("codeaudit");
+
+                output.textContent += "✅ codeaudit installed successfully!\n\n";
+
+                // Run Python code to test it
+                await pyodide.runPythonAsync(`
+                    import codeaudit
+                    print("Package imported successfully!")
+                    print("Version:", codeaudit.__version__ if hasattr(codeaudit, "__version__") else "Unknown")
+                    
+                    # Add any basic test calls here
+                    # Example:
+                    # result = codeaudit.scan("example")
+                    # print(result)
+                `);
+
+                output.textContent += "All tests passed! 🎉\n";
+
+            } catch (err) {
+                output.textContent += "❌ Error: " + err.message + "\n";
+                console.error(err);
+            }
+        }
+    </script>
+</body>
+</html>

src/dashboard/module_load_validation2.html

@@ -0,0 +1,112 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Pyodide - Test codeaudit</title>
+    <script src="https://cdn.jsdelivr.net/pyodide/v0.29.4/full/pyodide.js"></script>
+    <style>
+        body { font-family: Arial, sans-serif; padding: 20px; line-height: 1.6; }
+        pre { background: #f4f4f4; padding: 12px; border-radius: 6px; overflow-x: auto; max-height: 500px; }
+        button { padding: 10px 18px; font-size: 16px; margin: 5px; cursor: pointer; }
+        h1 { color: #333; }
+        .success { color: green; }
+        .error { color: red; }
+    </style>
+</head>
+<body>
+    <h1>Pyodide Test Environment — <code>codeaudit</code></h1>
+    
+    <button onclick="installAndTest()">1. Install & Test codeaudit</button>
+    <button onclick="listPackages()">2. List All Installed Packages</button>
+    <button onclick="clearOutput()">Clear Output</button>
+
+    <pre id="output">Click a button to start...</pre>
+
+    <script>
+        let pyodideInstance = null;
+
+        async function getPyodide() {
+            const output = document.getElementById("output");
+            if (!pyodideInstance) {
+                output.textContent = "Loading Pyodide (first time can take 10–20 seconds)...\n";
+                
+                pyodideInstance = await loadPyodide({
+                    indexURL: "https://cdn.jsdelivr.net/pyodide/v0.29.4/full/"
+                });
+
+                await pyodideInstance.loadPackage("micropip");
+                output.textContent += "✅ Pyodide + micropip ready.\n";
+            }
+            return pyodideInstance;
+        }
+
+        async function installAndTest() {
+            const output = document.getElementById("output");
+            try {
+                const pyodide = await getPyodide();
+                const micropip = pyodide.pyimport("micropip");
+
+                output.textContent += "\nInstalling codeaudit...\n";
+                await micropip.install("codeaudit");
+
+                output.textContent += "✅ codeaudit installed successfully!\n\n";
+
+                await pyodide.runPythonAsync(`
+                    import codeaudit
+                    print("Package imported successfully!")
+                    print("Version :", getattr(codeaudit, "__version__", "Unknown"))
+                `);
+
+                output.textContent += "🎉 Test completed!\n";
+
+            } catch (err) {
+                output.textContent += "❌ Error: " + err.message + "\n";
+                console.error(err);
+            }
+        }
+
+        async function listPackages() {
+            const output = document.getElementById("output");
+            try {
+                const pyodide = await getPyodide();
+
+                output.textContent += "\nFetching list of installed packages...\n";
+
+                const pkgList = await pyodide.runPythonAsync(`
+                    import micropip
+                    import sys
+                    from io import StringIO
+
+                    # Capture output properly
+                    old_stdout = sys.stdout
+                    sys.stdout = mystdout = StringIO()
+
+                    packages = micropip.list()
+                    print("=== INSTALLED PACKAGES IN PYODIDE ===")
+                    print(f"Total packages: {len(packages)}")
+                    print("-" * 60)
+                    
+                    for name in sorted(packages.keys()):
+                        pkg = packages[name]
+                        print(f"{name:25} {pkg.version:15} {pkg.source}")
+                    
+                    sys.stdout = old_stdout
+                    mystdout.getvalue()
+                `);
+
+                output.textContent += pkgList || "No output returned.";
+                output.textContent += "\n✅ Package list retrieved.\n";
+
+            } catch (err) {
+                output.textContent += "❌ Error listing packages: " + err.message + "\n";
+                console.error(err);
+            }
+        }
+
+        function clearOutput() {
+            document.getElementById("output").textContent = "";
+        }
+    </script>
+</body>
+</html>