
Ini file settings ignored

Open GLeurquin opened this issue 4 years ago • 3 comments

Describe the bug Adding excluded files, output format or output file in .bandit is ignored.

To Reproduce Steps to reproduce the behavior:

  1. Create `.bandit` with:

```ini
[bandit]
exclude: *.ipynb_checkpoints/*
recursive: true
targets: ./src
format: html
output: bandit.html
```

  2. Run `bandit --ini .bandit`
  3. See that it uses the command line arg for exclude, output format and output file instead of the ini file:

```
[main]	INFO	Using command line arg for excluded paths
[main]	INFO	Using ini file for selected targets
[main]	INFO	Using ini file for recursive scan
[main]	INFO	Using command line arg for aggregate output type
[main]	INFO	Using command line arg for max code lines output for issue
[main]	INFO	Using command line arg for severity level
[main]	INFO	Using command line arg for confidence level
[main]	INFO	Using command line arg for output format
[main]	INFO	Using command line arg for output file
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.7.6
```

Expected behavior I expected the format used to be the one from the .bandit ini file, instead of the default from the command line. Same goes for exclude and output.

Bandit version

```
bandit 1.6.3
  python version = 3.7.6 (default, Jan  8 2020, 19:59:22) [GCC 7.3.0]
```

Additional context I think what's happening in the code is the following: When checking if one should use the command line argument or the ini file, the code checks if the command line argument has a value. If not, it falls back to the ini file. However, arguments have defaults set in the parser, and thus some will always have a value set, and will always override the ini values. That's what I think is happening for exclude, format and output at least.

Solution is to check if the argument is passed, and if not, check for ini values, and if these are not set, fall back to a default.

GLeurquin avatar Mar 30 '20 13:03 GLeurquin
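The precedence bug described in the report above, reduced to a self-contained illustration. This is an added example, not bandit's own code: it uses a constructed `.bandit`-style ini text, a hypothetical `DEFAULTS` table and a throwaway `argparse` parser to show why an argument that carries a parser default can never fall through to the ini file, and how resolving "CLI if given, else ini, else default" fixes it.

```python
import argparse
import configparser

# Constructed ini text mirroring the layout in the bug report (assumption).
SAMPLE_INI = """
[bandit]
exclude: *.ipynb_checkpoints/*
recursive: true
targets: ./src
format: html
output: bandit.html
"""

# Hypothetical built-in defaults for the three settings the report names.
DEFAULTS = {"exclude": "", "format": "screen", "output": "-"}


def load_ini(text):
    """Parse the [bandit] section of an ini file into a plain dict."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return dict(cp["bandit"]) if cp.has_section("bandit") else {}


def build_parser(defaults_in_parser):
    """Build a parser; the buggy variant bakes DEFAULTS into argparse itself."""
    p = argparse.ArgumentParser(prog="precedence-demo")
    for name in DEFAULTS:
        p.add_argument("--" + name, default=DEFAULTS[name] if defaults_in_parser else None)
    return p


def resolve_buggy(argv, ini_text):
    """Reported behaviour: 'use CLI if it has a value' can never reach the ini.

    Because every option already holds its parser default, the value is
    never None and the ini file is silently ignored for these settings.
    """
    args = build_parser(defaults_in_parser=True).parse_args(argv)
    ini = load_ini(ini_text)
    resolved = {}
    for name in DEFAULTS:
        cli = getattr(args, name)
        resolved[name] = cli if cli is not None else ini.get(name, DEFAULTS[name])
    return resolved


def resolve_fixed(argv, ini_text):
    """Fix: parser defaults are None, so 'not passed' is distinguishable.

    Precedence becomes explicit: CLI flag, then ini value, then DEFAULTS.
    """
    args = build_parser(defaults_in_parser=False).parse_args(argv)
    ini = load_ini(ini_text)
    resolved = {}
    for name in DEFAULTS:
        cli = getattr(args, name)
        if cli is not None:
            resolved[name] = cli          # explicitly passed on the command line
        elif name in ini:
            resolved[name] = ini[name]    # set in the ini file
        else:
            resolved[name] = DEFAULTS[name]  # neither given: built-in default
    return resolved


if __name__ == "__main__":
    print("buggy:", resolve_buggy([], SAMPLE_INI))
    print("fixed:", resolve_fixed([], SAMPLE_INI))
    print("fixed + --format json:", resolve_fixed(["--format", "json"], SAMPLE_INI))
```

The only difference between the two resolvers is where the default lives: keeping it out of `argparse` (or using a sentinel) lets the loader tell "not passed" apart from "passed the default value", which is the distinction the report says is missing.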

May be caused by https://github.com/PyCQA/bandit/pull/508.

andrey-semakin avatar Dec 07 '20 12:12 andrey-semakin

Seems to be duplicated by #657.

andrey-semakin avatar Dec 15 '20 18:12 andrey-semakin

It appears that this was fixed by #722 in version 1.7.1, which I can confirm based on the following test:

```sh
echo 'assert 2 > 1' >assert.py
cat >.bandit <<BANDIT
[bandit]
exclude: assert.py
BANDIT
bandit -r .
```

which fails with "Issue: [B101:assert_used]..." on 1.7.0 and passes with "No issues identified." in 1.7.1.

kevinoid avatar Mar 17 '23 20:03 kevinoid