
More control over exit code

Open kbasgall opened this issue 4 years ago • 4 comments

In Azure Pipelines, the exit code of a command determines the success or failure of a task. If any task in the pipeline fails, the entire pipeline run shows as a failure. We would like our Bandit task (and therefore the build) to fail if high severity and high confidence warnings are found, however we want the task (and the build) to succeed if there are low or medium severity warnings.

We would like a command line option or entry in the config file to allow users to choose exactly how Bandit will exit. This will allow users to much more easily integrate Bandit into their CI pipelines without the need for extra scripts. Since by default all warnings will cause Bandit to exit 1, we would like a command line option to specify which levels to exit 0 on. For example, --exit-zero-severity l would cause low severity warnings to exit zero, and --exit-zero-confidence mh would cause medium and high confidence warnings to exit zero.

We've considered only reporting high severity warnings using -lll, however we still want to see the low and medium warnings in the artifact and this flag would not display them. We could also force Bandit to always return 0, but then we lose the visibility of having high severity items fail in the pipeline.

kbasgall avatar Sep 17 '20 21:09 kbasgall

As the author of the --exit-zero PR I can implement this enhancement fairly easily. I've a few questions though.

  1. should this maybe be implemented in a way that choosing medium level is also choosing lower level results implicitly (--exit-zero-severity m would mean that both low and medium level results are considered)? or should this be explicit (to choose low and medium severity results --exit-zero-severity lm would have to be provided)?

  2. should using --exit-zero-severity require --exit-zero-confidence to be provided as well as a required field?

  3. should using --exit-zero-confidence be allowed as a standalone option?

  4. and last but not least should the values be lmh or be treated as severity_string and confidence_string (more verbose all, low, medium, high)

maciejstromich avatar Apr 10 '21 20:04 maciejstromich

Hello, thanks for the reply! To answer your questions:

  1. I really could go either way here. Choosing lower level results implicitly would be perfect for our use case. However, the extra level of customization might not be a bad thing.
  2. No. I want to be able to enter just --exit-zero-severity l and use default confidence exit behavior. I think --exit-zero-severity would be more used than --exit-zero-confidence so I'd rather not have to enter that option every time.
  3. Not for my use case specifically, but yes.
  4. I prefer lmh, because it makes it easier to select 2 levels, i.e. lm. How would that look for the severity_string option? lowmedium?

kbasgall avatar Apr 12 '21 22:04 kbasgall

https://github.com/PyCQA/bandit/pull/715

maciejstromich avatar Jun 12 '21 18:06 maciejstromich

Not sure if this is still an active issue. My current solution to reporting only on high severity using jq:

bandit -r . -f json | jq -e '.metrics._totals.["SEVERITY.HIGH"] == 0'

falnyr avatar Mar 06 '24 00:03 falnyr