bandit
Bandit 1.6.3 does not respect excluded paths from .bandit file
With a .bandit file with the contents
[bandit]
exclude: ./.tox,./tests
1.6.2 gives
$ bandit -r -ll -ii .
[main] INFO Found project level .bandit file: ./.bandit
[main] INFO Using ini file for excluded paths
[main] INFO Using command line arg for selected targets
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.7.5
114 [0.. 50.. 100.. ]
1.6.3 ignores the excluded paths
$ bandit -r -ll -ii .
[main] INFO Found project level .bandit file: ./.bandit
[main] INFO Using command line arg for excluded paths
[main] INFO Using command line arg for selected targets
[main] INFO Using command line arg for recursive scan
[main] INFO Using command line arg for aggregate output type
[main] INFO Using command line arg for max code lines output for issue
[main] INFO Using command line arg for severity level
[main] INFO Using command line arg for confidence level
[main] INFO Using command line arg for output format
[main] INFO Using command line arg for output file
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.7.5
549 [0.. 50.. 100.. 150.. 200.. 250.. 300.. 350.. 400.. 450.. 500.. ]
To perhaps save a maintainer a couple minutes of searching, it looks to me like this commit most likely causes the breaking behavior.
Edit: Also, the documentation for that command line parameter appears to be wrong: it says it should act in addition to the setting in the config file, whereas it actually overrides the setting in the config file.
I can also reproduce this regression.
Still broken in 1.7.0 :-(
We also ran into this issue when upgrading from 1.6.2 to 1.7.0
what could be a proposed fix? I don't know the codebase (yet), but could help
I believe this commit has broken things: https://github.com/PyCQA/bandit/commit/ca6d28356947d2c1ccb5eb92ec77fc8e3fcab515
What's interesting though: skips works just fine, though it seems implemented the same way.
I'm still pretty sure that 5ac8b8bf0a364a5222080db7c7e1951c0901e7a2 is the culprit. It added a default value for the excluded paths command line argument. That argument overrides the configuration file's excluded paths, rather than merging with it, like the documentation / help message suggests. So now, the excluded paths in the configuration file are always overridden.
Yes, you are right, the default seems to be the problem. It needs to be added at a later point.
Or it could be made so that the command line argument does in fact merge with the config file's exclusions. The help text for that argument says "note that these are in addition to the excluded paths provided in the config file", which is incorrect.
No, I wouldn't do that. That would be backwards incompatible, and we won't see a fix released until kingdom come.
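The precedence bug discussed in the last few comments (an argparse default that makes the `-x` value look "present" even when the user passed nothing, so the `.bandit` setting can never win) is easy to model in isolation. The block below is an added example written for this page; it is not Bandit's own code. The `BUILTIN_EXCLUDES` list, the `.bandit` contents and the function names are constructed for illustration. `resolve_buggy` reproduces the 1.6.3 behaviour, `resolve_fixed` applies the built-in default last, which is the "add the default at a later point" fix, while still letting an explicit `-x` replace rather than merge with the ini value (the non-breaking option argued for above).

```python
import argparse
import configparser

# Constructed .bandit contents mirroring the report; not read from disk.
SAMPLE_INI = "[bandit]\nexclude: ./.tox,./tests\n"
EMPTY_INI = "[bandit]\n"

# Hypothetical built-in exclusion list standing in for whatever the tool ships.
BUILTIN_EXCLUDES = ".git,__pycache__"


def split_paths(value):
    """Split a comma-separated exclude string into a list, dropping blanks."""
    return [p.strip() for p in value.split(",") if p.strip()]


def ini_excludes(ini_text):
    """Return the exclude list from the [bandit] section, or None if unset."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    raw = cp.get("bandit", "exclude", fallback=None)
    return None if raw is None else split_paths(raw)


def parse_cli(argv, default):
    """-x/--exclude with the given argparse default (the variable under test)."""
    parser = argparse.ArgumentParser(prog="bandit-demo")
    parser.add_argument("-x", "--exclude", dest="excluded_paths", default=default)
    return parser.parse_args(argv)


def resolve_buggy(argv, ini_text):
    """Regression model: the argparse default is non-None, so the CLI value
    is always "present" and the ini setting is silently shadowed."""
    args = parse_cli(argv, default=BUILTIN_EXCLUDES)
    from_ini = ini_excludes(ini_text)
    if args.excluded_paths is not None:  # always true here, even with no -x
        return split_paths(args.excluded_paths)
    return from_ini if from_ini is not None else split_paths(BUILTIN_EXCLUDES)


def resolve_fixed(argv, ini_text):
    """Default applied last: explicit -x, then the ini file, then built-ins."""
    args = parse_cli(argv, default=None)
    if args.excluded_paths is not None:  # only true when the user passed -x
        return split_paths(args.excluded_paths)
    from_ini = ini_excludes(ini_text)
    if from_ini is not None:
        return from_ini
    return split_paths(BUILTIN_EXCLUDES)


if __name__ == "__main__":
    print("buggy, no -x :", resolve_buggy([], SAMPLE_INI))
    print("fixed, no -x :", resolve_fixed([], SAMPLE_INI))
    print("fixed, -x    :", resolve_fixed(["-x", "build"], SAMPLE_INI))
```

Running it shows the buggy resolver returning the built-in list for a project whose `.bandit` asks for `./.tox,./tests`, while the fixed resolver honours the file and only lets `-x` take over when it is actually on the command line.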
Is there a conclusion to this issue?
running into this issue as well - has there been a fix?
Release 1.7.4 - not resolved (
I confirm, the latest version doesn't fix the problem; it still scans the .venv directory.
bandit -r -x "$(pwd)/.venv/" .
Edit:
This command works fine:
bandit -r . -x */.venv/*
Looks like release 1.7.5 resolved it!? Works fine for me.
If I run the following script:
echo 'assert 2 > 1' >assert.py
cat >.bandit <<BANDIT
[bandit]
exclude: assert.py
BANDIT
bandit -r .
The test fails with "Issue: [B101:assert_used]..." on 1.7.0 and passes with "No issues identified." in 1.7.1. Bisecting shows that this was fixed by #722.