ini "exclude" config is ignored
Describe the bug
The exclude configuration inside the .bandit ini file is always ignored due to the default CLI argument.
To Reproduce
Steps to reproduce the behavior:
- Create a .bandit file with the following.
[bandit]
targets: .
exclude: ./tests
- Run CLI with
bandit --ini .bandit -r
in a directory with a .bandit file.
- You should now see that Bandit prefers the CLI argument for exclude over the ini.
[main] INFO Using command line arg for excluded paths
[main] INFO Using ini file for selected targets
Expected behavior
Bandit should use the .bandit configuration, as no CLI argument is supplied, and then append the default value to it as specified in argparse.
-x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
comma-separated list of paths (glob patterns supported) to exclude
from scan (note that these are in addition to the excluded paths
provided in the config file) (default:
.svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
Bandit version
bandit 1.7.0
python version = 3.8.0 (default, Sep 3 2020, 18:08:13) [Clang 11.0.3 (clang-1103.0.32.62)]
Additional context
I believe this happens due to the default value for -x given to argparse. This means the ini configuration is always ignored, as the code takes the default value as a supplied CLI argument.
Workaround
Supply exclude via the CLI when running Bandit regardless of your ini: bandit -x ./tests --ini .bandit -r .
Yep, _log_option_source() is broken. It will early-return if it gets a "truthy" arg_val. A command line default satisfies that.
https://github.com/PyCQA/bandit/blob/6765a57254a6563a26c946e94321d8d447c094fe/bandit/cli/main.py#L83
Coupled with https://github.com/PyCQA/bandit/issues/595, https://github.com/PyCQA/bandit/issues/657, and https://github.com/PyCQA/bandit/issues/488 (unceremoniously closed for no reason), I'd venture to say 'exclude' is pretty much nonfunctional at this point.
https://github.com/PyCQA/bandit/commit/5ac8b8bf0a364a5222080db7c7e1951c0901e7a2 is the commit that introduced this. (Looks like Bandit 1.6.3 + 1.7.0.) Though arguably it's _log_option_source() that is the issue; adding CLI defaults just exposed the issue with it.
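To make the early-return concrete, here is an added example (not Bandit's own code; the resolver functions, build_parser and SAMPLE_INI are simplified stand-ins) that reproduces the reported behaviour with the same .bandit file and shows a fix that distinguishes a typed -x from argparse's default and merges ini and default excludes as the help text promises.

```python
import argparse
import configparser

DEFAULT_EXCLUDES = ".svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg"

# Constructed sample of the .bandit file from the report (not read from disk).
SAMPLE_INI = """[bandit]
targets: .
exclude: ./tests
"""

def build_parser(cli_default):
    """Minimal stand-in for Bandit's parser; only the -x option matters here."""
    parser = argparse.ArgumentParser(prog="bandit")
    parser.add_argument("-x", "--exclude", dest="excluded_paths", default=cli_default)
    return parser

def load_ini_exclude(ini_text):
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return cfg.get("bandit", "exclude", fallback=None)

def resolve_buggy(arg_val, ini_val):
    """Mirrors the early-return described in the thread: any truthy CLI value,
    including argparse's own default, wins and the ini value is never consulted."""
    if arg_val:
        return arg_val, "cli"
    if ini_val:
        return ini_val, "ini"
    return None, "none"

def resolve_fixed(arg_val, ini_val):
    """Hypothetical fix: the parser default is None, so a value means the user
    typed -x. Explicit CLI and ini values are merged and the built-in default
    is appended, matching the help text ("in addition to the config file")."""
    parts = []
    for val in (arg_val, ini_val):
        if val:
            parts.extend(p for p in val.split(",") if p)
    source = "cli" if arg_val else ("ini" if ini_val else "default")
    parts.extend(DEFAULT_EXCLUDES.split(","))
    return ",".join(parts), source

def run(argv, ini_text, fixed):
    default = None if fixed else DEFAULT_EXCLUDES
    args = build_parser(default).parse_args(argv)
    ini_val = load_ini_exclude(ini_text)
    resolver = resolve_fixed if fixed else resolve_buggy
    return resolver(args.excluded_paths, ini_val)
```

Running with no -x and fixed=False returns the argparse default tagged "cli", which is exactly the "Using command line arg for excluded paths" log line from the report; the -x "" workaround from later in the thread only works because an empty string is falsy.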
From what I can understand, the _log_option_source early return is because it finds the default value supplied via CLI instead of the ini configuration. I'm not sure what should take precedence between CLI and ini. I felt like allowing CLI to override the ini rule can be useful, but I digress. If the CLI should take precedence over the ini, then _log_option_source is working as intended. Without the early return, we must know which configuration to choose from or merge them together. Merging configuration would allow the default value to work accordingly.
I'm willing to work on this, but I'm also new to contributing, so please guide me on what action I should take here.
@RobGThai in case it helps to get started: Bandit has pretty good contribution guidelines, which might help you to get started:
https://github.com/PyCQA/bandit/blob/master/CONTRIBUTING.md#your-first-code-contribution
I'm not a bandit dev, but I have made some opensource contributions over the years, and CONTRIBUTING.md is usually where I start.
Any easy workaround instead of passing all excludes as a CLI argument? This issue broke several of my CIs.
And moreover, it seems that it's not possible to use exclude in pre-commit because there is no straightforward way to set CLI arguments in pre-commit-config.yaml :disappointed:
As a workaround I call bandit -x "" so that _log_option_source doesn't get the defaults. Or for .pre-commit-config.yaml:
- repo: https://github.com/PyCQA/bandit
  rev: 1.7.0
  hooks:
    - id: bandit
      args: ['--ini', '.bandit', '-x', '']
@stuertz, thank you! It works.
This workaround appears to have been broken by https://github.com/PyCQA/bandit/issues/753 . Using 1.7.1, you need to remove the -x "" option.
Is there any workaround for this issue? I tried using ini, yaml etc., but the exclude settings (also exclude_dirs in yaml) seem not to work.