
Bandit is a tool designed to find common security issues in Python code.

Results 178 bandit issues

**Describe the bug** Adding excluded files, output format or output file in `.bandit` is ignored. **To Reproduce** Steps to reproduce the behavior: 1. Create `.bandit` with: ``` [bandit] exclude: *.ipynb_checkpoints/*...

bug

### Describe the bug None of the lines get reported, although each of the foo functions contains an SQL injection ```python3 from django.db import transaction, connections, connection def foo(booking_id: str):...

bug

### Describe the bug Since the latest [1.7.5](https://github.com/PyCQA/bandit/releases/tag/1.7.5) release, code that used to **not** raise warnings is now detected as invalid by `bandit` ### Reproduction steps 1. Put the following...

bug

**Is your feature request related to a problem? Please describe.** Specifically I'd like to be able to apply the `skips: [ ]` configuration to B105/6/7 but I imagine it would...

enhancement

This makes it clearer that you don't need to use both virtualenv and venv at the same time

### Describe the bug An exclusion filter like `-x ./.tox` seems to work as desired, but `-x .tox` doesn't exclude the same directory. I couldn't find any docs on what...

bug

### Describe the bug On my tests I found two files (ckeygen.py, ec_key.py) on which I receive the error: IndexError: list index out of range ... [main] INFO running on Python...

bug

**Is your feature request related to a problem? Please describe.** Consistent issues arise on false positives of "token"-matched variable names in tests [B105](https://bandit.readthedocs.io/en/latest/plugins/b105_hardcoded_password_string.html) and [B106](https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html). See: https://github.com/PyCQA/bandit/issues/498, https://github.com/PyCQA/bandit/issues/842, https://github.com/PyCQA/bandit/issues/843, https://github.com/PyCQA/bandit/issues/211...

enhancement

It would be great if we could use the `test_name` field in the custom formatter (https://github.com/PyCQA/bandit/blob/main/bandit/formatters/custom.py). It is used in other formatters like the csv formatter (https://github.com/PyCQA/bandit/blob/main/bandit/formatters/csv.py#L58). I'd be happy...

enhancement

This plugin checks for the use of `torch.load` and `torch.save`. Using `torch.load` with untrusted data can lead to arbitrary code execution, and improper use of `torch.save` might expose sensitive data...