Eric Brown

Results 89 comments of Eric Brown

FYI, you won't see the "Working ..." part if you use the -o argument. For example: `bandit -r examples/ -f json -o test.json` You can also pass `-q` to use...

Not sure if there is a preferred way to fix this. Redirecting the progress to stderr doesn't necessarily make sense since I do think this is acceptable output for stdout....

Started getting a repo and org setup on dockerhub: https://hub.docker.com/repository/docker/pycqa/bandit/general

> ok to close now @ericwb ?

No, it's still an issue. The example I gave still shows the warning in the logs.

In the example I gave, it actually is functioning as you'd expect. The line:

```python
return {"tmp_dirs": ["/tmp", "/var/tmp", "/dev/shm"]}  # nosec: B108
```

The plugin `hardcoded_tmp_directory` will be called...

Possibly. We do have the following that finds cases of ftplib calls, but it doesn't distinguish between FTP and FTP_TLS. https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b321-ftplib

Prototype: https://review.opendev.org/c/openstack/bandit/+/235491

Bandit uses stestr with tox to run unit tests. The issue is probably because you're attempting to run with pytest. Also note that with every PR we run the unit...

So, after some digging on this topic, it seems Python has a vendored version of expat embedded. This is the default version (at least for macOS and Windows). However, it does...

To see the vendored version of expat embedded in Python you can browse to: https://github.com/python/cpython/blob/3.8/Modules/expat/expat.h#L1056C20-L1056C20 At the bottom of this header file you'll find the expat major, minor, and micro...