pants
pants copied to clipboard
pantsbuild
Bandit plugin used by flake8 can't read the config from the bandit's config
Describe the bug
flake8-bandit isn't able to read the config used by bandit itself. I suppose this is just not about this particular plugin but any such plugin which flake8 uses.
Pants version 2.10.0
OS macOS
Additional info https://pantsbuild.slack.com/archives/C046T6T9U/p1650639627749519
So the issue is that flake8 has plugins, and those plugins could be expecting config files Pants doesn't know to grab. There's really two solutions here (and maybe we should split into two issues):
- (Generic) Allow people to specify more than one config for
[flake8](in this case, the flake8 and the bandit configs) - (This issue) Add
bandtias a first-class tool in Python
How do you normally specify the config file for flake8-bandit? Is it auto-discovered? The issue with making [flake8].config a list is that we not only make sure to include the file in the sandbox, but also explicitly said argv for you.
The most specific yet awkward way to solve this would be something like:
[flake8]
plugin_config = [["bandit.yaml", "--bandit-config=bandit.yaml"]]
or
[flake8]
argv.add = ["--bandit-config=bandit.yaml"]
plugin_config = ["bandit.yaml"]
They say that using .bandit should work. This is how my .bandit looks like
skips: ["B101"]
try_except_continue:
check_typed_exception: false
try_except_pass:
check_typed_exception: false
Cool. So then in your case, this would look like:
[flake8]
plugin_config = [[".bandit", ""]] # i.e. no args
or
[flake8]
plugin_config = [".bandit"]
That second one is much clearer in my opinion. And maybe we make this even more generic? That option tells pants to find that file on your local file system and include it in the sandbox.
[flake8]
extra_files = [".bandit"]
Wdyt?
Cool, I like the extra_files approach. Given that pants already supports bandit as a dedicated integration, is this a blocker for you or only a nice to have?
Sounds good. Any interest in contributing this change? I don't think it would be super hard to pull off, and I'm happy to give some thoughts on how to do it
Hey @Eric-Arellano I would like to tackle this now. Could you give me some pointers on how should I go about it?
Hey @ShantanuKumar sorry for the delay! Was moving apartments and OOO.
- Add a new option
extra_filestobandit/subsystem.py, which will beadvanced=Trueand typeFileListOption - Add
Get(Digest, PathGlobs())here for theextra_files. Error if the globs are not matched, similar to second snippet. Include the digest in theMergeDigests
https://github.com/pantsbuild/pants/blob/40e17902092a9b7414473f99bf32e3f3c84e5921/src/python/pants/backend/python/lint/bandit/rules.py#L52-L68
https://github.com/pantsbuild/pants/blob/40e17902092a9b7414473f99bf32e3f3c84e5921/src/python/pants/core/util_rules/config_files.py#L64-L71
I think we likely want to add a test to bandit/rules_integration_test.py, although tests do have a downside with slower CI and more code, so it's a tradeoff. I wonder if you can modify a current test like test_3rdparty_plugin to test both things in the same test. Otherwise, a dedicated test is probably worth it.
If I understand it correctly shouldn't these changes be made to flake8? The plugin flake8-bandit is for flake8 to use bandit.
Hey @Eric-Arellano For the 2nd step
Add Get(Digest, PathGlobs()) here for the extra_files
What value should I pass for the argument globs of PathGlobs ?
flake8_subsystem.extra_files, assuming you used FileListOption in step 1. That will be a list[str], which we want.
~~Yeah but I feel like based on different plugins, this can be quite varied. E.g. if it's flake8-bandit, the glob could be [".bandit"]. If it's flake8-pydocstyle, it could be [".pydocstyle"]. I don't see a clear glob pattern here.~~
EDIT: Sorry, I understand now you mean flake8_subsystem.extra_files