Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add an auto-fix or auto-correct feature #439

Open
ericwb opened this issue Dec 19, 2018 · 5 comments · May be fixed by #1001
Open

Add an auto-fix or auto-correct feature #439

ericwb opened this issue Dec 19, 2018 · 5 comments · May be fixed by #1001
Labels
enhancement New feature or request
Milestone

Comments

@ericwb
Copy link
Member

ericwb commented Dec 19, 2018

Is your feature request related to a problem? Please describe.
It's nice that Bandit flags lines of code that require attention, but it would be even more valuable to suggest fixes for problem lines. Other linters such as ESLint provide a --fix command line option to automatically fix problems it finds.

See https://eslint.org/docs/user-guide/command-line-interface#options

Describe the solution you'd like
A start might be that Bandit includes another field in the output data called suggested fix or something. It would include the modified line of code it found to be wrong with the proposed solution.

For example, if the yaml_load plugin found a case of yaml.load(), it would replace with yaml.load(Loader=yaml.SafeLoader).

Each plugin would need to handle fixes it could address.

Describe alternatives you've considered
n/a

Additional context
https://developer.ibm.com/articles/auto-fix-and-format-your-javascript-with-eslint/

@ericwb ericwb added the enhancement New feature or request label Dec 19, 2018
@lukehinds
Copy link
Member

Nice idea. Would it give a generic example, or try to amend and suggest the flagged line of code from the project being scanned?

@ericwb
Copy link
Member Author

ericwb commented Dec 19, 2018

@lukehinds Yeah, I was thinking Bandit would output a new field of the suggested fix. But it could also have a command line option to actually make the changes in the file automatically. Similar to what ESLint offers.

@ehooo
Copy link
Contributor

ehooo commented Mar 14, 2019

I think this is a great idea.
Maybe could be added on the Issue class a new optional field.

@ericwb ericwb added this to the Near Future milestone May 9, 2019
@ericwb
Copy link
Member Author

ericwb commented Feb 13, 2022

I investigated this some. The ast includes a NodeTransformer that enables rewriting the tree. And in Python 3.9 and later, ast can do an unparse in addition to parse. So in effect, you can create a suggested fix and even automatically fix the code.

However, Python's ast is not a CST (comcrete syntax tree) and therefore doesn't include things like trailing comments. The undesirable effect is that suggested code wouldn't retain these elements.

We could look at switching Bandit to use something like libcst. But this would be a major change to the base parsing mechanism of Bandit and adds another dependency.

@ericwb
Copy link
Member Author

ericwb commented Feb 13, 2022

Here's a short example using libcst to auto-correct a problem in code, all while preserving the comments.

import libcst as cst

code = '''
from paramiko import client

class foo:
    def test(self):
        if True:
            ssh_client = client.SSHClient()
            # test test test
            ssh_client.set_missing_host_key_policy(client.AutoAddPolicy) # comment test
'''

class PolicyFix(cst.CSTTransformer):
    def leave_Call(self, original_node: cst.Call, updated_node: cst.Call) -> cst.Call:
        if (cst.ensure_type(original_node.func, cst.Attribute)
            and original_node.func.attr.value == "set_missing_host_key_policy"
            and original_node.args[0].value.attr.value == "AutoAddPolicy"
        ):
            return updated_node.with_deep_changes(
                old_node=updated_node.args[0].value,
                attr=cst.Name("RejectPolicy")
            )
        else:
            return original_node


tree = cst.parse_module(code)
new_tree = tree.visit(PolicyFix())
print(new_tree.code)

@ericwb ericwb closed this as completed Feb 13, 2022
@ericwb ericwb reopened this Feb 14, 2022
@ericwb ericwb modified the milestones: Near Future, Release 1.8.0 Mar 8, 2022
@ericwb ericwb modified the milestones: Release 1.7.5, Release 1.8.0 Apr 5, 2022
ericwb added a commit to ericwb/bandit that referenced this issue Mar 19, 2023
This change introduces a new feature that will suggest a fix in
the form of a line of code as replacement for the line range of
the issue.

This is the first step to have the ability to auto-correct problems
detected. Later more changes can be merged to modify the file with
the suggested fix.

The Issue class has a new fix string attribute that denotes how
the lines of affected code can be replaced. This suggested fix
will not preserve code comments and possibly other optimizations
the AST does not capture.

Closes PyCQA#439

Signed-off-by: Eric Brown <[email protected]>
ericwb added a commit to ericwb/bandit that referenced this issue Mar 19, 2023
This change introduces a new feature that will suggest a fix in
the form of a line of code as replacement for the line range of
the issue.

This is the first step to have the ability to auto-correct problems
detected. Later more changes can be merged to modify the file with
the suggested fix.

The Issue class has a new fix string attribute that denotes how
the lines of affected code can be replaced. This suggested fix
will not preserve code comments and possibly other optimizations
the AST does not capture.

Closes PyCQA#439

Signed-off-by: Eric Brown <[email protected]>
Signed-off-by: Eric Brown <[email protected]>
ericwb added a commit to ericwb/bandit that referenced this issue Mar 19, 2023
This change introduces a new feature that will suggest a fix in
the form of a line of code as replacement for the line range of
the issue.

This is the first step to have the ability to auto-correct problems
detected. Later more changes can be merged to modify the file with
the suggested fix.

The Issue class has a new fix string attribute that denotes how
the lines of affected code can be replaced. This suggested fix
will not preserve code comments and possibly other optimizations
the AST does not capture.

Closes PyCQA#439

Signed-off-by: Eric Brown <[email protected]>
Signed-off-by: Eric Brown <[email protected]>
@ericwb ericwb linked a pull request Mar 19, 2023 that will close this issue
ericwb added a commit to ericwb/bandit that referenced this issue Oct 1, 2024
This change introduces a new feature that will suggest a fix in
the form of a line of code as replacement for the line range of
the issue.

This is the first step to have the ability to auto-correct problems
detected. Later more changes can be merged to modify the file with
the suggested fix.

The Issue class has a new fix string attribute that denotes how
the lines of affected code can be replaced. This suggested fix
will not preserve code comments and possibly other optimizations
the AST does not capture.

Closes PyCQA#439

Signed-off-by: Eric Brown <[email protected]>
Signed-off-by: Eric Brown <[email protected]>
ericwb added a commit to ericwb/bandit that referenced this issue Oct 1, 2024
This change introduces a new feature that will suggest a fix in
the form of a line of code as replacement for the line range of
the issue.

This is the first step to have the ability to auto-correct problems
detected. Later more changes can be merged to modify the file with
the suggested fix.

The Issue class has a new fix string attribute that denotes how
the lines of affected code can be replaced. This suggested fix
will not preserve code comments and possibly other optimizations
the AST does not capture.

Closes PyCQA#439

Signed-off-by: Eric Brown <[email protected]>
Signed-off-by: Eric Brown <[email protected]>
ericwb added a commit to ericwb/bandit that referenced this issue Oct 1, 2024
This change introduces a new feature that will suggest a fix in
the form of a line of code as replacement for the line range of
the issue.

This is the first step to have the ability to auto-correct problems
detected. Later more changes can be merged to modify the file with
the suggested fix.

The Issue class has a new fix string attribute that denotes how
the lines of affected code can be replaced. This suggested fix
will not preserve code comments and possibly other optimizations
the AST does not capture.

Closes PyCQA#439

Signed-off-by: Eric Brown <[email protected]>
Signed-off-by: Eric Brown <[email protected]>
ericwb added a commit to ericwb/bandit that referenced this issue Oct 1, 2024
This change introduces a new feature that will suggest a fix in
the form of a line of code as replacement for the line range of
the issue.

This is the first step to have the ability to auto-correct problems
detected. Later more changes can be merged to modify the file with
the suggested fix.

The Issue class has a new fix string attribute that denotes how
the lines of affected code can be replaced. This suggested fix
will not preserve code comments and possibly other optimizations
the AST does not capture.

Closes PyCQA#439

Signed-off-by: Eric Brown <[email protected]>
Signed-off-by: Eric Brown <[email protected]>
@ericwb ericwb modified the milestones: Release 1.8.0, Release 2.0.0 Oct 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants