Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bandit 1.6.3 does not respect excluded paths from .bandit file #657

Open
budgester opened this issue Dec 7, 2020 · 16 comments · May be fixed by #689
Open

Bandit 1.6.3 does not respect excluded paths from .bandit file #657

budgester opened this issue Dec 7, 2020 · 16 comments · May be fixed by #689
Labels
bug Something isn't working
Milestone

Comments

@budgester
Copy link

budgester commented Dec 7, 2020

With a .bandit file with the contents

[bandit]
exclude: ./.tox,./tests

1.6.2 gives

$ bandit -r -ll -ii .
[main]	INFO	Found project level .bandit file: ./.bandit
[main]	INFO	Using ini file for excluded paths
[main]	INFO	Using command line arg for selected targets
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.7.5
114 [0.. 50.. 100.. ]

1.6.3 ignores the exluded paths

$ bandit -r -ll -ii .
[main]	INFO	Found project level .bandit file: ./.bandit
[main]	INFO	Using command line arg for excluded paths
[main]	INFO	Using command line arg for selected targets
[main]	INFO	Using command line arg for recursive scan
[main]	INFO	Using command line arg for aggregate output type
[main]	INFO	Using command line arg for max code lines output for issue
[main]	INFO	Using command line arg for severity level
[main]	INFO	Using command line arg for confidence level
[main]	INFO	Using command line arg for output format
[main]	INFO	Using command line arg for output file
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.7.5
549 [0.. 50.. 100.. 150.. 200.. 250.. 300.. 350.. 400.. 450.. 500.. ]
kerin added a commit to uktrade/lite-api that referenced this issue Dec 7, 2020
Bandit 1.6.3 contains a bug with excluded paths: PyCQA/bandit#657
@rjb3977
Copy link

rjb3977 commented Dec 7, 2020

To perhaps save a maintainer a couple minutes of searching, it looks to me like this commit most likely causes the breaking behavior.

Edit:
Also, the documentation for that command line parameter appears to be wrong: it says it should act in addition to the setting in the config file, whereas it actually overrides the setting in the config file.

@ericwb ericwb added the bug Something isn't working label Dec 7, 2020
@xuhdev
Copy link
Contributor

xuhdev commented Dec 7, 2020

I can also reproduce this regression.

kevinoid added a commit to kevinoid/python-project-template that referenced this issue Dec 8, 2020
@ericwb ericwb added this to the Release 1.6.4 milestone Dec 9, 2020
@sirkonst
Copy link

Still broken in 1.7.0 :-(

@syphar
Copy link

syphar commented Dec 14, 2020

We also ran into this issue when upgrading from 1.6.2 to 1.7.0

what could be a proposed fix? I don't know the codebase (yet), but could help

@codingjoe
Copy link

I believe this commit has broken things:
ca6d283

What's interesting though, skips works just fine, thought it seems implemented the same way.

codingjoe added a commit to FussyFox/bandit that referenced this issue Dec 15, 2020
@rjb3977
Copy link

rjb3977 commented Dec 15, 2020

I believe this commit has broken things:
ca6d283

What's interesting though, skips works just fine, thought it seems implemented the same way.

I'm still pretty sure that 5ac8b8b is the culprit. It added a default value for the excluded paths command line argument. That argument overrides the configuration file's excluded paths, rather than merging with it, like the documentation / help message suggests. So now, the excluded paths in the configuration file are always overridden.

@codingjoe
Copy link

Yes, you are right, the default seems to be the problem. It needs to be added at a later point.

@rjb3977
Copy link

rjb3977 commented Dec 15, 2020

Yes, you are right, the default seems to be the problem. It needs to be added at a later point.

Or it could be made so that the command line argument does in fact merge with the config file's exclusions. The help text for that argument says "note that these are in addition to the excluded paths provided in the config file", which is incorrect.

@codingjoe
Copy link

Yes, you are right, the default seems to be the problem. It needs to be added at a later point.

Or it could be made so that the command line argument does in fact merge with the config file's exclusions. The help text for that argument says "note that these are in addition to the excluded paths provided in the config file", which is incorrect.

No, I wouldn't do that. That would be backwards incompatible, and we won't see a fix released until kingdom come.

maresmar added a commit to maresmar/bandit that referenced this issue Jan 13, 2021
AllenAnthes added a commit to OperationCode/back-end that referenced this issue Feb 1, 2021
r4vi added a commit to uktrade/lite-frontend that referenced this issue Feb 15, 2021
For the same reason we did it in: uktrade/lite-api#666
because of an upstream bug in 1.6.3: PyCQA/bandit#657
kevinoid added a commit to kevinoid/python-project-template that referenced this issue Mar 31, 2021
Until PyCQA/bandit#657 is fixed, specify --excludes when invoking
bandit.  Remove version exclusion for bandit 1.6.3 since 1.7.0 has the
same issue.

Signed-off-by: Kevin Locke <[email protected]>
@xuhdev
Copy link
Contributor

xuhdev commented Jun 16, 2021

Is there a conclusion to this issue?

@iflament
Copy link

iflament commented Feb 1, 2022

running into this issue as well - has there been a fix?

@ericwb ericwb modified the milestones: Release 1.7.3, Near Future Feb 27, 2022
@shtalinberg
Copy link

Release 1.7.4 - not resolved (

fmigneault added a commit to crim-ca/weaver that referenced this issue Oct 3, 2022
@oijkn
Copy link

oijkn commented Jan 2, 2023

I confirm, last version doesn't fix the problem, it still scans the .venv directory.

bandit -r -x "$(pwd)/.venv/" .

Edit:

With this command that works good :

bandit -r . -x */.venv/*

@shtalinberg
Copy link

Looks like Release 1.7.5 - resolved it!? works fine for me

@kevinoid
Copy link

If I run the following script:

echo 'assert 2 > 1' >assert.py
cat >.bandit <<BANDIT
[bandit]
exclude: assert.py
BANDIT
bandit -r .

The test fails with "Issue: [B101:assert_used]..." on 1.7.0 and passes with "No issues identified." in 1.7.1. Bisecting shows that this was fixed by #722.

@captaingabi
Copy link

Still an issue with 1.7.9

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.