
INI file format is not obviously documented anywhere #396

Open
darakian opened this issue Oct 2, 2018 · 12 comments
Labels
bug Something isn't working

@darakian

darakian commented Oct 2, 2018

The docs mention exclude flags, but where can I find a complete list of the available flags?

targets: comma separated list of target dirs/files to run bandit on
exclude: comma separated list of excluded paths
skips: comma separated list of tests to skip
tests: comma separated list of tests to run
@darakian darakian closed this as completed Oct 2, 2018
@bittner
Contributor

bittner commented Mar 14, 2019

Why did you close this issue, @darakian?

The documentation for configuring the execution of Bandit is indeed sparse.

Can we reopen the issue?

@darakian
Author

You're welcome to reopen the issue, but I solved my issue by using some bash to replace the include/exclude logic.

@bittner
Contributor

bittner commented Mar 14, 2019

I can't reopen it. Only you and project maintainers can. Thanks in advance! 👍

@darakian darakian reopened this Mar 14, 2019
@darakian
Author

@bittner Whoops. Reopened for ya. If it helps the conversation, here's the bash/git logic I ended up with:

bandit -iii -lll $(git diff --name-only $(git log remotes/origin/master..HEAD --oneline | tail -1 | awk '{print $1}') HEAD) static_file.py

or in English

run bandit w/ high confidence on high severity issues on the list of files which have been changed on my local branch as compared to master plus one static file

It's a bit of a hack, but it's been solid for the build system. The static file is used to prevent bandit from failing in the event that the branch has no files which differ.

@bittner
Contributor

bittner commented Mar 14, 2019

Awesome hack! Yeah, it's reeeeaally a hack! The -iii and -lll look funny. 😆 OMG, glad it works for you in production.

I have also solved "my" problem, which was finding out how to tell bandit to steal all options from my tox.ini file -- and what to put in the mighty [bandit] section. Looks like this:

[tox]
envlist = bandit

[testenv:bandit]
deps = bandit
commands = bandit --ini tox.ini

[bandit]
exclude = .tox,build,dist,tests
recursive = true
targets = .

... which allows me to run simply tox -e bandit.

But that was all guesswork and reading from the source code (bandit.cli and bandit.core.utils). For the recursive option, for example, I don't even see why this works. There should be really some documentation on the options developers can use in an INI file.

@bittner
Contributor

bittner commented Mar 21, 2019

Looks like I overlooked the WARNING: Running Bandit with just the --ini option doesn't actually do what I want:

$ bandit --ini tox.ini 
[main]  INFO    Using ini file for excluded paths
[main]  INFO    Using ini file for selected targets
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.6.6
[manager]       WARNING Skipping directory (behave_django), use -r flag to scan contents
Run started:2019-03-21 08:48:49.567794
...

At least the recursive option is not recognized (as in: read from the configuration file), so the -r option must be provided from the command line. Which is a shame. 😟

A successful call must look like this:

$ bandit -r --ini tox.ini
[main]  INFO    Using ini file for excluded paths
[main]  INFO    Using ini file for selected targets
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.6.6
Run started:2019-03-21 08:54:10.220742
...

... or with a .bandit file in the local directory:

$ bandit -r .
[main]  INFO    Found project level .bandit file: ./.bandit
[main]  INFO    Using ini file for excluded paths
[main]  INFO    Using command line arg for selected targets
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.6.6
Run started:2019-03-21 08:53:40.683285
...
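The two comments above show that `bandit --ini` picks up some keys from the [bandit] section (the thread lists targets, exclude, skips and tests) while silently dropping `recursive = true`, so `-r` has to be passed on the command line. As an added example, not Bandit's own code and not posted by anyone in this thread, the Python script below reads a tox.ini with configparser, separates the keys this thread reports as honoured from the rest, and turns an ignored `recursive = true` into an explicit `-r` so a build does not scan less than intended. The list of honoured keys is taken from this thread and treated as an assumption; the sample tox.ini is constructed inline, modelled on the one posted above.

```python
"""Check a tox.ini [bandit] section against what `bandit --ini` reads.

Added example, not Bandit's own code. Assumptions (taken from this
thread): `--ini` honours only targets, exclude, skips and tests, and
`recursive` must still be given as `-r` on the command line.
"""
import configparser

# Keys reported in this thread as read from the [bandit] section (assumption).
INI_KEYS = ("targets", "exclude", "skips", "tests")

# Constructed sample modelled on the tox.ini posted above.
SAMPLE_TOX_INI = """\
[tox]
envlist = bandit

[testenv:bandit]
deps = bandit
commands = bandit --ini tox.ini

[bandit]
exclude = .tox,build,dist,tests
recursive = true
targets = .
"""


def split_csv(value):
    """Split a comma separated INI value, dropping blanks and whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_bandit_section(ini_text):
    """Return (honoured, ignored) dicts for the [bandit] section.

    Honoured keys are split into lists; ignored keys keep their raw
    value. configparser lowercases keys, so matching is case-insensitive.
    A missing [bandit] section yields two empty dicts.
    """
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    if not parser.has_section("bandit"):
        return {}, {}
    section = dict(parser.items("bandit"))
    honoured = {k: split_csv(v) for k, v in section.items() if k in INI_KEYS}
    ignored = {k: v for k, v in section.items() if k not in INI_KEYS}
    return honoured, ignored


def build_bandit_argv(ini_text, ini_path="tox.ini"):
    """Build the command line that makes the INI settings actually apply.

    `recursive = true` is silently dropped by `--ini` (see the WARNING
    above), so it becomes an explicit `-r`. Returns (argv, leftover),
    where leftover lists any other ignored key so the caller can fail
    the build instead of running with a narrower scan than configured.
    """
    _, ignored = load_bandit_section(ini_text)
    argv = ["bandit"]
    if ignored.pop("recursive", "").strip().lower() in ("true", "yes", "1"):
        argv.append("-r")
    argv += ["--ini", ini_path]
    return argv, sorted(ignored)


if __name__ == "__main__":
    honoured, ignored = load_bandit_section(SAMPLE_TOX_INI)
    print("honoured by --ini:", honoured)
    print("ignored by --ini:", ignored)
    argv, leftover = build_bandit_argv(SAMPLE_TOX_INI)
    print("run:", " ".join(argv))
    if leftover:
        print("WARNING: keys with no CLI equivalent in this script:", leftover)
```

Running it on the sample prints `bandit -r --ini tox.ini`, which matches the "successful call" above; a [bandit] section with keys outside the honoured list is reported rather than silently accepted.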

@diegovalenzuelaiturra

Hi, the following may be helpful to configure bandit, for example, to avoid raising B101 assert_used warnings on Python tests.

bittner added a commit to behave/behave-django that referenced this issue Jan 10, 2022
Bandit UX is seriously broken, only <1.6 works predictably.

Exclude/ignore of files is currently broken in Bandit:
- PyCQA/bandit#693
- PyCQA/bandit#490
- PyCQA/bandit#438 (comment)

Reading settings from configuration files is broken:
- PyCQA/bandit#753
- PyCQA/bandit#595

Reading from pyproject.toml not yet functional:
- Must install "toml" package and use "-c pyproject.toml".
- PyCQA/bandit#758

INI file configuration and CLI usage is unclear:
- PyCQA/bandit#603
- PyCQA/bandit#467
- PyCQA/bandit#396
@xilopaint

Hey, I have the same question as @bittner. Why are there two different configuration files?

@bittner
Contributor

bittner commented Apr 25, 2022

True, it might make sense to consolidate configuration settings in a single place. Whatever file format is used, users should be able to configure everything there, not one thing here and other things in a second place. The current state is confusing.

The INI file format and options are now explained in the documentation along with YAML and TOML.

We can probably close this issue now.

@xilopaint

xilopaint commented Apr 25, 2022

We can probably close this issue now.

Why close the issue before a decision about it? There's still an undocumented INI file. It should be documented somewhere or explicitly deprecated in favor of YAML.

@CTimmerman

CTimmerman commented Aug 20, 2022

INI is also used by Python's setup.cfg which isn't quite replaced by pyproject.toml yet. TOML sits between INI and YAML in complexity. Bandit supports TOML and YAML via --config, but INI only works with --ini for no apparent reason.

#317 (comment)

@ssbarnea
Member

PEP-621 obliterates the setup.py/setup.py and I am very happy about it. It is true that INI files have no standard at all; they should be avoided like the plague.

Based on this, I would say that the only thing that needs to be done is to add a statement to the docs that this format is deprecated/discouraged in favour of either YAML or TOML, or both.
