
Ini file settings ignored #595

Open
GLeurquin opened this issue Mar 30, 2020 · 3 comments
Labels
bug Something isn't working

Comments

@GLeurquin

Describe the bug
Adding excluded files, output format or output file in .bandit is ignored.

To Reproduce
Steps to reproduce the behavior:

  1. Create `.bandit` with:

```ini
[bandit]
exclude: *.ipynb_checkpoints/*
recursive: true
targets: ./src
format: html
output: bandit.html
```

  2. Run `bandit --ini .bandit`
  3. See that it uses the command line arg for exclude, output format and output file instead of the ini file:

```
[main]	INFO	Using command line arg for excluded paths
[main]	INFO	Using ini file for selected targets
[main]	INFO	Using ini file for recursive scan
[main]	INFO	Using command line arg for aggregate output type
[main]	INFO	Using command line arg for max code lines output for issue
[main]	INFO	Using command line arg for severity level
[main]	INFO	Using command line arg for confidence level
[main]	INFO	Using command line arg for output format
[main]	INFO	Using command line arg for output file
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.7.6
```

Expected behavior
I expected the format used to be the one from the .bandit ini file, instead of the default from the command line. Same goes for exclude and output.

Bandit version

```
bandit 1.6.3
  python version = 3.7.6 (default, Jan  8 2020, 19:59:22) [GCC 7.3.0]
```

Additional context
I think what's happening in the code is the following:
When checking if one should use the command line argument or the ini file, the code checks if the command line argument has a value. If not, it falls back to the ini file. However, arguments have defaults set in the parser, and thus some will always have a value set, and will always override the ini values. That's what I think is happening for exclude, format and output at least.

Solution is to check if the argument is passed, and if not, check for ini values, and if these are not set, fall back to a default.
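The precedence failure described in this report, reduced to a runnable sketch. This is an added example, not bandit's own code: `resolve()` applies the same "use the CLI value if it has one, else the ini file" check in both cases; the only difference is whether the parser bakes in defaults (the reported bug) or leaves options at `None` so an unspecified option can fall through to the ini file and finally to a hard-coded default. The ini contents and the `HARD_DEFAULTS` values are constructed for the example.

```python
"""Added example (not bandit's code): parser defaults shadowing ini settings."""
import argparse
import configparser
import io

# Constructed .bandit contents, mirroring the report above.
INI_TEXT = """[bandit]
exclude: *.ipynb_checkpoints/*
format: html
output: bandit.html
"""
# Constructed hard-coded defaults used as the last resort.
HARD_DEFAULTS = {"exclude": "", "format": "txt", "output": "stdout"}


def load_ini(text):
    """Parse the [bandit] section of an ini file into a plain dict."""
    cfg = configparser.ConfigParser()
    cfg.read_file(io.StringIO(text))
    return dict(cfg["bandit"]) if cfg.has_section("bandit") else {}


def build_parser(baked_in_defaults):
    # Buggy shape: defaults live in the parser, so every option "has a value".
    # Fixed shape: default=None, so an unspecified option is distinguishable.
    parser = argparse.ArgumentParser()
    for opt in HARD_DEFAULTS:
        default = HARD_DEFAULTS[opt] if baked_in_defaults else None
        parser.add_argument("--" + opt, default=default)
    return parser


def resolve(argv, ini, baked_in_defaults):
    """Return the effective settings: CLI value, then ini file, then default."""
    args = vars(build_parser(baked_in_defaults).parse_args(argv))
    effective = {}
    for opt in HARD_DEFAULTS:
        if args[opt] is not None:      # passed on the CLI (or a baked-in default)
            effective[opt] = args[opt]
        elif opt in ini:               # not passed: fall back to the ini file
            effective[opt] = ini[opt]
        else:                          # neither: use the hard-coded default
            effective[opt] = HARD_DEFAULTS[opt]
    return effective
```

With `baked_in_defaults=True` and no arguments, `format` resolves to `txt` even though the ini file says `html`; with `baked_in_defaults=False` the ini value wins, and an explicit `--format` still overrides it.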

@ericwb ericwb added the bug Something isn't working label Mar 30, 2020
@andrey-semakin

May be caused by #508.

ehooo added a commit to ehooo/bandit that referenced this issue Dec 14, 2020
@andrey-semakin

Seems to be duplicated by #657.

ehooo added a commit to ehooo/bandit that referenced this issue Dec 21, 2020
bittner added a commit to behave/behave-django that referenced this issue Jan 10, 2022
Bandit UX is seriously broken, only <1.6 works predictably.

Exclude/ignore of files is currently broken in Bandit:
- PyCQA/bandit#693
- PyCQA/bandit#490
- PyCQA/bandit#438 (comment)

Reading settings from configuration files is broken:
- PyCQA/bandit#753
- PyCQA/bandit#595

Reading from pyproject.toml not yet functional:
- Must install "toml" package and use "-c pyproject.toml".
- PyCQA/bandit#758

INI file configuration and CLI usage is unclear:
- PyCQA/bandit#603
- PyCQA/bandit#467
- PyCQA/bandit#396
@kevinoid

It appears that this was fixed by #722 in version 1.7.1, which I can confirm based on the following test:

```sh
echo 'assert 2 > 1' >assert.py
cat >.bandit <<BANDIT
[bandit]
exclude: assert.py
BANDIT
bandit -r .
```

which fails with "Issue: [B101:assert_used]..." on 1.7.0 and passes with "No issues identified." in 1.7.1.
