
Bandit 1.6.3 does not respect excluded paths from .bandit file #657

Open
budgester opened this issue Dec 7, 2020 · 15 comments · May be fixed by #689
Labels
bug Something isn't working
Comments

budgester commented Dec 7, 2020

With a .bandit file with the contents

[bandit]
exclude: ./.tox,./tests

1.6.2 gives

$ bandit -r -ll -ii .
[main]	INFO	Found project level .bandit file: ./.bandit
[main]	INFO	Using ini file for excluded paths
[main]	INFO	Using command line arg for selected targets
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.7.5
114 [0.. 50.. 100.. ]

1.6.3 ignores the excluded paths

$ bandit -r -ll -ii .
[main]	INFO	Found project level .bandit file: ./.bandit
[main]	INFO	Using command line arg for excluded paths
[main]	INFO	Using command line arg for selected targets
[main]	INFO	Using command line arg for recursive scan
[main]	INFO	Using command line arg for aggregate output type
[main]	INFO	Using command line arg for max code lines output for issue
[main]	INFO	Using command line arg for severity level
[main]	INFO	Using command line arg for confidence level
[main]	INFO	Using command line arg for output format
[main]	INFO	Using command line arg for output file
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.7.5
549 [0.. 50.. 100.. 150.. 200.. 250.. 300.. 350.. 400.. 450.. 500.. ]
kerin added a commit to uktrade/lite-api that referenced this issue Dec 7, 2020
Bandit 1.6.3 contains a bug with excluded paths: PyCQA/bandit#657
rjb3977 commented Dec 7, 2020

To perhaps save a maintainer a couple minutes of searching, it looks to me like this commit most likely causes the breaking behavior.

Edit:
Also, the documentation for that command line parameter appears to be wrong: it says it should act in addition to the setting in the config file, whereas it actually overrides the setting in the config file.

@ericwb ericwb added the bug Something isn't working label Dec 7, 2020
xuhdev (Contributor) commented Dec 7, 2020

I can also reproduce this regression.

kevinoid added a commit to kevinoid/python-project-template that referenced this issue Dec 8, 2020
Due to PyCQA/bandit#657

Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
@ericwb ericwb added this to the Release 1.6.4 milestone Dec 9, 2020
@sirkonst

Still broken in 1.7.0 :-(

syphar commented Dec 14, 2020

We also ran into this issue when upgrading from 1.6.2 to 1.7.0

what could be a proposed fix? I don't know the codebase (yet), but could help

@codingjoe

I believe this commit has broken things:
ca6d283

What's interesting though, skips works just fine, though it seems implemented the same way.

codingjoe added a commit to FussyFox/bandit that referenced this issue Dec 15, 2020
rjb3977 commented Dec 15, 2020

> I believe this commit has broken things:
> ca6d283
>
> What's interesting though, skips works just fine, though it seems implemented the same way.

I'm still pretty sure that 5ac8b8b is the culprit. It added a default value for the excluded paths command line argument. That argument overrides the configuration file's excluded paths, rather than merging with it, like the documentation / help message suggests. So now, the excluded paths in the configuration file are always overridden.
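The precedence problem rjb3977 describes (a non-empty argparse default makes the "was the flag given?" check always true, so the ini value never wins) is easy to reproduce outside of bandit. The following is an added, self-contained illustration written for this thread; it is not bandit's code, and the built-in exclusion list, the `.bandit` contents and the function names are constructed stand-ins. Both resolvers also report which source they used, which is the equivalent of bandit's "Using command line arg for excluded paths" log line and the quickest way to confirm whether a config file is actually being honoured.

```python
import argparse
import configparser
from typing import List, Optional, Tuple

# Constructed stand-in for a built-in exclusion list; not bandit's real default.
BUILTIN_EXCLUDES = ".git,__pycache__"

# Constructed .bandit contents mirroring the one in the issue report.
SAMPLE_INI = "[bandit]\nexclude: ./.tox,./tests\n"


def _split(csv: str) -> List[str]:
    """Split a comma-separated path list, dropping empty entries."""
    return [p.strip() for p in csv.split(",") if p.strip()]


def ini_excludes(ini_text: Optional[str]) -> Optional[List[str]]:
    """Return the 'exclude' list from a .bandit-style ini, or None if absent."""
    if ini_text is None:
        return None
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    value = cfg.get("bandit", "exclude", fallback=None)
    return _split(value) if value is not None else None


def _build_parser(default_excludes: Optional[str]) -> argparse.ArgumentParser:
    """Minimal parser with only an exclude flag (hypothetical, not bandit's parser)."""
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("-x", "--exclude", dest="excluded_paths",
                        default=default_excludes)
    return parser


def resolve_excludes_buggy(argv: List[str],
                           ini_text: Optional[str]) -> Tuple[str, List[str]]:
    """Regression pattern: the flag carries a non-empty default, so
    'if args.excluded_paths' is always true and the ini file is never consulted."""
    args = _build_parser(BUILTIN_EXCLUDES).parse_args(argv)
    if args.excluded_paths:
        return "command line arg", _split(args.excluded_paths)
    from_ini = ini_excludes(ini_text)
    if from_ini is not None:
        return "ini file", from_ini
    return "built-in default", _split(BUILTIN_EXCLUDES)


def resolve_excludes_fixed(argv: List[str],
                           ini_text: Optional[str]) -> Tuple[str, List[str]]:
    """Fix: default the flag to None and apply the built-in list only after
    the ini file has had its chance. CLI > ini > built-in, as documented."""
    args = _build_parser(None).parse_args(argv)
    if args.excluded_paths:
        return "command line arg", _split(args.excluded_paths)
    from_ini = ini_excludes(ini_text)
    if from_ini is not None:
        return "ini file", from_ini
    return "built-in default", _split(BUILTIN_EXCLUDES)


if __name__ == "__main__":
    # With no -x on the command line, only the fixed resolver honours the ini file.
    print("buggy:", resolve_excludes_buggy([], SAMPLE_INI))
    print("fixed:", resolve_excludes_fixed([], SAMPLE_INI))
    print("fixed, explicit -x:", resolve_excludes_fixed(["-x", "./build"], SAMPLE_INI))
```

The design point is that "argument present" and "argument has a value" must be distinguishable: with `default=None` the parser leaves that distinction intact, and the fallback chain is applied in one place after all sources have been read. Note that this keeps the existing override semantics (a CLI `-x` still replaces, rather than merges with, the ini list), which is the backward-compatible option discussed further down the thread.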

@codingjoe

Yes, you are right, the default seems to be the problem. It needs to be added at a later point.

rjb3977 commented Dec 15, 2020

> Yes, you are right, the default seems to be the problem. It needs to be added at a later point.

Or it could be made so that the command line argument does in fact merge with the config file's exclusions. The help text for that argument says "note that these are in addition to the excluded paths provided in the config file", which is incorrect.

@codingjoe

> Yes, you are right, the default seems to be the problem. It needs to be added at a later point.
>
> Or it could be made so that the command line argument does in fact merge with the config file's exclusions. The help text for that argument says "note that these are in addition to the excluded paths provided in the config file", which is incorrect.

No, I wouldn't do that. That would be backwards incompatible, and we won't see a fix released until kingdom come.

maresmar added a commit to maresmar/bandit that referenced this issue Jan 13, 2021
AllenAnthes added a commit to OperationCode/back-end that referenced this issue Feb 1, 2021
r4vi added a commit to uktrade/lite-frontend that referenced this issue Feb 15, 2021
For the same reason we did it in: uktrade/lite-api#666
because of an upstream bug in 1.6.3: PyCQA/bandit#657
kevinoid added a commit to kevinoid/python-project-template that referenced this issue Mar 31, 2021
Until PyCQA/bandit#657 is fixed, specify --excludes when invoking
bandit.  Remove version exclusion for bandit 1.6.3 since 1.7.0 has the
same issue.

Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
xuhdev (Contributor) commented Jun 16, 2021

Is there a conclusion to this issue?

iflament commented Feb 1, 2022

running into this issue as well - has there been a fix?

@ericwb ericwb modified the milestones: Release 1.7.3, Near Future Feb 27, 2022
@shtalinberg

Release 1.7.4 - not resolved (

fmigneault added a commit to crim-ca/weaver that referenced this issue Oct 3, 2022
oijkn commented Jan 2, 2023

I confirm, the last version doesn't fix the problem; it still scans the .venv directory.

bandit -r -x "$(pwd)/.venv/" .

Edit:

With this command it works well:

bandit -r . -x */.venv/*

@shtalinberg

Looks like Release 1.7.5 - resolved it!? works fine for me

@kevinoid

If I run the following script:

echo 'assert 2 > 1' >assert.py
cat >.bandit <<BANDIT
[bandit]
exclude: assert.py
BANDIT
bandit -r .

The test fails with "Issue: [B101:assert_used]..." on 1.7.0 and passes with "No issues identified." in 1.7.1. Bisecting shows that this was fixed by #722.
