Make GitPython dependency optional? #976
Labels
bug
Something isn't working
Comments
|
Duplicate of #971 |
|
The baseline CLI requires GitPython. And even if that was changed to another library, it still fundamentally requires git to do its function. I don't think there is a solution other than removing the baseline CLI, but this CLI is useful and being used. So we don't want to break existing users. |
|
I don't see why a future major version of Bandit couldn't make |
ericwb
added a commit
to ericwb/bandit
that referenced
this issue
Jan 20, 2024
The only piece of code that requires GitPython is bandit-baseline. There tends to be an abundance of CVEs in the GitPython library due to its dependency on Git. By making GitPython optional via an extra, users who mostly use just the bandit command line and not bandit-baseline can benefit. However, this will require different install if a user wants to use bandit-baseline. This is now noted in the Getting Started doc, but you simply do: pip install bandit[GitPython] FYI, this option was suggested in PR PyCQA#976. PyCQA#976 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb
added a commit
to ericwb/bandit
that referenced
this issue
Jan 20, 2024
The only piece of code that requires GitPython is bandit-baseline. There tends to be an abundance of CVEs in the GitPython library due to its dependency on Git. By making GitPython optional via an extra, users who mostly use just the bandit command line and not bandit-baseline can benefit. However, this will require different install if a user wants to use bandit-baseline. This is now noted in the Getting Started doc, but you simply do: pip install bandit[GitPython] FYI, this option was suggested in PR PyCQA#976. PyCQA#976 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb
added a commit
to ericwb/bandit
that referenced
this issue
Jan 20, 2024
The only piece of code that requires GitPython is bandit-baseline. There tends to be an abundance of CVEs in the GitPython library due to its dependency on Git. By making GitPython optional via an extra, users who mostly use just the bandit command line and not bandit-baseline can benefit. However, this will require different install if a user wants to use bandit-baseline. This is now noted in the Getting Started doc, but you simply do: pip install bandit[GitPython] FYI, this option was suggested in PR PyCQA#976. PyCQA#976 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb
added a commit
to ericwb/bandit
that referenced
this issue
Jan 20, 2024
The only piece of code that requires GitPython is bandit-baseline. There tends to be an abundance of CVEs in the GitPython library due to its dependency on Git. By making GitPython optional via an extra, users who mostly use just the bandit command line and not bandit-baseline can benefit. However, this will require different install if a user wants to use bandit-baseline. This is now noted in the Getting Started doc, but you simply do: pip install bandit[GitPython] FYI, this option was suggested in PR PyCQA#976. PyCQA#976 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb
added a commit
to ericwb/bandit
that referenced
this issue
Jan 20, 2024
The only piece of code that requires GitPython is bandit-baseline. There tends to be an abundance of CVEs in the GitPython library due to its dependency on Git. By making GitPython optional via an extra, users who mostly use just the bandit command line and not bandit-baseline can benefit. However, this will require different install if a user wants to use bandit-baseline. This is now noted in the Getting Started doc, but you simply do: pip install bandit[GitPython] FYI, this option was suggested in PR PyCQA#976. PyCQA#976 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb
added a commit
to ericwb/bandit
that referenced
this issue
Jan 21, 2024
The only piece of code that requires GitPython is bandit-baseline. There tends to be an abundance of CVEs in the GitPython library due to its dependency on Git. By making GitPython optional via an extra, users who mostly use just the bandit command line and not bandit-baseline can benefit. However, this will require different install if a user wants to use bandit-baseline. This is now noted in the Getting Started doc, but you simply do: pip install bandit[GitPython] FYI, this option was suggested in PR PyCQA#976. PyCQA#976 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb
added a commit
that referenced
this issue
Jan 21, 2024
The only piece of code that requires GitPython is bandit-baseline. There tends to be an abundance of CVEs in the GitPython library due to its dependency on Git. By making GitPython optional via an extra, users who mostly use just the bandit command line and not bandit-baseline can benefit. However, this will require different install if a user wants to use bandit-baseline. This is now noted in the Getting Started doc, but you simply do: pip install bandit[GitPython] FYI, this option was suggested in PR #976. #976 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
CVE-2022-24439landed today and is specifically related to GitPython. Per gitpython-developers/GitPython#1515, there isn't currently a fix planned. Since bandit requires this, the CVE extends to bandit, too.Is there a way that GitPython can be transitioned (either to a different lib or to a dev package, rather than one required by pip)?
Reproduction steps
Expected behavior
N/A
Bandit version
1.7.4 (Default)
Python version
3.11 (Default)
Additional context
No response
The text was updated successfully, but these errors were encountered: