
with "pip install bandit", toml is missing if we want use a configfil… #779

nicolasmonfort

@nicolasmonfort nicolasmonfort commented Jan 25, 2022

Hello,

We use bandit in a git pipeline stage and we have an issue when we use a config file pyproject.toml:

$ pip install bandit
$ bandit --verbose --recursive . --configfile pyproject.toml
Traceback (most recent call last):
  File "C:\Program Files\Python39\lib\runpy.py", line 197, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "C:\Program Files\Python39\lib\runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "C:\Program Files\Python39\Scripts\bandit.exe\__main__.py", line 7, in <module>
  File "C:\Program Files\Python39\lib\site-packages\bandit\cli\main.py", line 355, in main
    b_conf = b_config.BanditConfig(config_file=args.config_file)
  File "C:\Program Files\Python39\lib\site-packages\bandit\core\config.py", line 40, in __init__
    import toml
ModuleNotFoundError: No module named 'toml'
$ poetry show bandit
name         : bandit
version      : 1.7.1
description  : Security oriented static analyser for python code.

dependencies
 - colorama >=0.3.9
 - GitPython >=1.0.1
 - PyYAML >=5.3.1
 - stevedore >=1.20.0

It seems the dependency toml is missing.
Could you add it to requirements.txt?

Thanks for your feedback.

See you
Nicolas Monfort

@ericwb
Member

ericwb commented Jan 25, 2022

This looks much like #755

@ericwb
Member

ericwb commented Jan 25, 2022

Fixed with #755

@ericwb ericwb closed this Jan 25, 2022
@nicolasmonfort
Author

nicolasmonfort commented Jan 26, 2022

Hello,

For me it's not fixed with your suggestion.
The normal way to install bandit, per the docs, is pip install bandit
https://github.com/PyCQA/bandit

and we can use a pyproject.toml
https://bandit.readthedocs.io/en/latest/config.html
#550

It's not a normal way to install:
pip install git+https://github.com/mkniewallner/bandit.git@fix-extras-setup-cfg#egg=bandit[toml]

We use a pip cache and it's not possible to use pip from git.

By the way, I get an error if I test your suggestion!

Collecting bandit[toml]
  Cloning https://github.com/mkniewallner/bandit.git (to revision fix-extras-setup-cfg) to /tmp/pip-install-j03q7sm7/bandit_2560cab6d4df4310aa2df4a031979ba3
  Running command git clone --filter=blob:none -q https://github.com/mkniewallner/bandit.git /tmp/pip-install-j03q7sm7/bandit_2560cab6d4df4310aa2df4a031979ba3
  WARNING: Did not find branch or tag 'fix-extras-setup-cfg', assuming revision or ref.
  Running command git checkout -q fix-extras-setup-cfg
  error: pathspec 'fix-extras-setup-cfg' did not match any file(s) known to git
WARNING: Discarding git+https://github.com/mkniewallner/bandit.git@fix-extras-setup-cfg#egg=bandit[toml]. Command errored out with exit status 1: git checkout -q fix-extras-setup-cfg Check the logs for full command output.
ERROR: Could not find a version that satisfies the requirement bandit (unavailable) (from versions: 0.10.0, 0.10.1, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.13.2, 0.14.0, 0.14.1, 0.15.0, 0.15.1, 0.15.2, 0.16.0, 0.16.1, 0.16.2, 0.17.0, 0.17.2, 0.17.3, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.7.0, 1.7.1, 1.7.2)
ERROR: No matching distribution found for bandit (unavailable)

The import of toml is really used in your project; it is not an extra.
https://github.com/PyCQA/bandit/blob/master/bandit/core/config.py#L39

Could you review your position?

@sigmavirus24
Member

I think we need to fix the code importing toml, not make this a hard requirement

@ericwb
Member

ericwb commented Jan 27, 2022

To install toml as an optional feature of Bandit, use pip install bandit[toml]

That being said, the import line you found should be more robust with something like a try-exception block.

@ericwb ericwb reopened this Jan 27, 2022
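An added example (not bandit's own code and not the #780 fix) of the guarded import ericwb and sigmavirus24 describe: the toml package is imported only when a .toml config is requested, and a missing package becomes an actionable message instead of the ModuleNotFoundError traceback above. It assumes the extra is spelled bandit[toml], as stated in this thread, and that pyproject.toml keeps the settings under [tool.bandit]; the importer parameter is an injection point added for testing.

```python
import importlib
import os
from typing import Any, Callable, Dict

# Assumption (from the thread): the optional extra is spelled bandit[toml].
TOML_INSTALL_HINT = (
    "TOML config support needs the 'toml' package; "
    "install it with: pip install bandit[toml]"
)


class OptionalDependencyError(RuntimeError):
    """A feature was requested that needs a package which is not installed."""


def _require_toml(importer: Callable[[str], Any] = importlib.import_module) -> Any:
    """Import ``toml`` only when needed and turn ImportError into a clear message.

    ``importer`` is injectable so the missing-package path can be exercised
    without uninstalling anything; the default is the real import machinery.
    """
    try:
        return importer("toml")
    except ImportError as exc:  # ModuleNotFoundError is a subclass of ImportError
        raise OptionalDependencyError(TOML_INSTALL_HINT) from exc


def load_config_text(
    text: str, filename: str, importer: Callable[[str], Any] = importlib.import_module
) -> Dict[str, Any]:
    """Parse bandit settings from config text, dispatching on the extension.

    Only the .toml branch touches the optional package, so a plain
    ``pip install bandit`` user who never passes a .toml file is unaffected.
    YAML handling is omitted to keep the example dependency-free.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".toml":
        toml = _require_toml(importer)
        data = toml.loads(text)
        # pyproject.toml keeps bandit's settings under [tool.bandit]
        return data.get("tool", {}).get("bandit", {})
    raise ValueError(f"unsupported config file type: {filename!r}")
```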
@nicolasmonfort
Author

nicolasmonfort commented Jan 27, 2022

Yes, eventually, if we have an exception on import toml,
it would be great to have advice to install bandit with pip install bandit[toml].

Thanks for your feedback. It works on my side with this tip.

sigmavirus24 added a commit that referenced this pull request Jan 27, 2022
We only want to rely on toml when it's present and tell the user how to
resolve things if in fact they want to use toml

Closes #779
@sigmavirus24
Member

See #780

@nicolasmonfort nicolasmonfort deleted the use__import_toml__but_toml_missing_in_requirements.txt branch January 27, 2022 14:31