Add the column offset to the issue model (#618)

* Add the column offset to the issue model and expose via the custom formatter
* Fix import order and update auto-help
* Fetch property from dict but default to 0 for backward compatibility. Update the test as well
* Update test_custom.py

Co-authored-by: Eric Brown <ericwb@users.noreply.github.com>

README.rst

@@ -166,7 +166,7 @@ Usage::
 
     Available tags:
 
-        {abspath}, {relpath}, {line},  {test_id},
+        {abspath}, {relpath}, {line}, {col}, {test_id},
         {severity}, {msg}, {confidence}, {range}
 
     Example usage:

bandit/cli/main.py

@@ -268,7 +268,7 @@ def main():
 
     Available tags:
 
-        {abspath}, {relpath}, {line},  {test_id},
+        {abspath}, {relpath}, {line}, {col}, {test_id},
         {severity}, {msg}, {confidence}, {range}
 
     Example usage:

bandit/core/issue.py

@@ -16,7 +16,7 @@
 
 class Issue(object):
     def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT,
-                 text="", ident=None, lineno=None, test_id=""):
+                 text="", ident=None, lineno=None, test_id="", col_offset=0):
         self.severity = severity
         self.confidence = confidence
         if isinstance(text, bytes):
@@ -27,6 +27,7 @@ def __init__(self, severity, confidence=constants.CONFIDENCE_DEFAULT,
         self.test = ""
         self.test_id = test_id
         self.lineno = lineno
+        self.col_offset = col_offset
         self.linerange = []
 
     def __str__(self):
@@ -105,6 +106,7 @@ def as_dict(self, with_code=True):
             'issue_text': self.text.encode('utf-8').decode('utf-8'),
             'line_number': self.lineno,
             'line_range': self.linerange,
+            'col_offset': self.col_offset
             }
 
         if with_code:
@@ -121,6 +123,7 @@ def from_dict(self, data, with_code=True):
         self.test_id = data["test_id"]
         self.lineno = data["line_number"]
         self.linerange = data["line_range"]
+        self.col_offset = data.get("col_offset", 0)
 
 
 def issue_from_dict(data):

bandit/core/node_visitor.py

@@ -205,6 +205,8 @@ def pre_visit(self, node):
                 LOG.debug("skipped, nosec")
                 self.metrics.note_nosec()
                 return False
+        if hasattr(node, 'col_offset'):
+            self.context['col_offset'] = node.col_offset
 
         self.context['node'] = node
         self.context['linerange'] = b_utils.linerange_fix(node)

bandit/core/tester.py

@@ -66,6 +66,7 @@ def run_tests(self, raw_context, checktype):
                     if result.lineno is None:
                         result.lineno = temp_context['lineno']
                     result.linerange = temp_context['linerange']
+                    result.col_offset = temp_context['col_offset']
                     result.test = name
                     if result.test_id == "":
                         result.test_id = test._test_id

bandit/formatters/custom.py

@@ -74,6 +74,7 @@ def report(manager, fileobj, sev_level, conf_level, template=None):
         'abspath': lambda issue: os.path.abspath(issue.fname),
         'relpath': lambda issue: os.path.relpath(issue.fname),
         'line': lambda issue: issue.lineno,
+        'col': lambda issue: issue.col_offset,
         'test_id': lambda issue: issue.test_id,
         'severity': lambda issue: issue.severity,
         'msg': lambda issue: issue.text,

tests/functional/test_functional.py

@@ -757,6 +757,7 @@ def test_baseline_filter(self):
               "issue_severity": "HIGH",
               "issue_text": "%s",
               "line_number": 10,
+              "col_offset": 0,
               "line_range": [
                 10
               ],

tests/unit/formatters/test_custom.py

@@ -0,0 +1,55 @@
+# SPDX-License-Identifier: Apache-2.0
+
+import csv
+import tempfile
+
+import six
+import testtools
+
+import bandit
+from bandit.core import config
+from bandit.core import issue
+from bandit.core import manager
+from bandit.formatters import custom
+
+
+class CustomFormatterTests(testtools.TestCase):
+
+    def setUp(self):
+        super(CustomFormatterTests, self).setUp()
+        conf = config.BanditConfig()
+        self.manager = manager.BanditManager(conf, 'custom')
+        (tmp_fd, self.tmp_fname) = tempfile.mkstemp()
+        self.context = {'filename': self.tmp_fname,
+                        'lineno': 4,
+                        'linerange': [4],
+                        'col_offset': 30}
+        self.check_name = 'hardcoded_bind_all_interfaces'
+        self.issue = issue.Issue(bandit.MEDIUM, bandit.MEDIUM,
+                                 'Possible binding to all interfaces.')
+        self.manager.out_file = self.tmp_fname
+
+        self.issue.fname = self.context['filename']
+        self.issue.lineno = self.context['lineno']
+        self.issue.linerange = self.context['linerange']
+        self.issue.col_offset = self.context['col_offset']
+        self.issue.test = self.check_name
+
+        self.manager.results.append(self.issue)
+
+    def test_report(self):
+        with open(self.tmp_fname, 'w') as tmp_file:
+            custom.report(
+                self.manager, tmp_file, self.issue.severity,
+                self.issue.confidence,
+                template="{line},{col},{severity},{msg}")
+
+        with open(self.tmp_fname) as f:
+            reader = csv.DictReader(f, ['line', 'col', 'severity', 'message'])
+            data = six.next(reader)
+            self.assertEqual(six.text_type(self.context['lineno']),
+                             data['line'])
+            self.assertEqual(six.text_type(self.context['col_offset']),
+                             data['col'])
+            self.assertEqual(self.issue.severity, data['severity'])
+            self.assertEqual(self.issue.text, data['message'])