Add support for disabling individual test numbers #211

ericwb · 2018-04-27T16:44:32Z

It would be nice to be able to disable specific bandit test numbers, like:

def mybadfunction(token='notreallyasecret'): # no-sec-b900

ehooo · 2018-05-17T22:33:49Z

Hi I found a bug related with the way that "nosec " comment is checked.
For example vulnerable_call(param="#nosec") this line will be scaped

calve · 2018-06-28T14:01:36Z

I'm willing to help on this one when I have some time. I originally posted a question at https://answers.launchpad.net/bandit/+question/664861

Shall we discuss of the syntax here ?

(my original message for reference)

Hi,

is there any way to selectively filter #nosec tags to filter only acceptable vulnerabilties.
I'm looking for something like
   # we know this triggers B101 but would still report B133
   assert 1=random.randint(0, 2) # nosec #B101
Thanks :)

posita · 2018-09-12T04:49:42Z

~~@ehooo, that sounds like a separate issue. You might might want to file it as such?~~

UPDATE: Filed as #383.

posita · 2018-09-12T04:57:38Z

May I request that whatever syntax is adopted, that it play nice with other source code analyzers' line comment directives? Consider someone who uses Mypy notations, pyflakes, pylint, and bandit:

… # type: … # noqa: E501 ; pylint: disable=line-too-long # nosec …
-or-
… # type: … # nosec … # noqa: E501 # pylint: disable=line-too-long

calve · 2018-09-12T08:33:57Z

… # type: … # noqa: E501 ; pylint: disable=line-too-long # nosec … is ok for me

posita · 2018-09-12T17:09:30Z

Apologies for the confusion. What I meant was that both formats should be supported. Currently # type: … # noqa: E501 # pylint: disable=line-too-long # nosec … will confuse pylint, but bandit should support its own line comment directives no matter the order they appear. So far, the convention has been to use # as a delimiter between different analyzers directives. (But see pylint-dev/pylint#2297.) Mypy and pylint are currently too opinionated, though (Mypy requires type comments appear first, and anything coming after pylint comments confuse pylint. (See pylint-dev/pylint#2485.)

- allow disabling tests by id and by name (e.g. B602,assert_used) - update nosec_lines to be a dict keyed on line number to a set of tests to ignore - use an empty set to indicate a blanket nosec (i.e. just #nosec, no individual tests) - use None to indicate that there was no nosec comment on the line in question - track and report metrics on the number of tests skipped by specific tests and the number of tests that fail because they were not included in the list of specific tests to ignore

- allow disabling tests by id and by name (e.g. B602,assert_used) - update nosec_lines to be a dict keyed on line number to a set of tests to ignore - use an empty set to indicate a blanket nosec (i.e. just #nosec, no individual tests) - use None to indicate that there was no nosec comment on the line in question - track and report metrics on the number of tests skipped by specific tests and the number of tests that fail because they were not included in the list of specific tests to ignore Resolves PyCQA#211 See also PyCQA#418

As noted in PyCQA/bandit#452, escape and quoteattr are not riskier than the defusedxml alternatives. Note: Can't disable specific bandit tests: PyCQA/bandit#211 Signed-off-by: Kevin Locke <kevin@kevinlocke.name>

- allow disabling tests by id and by name (e.g. B602,assert_used) - update nosec_lines to be a dict keyed on line number to a set of tests to ignore - use an empty set to indicate a blanket nosec (i.e. just #nosec, no individual tests) - use None to indicate that there was no nosec comment on the line in question - track and report metrics on the number of tests skipped by specific tests and the number of tests that fail because they were not included in the list of specific tests to ignore Resolves PyCQA#211 See also PyCQA#418

ericwb added the enhancement New feature or request label May 3, 2018

posita mentioned this issue Sep 12, 2018

#nosec string outside of a comment is treated as a comment #383

Closed

ericwb added this to the Near Future milestone May 9, 2019

stephen-dexda mentioned this issue Nov 19, 2019

More specific nosec options #418

Closed

sigmavirus24 closed this as completed in 11fd1a2 Feb 4, 2022

comc mentioned this issue Dec 13, 2022

New exclude_regex Filter to Address False Positives on Password Tests #973

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for disabling individual test numbers #211

Add support for disabling individual test numbers #211

ericwb commented Apr 27, 2018

ehooo commented May 17, 2018

calve commented Jun 28, 2018

posita commented Sep 12, 2018 •

edited

Loading

posita commented Sep 12, 2018 •

edited

Loading

calve commented Sep 12, 2018

posita commented Sep 12, 2018

Add support for disabling individual test numbers #211

Add support for disabling individual test numbers #211

Comments

ericwb commented Apr 27, 2018

ehooo commented May 17, 2018

calve commented Jun 28, 2018

posita commented Sep 12, 2018 • edited Loading

posita commented Sep 12, 2018 • edited Loading

calve commented Sep 12, 2018

posita commented Sep 12, 2018

posita commented Sep 12, 2018 •

edited

Loading

posita commented Sep 12, 2018 •

edited

Loading