
Exclude paths in config file ignored if passing specific files to Bandit CLI #499

Closed
pydolan opened this issue May 28, 2019 · 18 comments · Fixed by #722
Labels
bug Something isn't working

Comments

@pydolan

pydolan commented May 28, 2019

UPDATE: please see my below comment for an updated description of the problem.

Describe the bug
When using the pre-commit hook, my excluded paths listed in .bandit are still processed by bandit.

To Reproduce
Steps to reproduce the behavior:

  1. Create a .bandit config file with exclusions. For example:
    [bandit]
    exclude: ./node_modules/*,./tests/*
  2. Run bandit via command line (bandit -r .), verify exclusions ignored.
  3. Run bandit on all files via pre-commit hook: pre-commit run --all-files bandit
  4. See that excluded files are processed by bandit

Expected behavior
I expect the excluded paths to be ignored.

Bandit version

bandit 1.6.0
  python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)]
@retpolanne

retpolanne commented May 28, 2019

@pydolan I think it is a duplicate of #488

You can find a workaround at #488 (comment) or by pinning bandit to 1.5.1

@pydolan
Author

pydolan commented May 28, 2019

@vinicyusmacedo -- My issue is actually unrelated to #488 and exists in 1.5.1 as well.

After further investigation, what's actually happening is that the excluded paths in the config file are being ignored when passing specific files to bandit -- even though excluding from the CLI works:

In v1.5.1:

$ bandit --version
bandit 1.5.1
  python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)]

$ cat .bandit
[bandit]
exclude: node_modules

$ bandit ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 46
...

$ bandit -x node_modules ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 0
...

In v1.6.0:

$ bandit --version
bandit 1.6.0
  python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)]

$ cat .bandit
[bandit]
exclude: ./node_modules/*

$ bandit ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 46
...

$ bandit -x "./node_modules/*" ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 0
...

I believe the two excluding methods should have consistent behavior, which is to not process the file in either case. This is especially important if one wants to exclude paths with the pre-commit hook.

Thanks!
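One way to get the behaviour asked for above while Bandit itself ignores the ini excludes for explicit file targets: a small wrapper that pre-commit can invoke instead of bandit. This is an added example, not Bandit's or the project's own code. It reads the exclude list from a .bandit ini file (the format used in the comments above), drops matching files from the list pre-commit passes, and hands the rest to python -m bandit; the matching rules (glob vs. plain path component) are this example's own assumptions, not Bandit's.

```python
"""Added workaround example (not Bandit's own code): apply the exclude globs
from a .bandit ini file to the explicit file list pre-commit hands over, then
run Bandit only on the survivors."""
import configparser
import fnmatch
import os
import subprocess
import sys

GLOB_CHARS = "*?["


def load_excludes(ini_text):
    """Return the comma-separated 'exclude' entries of the [bandit] section."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    raw = cfg.get("bandit", "exclude", fallback="")
    return [p.strip() for p in raw.split(",") if p.strip()]


def is_excluded(path, patterns):
    """Matching rules are this example's assumption, not Bandit's: a glob is
    matched against the normalised path and against the bare filename (so
    'test_*.py' works in any directory); a plain name or sub-path excludes
    every file under it (so 'node_modules' covers './node_modules/a/b.py')."""
    norm = os.path.normpath(path)        # './tests/x.py' -> 'tests/x.py'
    parts = norm.split(os.sep)
    for pat in patterns:
        pat = os.path.normpath(pat)      # './node_modules/*' -> 'node_modules/*'
        if any(c in pat for c in GLOB_CHARS):
            if fnmatch.fnmatch(norm, pat) or fnmatch.fnmatch(parts[-1], pat):
                return True
        elif pat in parts or norm == pat or norm.startswith(pat + os.sep):
            return True
    return False


def filter_files(files, patterns):
    return [f for f in files if not is_excluded(f, patterns)]


def main(argv):
    ini_text = open(".bandit").read() if os.path.exists(".bandit") else ""
    kept = filter_files(argv, load_excludes(ini_text))
    if not kept:                         # everything was excluded: nothing to scan
        return 0
    return subprocess.call([sys.executable, "-m", "bandit", *kept])


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Point a local pre-commit hook at this script with the same files pattern as the bandit hook; excluded files then never reach Bandit regardless of how it treats the ini file.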

@retpolanne

retpolanne commented May 28, 2019 via email

@pydolan pydolan changed the title Running via pre-commit hook not reading excluded paths from .bandit file Exclude paths in config file ignored if passing specific files to Bandit CLI May 28, 2019
@ericwb ericwb added the bug Something isn't working label May 28, 2019
@amacfie
Contributor

amacfie commented Jan 1, 2020

In this scenario the .bandit file is completely ignored. Bandit only looks for config files where the target is, or recursively in subdirectories.

The relevant code is in bandit.cli.main._get_options_from_ini.

@amacfie
Contributor

amacfie commented Jan 1, 2020

Actually, if the target is a file, Bandit doesn't look for a .bandit file anywhere; see #332.

@jugmac00
Contributor

jugmac00 commented Feb 9, 2020

Is there a current workaround? bandit is unusable at the moment as all test files are marked as false positives because of the usage of assert.

@Cielquan

I do not use a config file but also have problems regarding pre-commit.

When I run bandit -x "./.tox/*,./.eggs/*,./tests/*" -r . it works just fine.

When I run bandit with pre-commit I get an "error" in the output:
--exclude ./.tox/*,./.eggs/*,./tests/* (No such file or directory)

pre-commit-config.yaml:

  - repo: https://github.com/PyCQA/bandit
    rev: 1.6.2
    hooks:
      - id: bandit
        args: ["--exclude ./.tox/*,./.eggs/*,./tests/*"]

I also tried args: ["--exclude .tox,.eggs,tests"] without success.

And when I run bandit -x .tox,.eggs,tests -r . it is not working because the ignores get ignored and bandit checks everything. I get the same result when I run bandit -r .. Here the .tox directory gets also checked though it should not because of the default ignores.

@adamwojt

adamwojt commented Feb 28, 2021

ini file for dir exclusion doesn't work with the -r option. It's super confusing.

My .bandit

[bandit]
exclude: test_*.py,./venv/,./env/,./node_modules/,./cacheback/,./.env,./.venv,migrations,tests
skips: B101,B311

Running with bandit -r .

[main]	INFO	Found project level .bandit file: ./.bandit
[main]	INFO	Using command line arg for excluded paths
[main]	INFO	Using ini file for skipped tests

Tests dirs and files are not ignored but everything works fine with bandit -x "test_*.py,./venv/,./env/,./node_modules/,./cacheback/,./.env,./.venv,migrations,tests" -r .

I am confused.

@exhuma
Contributor

exhuma commented Mar 17, 2021

I just ran into the same issue. Which makes this pretty bad for me right now is that bandit is executed via a CI-pipeline defined by a centrally configured GitLab instance. This always runs bandit using bandit -r <package_name> and I don't have direct control over this in the project.

In my project I have some files that I want to exclude and wrote them into .bandit

Yet, the pipeline still fails because of this issue.

So now I'm forced to write # nosec comments into all files in a given subfolder even though that particular subfolder only contains utilities which never receive end-user input and could be ignored altogether.

@ceteri

ceteri commented Mar 23, 2021

@Cielquan, you probably need to use the following instead:

args: ["--exclude", ".tox,.eggs,tests"]

I also tried args: ["--exclude .tox,.eggs,tests"] without success.
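Why the single-string form fails, as an added illustration that is not Bandit's own CLI code: pre-commit passes each element of args as exactly one argv token, and argparse treats a dash-prefixed token that contains a space as a positional, so the whole string becomes a target path (which is what produces the "No such file or directory" message quoted earlier in the thread). The parser below is a minimal stand-in with the same -x/--exclude and targets shape, not Bandit's real parser.

```python
"""Added illustration (a minimal argparse stand-in, not Bandit's real CLI) of
why args: ["--exclude .tox,.eggs,tests"] fails under pre-commit."""
import argparse


def parse_bandit_like_args(argv):
    """Parse argv the way a Bandit-shaped CLI would: -x/--exclude takes one
    comma-separated value, every remaining token is a target path."""
    parser = argparse.ArgumentParser(prog="bandit")
    parser.add_argument("-x", "--exclude", default="")
    parser.add_argument("-r", "--recursive", action="store_true")
    parser.add_argument("targets", nargs="*")
    ns = parser.parse_args(argv)
    return ns.exclude, ns.targets


# Constructed examples mirroring the two forms discussed in the thread;
# pre-commit passes each list element as exactly one argv token.
BROKEN_ARGS = ["--exclude .tox,.eggs,tests"]    # one token containing a space
FIXED_ARGS = ["--exclude", ".tox,.eggs,tests"]  # flag and value as two tokens


if __name__ == "__main__":
    # argparse sees a '--'-prefixed token with a space in it as a positional,
    # so the broken form yields an empty exclude list and a bogus target path.
    print(parse_bandit_like_args(BROKEN_ARGS + ["pkg/mod.py"]))
    print(parse_bandit_like_args(FIXED_ARGS + ["pkg/mod.py"]))
```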

@Cielquan

@Cielquan, you probably need to use the following instead:

args: ["--exclude", ".tox,.eggs,tests"]

I also tried args: ["--exclude .tox,.eggs,tests"] without success.

Yeah, I think that could be the case.
In the meantime I changed from directly running bandit to running it via flake8-bandit and running flake8 via flakehell, which enables you to customize the behavior of every single flake8 extension for each and every file, for example.

@tobias-feil-by

@Cielquan, you probably need to use the following instead:

args: ["--exclude", ".tox,.eggs,tests"]

I also tried args: ["--exclude .tox,.eggs,tests"] without success.

How did you even find out about the possibility of mentioning args in the config file? The docs don't mention this

@jugmac00
Contributor

@Cielquan, you probably need to use the following instead:

args: ["--exclude", ".tox,.eggs,tests"]

I also tried args: ["--exclude .tox,.eggs,tests"] without success.

How did you even find out about the possibility of mentioning args in the config file? The docs don't mention this

This refers to pre-commit - not to bandit - for those who do not run bandit directly, but via pre-commit - highly recommended to run linters.

@devNan0

devNan0 commented Nov 11, 2021

Nice. Could we get a release for this? @sigmavirus24

@sigmavirus24
Member

That's my plan, yes

@exhuma
Contributor

exhuma commented Mar 28, 2022

Has this been released yet? I'm currently on bandit 1.7.4 and it still behaves the same way.

I have a package in the enm subfolder and the following .bandit file:

---
targets: "enm"
exclude: "enm/vendor"

and I'm calling it as follows (execution line is out of my control as it is in a CI pipeline):

bandit -r enm

And even though the config file exists, it still drills into the enm/vendor folder, causing the pipeline to fail.

@ChaseDDevelopment

I am also seeing this issue on 1.7.4

I have the following in my bandit file:

exclude_dirs:
  - ./build
  - ./src/project/research
  - ./tests

My pipelines also fail, but I am using

pipenv run python -m bandit -r . -lll as my command

@mpas

mpas commented Nov 3, 2022

Running into the same problem. Tried all combinations of ini, pyproject, yaml. Unable to exclude. Can this issue be reopened?
