#nosec not working for multi-line strings in python 3.8 #658
Comments
PyCQA/bandit#658 The above bug currently makes Bandit report some security issues that are false positives because it ignores our # nosec comments. Signed-off-by: Jakob Sinclair <sinclair.jakob@mailbox.org>
In Python version 3.8, #nosec stopped working; check it [here](PyCQA/bandit#658). For this reason, we'll use Python 3.7 until the problem is fixed.
Confirming it's also a problem on 3.9.7 on Windows
Confirmed with 3.8 & 3.9 on Linux. It looks like the line number of the error is being reported as the first line of the multi-line string (where we cannot put a nosec comment), whereas before it was the last line. Using the report above as an example:
The error is reported on line 2:
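The line-number shift described in the comment above can be seen directly in the standard library. The following is an added example, not code from the bug report or from Bandit itself: it parses a constructed `fail.py`-style module with `ast`, collects `# nosec` comment lines with `tokenize` (the general approach a linter takes), and contrasts a lookup keyed only on `node.lineno` with one that checks every line the string node spans (`lineno..end_lineno`). The sample source, the function names and the two lookup strategies are all assumptions of this example; the facts it relies on are that Python 3.8 moved a multi-line string's `lineno` from its last line to its first and added `end_lineno`.

```python
import ast
import io
import tokenize

# Constructed sample (not the reporter's fail.py): a multi-line f-string SQL
# query with '# nosec' on the line that closes the string, the placement that
# worked before Python 3.8 and that later commenters fall back to.
SAMPLE = '''\
import sqlite3

def lookup(conn, bar):
    query = f"""
        SELECT something
        FROM sometable
        WHERE foobar = {bar}
    """  # nosec
    return conn.execute(query)
'''


def nosec_lines(source):
    """Line numbers carrying a 'nosec' comment, collected with tokenize."""
    lines = set()
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.COMMENT and "nosec" in tok.string:
            lines.add(tok.start[0])
    return lines


class _StringFinder(ast.NodeVisitor):
    """Collect string nodes without descending into f-strings, whose pieces share its span."""

    def __init__(self):
        self.nodes = []

    def visit_JoinedStr(self, node):
        self.nodes.append(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            self.nodes.append(node)


def multiline_strings(source):
    """String literal nodes that span more than one physical line."""
    finder = _StringFinder()
    finder.visit(ast.parse(source))
    return [n for n in finder.nodes if getattr(n, "end_lineno", n.lineno) > n.lineno]


def nosec_on_lineno(node, suppressed):
    """Lookup keyed on node.lineno alone (assumed pre-3.8 style).

    Before 3.8 the ast reported a multi-line string's lineno as its LAST line,
    so this found a trailing '# nosec'; from 3.8 lineno is the FIRST line and
    the lookup misses, which is the false positive reported in this issue."""
    return node.lineno in suppressed


def nosec_in_span(node, suppressed):
    """Lookup over every line the node covers, lineno..end_lineno.

    Works no matter which end of the literal the interpreter reports as lineno;
    end_lineno exists from 3.8, so fall back to lineno when it is absent."""
    end = getattr(node, "end_lineno", None) or node.lineno
    return any(line in suppressed for line in range(node.lineno, end + 1))


def demo(source=SAMPLE):
    """Return what each strategy sees for the first multi-line string in source."""
    suppressed = nosec_lines(source)
    node = multiline_strings(source)[0]
    return {
        "lineno": node.lineno,
        "end_lineno": node.end_lineno,
        "nosec_lines": suppressed,
        "nosec_on_lineno": nosec_on_lineno(node, suppressed),
        "nosec_in_span": nosec_in_span(node, suppressed),
    }


if __name__ == "__main__":
    print(demo())
```

Run on Python 3.8 or newer, `demo()` reports the f-string at `lineno` 4 and `end_lineno` 8 with the `# nosec` comment on line 8: the `lineno`-only lookup returns `False` (the false positive), the span lookup returns `True`. The span lookup is also why moving `# nosec` to the last line, as @GeyseR describes further down, satisfies a tool that checks the whole range.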
My workaround:
Very nice. You also don't need that comma.
Works too.
A black-compatible workaround:

```python
# fmt: off
query = (  # nosec
    f"""
    SELECT something,
    WHERE foobar = {bar}
    """
)
# fmt: on
```

Still please fix. Especially using black this can be a pain in the ass ;-)
I also just experienced this in my pipeline.
I'm not able to get any of the mentioned workarounds to work. The only thing that worked for me for now was downgrading back to bandit 1.6.2.
I think this can be closed now. It is fixed by the linked pull request.
I have this problem with bandit 1.7.5 and Python 3.10.9. I'm using this version of the workaround.
Can you share the whole piece of code (or a minimal example) for which bandit does not behave as expected?
@nevdelap, after switching to the latest bandit version I had to move SQL nosec comments to the end of multi-line strings.
after:
|
Thanks @GeyseR. That works. All good.
Thank you so much @CarliJoy!
The Problem

Starting with python3.8, adding #nosec after a multi-line string has no effect. This was not the case in python 3.6 (and I think also 3.7).

How to Reproduce

Prepare two sample python source files.

success.py:

fail.py:

Set up python3.6 and python3.8 environments.

Run bandit using python3.6:

```
$ source ./venv36/bin/activate
$ pip install bandit==1.6.3
```

Run bandit on success.py -- no issues.
Run bandit on fail.py -- no issues either.

Run bandit in python3.8:

```
$ source ./venv38/bin/activate
$ pip install bandit==1.6.3
```

Run bandit on success.py -- no issues.
Run bandit on fail.py -- one issue is reported.

Expected Behaviour

The #nosec clause should work both in python3.6 and python3.8. In this concrete example, bandit fail.py should not fail in python3.8.

Bandit Version

On python3.6:

On python3.8: