Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ini "exclude" config is ignored #693

Open
RobGThai opened this issue Feb 15, 2021 · 11 comments
Open

ini "exclude" config is ignored #693

RobGThai opened this issue Feb 15, 2021 · 11 comments
Labels
bug Something isn't working

Comments

@RobGThai
Copy link

RobGThai commented Feb 15, 2021
edited
Loading

Describe the bug
exclude configuration inside .bandit ini file is always ignored due to default cli argument.

To Reproduce
Steps to reproduce the behavior:

  1. Create . bandit file with the following.
[bandit]
targets: .
exclude: ./tests
  1. Run CLI with bandit --ini .bandit -r in a directory with .bandit file.
  2. You should now see that Bandit is prefer CLI argument for exclude over ini.
[main]	INFO	Using command line arg for excluded paths
[main]	INFO	Using ini file for selected targets

Expected behavior
Bandit should use .bandit configuration as there's no CLI argument supplied then append default value to it as specified in argparse.

  -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
                        comma-separated list of paths (glob patterns supported) to exclude
                        from scan (note that these are in addition to the excluded paths
                        provided in the config file) (default:
                        .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)

Bandit version

bandit 1.7.0
  python version = 3.8.0 (default, Sep  3 2020, 18:08:13) [Clang 11.0.3 (clang-1103.0.32.62)]

Additional context
I believe this happens due to the default value for -x given to argparse. This means the ini configuration is always ignored as the code take default value as supplied CLI.

Workaround
Supplied exclude via CLI when running Bandit regardless of your ini. bandit -x ./tests --ini .bandit -r .
@RobGThai RobGThai added the bug Something isn't working label Feb 15, 2021
@bsolomon1124
Copy link

Yep, _log_option_source() is broken. It will early-return if it gets a "truthy" arg_val. A command line default satisfies that.

bandit/bandit/cli/main.py

Line 83 in 6765a57

def _log_option_source(arg_val, ini_val, option_name):

@bsolomon1124
Copy link

Coupled with #595, #657, and #488 (unceremoniously closed for no reason), I'd venture to say 'exclude' is pretty much nonfunctional at this point.

@bsolomon1124
Copy link

bsolomon1124 commented Mar 1, 2021
edited
Loading

5ac8b8b is the commit that introduced this. (Looks like Bandit 1.6.3 + 1.7.0.) Though arguably it's _log_option_source() that is the issue; adding CLI defaults just exposed the issue with it.

@RobGThai
Copy link
Author

RobGThai commented Mar 3, 2021

From what I can understand, _log_option_source early return is because it finds the default value supplied via CLI instead of the ini configuration. I'm not sure what should take precedent between CLI and ini. I felt like allowing CLI to override the ini rule. can be useful but I digress. If the CLI should take precedent over CLI then _log_option_source is working as intended. Without early return then we must know which configuration to choose from or merge them together. Merging configuration would allow default value to works accordingly.

I'm willing to work on this but I'm also new to contribution as well so please guide me on what action I should take here.

@benvdh
Copy link

benvdh commented Mar 16, 2021

@RobGThai in case it helps to get started: Bandit has pretty good contribution guidelines, which might help you to get started:

https://github.com/PyCQA/bandit/blob/master/CONTRIBUTING.md#your-first-code-contribution

I'm not a bandit dev, but I have made some opensource contributions over the years, and CONTRIBUTING.md is usually where I start.

@devNan0 devNan0 mentioned this issue Mar 19, 2021
Closed
SteveClement added a commit to CybersecurityLuxembourg/bo-api that referenced this issue Apr 9, 2021
@SteveClement
chg: [ci] Bandit seems to have an exclude bug: PyCQA/bandit#693 and P…
cedad5c 
…yCQA/bandit#488
@fjsj
Copy link

fjsj commented May 5, 2021

Any easy workaround instead of passing all excludes as a CLI argument?
This issue broke several of my CIs.

@frenzymadness
Copy link

And moreover, it seems that it's not possible to use exclude in pre-commit because there is no straightforward way to set CLI arguments in pre-commit-config.yaml 😞

@stuertz
Copy link

stuertz commented Aug 11, 2021
edited
Loading

As a workaoround I call bandit -x "" So that _log_option_source doesn't get the defaults. Or for .pre-commit-config.yaml:

    - repo: https://github.com/PyCQA/bandit
      rev: 1.7.0
      hooks:
          - id: bandit
            args: ['--ini', '.bandit', '-x', '']

@soltanoff
Copy link

@stuertz, thank you! It's work

@lukegil
Copy link

lukegil commented Nov 15, 2021

This workaround appears to have been broken by #753 . Using 1.7.1, you need to remove the -x "" options

bittner added a commit to behave/behave-django that referenced this issue Jan 10, 2022
@bittner
Restore older Bandit version for predictive setup
bbab906 
Bandit UX is seriously broken, only <1.6 works predictably.

Exclude/ignore of files is currently broken in Bandit:
- PyCQA/bandit#693
- PyCQA/bandit#490
- PyCQA/bandit#438 (comment)

Reading settings from configuration files is broken:
- PyCQA/bandit#753
- PyCQA/bandit#595

Reading from pyproject.toml not yet functional:
- Must install "toml" package and use "-c pyproject.toml".
- PyCQA/bandit#758

INI file configuration and CLI usage is unclear:
- PyCQA/bandit#603
- PyCQA/bandit#467
- PyCQA/bandit#396
bittner added a commit to behave/behave-django that referenced this issue Jan 10, 2022
@bittner
Restore older Bandit version for predictive setup
a361ac9 
Bandit UX is seriously broken, only <1.6 works predictably.

Exclude/ignore of files is currently broken in Bandit:
- PyCQA/bandit#693
- PyCQA/bandit#490
- PyCQA/bandit#438 (comment)

Reading settings from configuration files is broken:
- PyCQA/bandit#753
- PyCQA/bandit#595

Reading from pyproject.toml not yet functional:
Must install "toml" package and use "-c pyproject.toml".
- PyCQA/bandit#758

INI file configuration and CLI usage is unclear:
- PyCQA/bandit#603
- PyCQA/bandit#467
- PyCQA/bandit#396
@bittner bittner mentioned this issue Jan 10, 2022
Merged
bittner added a commit to behave/behave-django that referenced this issue Jan 10, 2022
@bittner
Restore older Bandit version for predictive setup
93f1146 
Bandit UX is seriously broken, only <1.6 works predictably.

Exclude/ignore of files is currently broken in Bandit:
- PyCQA/bandit#693
- PyCQA/bandit#490
- PyCQA/bandit#438 (comment)

Reading settings from configuration files is broken:
- PyCQA/bandit#753
- PyCQA/bandit#595

Reading from pyproject.toml not yet functional:
Must install "toml" package and use "-c pyproject.toml".
- PyCQA/bandit#758

INI file configuration and CLI usage is unclear:
- PyCQA/bandit#603
- PyCQA/bandit#467
- PyCQA/bandit#396
@mpas
Copy link

mpas commented Nov 2, 2022

Is there any work around for this issue? I tried using ini, yaml etc.. but the exclude settings (also exclude_dirs in yaml) seems not to work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
9 participants
@mpas @RobGThai @fjsj @lukegil @stuertz @benvdh @frenzymadness @soltanoff @bsolomon1124