fix reading initial values from .bandit #722
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
alipqb
requested review from
ericwb,
ghugo,
lukehinds and
sigmavirus24
as code owners
sigmavirus24
approved these changes
Nov 11, 2021
This was referenced Jan 25, 2022
This was referenced Mar 17, 2023
kevinoid
added a commit
to kevinoid/python-project-template
that referenced
this pull request
Mar 17, 2023
Move the list of excluded files from --exclude in tox.ini to exclude_dirs in pyproject.toml to centralize configuration in pyproject.toml and make it accessible to tools and bandit invocations outside of tox. - Remove the comment that exclude is ignored by bandit 1.6.3+, which was fixed by PyCQA/bandit#722 in bandit 1.7.1. - Change exclude (which only works for INI files) to exclude_dirs (which only works for TOML and YAML files), as described in PyCQA/bandit#876 - Add /.git/ and /__pycache__/ to exclude_dirs to match --exclude. - Remove --exclude from invocation in tox.ini Signed-off-by: Kevin Locke <kevin@kevinlocke.name>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
How to fix reading .bandit initial values:
Previously bandit was not able to read initialization values from the .bandit file
like the
excludekeyword. This has caused a lot of CI pipelines that were usingbandit to fail. In this pull, I have tried to fix this problem.
What was the main problem that was causing this bug?
The CLI of bandit is written with python's popular library
argparse.The main problem was with the handling of default arguments' values
of the bandit command-line program. The program was not able to
distinguish between manually passed arguments and default arguments
values. Before In the first line of
_log_option_sourcefunction inbandit.cli.main.py, the function only checked whetherarg_valexistsor not. At first glance, it seems that this is a correct action, but the truth is
that this function fails when the default value of an argument is a string
like
--exclude. When we didn't pass an argument to--exclude, the valueof
arg_valwould be equal to default value of the argument and passedthe
ifcondition and will neglect the initial value in the .bandit file.Resolves: #499, #595