Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Corrected documentation on configuration #868

Merged
merged 4 commits into from
Apr 24, 2022
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 11 additions & 7 deletions doc/source/config.rst
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ Configuration
Bandit Settings
---------------

Projects may include a YAML file named `.bandit` that specifies command line
Projects may include an INI file named `.bandit` that specifies command line
arguments that should be supplied for that project. The currently supported
arguments are:

Expand All @@ -14,21 +14,25 @@ arguments are:
- skips: comma separated list of tests to skip
- tests: comma separated list of tests to run

To use this, put a YAML file named `.bandit` in your project's directory.
To use this, put an INI file named `.bandit` in your project's directory.
Command line arguments must be in `[bandit]` section.
For example:

::

[bandit]
exclude: /test

::

tests:
- B101
- B102
- B301
[bandit]
tests = B101,B102,B301


Note that Bandit will look for `.bandit` file only if it is invoked with `-r` option.
If you do not use `-r` or the INI file's name is not `.bandit`, you can specify
the file's path explicitly with `--ini` option.

Exclusions
----------
In the event that a line of code triggers a Bandit issue, but that the line
Expand Down Expand Up @@ -74,7 +78,7 @@ look like the following:

.. code-block:: yaml

### profile may optionally select or skip tests
### configuration may optionally select or skip tests

# (optional) list included tests here:
tests: ['B201', 'B301']
Expand Down
5 changes: 0 additions & 5 deletions doc/source/start.rst
Original file line number Diff line number Diff line change
Expand Up @@ -40,11 +40,6 @@ context and only reporting on the high-severity issues::

bandit examples/*.py -n 3 -lll

Bandit can be run with profiles. To run Bandit against the examples directory
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bandit does still have an option to specify profiles to load via the -p or --profile argument.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I cloned PyCQA/bandit:main, ran python setup.py install and pip -r requirements.txt, then ran bandit examples/*.py -p ShellInjection. The output is below:

[main]  ERROR   Unable to find profile (ShellInjection) in config file: None

This result suggests that profile is not built-in, but something we define ourselves. So how do we define it?
Where is it written in the documentation?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, creating profiles is still possible via the bandit.yaml file. They are not built-in. And you can create a config yaml file bandit-config-generator

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you. I ran bandit-config-generator -o bandit.yaml then bandit examples/*.py -p ShellInjection -c bandit.yaml. The output is:

[main]  ERROR   Unable to find profile (ShellInjection) in config file: bandit.yaml

Again, how can I define profile in a configuration file?

After some trial and error, a configuration file as below finally worked.

profiles:
  ShellInjection:
    # ...

But I got the message below.

[config]        WARNING Config file 'bandit.yaml' contains deprecated legacy config data. Please consider upgrading to the new config format. The tool 'bandit-config-generator' can help you with this. Support for legacy configs will be removed in a future bandit version.

This is probably the best evidence that profile is deprecated and should not be used.
Therefore, all descriptions about profile should be removed from the documentation.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even if it's "deprecated" (which it isn't) it shouldn't be removed in this pull request

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. Reverted in 2d6cd55

using only the plugins listed in the ``ShellInjection`` profile::

bandit examples/*.py -p ShellInjection

Bandit also supports passing lines of code to scan using standard input. To
run Bandit with standard input::

Expand Down