Exclude paths in config file ignored if passing specific files to Bandit CLI #499
Comments
@pydolan I think it is a duplicate of #488. You can find a workaround at #488 (comment) or by pinning bandit to 1.5.1. |
@vinicyusmacedo -- My issue is actually unrelated to #488 and exists in 1.5.1 as well. After further investigation, what's actually happening is that the excluded paths in the config file are being ignored when passing specific files to bandit -- even though excluding from the CLI works:
In v1.5.1:
$ bandit --version
bandit 1.5.1
python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)]
$ cat .bandit
[bandit]
exclude: node_modules
$ bandit ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 46
...
$ bandit -x node_modules ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 0
...
In v1.6.0:
$ bandit --version
bandit 1.6.0
python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)]
$ cat .bandit
[bandit]
exclude: ./node_modules/*
$ bandit ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 46
...
$ bandit -x "./node_modules/*" ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 0
...
I believe the two excluding methods should have consistent behavior, which is to not process the file in either case. This is especially important if one wants to exclude paths with the pre-commit hook. Thanks! |
I noticed this as well in my environment. When using the config file, exclusion is not working even if it is already set up as in the workaround.
|
In this scenario the The relevant code is in |
Actually, if the target is a file, Bandit doesn't look for a |
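The two comments above point at the root cause: the ini-style config is only discovered by walking the scan targets, and a regular file is not walked, so an explicit file target (which is exactly what the pre-commit hook passes) never picks up `.bandit`, while the same pattern given with `-x` is applied regardless. The following is an added illustration, not Bandit's own code: a simplified model of that discovery logic next to a hypothetical variant that also climbs from a file target's directory up to the project root, plus glob-style exclusion matching modelled on the `./node_modules/*` form used in the 1.6.0 transcript. The walk-based discovery, the fnmatch semantics, the function names and the scratch project tree are all assumptions made for this example.

```python
"""Added illustration (not Bandit's own code): a simplified model of config-file
discovery from scan targets and of glob-style path exclusion, reproducing the
asymmetry reported in this issue.

Assumptions, labelled as such: discovery walks each target with os.walk(), which
yields nothing for a regular file; pre-commit passes explicit file paths, so the
hook hits exactly that case; exclusion patterns are glob-matched with fnmatch()
like the `./node_modules/*` form in the 1.6.0 transcript.
"""
import configparser
import fnmatch
import os
import tempfile

CONFIG_NAME = ".bandit"


def find_config_walk_only(targets):
    """Discover config files by walking each target with os.walk().

    os.walk() on a regular file yields no entries, so a file target never
    contributes a config file; this models the reported behaviour.
    """
    found = []
    for target in targets:
        for root, _dirs, files in os.walk(target):
            if CONFIG_NAME in files:
                found.append(os.path.join(root, CONFIG_NAME))
    return found


def find_config_climbing(targets, root="."):
    """Hypothetical fix for illustration only: for a file target, climb from its
    parent directory up to `root` looking for the config; directories are walked
    as before."""
    found = []
    for target in targets:
        if not os.path.isfile(target):
            found.extend(find_config_walk_only([target]))
            continue
        directory = os.path.dirname(target) or "."
        while True:
            candidate = os.path.join(directory, CONFIG_NAME)
            if os.path.isfile(candidate):
                if candidate not in found:
                    found.append(candidate)
                break
            if os.path.abspath(directory) == os.path.abspath(root):
                break  # stop at the project root, never climb above it
            parent = os.path.dirname(directory)
            if not parent or parent == directory:
                break
            directory = parent
    return found


def parse_exclude(config_text):
    """Parse the comma-separated `exclude:` entry of a `[bandit]` ini section."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    raw = parser.get("bandit", "exclude", fallback="")
    return [pattern.strip() for pattern in raw.split(",") if pattern.strip()]


def is_excluded(path, patterns):
    """Glob-style match (assumed fnmatch semantics): `./node_modules/*` matches
    any path below that directory, while a bare `node_modules` does not."""
    return any(fnmatch.fnmatch(path, pattern) for pattern in patterns)


def reproduce():
    """Build a scratch project (constructed sample tree) and report what a
    directory target and an explicit file target each see. Returns booleans."""
    config_text = "[bandit]\nexclude: ./node_modules/*\n"
    target_file = "./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py"
    previous_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as scratch:
        os.chdir(scratch)  # transcript patterns are relative to the project root
        try:
            os.makedirs(os.path.dirname(target_file))
            os.makedirs("./src")
            for path in (target_file, "./src/app.py"):
                with open(path, "w") as handle:
                    handle.write("import os\n")
            with open(CONFIG_NAME, "w") as handle:
                handle.write(config_text)
            patterns = parse_exclude(config_text)
            return {
                "dir_target_finds_config": bool(find_config_walk_only(["."])),
                "file_target_finds_config": bool(find_config_walk_only([target_file])),
                "file_target_finds_config_with_fix": bool(find_config_climbing([target_file])),
                "cli_pattern_excludes_file": is_excluded(target_file, ["./node_modules/*"]),
                "config_pattern_excludes_file": is_excluded(target_file, patterns),
                "bare_name_excludes_file": is_excluded(target_file, ["node_modules"]),
                "src_file_excluded": is_excluded("./src/app.py", patterns),
            }
        finally:
            os.chdir(previous_cwd)


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

Running it shows the same split as the transcript: the directory target finds `./.bandit`, the file target finds nothing, and the `./node_modules/*` pattern excludes the file whether it came from the CLI or the parsed config. The climbing variant is only one possible repair; the point is that wherever the config is located, a file target must be mapped back to a directory before any discovery that relies on walking can succeed.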
Is there a current workaround? bandit is unusable at the moment as all test files are marked as false positives because of the usage of |
I do not use a config file but also have problems regarding pre-commit. When I run When I run bandit with pre-commit I get an "error" in the output: pre-commit-config.yaml:
I also tried And when I run |
ini file for dir exclusion doesn't work with
My config:
[bandit]
exclude: test_*.py,./venv/,./env/,./node_modules/,./cacheback/,./.env,./.venv,migrations,tests
skips: B101,B311
Running with
Tests dirs and files are not ignored but everything works fine with I am confused. |
I just ran into the same issue. What makes this pretty bad for me right now is that bandit is executed via a CI pipeline defined by a centrally configured GitLab instance. This always runs bandit using In my project I have some files that I want to exclude and wrote them into Yet, the pipeline still fails because of this issue. So now I'm forced to write |
@Cielquan, you probably need to use the following instead:
|
Yeah, I think that could be the case. |
This refers to |
Nice. Could we get a release for this? @sigmavirus24 |
That's my plan, yes |
Has this been released yet? I'm currently on bandit 1.7.4 and it still behaves the same way. I have a package in the
and I'm calling it as follows (execution line is out of my control as it is in a CI pipeline):
And even though the config-file exists, it still drills into the |
I am also seeing this issue on 1.7.4 I have the following in my bandit file:
My pipelines also fail, But I am using
|
Running into the same problem. Tried all combinations of ini, pyproject, yaml. Unable to exclude. Can this issue be reopened? |
UPDATE: please see my below comment for an updated description of the problem.
Describe the bug
When using the pre-commit hook, my excluded paths listed in .bandit are still processed by bandit.
To Reproduce
Steps to reproduce the behavior:
1. Create a config file with exclusions:
[bandit]
exclude: ./node_modules/*,./tests/*
2. Run bandit -r .
3. Run pre-commit run --all-files bandit, verify exclusions ignored.
Expected behavior
I expect the excluded paths to be ignored.
Bandit version