Bandit 1.6.3 does not respect excluded paths from .bandit file #657
Comments
Bandit 1.6.3 contains a bug with excluded paths: PyCQA/bandit#657
To perhaps save a maintainer a couple of minutes of searching, it looks to me like this commit most likely causes the breaking behavior. Edit:
I can also reproduce this regression.
Due to PyCQA/bandit#657 Signed-off-by: Kevin Locke <[email protected]>
Still broken in 1.7.0 :-(
We also ran into this issue when upgrading from what could be a proposed fix? I don't know the codebase (yet), but could help.
I believe this commit has broken things: What's interesting though,
I'm still pretty sure that 5ac8b8b is the culprit. It added a default value for the excluded paths command line argument. That argument overrides the configuration file's excluded paths, rather than merging with it, as the documentation / help message suggests. So now, the excluded paths in the configuration file are always overridden.
Yes, you are right, the default seems to be the problem. It needs to be added at a later point.
Or it could be made so that the command line argument does in fact merge with the config file's exclusions. The help text for that argument says "note that these are in addition to the excluded paths provided in the config file", which is incorrect.
No, I wouldn't do that. That would be backwards incompatible, and we won't see a fix released until kingdom come.
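The precedence problem described in the comments above, as an added illustration that is not bandit's own code: a hypothetical resolve_excludes() reads -x/--exclude with argparse and falls back to the exclude key of a constructed .bandit file. With a non-None argparse default the config value is never reachable; with the default left as None and the fallback applied after parsing, the config file is honoured whenever -x is absent and the CLI still overrides it when given.

```python
import argparse
import configparser
from typing import List, Optional

# Constructed .bandit file, mirroring the reproduction posted later in this thread.
SAMPLE_BANDIT_INI = """
[bandit]
exclude: assert.py
"""

# Constructed stand-in for a built-in CLI default; the real value is not shown here.
CONSTRUCTED_CLI_DEFAULT = ".git,.tox"


def split_paths(raw: str) -> List[str]:
    """Split a comma-separated exclude list, dropping empty entries."""
    return [p.strip() for p in raw.split(",") if p.strip()]


def load_config_excludes(ini_text: str) -> List[str]:
    """Read the [bandit] exclude key from .bandit-style INI text."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return split_paths(cp.get("bandit", "exclude", fallback=""))


def resolve_excludes(argv: List[str], ini_text: str,
                     cli_default: Optional[str]) -> List[str]:
    """Decide which exclude list applies for a given argv and config file.

    cli_default is the argparse default for -x. The regression pattern is a
    non-None default: argparse then always reports the option as set, so the
    fallback to the config file below is dead code. The fix is default=None
    and applying any built-in default only after the config file was checked.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("-x", "--exclude", dest="excluded_paths", default=cli_default)
    args = parser.parse_args(argv)

    if args.excluded_paths is not None:       # -x given (or a default leaked in)
        return split_paths(args.excluded_paths)
    config_excludes = load_config_excludes(ini_text)
    if config_excludes:                        # config file wins when -x is absent
        return config_excludes
    return split_paths(CONSTRUCTED_CLI_DEFAULT)  # built-in default applied last


def would_scan(path: str, excludes: List[str]) -> bool:
    """True if a path is not covered by the resolved exclude list (exact match only)."""
    return path not in excludes
```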
For the same reason we did it in: uktrade/lite-api#666 because of an upstream bug in 1.6.3: PyCQA/bandit#657
Until PyCQA/bandit#657 is fixed, specify --excludes when invoking bandit. Remove version exclusion for bandit 1.6.3 since 1.7.0 has the same issue. Signed-off-by: Kevin Locke <[email protected]>
Is there a conclusion to this issue?
Running into this issue as well - has there been a fix?
Release 1.7.4 - not resolved (
…onsidered (relates to PyCQA/bandit#657)
I confirm, the last version doesn't fix the problem, it still scans the
bandit -r -x "$(pwd)/.venv/" .
Edit: With this command it works well:
bandit -r . -x */.venv/*
Looks like Release 1.7.5 resolved it!? Works fine for me.
If I run the following script:
echo 'assert 2 > 1' >assert.py
cat >.bandit <<BANDIT
[bandit]
exclude: assert.py
BANDIT
bandit -r .
The test fails with "Issue: [B101:assert_used]..." on 1.7.0 and passes with "No issues identified." in 1.7.1. Bisecting shows that this was fixed by #722.
Still an issue with 1.7.9
With a .bandit file with the contents
1.6.2 gives
1.6.3 ignores the excluded paths