bandit: Bandit 1.6.0 no longer respects excluded directories

Describe the bug Prior to the bandit 1.6.0 release, I was using bandit like so:

bandit -r . -x ./mymodule1/tests/,./mymodule2/tests/

However, with bandit 1.6.0 the ./mymodule1/tests/ and ./mymodule2/tests/ directories are included in the results. I have confirmed that you can exclude individual files still, just not directories.

To Reproduce Steps to reproduce the behavior:

  1. Create a directory with a vulnerability in it somewhere
  2. Run bandit -r . -x ./your-new-dir/
  3. See vulnerability results that should be excluded

Expected behavior Bandit should be excluding the directories entirely that are passed as args to the -x flag.

Bandit version

bandit 1.6.0
  python version = 3.6.5 (default, Jun 17 2018, 12:13:06) [GCC 4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.2)]

Most upvoted comments

This issue still exists nearly one year later on Bandit 1.6.2. Unclear why it is closed.

While it makes very little sense, -x or --exclude seems to require a ./-prefaced relative path.

E.g. if you have a venv in your current directory:

python -m bandit --exclude ./venv --recursive --output bandit.json --format json .

will work as intended whereas

python -m bandit --exclude venv --recursive --output bandit.json --format json .
python -m bandit --exclude "${PWD}/venv" --recursive --output bandit.json --format json .

Will attempt to scan all of venv/.

The current arg is:

    parser.add_argument(
        '-x', '--exclude', dest='excluded_paths', action='store',
        default=','.join(constants.EXCLUDE),
        help='comma-separated list of paths (glob patterns '
             'supported) to exclude from scan '
             '(note that these are in addition to the excluded '
             'paths provided in the config file) (default: ' +
        ','.join(constants.EXCLUDE) + ')'
    )

Which gets passed to discover_files():

https://github.com/PyCQA/bandit/blob/c6b1302e7b1ab1ad78799264d8ca7222f2c3d428/bandit/cli/main.py#L457

Independent of this issue, it might be sensible to add venv to constants.EXCLUDE.

@ericwb please reopen based on ample evidence above.
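The comments above boil down to a path-normalization problem: an exclusion only matches when it is spelled the same way as the path the recursive walk produces. The following is an added illustration, not bandit's own code, of a naive prefix match that shows that failure mode next to an exclusion check that canonicalizes both sides first; the file list and the `/proj` root are constructed sample values.

```python
import fnmatch
import os

# Constructed sample of files a recursive scan under "/proj" would visit.
SAMPLE_FILES = [
    "./app/views.py",
    "./mymodule1/tests/test_views.py",
    "./venv/lib/site.py",
]


def naive_is_excluded(path, excludes):
    """String-prefix match on the raw arguments.

    This is the failure mode described in the thread: a walked path such as
    "./mymodule1/tests/x.py" is only matched by an exclusion that also carries
    the "./" prefix, so "mymodule1/tests" or an absolute path is ignored.
    """
    return any(path.startswith(ex) for ex in excludes)


def is_excluded(path, excludes, root="."):
    """Exclusion check that canonicalizes both sides before comparing.

    Each exclusion and each walked path is resolved to an absolute path under
    ``root``, so "tests", "./tests", "./tests/", "/proj/tests" and "tests/*"
    all describe the same thing. A match is either a directory prefix or a
    glob pattern (fnmatch), so "venv/*" also works.
    """
    abs_path = os.path.abspath(os.path.join(root, path))
    for ex in excludes:
        abs_ex = os.path.abspath(os.path.join(root, ex.rstrip("/")))
        if abs_path == abs_ex or abs_path.startswith(abs_ex + os.sep):
            return True
        if fnmatch.fnmatch(abs_path, abs_ex):
            return True
    return False


def scan_targets(files, excludes, root="."):
    """Return the files that would actually be scanned after exclusion."""
    return [f for f in files if not is_excluded(f, excludes, root)]
```

Note that a bare name such as `tests` is root-relative here, not "any directory called tests"; the latter needs a glob like `*/tests/*`.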

The help output says that it excludes .tox by default, but my tox-dir is still scanned which is quite useless.

This is certainly not resolved and needs to be reopened.

I am trying to use bandit 1.6.2 and excluded directories are not respected. This issue does not appear to be fixed.

Interestingly, specifying an absolute target path combined with absolute exclusion paths seems to work:

$ bandit -x $(pwd)/.tox/ -r $(pwd)
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.6.8
Run started:2019-10-10 08:51:10.630871

Test results:
...
Code scanned:
	Total lines of code: 70
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0.0
		Low: 2.0
		Medium: 0.0
		High: 0.0
	Total issues (by confidence):
		Undefined: 0.0
		Low: 0.0
		Medium: 0.0
		High: 2.0
Files skipped (0):

Also, specifying all absolute paths in a Tox target, a section in tox.ini, “fixes” the issue:

tox.ini

[testenv:bandit]
deps = bandit
commands = bandit -x {toxinidir}/.git,{toxinidir}/.tox,{toxinidir}/tests -r {toxinidir}

$ tox -e bandit
bandit installed: bandit==1.6.2,gitdb2==2.0.6,GitPython==3.0.3,pbr==5.4.3,PyYAML==5.1.2,six==1.12.0,smmap2==2.0.5,stevedore==1.31.0
bandit run-test-pre: PYTHONHASHSEED='2508293914'
bandit runtests: commands[0] | bandit --exclude /home/foo/example-flask/.git,/home/foo/example-flask/.tox,/home/foo/example-flask/tests -r /home/foo/example-flask
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	running on Python 3.6.8
Run started:2019-10-10 08:53:59.209246

Test results:
	No issues identified.

Code scanned:
	Total lines of code: 26
	Total lines skipped (#nosec): 0

Run metrics:
	Total issues (by severity):
		Undefined: 0.0
		Low: 0.0
		Medium: 0.0
		High: 0.0
	Total issues (by confidence):
		Undefined: 0.0
		Low: 0.0
		Medium: 0.0
		High: 0.0
Files skipped (0):
__________________________________________________ summary __________________________________________________
  bandit: commands succeeded
  congratulations :)

Looks like there is still some hidden issue that needs fixing.

I’ve faced just the same issue on 1.7. This command is hanging for several minutes:

bandit -lll -r -x tests .

as well as this one:

bandit -lll -r -x "tests/*" .

but this one works just as expected:

bandit -lll -r -x "./tests/*" .

Still having this issue in 1.7.0, pinning to 1.5.1 doesn’t help. For gitlab reasons I had to include the virtualenv inside the project_root and bandit ignores all attempts to ignore that folder… Command: bandit --exclude .pipenv/* -r -ll .

Can confirm here that it still doesn’t work when I add exclude tests to pyproject.toml

[tool.bandit]
exclude = "./tests/*"

Just confirming that this issue still persists in 1.7

@zelenyjan There are a few interesting facts about the information you share:

  • Where did you get the exclude_dirs option from? It’s neither in the documentation (which says exclude) nor in the CLI help screen; it can only be seen in the code. Which suggests that we have a bug in the docs.
  • Interestingly enough, the exclude_dirs option covers not only directories: You can specify a path to a single file, which then also gets excluded, specifically. (The naming seems a bit misleading.)
  • The Bandit source code suggests that you have a Bandit INI file present that gets read (because reading the excluded dirs from TOML doesn’t seem to be logged, which is what my local tests confirm).
  • The option considered in an INI file is called exclude, which is consistent with the docs but inconsistent with what is considered from a TOML (or YAML) file.

Can you share your complete Bandit (and Tox) configuration, please?

Also, can you try to run against . instead of src (which will likely walk directories like .git, .tox and .venv if they are not ignored effectively)?

bandit -c pyproject.toml -r .

Related: #528

And yes, the implementation of the config parsing is super-complicated and probably warrants a complete rewrite. 😟

Coming back here to include my workaround.

Using absolute paths has worked, but since that wasn’t an option for gitlab I found that

bandit --exclude ./.pipenv/* -r -ll .

seems to respect the excluded folder.

@LefterisJP I’m using bandit 1.6.2 and it works, however it depends on how you specify all paths. I’m using all full relative paths (e.g. bandit -x './tests' -r .). If I omit ./ at the beginning of the exclude directory, that directory is not considered in the exclusion. It seems also that this behavior is the same with the full path, as stated by @bittner. There is definitely an issue on path handling.

I tried to play a little with exclude directory in 1.6.0.

After changing bandit -r anitya/ anitya_schema/anitya_schema/ -x anitya/db/migrations -ll to bandit -r anitya/ anitya_schema/anitya_schema/ -x anitya/db/migrations/* -ll, the excluded folders are no longer ignored.

So before 1.6.1 is out, you could use the above.