bandit: Bandit 1.6.3 does not respect excluded paths from .bandit file
With a .bandit file with the contents
[bandit]
exclude: ./.tox,./tests
1.6.2 gives
$ bandit -r -ll -ii .
[main] INFO Found project level .bandit file: ./.bandit
[main] INFO Using ini file for excluded paths
[main] INFO Using command line arg for selected targets
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.7.5
114 [0.. 50.. 100.. ]
1.6.3 ignores the excluded paths
$ bandit -r -ll -ii .
[main] INFO Found project level .bandit file: ./.bandit
[main] INFO Using command line arg for excluded paths
[main] INFO Using command line arg for selected targets
[main] INFO Using command line arg for recursive scan
[main] INFO Using command line arg for aggregate output type
[main] INFO Using command line arg for max code lines output for issue
[main] INFO Using command line arg for severity level
[main] INFO Using command line arg for confidence level
[main] INFO Using command line arg for output format
[main] INFO Using command line arg for output file
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.7.5
549 [0.. 50.. 100.. 150.. 200.. 250.. 300.. 350.. 400.. 450.. 500.. ]
About this issue
- State: open
- Created 4 years ago
- Reactions: 30
- Comments: 15 (2 by maintainers)
Commits related to this issue
- Pin bandit to v1.6.2 Bandit 1.6.3 contains a bug with excluded paths: https://github.com/PyCQA/bandit/issues/657 — committed to uktrade/lite-api by kerin 4 years ago
- Exclude bandit 1.6.3 in requirements Due to PyCQA/bandit#657 Signed-off-by: Kevin Locke <kevin@kevinlocke.name> — committed to kevinoid/python-project-template by kevinoid 4 years ago
- Freeze bandit to 1.6.2 because of PyCQA/bandit#657 — committed to FussyFox/bandit by codingjoe 4 years ago
- Fix ini configuration was overridden by default values Fix #657 — committed to maresmar/bandit by maresmar 3 years ago
- pin bandit==1.6.2, above version exclude paths broken (https://github.com/PyCQA/bandit/issues/657) — committed to Ouranosinc/Magpie by fmigneault 3 years ago
- lock bandit version - see: https://github.com/PyCQA/bandit/issues/657 — committed to OperationCode/back-end by AllenAnthes 3 years ago
- Pin bandit version to 1.6.2 For the same reason we did it in: https://github.com/uktrade/lite-api/pull/666 because of an upstream bug in 1.6.3: https://github.com/PyCQA/bandit/issues/657 — committed to uktrade/lite-frontend by r4vi 3 years ago
- fix: pass --excludes to bandit Until PyCQA/bandit#657 is fixed, specify --excludes when invoking bandit. Remove version exclusion for bandit 1.6.3 since 1.7.0 has the same issue. Signed-off-by: Kev... — committed to kevinoid/python-project-template by kevinoid 3 years ago
- security check workaround to ignore misbehaving bandit excludes not considered (relates to https://github.com/PyCQA/bandit/issues/657) — committed to crim-ca/weaver by fmigneault 2 years ago
Still broken in 1.7.0 😦
I can also reproduce this regression.
To perhaps save a maintainer a couple minutes of searching, it looks to me like this commit most likely causes the breaking behavior.
Edit: Also, the documentation for that command line parameter appears to be wrong: it says it should act in addition to the setting in the config file, whereas it actually overrides the setting in the config file.
Release 1.7.4 - not resolved (
I’m still pretty sure that 5ac8b8bf0a364a5222080db7c7e1951c0901e7a2 is the culprit. It added a default value for the excluded paths command line argument. That argument overrides the configuration file’s excluded paths, rather than merging with it, like the documentation / help message suggests. So now, the excluded paths in the configuration file are always overridden.
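The precedence problem described in the comment above, as an added illustration that is not bandit's own code: a hypothetical mini-CLI whose --exclude option carries a non-None default is compared with one whose default is None, both reading the .bandit contents from this issue. The helper names (parse_cli, resolve_excludes, buggy, fixed) are assumptions.

```python
import argparse
import configparser

# Constructed input, copied from the issue's .bandit file
INI_TEXT = "[bandit]\nexclude: ./.tox,./tests\n"


def load_ini(text):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def parse_cli(argv, exclude_default):
    # Hypothetical mini-CLI; only the option relevant to the issue is modelled.
    p = argparse.ArgumentParser()
    p.add_argument("-x", "--exclude", dest="excluded_paths", default=exclude_default)
    p.add_argument("-r", "--recursive", action="store_true")
    p.add_argument("targets", nargs="*")
    return p.parse_args(argv)


def resolve_excludes(args, cfg):
    # Precedence rule shared by both versions: a CLI value, when present,
    # replaces the ini value instead of merging with it. The returned
    # source string mirrors the "Using ... for excluded paths" log line.
    if args.excluded_paths is not None:
        return "cli", [s for s in args.excluded_paths.split(",") if s]
    ini_val = cfg.get("bandit", "exclude", fallback="")
    return "ini", [s for s in ini_val.split(",") if s]


def buggy(argv):
    # Regression: the option ships a non-None default, so the CLI branch is
    # always taken and the ini file's excludes are never consulted.
    return resolve_excludes(parse_cli(argv, exclude_default=""), load_ini(INI_TEXT))


def fixed(argv):
    # Fix: a None default means "not given", so the ini file is honoured
    # unless the user actually passes -x on the command line.
    return resolve_excludes(parse_cli(argv, exclude_default=None), load_ini(INI_TEXT))
```

With no -x on the command line, the buggy variant reports the CLI as the source and excludes nothing, which is why the issue's 1.6.3 run scans 549 files instead of 114.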
Looks like Release 1.7.5 resolved it!? Works fine for me.