flake8-bugbear: Codes B301-B306 conflict with openstack/bandit (via flake8-bandit)

Similar situation to #20, there are conflicts across codes B301-B306.

https://github.com/openstack/bandit:

The following tests were discovered and loaded:
  ...
  B301  pickle
  B302  marshal
  B303  md5
  B304  ciphers
  B305  cipher_modes
  B306  mktemp_q

In my situation:

  • When both are installed, bandit is still available while bugbear is deactivated
  • If I uninstall bandit, bugbear is activated and works as expected

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 19 (3 by maintainers)

Most upvoted comments

@ambv You hit the nail on the head about Vim Syntastic:

  • changing codes to use more than one character might not work with your editor integrations (like Syntastic) because the authors often use a very limited regex that was only tested with the builtin warnings.

And I was mistaken when I said:

The thing is that it works fine with other plugins, such as displaying the RSTxxx violations, etc. So there must be a way to do it.

I’ve since tried to fix the Flake8 syntax checker used by Syntastic and I’ve filed a bug on their issue tracker.

No need to respond; just giving credit where it’s due.

@tylerwince Thanks for that. Upgraded to 1.0.2 and all working well.

@ambv Since we’ve got a resolution, I’m closing this issue. Thanks for the feedback above.

@tylerwince Something like the following:

setup.py:

@@ -78,7 +78,7 @@
     license="MIT",
     entry_points={
         "flake8.extension": [
-            "B=flake8_bandit:BanditTester",
+            "BAN=flake8_bandit:BanditTester",
         ],
     },
     classifiers=[
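
Review bot: the rename of the `flake8.extension` key from `B` to `BAN` is a user-visible breaking change that nothing here documents. Existing `ignore`, `per-file-ignores` and `# noqa: B1xx` entries written against the old bandit codes will stop matching once the codes are reported as `BAN1xx`, so previously suppressed findings reappear and any CI allow-list has to be rewritten. Please add a changelog or README entry and ship this as a version bump. It is also worth stating there that flake8 matches `select`/`ignore` entries by prefix, so a bare `B` entry still covers `BAN...` codes and users who want to toggle bugbear and bandit separately need more specific entries.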

flake8_bandit.py:

@@ -42,8 +42,8 @@
         issues = []
         for item in b_mgr.get_issue_list():
             i = {}
-            i["test_id"] = item.test_id
-            i["issue_text"] = item.text
+            i["test_id"] = item.test_id.replace('B', 'BAN')
+            i["issue_text"] = 'Bandit [{0}]: {1}'.format(item.test_id, item.text)
             i["line_number"] = item.lineno
             issues.append(i)
         try:
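
Review bot: `item.test_id.replace('B', 'BAN')` rewrites every `B` in the id, not only the leading one, and it silently passes through ids that do not start with `B` at all. Suggest anchoring the rewrite to the prefix, for example `'BAN' + item.test_id[1:]` behind a `startswith('B')` check, or at least `replace('B', 'BAN', 1)`, so an unexpected id from a bandit plugin cannot end up with a mangled or unprefixed code. Keeping the original id in `issue_text` is good since it preserves the lookup key for bandit's own documentation.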

Sample output:

./.../setup.py:14:1: BAN110 Bandit [B110]: Try, Except, Pass detected.

  • This way, at least the exact bandit code is displayed in the text of the error

@tylerwince Appreciate the prompt response.

This is incredibly naive, since I’m unfamiliar with the internals of Flake8 (see my wonderful workaround above) but is there any mileage in simply using something like BAN as the entry point for all bandit codes? Something like:

BAN = flake8_bandit:BanditTester

That way, nothing would have to be done for either of the well-established bugbear and bandit projects. The coercion would be done within flake8-bandit, with a simple conversion of B*** to BAN***.

I’ve actually had a quick go at the above and it seems to hold together. However, I don’t know how that works for users who want the exact bandit codes.
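
The B*** to BAN*** coercion discussed in this thread, as an added example that is not code from flake8-bandit, bandit or flake8-bugbear: it remaps only well-formed bandit ids, then checks for code collisions before and after the remap. The function names are hypothetical, the bugbear list is just the B301-B306 range from the issue title, and prefix matching of `select`/`ignore` entries is an assumption about flake8 that the code labels as such.

```python
import re

# Bandit ids quoted on this page; the bugbear side is only the B301-B306
# range named in the issue title (constructed sample data, not a full list).
BANDIT_CODES = ["B301", "B302", "B303", "B304", "B305", "B306", "B110"]
BUGBEAR_CODES = ["B301", "B302", "B303", "B304", "B305", "B306"]

_BANDIT_ID = re.compile(r"B(\d{3})")


def remap(test_id, prefix="BAN"):
    """Rewrite a well-formed bandit id (B + 3 digits); reject anything else."""
    match = _BANDIT_ID.fullmatch(test_id)
    if match is None:
        raise ValueError("unexpected bandit test id: %r" % (test_id,))
    return prefix + match.group(1)


def collisions(codes_a, codes_b):
    """Codes that two plugins would both report under the same name."""
    return sorted(set(codes_a) & set(codes_b))


def matched_by(selector, codes):
    """Codes covered by one select/ignore entry, ASSUMING prefix matching."""
    return sorted(code for code in codes if code.startswith(selector))


def report(bandit=BANDIT_CODES, bugbear=BUGBEAR_CODES):
    remapped = [remap(code) for code in bandit]
    return {
        "before": collisions(bandit, bugbear),
        "after": collisions(remapped, bugbear),
        # A bare "B" entry still covers the remapped bandit codes ...
        "matched_by_B": matched_by("B", remapped),
        # ... while an entry as specific as "B3" no longer touches them.
        "matched_by_B3": matched_by("B3", remapped),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```
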