Pass configuration to bandit #3

Open
phillbaker opened this issue Apr 11, 2018 · 14 comments
@phillbaker

Thanks for putting this together - was just about to start something similar.

What do you think about adding the ability to pass configuration (exclude files, recursive, etc.) from the flake configuration?

@tylerwince (Owner)

@phillbaker -- I am just picking back up on this project and adding a few new features as well as cleaning up some of the codebase.

This plugin will follow your flake8 config already, are you thinking we should add support for the .bandit config file?

tylerwince added this to the v2.0 milestone Jan 5, 2019

@phillbaker (Author)

Hey @tylerwince, glad to hear! I think my suggestion was to put some of the .bandit options in the .flake8 file, e.g.

[flake8]
bandit-includes = *.py
bandit-exclude-dirs = /tests/, tests.py

But pulling from the bandit.yml file also seems great!

@tylerwince (Owner)

Ah, this makes sense. I think that seems like a reasonable thing.

Maybe something like:

if bandit_config_exists:
    use_bandit_config_options
elif bandit_options_in_flake8:
    use_bandit_options_in_flake8

@tylerwince (Owner)

Update on this:

flake8-bandit will now honor a .bandit config file which contains skips or tests for blacklisting or whitelisting tests.

@zgoda commented Feb 12, 2019

Either read .bandit file or [bandit] section in flake8 config. Now I can't get it to follow exclude_dirs directive in my .bandit file and e.g. spills warnings related to use of assert statements in tests. Moreover, recent Bandit has 2 config files, .bandit for command line defaults and .bandit.yml for configuration options. Oh my.

@shapiromatron (Contributor) commented Jul 29, 2020

Does this still work? I'm trying w/ bandit==1.6.2 and flake8-bandit==2.1.2.

I have a .bandit:

[bandit]
exclude = /frontend,/scripts,/tests,/venv

This uses my exclude:

bandit -r -v .

But this doesn't:

$ flake8 .

./tests/apps/riskofbias/test_riskofbias_api.py:33:1: S101 Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
./tests/apps/riskofbias/test_riskofbias_api.py:34:1: S101 Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
./tests/apps/riskofbias/test_riskofbias_api.py:45:1: S101 Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
./tests/apps/riskofbias/test_riskofbias_api.py:51:1: S101 Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
./tests/apps/riskofbias/test_riskofbias_api.py:62:1: S101 Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
./tests/apps/riskofbias/test_riskofbias_api.py:69:1: S101 Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
./tests/apps/riskofbias/test_riskofbias_api.py:88:1: S101 Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
./tests/apps/riskofbias/test_riskofbias_api.py:92:1: S101 Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
./tests/apps/riskofbias/test_riskofbias_api.py:94:1: S101 Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
./tests/apps/riskofbias/test_riskofbias_api.py:98:1: S101 Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
./tests/apps/riskofbias/test_riskofbias_api.py:99:1: S101 Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
./tests/apps/riskofbias/test_riskofbias_api.py:106:1: S101 Use of assert detected. The enclosed code will be removed when compiling to optimised byte code

@shapiromatron (Contributor)

If you'd accept a PR let me know and I can look into it...

@tylerwince (Owner)

@shapiromatron - I would definitely accept a PR! Thanks for taking a look

@shapiromatron (Contributor)

Thanks @tylerwince, can you confirm that this is likely an issue for others as well? Should I perhaps use the skips keyword above (I tried but it didn't work), or is there some other way to get it to work?

@tylerwince (Owner)

It is likely a problem across the board. This was never really implemented fully and was kind of a hack when I first put it in. I think the main part of the codebase that applies is here:

import configparser
import sys

# Assumed context from the surrounding plugin code: ini_file is the path of the
# .bandit file being read (".bandit" here is a placeholder for illustration).
ini_file = ".bandit"
config = configparser.ConfigParser()

try:
    config.read(ini_file)
    # flake8-bandit reports bandit's Bxxx tests as Sxxx; map every value back.
    profile = {k: v.replace("S", "B") for k, v in config.items("bandit")}
    # Note: "exclude" here is the list of skipped test ids (bandit's skips),
    # not excluded directories; the .bandit "exclude" path list is never read.
    if profile.get("skips"):
        profile["exclude"] = profile.get("skips").split(",")
    if profile.get("tests"):
        profile["include"] = profile.get("tests").split(",")
except (configparser.Error, KeyError, TypeError) as e:
    if str(e) != "No section: 'bandit'":
        err = "Unable to parse config file: %s\n" % e
        sys.stderr.write(err)
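To make the gap concrete, here is an added example (not flake8-bandit's own code) that reads either the [bandit] section of a .bandit file or bandit-* keys in a [flake8] section, as proposed earlier in the thread, and then applies both the skip list and the excluded directories to flake8-bandit style findings. The sample config texts and the findings list are constructed; the S-to-B mapping touches only the leading letter (a deliberate departure from the blanket replace in the snippet above), and the path-matching rules for exclude entries are an assumption of this example, not bandit's own matcher.

```python
import configparser
import fnmatch
import os
from typing import Dict, List

# Constructed sample configs (not from the project). The first mirrors the
# .bandit file from the thread; the second mirrors the bandit-* keys proposed
# for the [flake8] section. A real run would load them with ConfigParser.read().
BANDIT_INI = """
[bandit]
exclude = /frontend,/scripts,/tests,/venv
skips = S101,S311
"""

FLAKE8_INI = """
[flake8]
bandit-exclude-dirs = /tests/, tests.py
bandit-skips = S106
"""

# Constructed flake8-bandit style findings (path:line:col: CODE message).
SAMPLE_FINDINGS = [
    "./tests/apps/riskofbias/test_riskofbias_api.py:33:1: S101 Use of assert detected.",
    "./app/utils.py:5:1: S311 Standard pseudo-random generators are not suitable for security purposes.",
    "./app/views.py:10:1: S106 Possible hardcoded password argument.",
]


def _split_list(value: str) -> List[str]:
    """Split a comma-separated ini value, dropping blanks and surrounding whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def to_bandit_code(code: str) -> str:
    """Map a flake8-bandit code (S101) to bandit's own id (B101).

    Only a leading 'S' followed by digits is rewritten (an assumption made here),
    so other letters in the value are left alone.
    """
    code = code.strip()
    if code[:1] == "S" and code[1:].isdigit():
        return "B" + code[1:]
    return code


def load_profile(ini_text: str) -> Dict[str, List[str]]:
    """Build a profile from a .bandit [bandit] section or bandit-* keys in [flake8].

    The [bandit] section wins when both exist, following the
    bandit-config-first order sketched earlier in the thread.
    """
    config = configparser.ConfigParser()
    config.read_string(ini_text)
    profile: Dict[str, List[str]] = {"skips": [], "tests": [], "exclude_dirs": []}
    if config.has_section("bandit"):
        section, prefix, exclude_key = config["bandit"], "", "exclude"
    elif config.has_section("flake8"):
        section, prefix, exclude_key = config["flake8"], "bandit-", "bandit-exclude-dirs"
    else:
        return profile
    profile["skips"] = [to_bandit_code(c) for c in _split_list(section.get(prefix + "skips", ""))]
    profile["tests"] = [to_bandit_code(c) for c in _split_list(section.get(prefix + "tests", ""))]
    profile["exclude_dirs"] = _split_list(section.get(exclude_key, ""))
    return profile


def is_excluded(path: str, exclude_dirs: List[str]) -> bool:
    """True if a project-relative path falls under an exclude entry.

    Assumed semantics: an entry such as '/tests/' is a directory prefix rooted
    at the project; a bare name or glob such as 'tests.py' matches the file
    name anywhere in the tree. Bandit's own matching rules are not reproduced.
    """
    norm = "/" + os.path.normpath(path).replace(os.sep, "/").lstrip("/")
    for entry in exclude_dirs:
        entry = entry.strip()
        prefix = "/" + entry.strip("/")
        if norm == prefix or norm.startswith(prefix + "/"):
            return True
        if fnmatch.fnmatch(os.path.basename(norm), entry):
            return True
    return False


def filter_findings(lines: List[str], profile: Dict[str, List[str]]) -> List[str]:
    """Drop findings in excluded paths or whose test id is in the skip list."""
    kept = []
    for line in lines:
        parts = line.split(":", 3)
        if len(parts) < 4:
            continue  # not a path:line:col: CODE line
        path, code = parts[0], parts[3].strip().split(" ", 1)[0]
        if is_excluded(path, profile["exclude_dirs"]):
            continue
        if to_bandit_code(code) in profile["skips"]:
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    for text in (BANDIT_INI, FLAKE8_INI):
        profile = load_profile(text)
        print(profile, filter_findings(SAMPLE_FINDINGS, profile))
```

With the .bandit sample only the S106 finding survives (the test file is under an excluded directory and S311 is skipped); with the [flake8] sample only the S311 finding survives. Keeping directory exclusion and skip handling in one place is what prevents the flood of S101 warnings from test code seen above.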

@shapiromatron (Contributor)

Thanks @tylerwince I'll have something soon...

@shapiromatron (Contributor)

@tylerwince PR submitted: #17; note that this bumps the Python minimum version to 3.6 as currently implemented.

@flickerfly

Is this remaining open because we still can't pass a configuration of whatever name we'd like? This would be useful to pass the flake8 config with a [bandit] section in it and clean up my code root a bit.

@shapiromatron (Contributor)

It looks like the latest version on PyPI is from before this change; the author hasn't released a new version to PyPI.

https://pypi.org/project/flake8-bandit/#history (latest release: 2.1.2, Oct 7, 2019)

To use this feature, you'll need to pull the package from GitHub.

Repository owner deleted a comment Feb 2, 2024