Document how to use Bandit #603

Closed
bittner opened this issue Apr 22, 2020 · 1 comment · Fixed by #773

Comments

@bittner
Contributor

bittner commented Apr 22, 2020

There are several issues open that suggest that it is unclear how Bandit is meant to be executed. In fact, there are no usage instructions at all in the Bandit docs.

Describe the solution you'd like

There should be simple, crisp, usage instructions in the Bandit docs, e.g.

Install Bandit:

pip install bandit

Run Bandit over your entire project:

bandit

(Obviously, the instructions above don't work for the current version 1.6.2.)

Apart from updating the docs, while this is likely the most important place to start, the problem domain may entail that the usage in general must be made simple:

  • Sensible defaults should prevail
  • Overriding defaults should be simple and intuitive
  • Common patterns of use (aka "developer behavior") should be taken into account

Describe alternatives you've considered

Setting default options in tox.ini and/or .bandit, and wrapping it with Tox. See #396 (comment).

Not nice, with limited success, and not universally usable for everyone.

Additional context

Bandit doesn't currently traverse the entire project tree, and it doesn't ignore (common) hidden folders by default, e.g. .git, .tox. It also reports security issues in tests that make little sense to report (e.g. "Use of assert detected", "Possible hardcoded password", "Starting a process with a partial executable path", etc. – that's just the natural way you implement tests).

Codacy also uses Bandit and reports all issues related to test implementations. It's unclear how they use the tool, but it's likely a rather custom way.

Long story short: There are a lot of things unclear when it comes to using Bandit. A tool that is – I would guess – meant to be simple to use. Not to say, trying to get out of your way.

Possibly related issues

@diegovalenzuelaiturra

diegovalenzuelaiturra commented Nov 17, 2021

Hi, I think this may be helpful here.

Here is my current approach to configure bandit to avoid raising B101 assert_used warnings on python tests.

  • [optional] Use the Bandit Config Generator to generate an optional profile and save it to a YAML file:

        bandit-config-generator --out bandit.yml

  • Edit the profile configuration file:

    • bandit.yml - based on the comment: Interpret wildcards in the file exclusion list #450 (comment)

          # https://github.com/PyCQA/bandit/pull/450#issuecomment-724777229
          assert_used:
              skips: ["*/test_*.py"]

    • .bandit config file example

          [bandit]
          # targets: comma separated list of target dirs/files to run bandit on
          # exclude: comma separated list of excluded paths
          # skips  : comma separated list of tests to skip
          # tests  : comma separated list of tests to run
          targets = .

          recursive = true

  • Run bandit:

        # you may want to provide full paths instead
        bandit --configfile bandit.yml --ini .bandit

If you are using VSCode, you can include the following in your settings.json .

// settings.json
{
    "python.linting.enabled": true,
    "python.linting.lintOnSave": true,
    "python.linting.banditEnabled": true,
    //  https://code.visualstudio.com/docs/editor/variables-reference
    "python.linting.banditArgs": [
        // "-ll",
        // "-ii",
        "--configfile=${workspaceFolder}/bandit.yml",
        "--ini=${workspaceFolder}/.bandit",
    ],
    "files.associations": {
        ".bandit": "ini",
    },
}
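As an added illustration (not part of the comment above and not Bandit's own code), the following Python models how a `skips` glob such as `*/test_*.py` is matched against the file paths Bandit scans. It assumes the B101 (assert_used) plugin compares each scanned file's path with Python's `fnmatch`, so whether a test file is skipped depends on how its path is spelled when Bandit is invoked (`bandit -r .` yields `./tests/test_x.py`, a root-level `test_x.py` has no `/` in front of it). The helpers `is_skipped` and `classify`, the sample paths and the pattern lists are constructed for this example.

```python
"""Added example: how a Bandit ``skips`` glob matches scanned file paths.

Not Bandit's code. Assumption: the B101 plugin checks every scanned file's
path against each ``skips`` pattern with ``fnmatch.fnmatch``; ``is_skipped``
below models exactly that check and nothing else.
"""
import fnmatch


def is_skipped(filename: str, skip_patterns) -> bool:
    """True if ``filename`` matches any glob in ``skip_patterns`` (fnmatch semantics)."""
    return any(fnmatch.fnmatch(filename, pat) for pat in skip_patterns)


def classify(paths, skip_patterns) -> dict:
    """Map each path to whether B101 would be suppressed for it."""
    return {p: is_skipped(p, skip_patterns) for p in paths}


# Constructed sample paths. The "./" forms are what "bandit -r ." reports;
# the bare forms are what "bandit -r tests src" reports.
SAMPLE_PATHS = [
    "./tests/test_views.py",
    "tests/test_views.py",
    "test_views.py",                # root-level test file: nothing before "test_"
    "./test_views.py",
    "src/app/views.py",             # production code, must never be skipped
    "src/app/tests/test_models.py",
    "tests/conftest.py",            # test support file not named test_*
]

# The single pattern from the comment above.
PROFILE_SKIPS = ["*/test_*.py"]

# A broader, still explicit list that also covers root-level test files and
# pytest's conftest.py without touching production modules.
BROADER_SKIPS = ["*/test_*.py", "test_*.py", "*/conftest.py"]


if __name__ == "__main__":
    for label, patterns in (("profile", PROFILE_SKIPS), ("broader", BROADER_SKIPS)):
        print(f"--- skips = {patterns} ({label})")
        for path, skipped in classify(SAMPLE_PATHS, patterns).items():
            print(f"{'skip  ' if skipped else 'report'}  {path}")
```

The point the table makes: with only `*/test_*.py`, a test module sitting in the repository root is still reported when Bandit is given bare paths, but skipped when invoked with `-r .`, because `./test_views.py` does contain a slash. Listing the patterns you actually intend (as in `BROADER_SKIPS`) removes that dependence on the invocation, while keeping `src/app/views.py` in scope so B101 still fires on production code.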

bittner added a commit to behave/behave-django that referenced this issue Jan 10, 2022
Bandit UX is seriously broken, only <1.6 works predictably.

Exclude/ignore of files is currently broken in Bandit:
- PyCQA/bandit#693
- PyCQA/bandit#490
- PyCQA/bandit#438 (comment)

Reading settings from configuration files is broken:
- PyCQA/bandit#753
- PyCQA/bandit#595

Reading from pyproject.toml not yet functional:
- Must install "toml" package and use "-c pyproject.toml".
- PyCQA/bandit#758

INI file configuration and CLI usage is unclear:
- PyCQA/bandit#603
- PyCQA/bandit#467
- PyCQA/bandit#396