Hi!
Code comments in bandit describe a "candidate issues" feature, where if a baseline
is used and a new issue is detected that matches another issue already in the baseline,
both issues will be displayed in the report:
For example, let's say we find a new command injection issue in a file
which used to have two. Bandit can't tell which of the command injection
issues in the file are new, so it will show all three. The user should
be able to pick out the new one.
However, it looks like this feature never actually worked; what actually happens
is any issue that evaluates equal to an issue already in the baseline will always
be ignored. (This if statement will never be true: https://github.com/openstack/bandit/blob/5fe2f01e5ba3ec5c2770492d735ffaf548e2ed4a/bandit/core/manager.py#L391)
That function was later "simplified" to code that has the same problem: https://github.com/openstack/bandit/blob/d159335700938f25ebd2606c066e3895e2a3d577/bandit/core/manager.py#L376
From the code comments it sounds like the function was intended to do this:
    import copy

    def _compare_baseline_results(baseline, results):
        unmatched_issues = []
        # Work on a copy so each baseline entry can cancel out at most one result.
        baseline_copy = copy.deepcopy(baseline)
        for new_issue in results:
            try:
                baseline_copy.remove(new_issue)
            except ValueError:
                # No baseline entry left that compares equal: this one is new.
                unmatched_issues.append(new_issue)
        return unmatched_issues
This makes bandit behave in the way described in the code comments: if the baseline contains
one issue, but a bandit run detects two issues, both issues will be displayed (as "candidate
issues"). The current behavior is that neither issue would be displayed (the run would be clean),
which sounds like a bug, unless this was the intent and the code comments are wrong.
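To make the difference concrete, here is an added example (not bandit's code and not part of the report above) that runs both comparison strategies side by side. The `Issue` class is an assumed stand-in for bandit's issue object whose equality ignores the line number, and the candidate lookup at the end is modelled on the quoted comment rather than copied from bandit; the baseline and results are constructed sample data.

```python
import copy


class Issue:
    """Stand-in for bandit's Issue object (an assumed shape, not bandit's class).

    Equality deliberately ignores the line number: two findings of the same
    test, in the same file, with the same message compare equal. That is what
    makes a second occurrence indistinguishable from one already baselined.
    """

    def __init__(self, test_id, fname, text, lineno):
        self.test_id = test_id
        self.fname = fname
        self.text = text
        self.lineno = lineno

    def _key(self):
        return (self.test_id, self.fname, self.text)

    def __eq__(self, other):
        return isinstance(other, Issue) and self._key() == other._key()

    def __hash__(self):
        return hash(self._key())

    def __repr__(self):
        return f"{self.test_id}@{self.fname}:{self.lineno}"


def compare_current(baseline, results):
    """The behaviour the report describes: every result that equals some
    baseline entry is dropped, no matter how many times it now occurs."""
    return [issue for issue in results if issue not in baseline]


def compare_intended(baseline, results):
    """The report's proposed fix: each baseline entry cancels at most one
    result, so an extra identical finding survives as unmatched."""
    unmatched = []
    remaining = copy.deepcopy(baseline)
    for issue in results:
        try:
            remaining.remove(issue)  # list.remove matches by ==, first hit only
        except ValueError:
            unmatched.append(issue)
    return unmatched


def candidate_lines(compare, baseline, results):
    """Line numbers a report would show. For each unmatched issue, every
    result that compares equal to it is listed as a candidate (assumed step,
    modelled on the quoted comment: the tool cannot tell which one is new)."""
    shown = set()
    for unmatched in compare(baseline, results):
        shown.update(i.lineno for i in results if i == unmatched)
    return sorted(shown)


# Constructed sample: app.py used to have one shell=True call (line 10);
# the new run finds a second one (line 25) plus an unrelated new finding.
BASELINE = [Issue("B602", "app.py", "subprocess call with shell=True", 10)]
RESULTS = [
    Issue("B602", "app.py", "subprocess call with shell=True", 10),
    Issue("B602", "app.py", "subprocess call with shell=True", 25),
    Issue("B105", "app.py", "hardcoded password string", 3),
]

if __name__ == "__main__":
    print("current :", candidate_lines(compare_current, BASELINE, RESULTS))
    print("intended:", candidate_lines(compare_intended, BASELINE, RESULTS))
```

With the current comparison the second `shell=True` call never appears, because it compares equal to the baselined one; with the multiset-style comparison the new occurrence is unmatched, and the candidate lookup then lists both the old and the new line so the reader can pick out the new one.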