No recommendations for how to resolve warnings

[mcandre]

Bandit reports a lot of "problems" without providing any direction for what kind of code to use instead. Bandit has no capability for detecting when sanitization is used, no whitelist of approved alternatives for the blacklisted methods.

For example, bandit excludes almost every known way to submit an HTTP request, such as the common urllib methods. Well, what should the programmer use instead, the requests package?

[ghugo]

Some of bandit's results do suggest using alternatives, such as B312 telnetlib which suggests using SSH/other encrypted protocol, the XML ones which recommend difusedxml, B325 tempnam, and B413 pycrypto import (which suggests cryptography).

HTTP is insecure, which is why bandit notifies you. This is simply a warning, the recommendation would be to use HTTPS, or triage the findings (if there is no danger of leaking sensitive data) and exclude the bandit code for that warning.

[ericwb]

I agree with @mcandre that the documentation needs a lot of improvement. I'd like to see something more descriptive where each Bandit check is listed with explanation, example, and how to remediate. And when the scan is run, preferably the more_info links point to this documentation.

[ghugo]

Of course, more documentation is always welcome!