
bandit baseline does not report results #466

@sukantjr

Description

Describe the bug
The results field of the output from a bandit-baseline execution does not contain the bandit issue for a positive test case, and hence the bandit-baseline passes even though a bandit vulnerability is introduced.

To Reproduce
Steps to reproduce the behavior:

To demonstrate this case, I have chosen a file from the openstack/horizon project and am trying to introduce a B603 in addition to an existing B603 in the same file.

  1. git clone https://git.openstack.org/openstack/horizon && cd horizon/
  2. bandit -t B603 -rf json -o banditresult.json horizon/test/firefox_binary.py
  3. vi horizon/test/firefox_binary.py
  4. Add a B603 issue into code by referring to lines 59:61
  5. bandit -t B603 -b banditresult.json -rf json -o bandit_baseline.json horizon/test/firefox_binary.py

Expected behavior
The newly added bandit issue must be caught by the baseline program, must be reported in the "results": [] field, and must make the command fail.

Bandit version

bandit 1.5.1
python version = 2.7.6 (default, Nov 13 2018, 12:45:42) [GCC 4.8.4]


Additional context

I also ran bandit -t B603 -rf json -o banditresult1.json horizon/test/firefox_binary.py after introducing the duplicate issue, did a diff banditresult.json banditresult1.json, and found the issue to have been caught.
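The comparison the reporter expects from the baseline run, as an added example that is not bandit's own code: two bandit JSON reports (constructed samples below, using bandit's report field names) are compared as multisets of findings, so a second B603 in a file that already had one still counts as new. The key deliberately ignores the line number so that edits above a baselined finding do not re-report it; the filename and issue text are made-up sample values.

```python
import json
from collections import Counter

# Constructed sample reports: the baseline run, and the re-run after a
# second subprocess call (B603) was added to the same file. Field names
# follow bandit's JSON output; the values are invented for this example.
BASELINE_JSON = json.dumps({"results": [
    {"test_id": "B603", "filename": "horizon/test/firefox_binary.py",
     "line_number": 60, "issue_severity": "LOW",
     "issue_text": "subprocess call - check for execution of untrusted input."},
]})
NEW_RUN_JSON = json.dumps({"results": [
    {"test_id": "B603", "filename": "horizon/test/firefox_binary.py",
     "line_number": 60, "issue_severity": "LOW",
     "issue_text": "subprocess call - check for execution of untrusted input."},
    {"test_id": "B603", "filename": "horizon/test/firefox_binary.py",
     "line_number": 75, "issue_severity": "LOW",
     "issue_text": "subprocess call - check for execution of untrusted input."},
]})


def issue_key(issue):
    """Identity of a finding: which test fired, in which file, with what text.
    The line number is excluded so that unrelated edits above a known
    finding do not make it look new."""
    return (issue["test_id"], issue["filename"], issue["issue_text"])


def new_issues(baseline_json, new_json):
    """Return the findings in new_json that the baseline does not account for.
    Matching is by multiset: the n-th occurrence of a key in the new run is
    only suppressed if the baseline also contained at least n of them."""
    baseline = Counter(issue_key(i) for i in json.loads(baseline_json)["results"])
    seen = Counter()
    fresh = []
    for issue in json.loads(new_json)["results"]:
        key = issue_key(issue)
        seen[key] += 1
        if seen[key] > baseline[key]:
            fresh.append(issue)
    return fresh


if __name__ == "__main__":
    added = new_issues(BASELINE_JSON, NEW_RUN_JSON)
    for issue in added:
        print(f'{issue["filename"]}:{issue["line_number"]} {issue["test_id"]} {issue["issue_text"]}')
    # Non-zero exit when anything new was found, so a CI job fails as expected.
    raise SystemExit(1 if added else 0)
```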
