Exclude paths in config file ignored if passing specific files to Bandit CLI

[dolan-a]

UPDATE: please see my below comment for an updated description of the problem.

Describe the bug
When using the pre-commit hook, my excluded paths listed in .bandit are still processed by bandit.

To Reproduce
Steps to reproduce the behavior:

1. Create a .bandit config file with exclusions. For example:

   [bandit]
   exclude: ./node_modules/*,./tests/*

2. Run bandit via command line (bandit -r .), verify exclusions ignored.
3. Run bandit on all files via pre-commit hook: pre-commit run --all-files bandit
4. See that excluded files are processed by bandit

Expected behavior
I expect the excluded paths to be ignored.

Bandit version

bandit 1.6.0
  python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)]

[retpolanne]

@pydolan I think it is a duplicate of #488

You can find a workaround at #488 (comment) or by pinning bandit to 1.5.1

[dolan-a]

@vinicyusmacedo -- My issue is actually unrelated to #488 and exists in 1.5.1 as well.

After further investigation, what's actually happening is that the excluded paths in the config file are being ignored when passing specific files to bandit -- even though excluding from the CLI works:

In v1.5.1:

$ bandit --version
bandit 1.5.1
  python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)]

$ cat .bandit
[bandit]
exclude: node_modules

$ bandit ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 46
...

$ bandit -x node_modules ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 0
...

In v1.6.0:

$ bandit --version
bandit 1.6.0
  python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)]

$ cat .bandit
[bandit]
exclude: ./node_modules/*

$ bandit ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 46
...

$ bandit -x "./node_modules/*" ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py
...
Total lines of code: 0
...

I believe the two excluding methods should have consistent behavior, which is to not process the file in either case. This is especially important if one wants to exclude paths with the pre-commit hook.

Thanks!

[retpolanne]

I noticed this as well on my environment. By using the config file, exclusion is not working even if it is already as the workaround.

…

On Tue, May 28, 2019, 17:29 Dolan Antenucci ***@***.***> wrote: @vinicyusmacedo <https://github.com/vinicyusmacedo> -- My issue is actually unrelated to #488 <#488> and exists in 1.5.1 as well. After further investigation, what's actually happening is that the excluded paths in the config file are being ignored when passing specific files to bandit -- even though excluding from the CLI works: *In v1.5.1:* $ bandit --version bandit 1.5.1 python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)] $ cat .bandit [bandit] exclude: node_modules $ bandit ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py ... Total lines of code: 46 ... $ bandit -x node_modules ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py ... Total lines of code: 0 ... *In v1.6.0:* $ bandit --version bandit 1.6.0 python version = 3.7.3 (default, May 27 2019, 05:16:50) [Clang 10.0.0 (clang-1000.10.44.4)] $ cat .bandit [bandit] exclude: ./node_modules/* $ bandit ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py ... Total lines of code: 46 ... $ bandit -x "./node_modules/*" ./node_modules/node-gyp/gyp/pylib/gyp/xml_fix.py ... Total lines of code: 0 ... I believe the two excluding methods should have consistent behavior, which is to not process the file in either case. This is especially important if one wants to exclude paths with the pre-commit hook. Thanks! — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#499?email_source=notifications&email_token=ABZTCFNY4WJDMOVIL4BBZCTPXWI3BA5CNFSM4HQGDTP2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODWNLBBY#issuecomment-496676999>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABZTCFINZOQUS2RGXRVETOLPXWI3BANCNFSM4HQGDTPQ> .

[andrew222651]

In this scenario the .bandit file is completely ignored. Bandit only looks for config files where the target is, or recursively in subdirectories.

The relevant code is in bandit.cli.main._get_options_from_ini.

[andrew222651]

Actually, if the target is a file, Bandit doesn't look for a .bandit file anywhere; see #332.

[jugmac00]

Is there a current workaround? bandit is unusable at the moment as all test files are marked as false positives because of the usage of assert.

[Cielquan]

I do not use a config file but have also regarding problems with pre-commit.

When I run bandit -x "./.tox/*,./.eggs/*,./tests/*" -r . it works just fine.

When I run bandit with pre-commit I get an "error" in the output:
--exclude ./.tox/*,./.eggs/*,./tests/* (No such file or directory)

pre-commit-config.yaml:

  - repo: https://github.com/PyCQA/bandit
    rev: 1.6.2
    hooks:
      - id: bandit
        args: ["--exclude ./.tox/*,./.eggs/*,./tests/*"]

I also tried args: ["--exclude .tox,.eggs,tests"] without success.

And when I run bandit -x .tox,.eggs,tests -r . it is not working because the ignores get ignored and bandit checks everything. I get the same result when I run bandit -r .. Here the .tox directory gets also checked though it should not because of the default ignores.

[adamwojt]

ini file for dir exclusion doesn't work with -roption. It's super confusing.

My .bandit

[bandit]
exclude: test_*.py,./venv/,./env/,./node_modules/,./cacheback/,./.env,./.venv,migrations,tests
skips: B101,B311

Running with bandit -r .

[main]	INFO	Found project level .bandit file: ./.bandit
[main]	INFO	Using command line arg for excluded paths
[main]	INFO	Using ini file for skipped tests

Tests dirs and files are not ignored but everything works fine with bandit -x "test_*.py,./venv/,./env/,./node_modules/,./cacheback/,./.env,./.venv,migrations,tests" -r .

I am confused.

[exhuma]

I just ran into the same issue. Which makes this pretty bad for me right now is that bandit is executed via a CI-pipeline defined by a centrally configured GitLab instance. This always runs bandit using bandit -r <package_name> and I don't have direct control over this in the project.

In my project I have some files that I want to exclude and wrote them into .bandit

Yet, the pipeline still fails because of this issue.

So now I'm forced to write # nosec comments into all files in a given subfolder even though that particular subfolder only contains utilities which never receive end-user input and could be ignored alltogether.

[ceteri]

@Cielquan, you probably need to use the following instead:

args: ["--exclude", ".tox,.eggs,tests"]

I also tried args: ["--exclude .tox,.eggs,tests"] without success.

[Cielquan]

@Cielquan, you probably need to use the following instead:

args: ["--exclude", ".tox,.eggs,tests"]

I also tried args: ["--exclude .tox,.eggs,tests"] without success.

Yeah, I think that could be the case.
In the meantime I change from directly running bandit to running it via flake8-bandit and running flake8 via flakehell which enables you to customize the behavior auf every single flake8 extension for each and very file for example.