
B322 input listed as high severity, high confidence... when running python3 #402

Closed
geokala opened this issue Oct 11, 2018 · 5 comments
Labels
bug Something isn't working

Comments

@geokala

geokala commented Oct 11, 2018

Describe the bug
When running bandit under python 3, B322 'The input method in Python 2...' is listed as a high severity issue with high confidence.

At best, this should be lower confidence, but ideally it shouldn't complain on python 3 as (as it asserts itself) it's safe in python 3.

To Reproduce
Steps to reproduce the behavior:
While running in a python 3 virtualenv:
echo "test = input('Say something')" > test.py
bandit test.py

Expected behavior
No complaint about input is issued because this does not apply in python 3.

Bandit version

bandit 1.5.1
  python version = 3.4.3 (default, Nov 28 2017, 16:41:13) [GCC 4.8.4]

Additional context
N/A

@ericwb
Member

ericwb commented Oct 12, 2018

This has come up before. I think I was the one who talked about it in IRC. So the tricky bit is that Bandit doesn't know what version of Python is being used to run the code it's inspecting. I guess one workaround might be using the classifier defined in setup.py for the project and that may help some scenarios. But when discussed, the opinion was that the warning reported should advise the user that it only applies to code running in a Python 2 environment. So we could improve the documentation also.

@pzelnip

pzelnip commented Nov 2, 2018

So is the workaround to just disable B322 when your project is Python 3?

Could a possible fix be to allow one to specify the version of Python your project targets as a switch to bandit? I.e. bandit -r --python3 /path/to/my/code?
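
A target-version-aware form of the check discussed in the two comments above, as an added example (not Bandit's own code): a small AST scan that reports the builtin input() as high severity only when the assumed target_python is 2, where input() is eval(raw_input()), stays silent when targeting Python 3, and ignores calls where the name input has been rebound (e.g. from six.moves). The target_python parameter stands in for the --python3 switch suggested above and is hypothetical.

```python
import ast
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    lineno: int
    severity: str
    confidence: str
    message: str


def find_builtin_input_calls(source: str, target_python: int) -> List[Finding]:
    """Report calls to the builtin input() in *source* for the given target.

    Python 2: input() == eval(raw_input()), so user input is executed as code.
    Python 3: input() only returns a string, so nothing is reported.
    target_python is a hypothetical stand-in for a --python3 style switch.
    """
    tree = ast.parse(source)
    # Names bound at module level by import or assignment. If "input" is
    # among them, a later input(...) call no longer reaches the builtin.
    rebound = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom):
            rebound.update(alias.asname or alias.name for alias in node.names)
        elif isinstance(node, ast.Assign):
            rebound.update(t.id for t in node.targets if isinstance(t, ast.Name))
    if target_python != 2 or "input" in rebound:
        return []
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "input"):
            findings.append(Finding(
                node.lineno, "HIGH", "HIGH",
                "input() evaluates user input as code on Python 2; "
                "use raw_input() or six.moves.input"))
    return findings


# Constructed samples: the reproducer from the issue and a rebound variant.
SAMPLE = "test = input('Say something')\n"
REBOUND = "from six.moves import input\nname = input('Say something')\n"

if __name__ == "__main__":
    for f in find_builtin_input_calls(SAMPLE, 2):
        print(f"line {f.lineno}: [{f.severity}/{f.confidence}] {f.message}")
```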

@geokala
Author

geokala commented Nov 3, 2018

@ericwb Does @pzelnip's suggestion sound reasonable, or at least to be the basis of something useful (e.g. some sort of mark/tag system similar to pytest, though that may be overkill for this)?

@ericwb ericwb added the bug Something isn't working label May 9, 2019
@ericwb ericwb added this to the Near Future milestone May 9, 2019
@ML-Chen

ML-Chen commented Jan 14, 2021

This was resolved for me when I updated from Bandit 1.6 (from conda-forge) to 1.7 (from Pip). Yeah, this bug is a duplicate of #596, which was resolved by #662 which was merged into 1.7.0.

@ericwb ericwb removed this from the Near Future milestone Mar 29, 2022
@ericwb
Member

ericwb commented Mar 29, 2022

The blacklist check for input() was removed with PR #662

@ericwb ericwb closed this as completed Mar 29, 2022