Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Corrected documentation on configuration #868

Merged
merged 4 commits into from
Apr 24, 2022
Merged

Corrected documentation on configuration #868

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e4de402
.bandit is INI file
a-takahashi223 Mar 31, 2022
a7bd46a
Describe how to make Bandit read an INI file
a-takahashi223 Apr 1, 2022
c4b2d52
Remove descriptions about "profile"
a-takahashi223 Apr 1, 2022
2d6cd55
Revert "Remove descriptions about "profile""
a-takahashi223 Apr 23, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
18 changes: 11 additions & 7 deletions doc/source/config.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ Configuration
Bandit Settings
---------------

Projects may include a YAML file named `.bandit` that specifies command line
Projects may include an INI file named `.bandit` that specifies command line
arguments that should be supplied for that project. The currently supported
arguments are:

Expand All @@ -14,21 +14,25 @@ arguments are:
- skips: comma separated list of tests to skip
- tests: comma separated list of tests to run

To use this, put a YAML file named `.bandit` in your project's directory.
To use this, put an INI file named `.bandit` in your project's directory.
Command line arguments must be in `[bandit]` section.
For example:

::

[bandit]
exclude: /test

::

tests:
- B101
- B102
- B301
[bandit]
tests = B101,B102,B301


Note that Bandit will look for `.bandit` file only if it is invoked with `-r` option.
If you do not use `-r` or the INI file's name is not `.bandit`, you can specify
the file's path explicitly with `--ini` option.

Exclusions
----------
In the event that a line of code triggers a Bandit issue, but that the line
Expand Down Expand Up @@ -74,7 +78,7 @@ look like the following:

.. code-block:: yaml

### profile may optionally select or skip tests
### configuration may optionally select or skip tests

# (optional) list included tests here:
tests: ['B201', 'B301']
Expand Down
5 changes: 0 additions & 5 deletions doc/source/start.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,11 +40,6 @@ context and only reporting on the high-severity issues::

bandit examples/*.py -n 3 -lll

Bandit can be run with profiles. To run Bandit against the examples directory
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bandit does still have an option to specify profiles to load via the -p or --profile argument.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I cloned PyCQA/bandit:main, ran python setup.py install and pip -r requirements.txt, then ran bandit examples/*.py -p ShellInjection. The output is below:

[main]  ERROR   Unable to find profile (ShellInjection) in config file: None

This result suggests that profile is not built-in, but something we define ourselves. So how do we define it?
Where is it written in the documentation?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, creating profiles is still possible via the bandit.yaml file. They are not built-in. And you can create a config yaml file bandit-config-generator

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you. I ran bandit-config-generator -o bandit.yaml then bandit examples/*.py -p ShellInjection -c bandit.yaml. The output is:

[main]  ERROR   Unable to find profile (ShellInjection) in config file: bandit.yaml

Again, how can I define profile in a configuration file?

After some trial and error, a configuration file as below finally worked.

profiles:
  ShellInjection:
    # ...

But I got the message below.

[config]        WARNING Config file 'bandit.yaml' contains deprecated legacy config data. Please consider upgrading to the new config format. The tool 'bandit-config-generator' can help you with this. Support for legacy configs will be removed in a future bandit version.

This is probably the best evidence that profile is deprecated and should not be used.
Therefore, all descriptions about profile should be removed from the documentation.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even if it's "deprecated" (which it isn't) it shouldn't be removed in this pull request

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. Reverted in 2d6cd55

using only the plugins listed in the ``ShellInjection`` profile::

bandit examples/*.py -p ShellInjection

Bandit also supports passing lines of code to scan using standard input. To
run Bandit with standard input::

Expand Down