Bandit linter incorrectly highlights the first column in a line

[tonybaloney]

Environment data

• VS Code version: 1.45.0

• Extension version: 2020.5.80290 (and master)

• OS and version: macOS 10.15

• Type of virtual environment used (N/A | venv | virtualenv | conda | ...): venv

• Relevant/affected Python packages and their versions: bandit 1.6.3

Reproduce

1. Enable the bandit linter in the user settings
2. Install the latest version of bandit
3. Create a script where the offending code is nested by whitespace (i.e. within a function or block), e.g.,

import subprocess

def main(opt):
    subprocess.call(opt), shell=True)

Expected behavior

Linter to highlight the entire line or highlight the correct column

Actual behavior

Linter highlights the whitespace on the 0th column in the whitespace instead of in the right position

This is because bandit.ts hardcodes the column position to 0:
https://github.com/microsoft/vscode-python/blob/master/src/client/linters/bandit.ts#L27

Bandit doesn't currently support reporting on column offset (see Fixes).

Logs

##########Linting Output - bandit##########
1,0,LOW,B404:Consider possible security implications associated with subprocess module.
12,0,HIGH,B602:subprocess call with shell=True identified, security issue.
13,0,HIGH,B602:subprocess call with shell=True identified, security issue.

Fix

Option 1: Report the column offset from bandit

I've raised a PR with bandit to expose the col_offset of the AST node in the custom format reporter, PyCQA/bandit#618

Once this PR is merged, update the bandit custom format string to include the column offset. I've tried this in a branch of this plugin and it works nicely:

However, it would assume that the user has the latest version of bandit installed

Option 2: Change the Linter API to highlight the entire line

Currently, the linter service doesn't distinguish between the reported column being 0 or the column being unknown.

LinterMessage just has a non-nullable field for column which defaults to 0. If any of the linters can't work out the column, then you get this issue by highlighting the wrong part of the line.

Alternatively, the LinterMessage interface could be extended to set column as nullable and then underline the whole line if the column is null, or have an extra field like isWholeLine.

P.S. I'm happy to submit a PR for either fix if you share the preferred approach

[karthiknadig]

What happens when the user has a older version of bandit? If you do Option 2, when people install the latest bandit, it will start behaving similar to how it was for option 1 right? That is if a column is available it will work as expected. But if a column is not available then it will highlight the whole line.

[brettcannon]

Because we have not heard back with the information we requested, we are closing this issue for now. If you are able to provide the info later on then we will be happy to re-open this issue to pick up where we left off.

[tonybaloney]

The PR to the bandit project has just been merged PyCQA/bandit#618

Please can you reopen this issue and I can submit a PR to use the column offset field to highlight the correct token in the editor.

To answer the question - what happens if the user is using an old version of bandit? It will default to the old behaviour

[brettcannon]

@tonybaloney re-opened.

[tonybaloney]

Has a PR attached now

[luabud]

Closing as fixed!