Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Bandit linter incorrectly highlights the first column in a line

See original GitHub issue

Environment data

VS Code version: 1.45.0
Extension version: 2020.5.80290 (and master)
OS and version: macOS 10.15
Type of virtual environment used (N/A | venv | virtualenv | conda | …): venv
Relevant/affected Python packages and their versions: bandit 1.6.3

Reproduce

Enable the bandit linter in the user settings
Install the latest version of bandit
Create a script where the offending code is nested by whitespace (i.e. within a function or block), e.g.,

import subprocess

def main(opt):
    subprocess.call(opt), shell=True)

Expected behavior

Linter to highlight the entire line or highlight the correct column

Actual behavior

Linter highlights the whitespace on the 0th column in the whitespace instead of in the right position

This is because bandit.ts hardcodes the column position to 0: https://github.com/microsoft/vscode-python/blob/master/src/client/linters/bandit.ts#L27

Bandit doesn’t currently support reporting on column offset (see Fixes).

Logs

##########Linting Output - bandit##########
1,0,LOW,B404:Consider possible security implications associated with subprocess module.
12,0,HIGH,B602:subprocess call with shell=True identified, security issue.
13,0,HIGH,B602:subprocess call with shell=True identified, security issue.

Fix

Option 1: Report the column offset from bandit

I’ve raised a PR with bandit to expose the col_offset of the AST node in the custom format reporter, https://github.com/PyCQA/bandit/pull/618

Once this PR is merged, update the bandit custom format string to include the column offset. I’ve tried this in a branch of this plugin and it works nicely:

However, it would assume that the user has the latest version of bandit installed

Option 2: Change the Linter API to highlight the entire line

Currently, the linter service doesn’t distinguish between the reported column being 0 or the column being unknown.

LinterMessage just has a non-nullable field for column which defaults to 0. If any of the linters can’t work out the column, then you get this issue by highlighting the wrong part of the line.

Alternatively, the LinterMessage interface could be extended to set column as nullable and then underline the whole line if the column is null, or have an extra field like isWholeLine.

P.S. I’m happy to submit a PR for either fix if you share the preferred approach

Issue Analytics

State:
Created 3 years ago
Reactions:1
Comments:6 (4 by maintainers)

Top GitHub Comments

1reaction

tonybaloneycommented, Dec 18, 2020

Has a PR attached now

0reactions

luabudcommented, Jan 22, 2021

Closing as fixed!

Top Results From Across the Web

Bandit Documentation - Read the Docs

Bandit allows specifying the path of a baseline report to compare against using the base line argument (i.e. -b.

Welcome to Bandit — Bandit documentation

Bandit is a tool designed to find common security issues in Python code. To do this, Bandit processes each file, builds an AST...

Advanced Visual Studio Code for Python Developers

In this first section, you'll explore how to tailor VS Code to support how ... For example, Bandit is a linter for security...

Static Application Security Testing (SAST) - GitLab Docs

If you're using GitLab CI/CD, you can use Static Application Security Testing (SAST) to check your source code for known vulnerabilities.

cDb - River Thames Conditions - Environment Agency - GOV.UK

#Wh/l meaning, Top gun large coed, Nueva reforma fiscal 2013, Maximum films mp3 songs, Saturn beinasco orari apertura, One column into two excel, ......