Bandit 1.6.0 no longer respects excluded directories


Describe the bug

Prior to the bandit 1.6.0 release, I was using bandit like so:

bandit -r . -x ./mymodule1/tests/,./mymodule2/tests/

However, with bandit 1.6.0 the ./mymodule1/tests/ and ./mymodule2/tests/ directories are included in the results. I have confirmed that you can exclude individual files still, just not directories.

To Reproduce

Steps to reproduce the behavior:

  1. Create a directory with a vulnerability in it somewhere
  2. Run bandit -r . -x ./your-new-dir/
  3. See vulnerability results that should be excluded

Expected behavior

Bandit should be excluding the directories entirely that are passed as args to the -x flag.

Bandit version

bandit 1.6.0
  python version = 3.6.5 (default, Jun 17 2018, 12:13:06) [GCC 4.2.1 Compatible Apple LLVM 9.1.0 (clang-902.0.39.2)]

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions:32
  • Comments:25 (4 by maintainers)

Top GitHub Comments

19 reactions
bsolomon1124 commented, Apr 1, 2020

This issue still exists nearly one year later on Bandit 1.6.2. Unclear why it is closed.

While it makes very little sense, -x or --exclude seems to require a ./-prefaced relative path.

E.g. if you have a venv in your current directory:

python -m bandit --exclude ./venv --recursive --output bandit.json --format json .

will work as intended whereas

python -m bandit --exclude venv --recursive --output bandit.json --format json .
python -m bandit --exclude "${PWD}/venv" --recursive --output bandit.json --format json .

Will attempt to scan all of venv/.

The current arg is:

    import argparse

    # constants.EXCLUDE holds bandit's default exclusion list
    from bandit.core import constants

    # bandit builds its parser with more options; a bare one is enough to show the argument
    parser = argparse.ArgumentParser()
    parser.add_argument(
        '-x', '--exclude', dest='excluded_paths', action='store',
        default=','.join(constants.EXCLUDE),
        help='comma-separated list of paths (glob patterns '
             'supported) to exclude from scan '
             '(note that these are in addition to the excluded '
             'paths provided in the config file) (default: ' +
             ','.join(constants.EXCLUDE) + ')'
    )

Which gets passed to discover_files():

https://github.com/PyCQA/bandit/blob/c6b1302e7b1ab1ad78799264d8ca7222f2c3d428/bandit/cli/main.py#L457

Independent of this issue, it might be sensible to add venv to constants.EXCLUDE.
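The behaviour reported in the issue (a directory passed as `./mymodule1/tests/` still being scanned) and in the comment above (`venv` and `"${PWD}/venv"` not excluded while `./venv` is) both come down to how the candidate file path and the `-x` pattern are compared. The following stand-alone matcher is an added example written for this page, not bandit's own code: it contrasts a raw string/glob comparison with one that normalizes both sides against the scan root, so every spelling of the same directory excludes the same files. The sample file list, the `naive_is_excluded`, `is_excluded` and `filter_files` names, and the `ABS_VENV` constant are all constructed here.

```python
"""Exclusion matching that tolerates the spellings users actually pass to -x.

Added example, not bandit's code: a stand-alone matcher showing why a raw
string/glob comparison misses "-x ./mymodule1/tests/" and how normalizing
both the pattern and the candidate path against the scan root fixes it for
"venv", "./venv", "venv/" and "$PWD/venv" alike.
"""
import fnmatch
import os

GLOB_CHARS = "*?["


def _normalize(path, root):
    """Return `path` relative to `root`, '/'-separated, without a trailing slash.

    Absolute paths are accepted as-is; relative ones are resolved against
    `root`, so "venv", "./venv", "venv/" and "<abs>/venv" all become "venv".
    """
    abs_root = os.path.abspath(root)
    abs_path = os.path.abspath(os.path.join(abs_root, path))
    return os.path.relpath(abs_path, abs_root).replace(os.sep, "/")


def naive_is_excluded(path, patterns, root="."):
    """The fragile check: compare the raw strings/globs exactly as given."""
    return any(path == p or fnmatch.fnmatch(path, p) for p in patterns)


def is_excluded(path, patterns, root="."):
    """True if `path` is one of `patterns`, lies under one, or matches a glob.

    Patterns are directory or file paths (relative or absolute, with or
    without a trailing slash), bare names matched against every path
    component, or glob patterns (matched against the basename and the
    root-relative path).
    """
    target = _normalize(path, root)
    parts = target.split("/")
    for raw in patterns:
        pat = raw.strip()
        if not pat:
            continue
        if any(c in pat for c in GLOB_CHARS):
            if fnmatch.fnmatch(parts[-1], pat) or fnmatch.fnmatch(target, pat):
                return True
            continue
        excl = _normalize(pat, root)
        if excl == ".":
            return True  # excluding the scan root excludes everything
        # Bare name ("__pycache__", "venv"): any component with that name.
        if "/" not in pat.rstrip("/") and excl in parts:
            return True
        # Path: the excluded entry itself or anything beneath it, checked on a
        # separator boundary so "mymodule1/test" does not eat "mymodule1/tests".
        if target == excl or target.startswith(excl + "/"):
            return True
    return False


def filter_files(files, patterns, root=".", matcher=is_excluded):
    """Return the files a scanner would keep after applying `patterns`."""
    return [f for f in files if not matcher(f, patterns, root)]


# Constructed sample of what a recursive walk of "." might yield.
SAMPLE_FILES = [
    "./mymodule1/app.py",
    "./mymodule1/tests/test_app.py",
    "./mymodule2/tests/test_util.py",
    "./venv/lib/python3.6/site-packages/requests/api.py",
    "./build/lib/mymodule1/app.py",
]
EXCLUDES = ["./mymodule1/tests/", "./mymodule2/tests/", "venv"]
ABS_VENV = os.path.abspath("venv")  # the "${PWD}/venv" spelling from the comment

if __name__ == "__main__":
    print("naive :", filter_files(SAMPLE_FILES, EXCLUDES, matcher=naive_is_excluded))
    print("robust:", filter_files(SAMPLE_FILES, EXCLUDES))
```

Run as a script, the naive matcher keeps all five sample files (none of the patterns equals a file path or is a glob that matches one), while the normalizing matcher drops both `tests` directories and everything under `venv`. The useful check for a scanner is therefore "is this file inside an excluded directory", not "does this file's path string equal the pattern".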

8 reactions
bsolomon1124 commented, Jun 9, 2021

@ericwb please reopen based on ample evidence above.
