JSON report ignores #nosec and severity

Bug #1432012 reported by David Wyde
Affects: Bandit
Status: Fix Released
Importance: High
Assigned to: Dave Belcher
Milestone:

Bug Description

Bandit's JSON report doesn't exclude lines marked #nosec. The JSON report also doesn't respect the `-l` CLI flag, which only shows higher-severity issues in the text report. The command `bandit -f json -lll examples/skip.py` demonstrates both issues.

As an aside, perhaps #nosec lines shouldn't be scored at all. Right now it's up to the individual reports to filter out these lines. That's the reason `tests/test_functional:FunctionalTests.test_skip` is skipped right now: #nosec lines receive a score.

Changed in bandit:
importance: Undecided → High
assignee: nobody → Travis McPeak (travis-mcpeak)
Changed in bandit:
assignee: Travis McPeak (travis-mcpeak) → Dave Belcher (ukbelch)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to bandit (master)

Fix proposed to branch: master
Review: https://review.openstack.org/164808

Changed in bandit:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to bandit (master)

Reviewed: https://review.openstack.org/164808
Committed: https://git.openstack.org/cgit/stackforge/bandit/commit/?id=359124bd30b1c45744a46bec8faec94ebcedb3e7
Submitter: Jenkins
Branch: master

commit 359124bd30b1c45744a46bec8faec94ebcedb3e7
Author: Dave Belcher <email address hidden>
Date: Mon Mar 16 18:07:16 2015 +0000

    Fixed nosec flagging

    nosec flags are now detected at the end of any line (even within multi-line
    statements), and that line only is skipped (no tests are run).
    The nosec flag is detected in a comment at the end of a line, and the check
    is case-insensitive and ignores whitespace.
    As this fix is in the testing logic, rather than the reporting logic, nosec
    will be honoured for all reporting mediums.

    Change-Id: I95940ea06827a567eb2acae7071914f6f535fe10
    Closes-Bug: #1432012

Changed in bandit:
status: In Progress → Fix Committed
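The two behaviours this report and the commit above describe, nosec skipping done once in the check logic rather than in each report format, and a severity threshold (`-l`, `-ll`, `-lll`) that text and JSON output share, as an added Python example that is not Bandit's own code. The marker rule (a comment token beginning with `nosec`, case-insensitive, whitespace after the `#` ignored), the function names and the sample source and findings are assumptions constructed for the example.

```python
import io
import json
import re
import tokenize

# Assumed reading of the commit message's rules: a comment token that starts
# with "nosec", case-insensitive, with any whitespace after '#' ignored.
NOSEC_RE = re.compile(r"^#\s*nosec\b", re.IGNORECASE)
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}  # -l, -ll, -lll thresholds

def nosec_lines(source):
    """Line numbers whose end-of-line comment is a nosec marker.

    Tokenizing instead of searching raw text means '#nosec' inside a string
    literal is ignored, and markers on inner lines of multi-line statements
    are still found.
    """
    return {tok.start[0]
            for tok in tokenize.generate_tokens(io.StringIO(source).readline)
            if tok.type == tokenize.COMMENT and NOSEC_RE.match(tok.string)}

def filter_issues(issues, skipped, min_rank):
    """Apply nosec skipping and the severity threshold once, before any formatter."""
    return [i for i in issues
            if i["line"] not in skipped and SEVERITY_RANK[i["severity"]] >= min_rank]

def render(issues, source, min_rank, fmt):
    """Text and JSON reports share one filtered list, so they cannot disagree."""
    kept = filter_issues(issues, nosec_lines(source), min_rank)
    if fmt == "json":
        return json.dumps(kept)
    return "\n".join(f"{i['severity']:6} line {i['line']}: {i['test']}" for i in kept)

# Constructed sample input (not taken from the bug report).
SAMPLE = '''import subprocess
subprocess.call("ls", shell=True)  # NoSec
x = eval(user_input)
y = dict(
    a=pickle.loads(blob),  #nosec
)
s = "#nosec inside a string is not a marker"
'''
ISSUES = [  # constructed findings, as a scanner might produce for SAMPLE
    {"line": 2, "test": "shell_true", "severity": "HIGH"},
    {"line": 3, "test": "eval_use", "severity": "HIGH"},
    {"line": 5, "test": "pickle_load", "severity": "MEDIUM"},
    {"line": 7, "test": "odd_string", "severity": "LOW"},
]

if __name__ == "__main__":
    print(render(ISSUES, SAMPLE, 3, "text"))  # only line 3 survives -lll
    print(render(ISSUES, SAMPLE, 3, "json"))
```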
David Wyde (david-wyde) wrote :

This is really two bugs in one. The #nosec issue looks to be fixed now, which is awesome. The JSON report doesn't respect severity levels yet.

Travis McPeak (travis-mcpeak) wrote :

David - good point about severity level in JSON reporting... that should be a fairly trivial fix at this point. I can probably pick that up tomorrow.

Changed in bandit:
status: Fix Committed → In Progress
Changed in bandit:
status: In Progress → Fix Released