Bandit help is incorrect and needs adjustment

Bug #1475510 reported by Rajyalakshmi Marathu
Affects: Bandit | Status: Fix Released | Importance: Low | Assigned to: Dave Walker | Milestone: none

Bug Description

Bandit help shows that the default location of the bandit file is /etc/bandit/bandit.yaml or ./bandit.yaml if not given explicitly. But it does not seem to pick it up from the path mentioned in the help.

Here is the help for bandit
----------------------------------------------------------------

[root@ip9-114-226-27 rmarathu]# bandit -h
usage: bandit [-h] [-r] [-a {file,vuln}] [-n CONTEXT_LINES] [-c CONFIG_FILE]
              [-p PROFILE] [-l] [-f {csv,json,txt,xml}] [-o OUTPUT_FILE] [-v]
              [-d]
              targets [targets ...]

Bandit - a Python source code analyzer.

positional arguments:
  targets               source file(s) or directory(s) to be tested

optional arguments:
  -h, --help            show this help message and exit
  -r, --recursive       process files in subdirectories
  -a {file,vuln}, --aggregate {file,vuln}
                        group results by vulnerability type or file it occurs
                        in
  -n CONTEXT_LINES, --number CONTEXT_LINES
                        max number of code lines to display for each issue
                        identified
  -c CONFIG_FILE, --configfile CONFIG_FILE
                        test config file, defaults to /etc/bandit/bandit.yaml,
                        or ./bandit.yaml if not given
  -p PROFILE, --profile PROFILE
                        test set profile in config to use (defaults to all
                        tests)
  -l, --level           results level filter
  -f {csv,json,txt,xml}, --format {csv,json,txt,xml}
                        specify output format
  -o OUTPUT_FILE, --output OUTPUT_FILE
                        write report to filename
  -v, --verbose         show extra information like excluded and included
                        files
  -d, --debug           turn on debug mode
-------------------------------------------------------------------------------------------
And here is the actual output

bandit -r /usr/lib/python2.7/site-packages/keystone -ll
no config found, tried ...
        bandit.yaml
        /root/.config/bandit/bandit.yaml
        /usr/lib/python2.7/site-packages/bandit/config/bandit.yaml

The above shows it looks in a different directory.
The help needs adjustment here.

Dave Walker (davewalker)
Changed in bandit:
assignee: nobody → Dave Walker (davewalker)
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to bandit (master)

Fix proposed to branch: master
Review: https://review.openstack.org/203451

Changed in bandit:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to bandit (master)

Reviewed: https://review.openstack.org/203451
Committed: https://git.openstack.org/cgit/openstack/bandit/commit/?id=80c7798e5140203ae8d48d11a3de660db1de8f80
Submitter: Jenkins
Branch: master

commit 80c7798e5140203ae8d48d11a3de660db1de8f80
Author: Dave Walker (Daviey) <email address hidden>
Date: Sun Jul 19 21:41:50 2015 +0100

    Actually default to /etc/ rather than just claim

    Previously, we were claiming to default to
    /etc/bandit/bandit.yaml for config location, but we were
    neither installing a config there, nor trying to use it at
    run time.

    This makes use of appdirs for locations to use platform
    declared config locations. This also tries to install
    the bandit.yaml in /etc/bandit.yaml. (Or on a local
    pip install: /usr/local/etc/bandit/bandit.yaml)

    The searched paths are also added to the README to help
    avoid ambiguity.

    Change-Id: I29a9ff738ebb402a069b9750d26e4c94f85e861a
    Closes-Bug: #1475510
    Signed-off-by: Dave Walker (Daviey) <email address hidden>

Changed in bandit:
status: In Progress → Fix Committed
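The commit above replaces a claimed-but-unused /etc default with a real search over platform config directories. As an added example (not bandit's own code; the function names, the exact search order and the XDG handling are assumptions modelled on the paths shown in this report), the following Python sketches the pattern a maintainer wants here: one list of candidate paths drives both the file lookup and the --configfile help string, so the two cannot drift apart the way they did in this bug.

```python
import os

# Constructed example, not bandit's code: the search order and the path
# names below are assumptions modelled on the paths quoted in this report.
CONFIG_NAME = "bandit.yaml"


def config_search_paths(cwd, home, system_etc="/etc", package_dir=None,
                        xdg_config_home=None):
    """Return the ordered list of candidate config-file locations.

    Order: current directory, per-user config dir (XDG_CONFIG_HOME or
    ~/.config), the system-wide /etc location, then the package's bundled
    default (only when package_dir is given).
    """
    user_dir = xdg_config_home or os.path.join(home, ".config")
    paths = [
        os.path.join(cwd, CONFIG_NAME),
        os.path.join(user_dir, "bandit", CONFIG_NAME),
        os.path.join(system_etc, "bandit", CONFIG_NAME),
    ]
    if package_dir is not None:
        paths.append(os.path.join(package_dir, "config", CONFIG_NAME))
    return paths


def find_config(paths, exists=os.path.isfile):
    """Return the first candidate that exists, or None.

    The `exists` predicate is injectable so the lookup order can be
    exercised without touching the real filesystem.
    """
    for path in paths:
        if exists(path):
            return path
    return None


def configfile_help(paths):
    """Build the --configfile help string from the real search list, so the
    help text can never disagree with what the tool actually tries."""
    return ("test config file; if not given, the first existing file among: "
            + ", ".join(paths))


def not_found_message(paths):
    """Mirror the 'no config found, tried ...' diagnostic seen in the report,
    listing every path that was actually checked."""
    return "no config found, tried ...\n" + "\n".join("\t" + p for p in paths)


if __name__ == "__main__":
    candidates = config_search_paths(
        os.getcwd(), os.path.expanduser("~"),
        xdg_config_home=os.environ.get("XDG_CONFIG_HOME"))
    print(configfile_help(candidates))
    chosen = find_config(candidates)
    print(chosen if chosen else not_found_message(candidates))
```

Because `configfile_help` and `find_config` consume the same list, adding or reordering a location changes the help output automatically; the diagnostic printed on failure is generated from that list too, so a user always sees exactly the paths that were tried.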
Eric Brown (ericwb) wrote :

Fix released in 0.13.0

Changed in bandit:
importance: Undecided → Low
status: Fix Committed → Fix Released