Do the right thing for multiple bandit files in separate subdirectories

Bug #1613418 reported by mcandre
Affects: Bandit
Status: Incomplete
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

Don't raise an error when running bandit on a parent directory whose child directories each contain a bandit configuration. Instead, do what most other linters do (e.g. JSHint): Limit the scope of configuration files to the hosting directory and its children, but not to parent directories.

Example scenario: alarms/.bandit and sudoku/.bandit configure slightly different skips rule exclusion lists for the alarms/ and sudoku/ directories, respectively.

src/
  hello.py

  alarms/
    alarm.py
    .bandit

  sudoku/
    sudoku.py
    .bandit

When running bandit from src/, it gives a cruddy error message:

src$ bandit -r .
[main] ERROR Multiple .bandit files found - scan separately or choose one with --ini
 ./alarms/.bandit, ./sudoku/.bandit

Please don't do that. Do the right thing, as most other linters do.
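The scoping rule the report asks for, nearest configuration file wins and lookup never climbs above the scan root, as an added Python example. This is not Bandit's own code: it only resolves which `.bandit` would govern each file and groups files accordingly, so one could see how `alarms/` and `sudoku/` would each get their own skip list while `hello.py` falls back to defaults. The `.bandit` contents, the extra `sudoku/solver/` directory and all function names are constructed for the demo.

```python
"""Nearest-ancestor lookup for per-directory linter configuration.

Added example, not Bandit's code. Each source file is governed by the
closest CONFIG_NAME file found in its own directory or an ancestor,
searching no higher than the scan root. Files with no config in scope
map to None (tool defaults).
"""
import os
import tempfile
from pathlib import PurePosixPath

CONFIG_NAME = ".bandit"


def nearest_config(file_path, config_dirs):
    """Return the directory (relative to root, "." for the root itself) whose
    config governs file_path, or None if no config is in scope.

    Both arguments are POSIX-style paths relative to the scan root.
    """
    configs = {PurePosixPath(d) for d in config_dirs}
    here = PurePosixPath(file_path).parent
    while True:
        if here in configs:
            return here.as_posix()
        if here == PurePosixPath("."):
            return None  # reached the scan root without a match
        here = here.parent


def group_by_config(files, config_dirs):
    """Map governing config dir (or None) -> sorted list of files it covers."""
    groups = {}
    for f in files:
        groups.setdefault(nearest_config(f, config_dirs), []).append(f)
    return {k: sorted(v) for k, v in groups.items()}


def discover(root):
    """Walk a real tree; return (python files, dirs holding CONFIG_NAME),
    both as sorted lists of root-relative POSIX paths."""
    files, config_dirs = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if CONFIG_NAME in filenames:
            config_dirs.append(rel)
        for name in filenames:
            if name.endswith(".py"):
                files.append(name if rel == "." else f"{rel}/{name}")
    return sorted(files), sorted(config_dirs)


def build_demo_tree():
    """Create the constructed layout from the report, plus one nested
    directory under sudoku/ to show that children inherit, in a temp dir."""
    root = tempfile.mkdtemp(prefix="config-scope-demo-")
    layout = {  # constructed sample contents; they are never parsed here
        "hello.py": "print('hello')\n",
        "alarms/alarm.py": "",
        "alarms/.bandit": "[bandit]\nskips: B101\n",
        "sudoku/sudoku.py": "",
        "sudoku/solver/grid.py": "",
        "sudoku/.bandit": "[bandit]\nskips: B311\n",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    py_files, cfg_dirs = discover(demo_root)
    for cfg, members in sorted(group_by_config(py_files, cfg_dirs).items(),
                               key=lambda kv: kv[0] or ""):
        label = f"{cfg}/{CONFIG_NAME}" if cfg else "defaults (no config in scope)"
        print(f"{label}: {', '.join(members)}")
```

With the tree from the report this yields three scan groups (defaults for `hello.py`, `alarms/.bandit` for `alarms/alarm.py`, `sudoku/.bandit` for everything under `sudoku/`), which is exactly the set of separate runs the current "scan separately or choose one with --ini" error leaves to the user.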

description: updated
Changed in bandit:
importance: Undecided → Wishlist
Stanislaw Pitucha (stanislaw-pitucha) wrote :

Thanks for the report Andrew. I think the older comment from https://bugs.launchpad.net/bandit/+bug/1570440 still applies:

"""
The reason we chose not to use setup.cfg is because nested '.bandit' or 'setup.cfg' files mess us up. We didn't want to get into complicated hierarchy rules, and sometimes projects have other projects in subdirectories. We thought having this file called '.bandit' implies more intent to use this just for Bandit and so we can safely ignore other files like 'setup.cfg'.
"""

Do you have some specific situation that is hard to handle with multiple runs / with `-x excluded_directory`? Or did you mainly want to get merged results from multiple trees at once?

Trying to find out what the motivation for this report was. We could do it if there's some good reason / hard-to-work-around case.

Changed in bandit:
status: New → Incomplete