Do the right thing for multiple bandit files in separate subdirectories
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Bandit | Incomplete | Wishlist | Unassigned | |
Bug Description
Don't raise an error when running bandit on a parent directory whose child directories each contain a bandit configuration. Instead, do what most other linters do (e.g. JSHint): Limit the scope of configuration files to the hosting directory and its children, but not to parent directories.
Example scenario: alarms/.bandit and sudoku/.bandit configure slightly different skip-rule exclusion lists for the alarms/ and sudoku/ directories, respectively.

    src/
        hello.py
        alarms/
            alarm.py
            .bandit
        sudoku/
            sudoku.py
            .bandit
When running bandit from src/, it gives a cruddy error message:
    src$ bandit -r .
    [main] ERROR Multiple .bandit files found - scan separately or choose one with --ini
    ./alarms/.bandit, ./sudoku/.bandit
Please don't do that. Do the right thing, as most other linters do.
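An added example (not Bandit's own code) of the scoping rule the report asks for: resolve the nearest `.bandit` by walking up from each scanned file, but never above the directory the scan was started in, so sibling configs never collide and a parent's config never leaks into a child scan. It assumes the INI `[bandit]` / `skips` layout for the file and builds the reporter's src/ tree in a temp dir with constructed skip lists.

```python
import configparser
import os
import tempfile
from typing import List, Optional

CONFIG_NAME = ".bandit"

def find_scoped_config(target: str, scan_root: str) -> Optional[str]:
    """Nearest CONFIG_NAME at or above target, never above scan_root; None if absent."""
    root, cur = os.path.abspath(scan_root), os.path.abspath(target)
    if not os.path.isdir(cur):
        cur = os.path.dirname(cur)
    if os.path.commonpath([root, cur]) != root:  # refuse paths outside the scan root
        raise ValueError(f"{target} is outside scan root {scan_root}")
    while True:
        candidate = os.path.join(cur, CONFIG_NAME)
        if os.path.isfile(candidate):
            return candidate
        if cur == root:  # stop at the root: parent directories' configs are out of scope
            return None
        cur = os.path.dirname(cur)

def skips_for(target: str, scan_root: str) -> List[str]:
    """Skips from the governing config; assumes INI '[bandit]' with 'skips = B101,B311'."""
    path = find_scoped_config(target, scan_root)
    if path is None:
        return []
    cfg = configparser.ConfigParser()
    cfg.read(path)
    raw = cfg.get("bandit", "skips", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]

def build_sample_tree() -> str:
    """Reporter's src/ layout in a temp dir with constructed skip lists; returns src/."""
    src = os.path.join(tempfile.mkdtemp(), "src")
    layout = {
        "hello.py": "print('hi')\n",
        "alarms/alarm.py": "import subprocess\n",
        "alarms/.bandit": "[bandit]\nskips = B404\n",
        "sudoku/sudoku.py": "import random\n",
        "sudoku/.bandit": "[bandit]\nskips = B311\n",
        "../.bandit": "[bandit]\nskips = B101\n",  # parent config: must not apply to src/
    }
    for rel, body in layout.items():
        full = os.path.join(src, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return src
```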
Changed in bandit: importance: Undecided → Wishlist; description: updated
Thanks for the report Andrew. I think the older comment from https://bugs.launchpad.net/bandit/+bug/1570440 still applies:
"""
The reason we chose not to use setup.cfg is because nested '.bandit' or 'setup.cfg' files mess us up. We didn't want to get into complicated hierarchy rules, and sometimes projects have other projects in subdirectories. We thought having this file called '.bandit' implies more intent to use this just for Bandit and so we can safely ignore other files like 'setup.cfg'.
"""
Do you have some specific situation that is hard to handle with multiple runs / with `-x excluded_directory`? Or did you mainly want to get merged results from multiple trees at once?
Trying to find out what was the motivation for this report. We could do it if there's some good reason / hard to work around case.