candidate issues feature doesn't work
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Bandit | New | Undecided | Unassigned |
Bug Description
Hi!
Code comments in bandit describe a "candidate issues" feature, where if a baseline
is used and a new issue is detected that matches another issue already in the baseline,
both issues will be displayed in the report:
```
For example, let's say we find a new command injection issue in a file
which used to have two. Bandit can't tell which of the command injection
issues in the file are new, so it will show all three. The user should
be able to pick out the new one.
```
However, it looks like this feature never actually worked; what actually happens
is that any issue that evaluates equal to an issue already in the baseline will always
be ignored. (This if statement will never be true: https:/
That function was later "simplified" to code that has the same problem: https:/
From the code comments it sounds like the function was intended to do this:
```
import copy


def _compare_baseline_results(baseline, results):
    unmatched_issues = []
    # work on a copy so matching does not consume the caller's baseline
    baseline_copy = copy.deepcopy(baseline)
    for new_issue in results:
        try:
            # each baseline issue can absorb one matching new issue
            baseline_copy.remove(new_issue)
        except ValueError:
            # no baseline match left, so every new issue equal to this one
            # is a candidate (bandit cannot tell which of them is new)
            unmatched_issues.extend(
                [i for i in results if i == new_issue and i not in unmatched_issues])
    return unmatched_issues
```
This makes bandit behave in the way described in the code comments: if the baseline contains
one issue, but a bandit run detects two issues, both issues will be displayed (as "candidate
issues"). The current behavior is that neither issue would be displayed (the run would be clean),
which sounds like a bug, unless this was the intent and the code comments are wrong.
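To show the two behaviours side by side, here is an added example (not bandit's code and not the reporter's) using a constructed Issue class whose equality, like bandit's, ignores the line number; filter_current mirrors the current one-line filter and candidate_issues the behaviour the docstring describes:

```python
import copy


class Issue:
    """Constructed stand-in for bandit's Issue: equality ignores the line
    number, so two hits of the same test in the same file compare equal."""

    def __init__(self, test_id, fname, lineno, severity="HIGH",
                 confidence="HIGH", text="subprocess call with shell=True"):
        self.test_id, self.fname, self.lineno = test_id, fname, lineno
        self.severity, self.confidence, self.text = severity, confidence, text

    def __eq__(self, other):
        return all(getattr(self, f) == getattr(other, f)
                   for f in ("test_id", "fname", "severity", "confidence", "text"))

    def __repr__(self):
        return f"{self.test_id}:{self.fname}:{self.lineno}"


def filter_current(baseline, results):
    # What bandit does today: any result equal to a baseline issue is dropped
    return [r for r in results if r not in baseline]


def candidate_issues(baseline, results):
    # Intended behaviour: consume one baseline entry per matching result;
    # once the matches run out, bandit cannot tell which equal hit is new,
    # so every equal hit is reported as a candidate
    unmatched, remaining = [], copy.deepcopy(baseline)
    for issue in results:
        try:
            remaining.remove(issue)
        except ValueError:
            # list comprehension, not a generator: membership is checked
            # against unmatched before anything is appended
            unmatched.extend([i for i in results
                              if i == issue and i not in unmatched])
    return unmatched


# Constructed scenario: the baseline recorded one B602 in app.py; the new
# run finds that one plus a second B602 added later in the same file
BASELINE = [Issue("B602", "app.py", 10)]
RESULTS = [Issue("B602", "app.py", 10), Issue("B602", "app.py", 25)]

if __name__ == "__main__":
    print("current  :", filter_current(BASELINE, RESULTS))    # []
    print("candidate:", candidate_issues(BASELINE, RESULTS))  # both hits
```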