-
-
Notifications
You must be signed in to change notification settings - Fork 610
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
# nosec with bandit ID doesn't work properly sometimes #1092
Comments
* Used nosec for false various positives * Switched to usage of defusedxml * Fixed the empty try-except-pass to have code in the except block. Fixes PyCQA#1092 Signed-off-by: Eric Brown <[email protected]>
* Used nosec for false various positives. 1. xml.etree is used only for XML generation not parsing 2. "0.0.0.0" is used in the plugin itself 3. Various strings of temp directories are used in the plugin itself. 4. The subprocess call does use user input, but only from the command line itself that is running baseline. Although maybe this could be argued as an issue though. * Fixed the empty try-except-pass to have code in the except block. Fixes PyCQA#1092 Signed-off-by: Eric Brown <[email protected]>
ok to close now @ericwb ? |
No, it's still an issue. The example I gave, still shows the warning in the logs. |
I have the same issue. My code looks approximately like this:
Regardless of which of these lines I put the # nosec on (any of lines 205-210), or how many of them I have (used to have one each on lines 206-208), I get the following warnings:
Also note the double entry for line 209, which in fact doesn't even have the issue. If I remove the # nosec, then Bandit fails with B108. |
In the example I gave, it actually is functioning as you'd expect. The line: return {"tmp_dirs": ["/tmp", "/var/tmp", "/dev/shm"]} # nosec: B108 The plugin A more ideal solution would be do nosec processing by line, not by test result encounter since you can have multiple strings per line obviously. |
Describe the bug
Using nosec with a bandit ID like
# nosec: B108
doesn't appear to always work. See reproduction steps.Reproduction steps
# nosec: B108
Expected behavior
The nosec should not trigger a warning that the issue wasn't found.
Bandit version
1.7.6 (Default)
Python version
3.12 (Default)
Additional context
I suspect the issue is the algorithm in how tester.py:run_tests() is determining whether a test is skipped or not. If it finds no issue for any test ID, it then falls over to the warning message. But this doesn't always happen depending on the order of tests it iterates over and the ID to be skipped.
The text was updated successfully, but these errors were encountered: