
Wanted alive - Bandit config #14150

Closed
slmg opened this issue Sep 29, 2020 · 5 comments
bug Issue identified by VS Code Team member as probable bug

Comments

slmg commented Sep 29, 2020

Environment data

  • VS Code version: 1.49.1
  • Extension version (available under the Extensions sidebar): 2020.9.111407
  • OS and version: Debian Buster
  • Python version (& distribution if applicable, e.g. Anaconda): 3.8.5
  • Type of virtual environment used (N/A | venv | virtualenv | conda | ...): N/A
  • Relevant/affected Python packages and their versions: bandit 1.6.2
  • Relevant/affected Python-related VS Code extensions and their versions: N/A
  • Value of the python.languageServer setting: N/A


Expected behaviour

Configure bandit to lint main project's files but ignore tests from a directory structured as such:

> tree
.
|-- .bandit
|-- project
|   |-- project.py
`-- tests
    |-- __init__.py
    `-- test_project.py

I would expect vscode to detect a .bandit file exists and automatically use it, as it is done for other linters (pylint, mypy, isort, etc...).

Actual behaviour

.bandit config does not seem to be detected and parsed by this extension, even when explicitly passed via vscode's settings.

This leads bandit to lint all files including the undesired tests folder (very noisy as it's full of assert statements).

Steps to reproduce:


  1. Create the following .bandit config at the root of the project:

    [bandit]
    exclude = tests/
    targets = project/
  2. To test bandit works, simply add assert True in both project.py and test_project.py. Then run:

    bandit -r --ini .bandit
  3. Observe the config is ignored and warnings keep being reported for both project.py and test_project.py.

  4. Explicitly tell vscode to run bandit with its config:

    {
        "python.linting.enabled": true,
        "python.linting.lintOnSave": true,
        "python.linting.banditEnabled": true,
        "python.linting.banditArgs": [
            "-r",
            "--ini",
            ".bandit"
        ]
    }
  5. See this does not change anything and test_project.py keeps being linted.

Logs

Output for Python in the Output panel (View > Output, change the drop-down in the upper-right of the Output panel to Python)

> /usr/local/bin/python ~/.vscode-server/extensions/ms-python.python-2020.9.111407/pythonFiles/pyvsc-run-isolated.py bandit -r --ini .bandit -f custom --msg-template {line},0,{severity},{test_id}:{msg} -n -1 ~/project/project/test_project.py
cwd: ~/project
...
##########Linting Output - bandit##########
23,0,LOW,B101:Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.

@slmg slmg added triage-needed Needs assignment to the proper sub-team bug Issue identified by VS Code Team member as probable bug labels Sep 29, 2020
karthiknadig (Member) commented:

Try with this:

{
    "python.linting.enabled": true,
    "python.linting.lintOnSave": true,
    "python.linting.banditEnabled": true,
    "python.linting.banditArgs": [
        "-r",
        "--ini",
        "${workspaceFolder}/.bandit"
    ]
}

@karthiknadig karthiknadig self-assigned this Sep 29, 2020
@ghost ghost removed the triage-needed Needs assignment to the proper sub-team label Sep 29, 2020

slmg commented Sep 29, 2020

Same outcome, tests get linted. The final argument seems to take precedence over the config.

> /usr/local/bin/python ~/.vscode-server/extensions/ms-python.python-2020.9.111407/pythonFiles/pyvsc-run-isolated.py bandit -r --ini ~/project/.bandit -f custom --msg-template {line},0,{severity},{test_id}:{msg} -n -1 ~/project/tests/test_project.py

If the path to the .bandit config was broken, bandit would complain btw:

> bandit -r --ini wrong/path/to/.bandit
[utils] WARNING Unable to parse config file wrong/path/to/.bandit or missing [bandit] section
[main]  ERROR   No targets found in CLI or ini files, exiting.

karthiknadig (Member) commented:

@slmg Can you try running bandit using python -m bandit from your terminal and see if that picks up the .bandit? We don't do anything specific to other linters allowing them to pick this up. I am suspecting that bandit, when run using the executable, picks this up but not when run as a module.


slmg commented Sep 30, 2020

No, bandit sadly does not pick up the .bandit present at the project root by default; I could see this was reported in PyCQA/bandit#606. It does not lint any file by default either.

> python -m bandit
[main]  ERROR   No targets found in CLI or ini files, exiting.

Until bandit adds this, there does not seem to be a better way to pass it a config.

> python -m bandit -r --ini .bandit
[main]  INFO    Using ini file for excluded paths
[main]  INFO    Using ini file for selected targets
...

karthiknadig (Member) commented:

Closing this since this is an upstream issue.

One thing you could try is setting the Bandit path ("python.linting.banditPath": "<path to bandit executable>"), along with the args, and see if that helps:

{
    "python.linting.banditArgs": [
        "-r",
        "--ini",
        "${workspaceFolder}/.bandit"
    ],
    "python.linting.enabled": true,
    "python.linting.lintOnSave": true,
    "python.linting.banditEnabled": true,
    "python.linting.banditPath": "<full path to bandit executable>"
}

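The thread establishes that the extension lints one file at a time by appending that file's path to the bandit command line, and that an explicit target takes precedence over the `targets` and `exclude` entries in the `.bandit` ini, so excluded test files are still scanned. The following is an added example, not code from the issue, from bandit or from the VS Code Python extension: a small wrapper that can be pointed to via the `banditPath` setting suggested in the last comment. It reads the `exclude` entries from the `[bandit]` section of the ini (the format shown in the issue), drops any file argument that falls under an excluded path, and only then hands the remaining arguments to bandit. The script name, the decision to invoke bandit as `python -m bandit`, and the sample ini text are assumptions made for this example.

```python
"""Wrapper that honours the `exclude` entries of a .bandit ini before running bandit.

Added example (not part of the issue, bandit, or the VS Code extension).
Assumption: it is installed as the linter executable ("python.linting.banditPath")
and receives the same arguments the extension would pass to bandit, ending with
the file(s) to lint.
"""
import configparser
import os
import subprocess
import sys

# Constructed sample ini, matching the layout used in the issue.
SAMPLE_INI = "[bandit]\nexclude = tests/\ntargets = project/\n"

# Options whose following argument is a value, not a target file
# (the ones the extension is seen passing in the issue's log lines).
OPTIONS_WITH_VALUE = {"--ini", "-f", "--format", "--msg-template", "-n"}


def parse_excludes(ini_text):
    """Return the comma-separated `exclude` entries of the [bandit] section as a list."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    if not parser.has_section("bandit"):
        return []
    raw = parser.get("bandit", "exclude", fallback="")
    return [item.strip() for item in raw.split(",") if item.strip()]


def read_excludes(ini_path):
    """Like parse_excludes, but from a file; a missing or unreadable file means no excludes."""
    try:
        with open(ini_path, encoding="utf-8") as handle:
            return parse_excludes(handle.read())
    except OSError:
        return []


def is_excluded(target, excludes, root):
    """True when `target` is one of the excluded paths or lies inside an excluded directory.

    Relative entries (both the target and the ini's excludes) are resolved against `root`,
    the project directory the ini lives in; absolute paths are left alone by os.path.join.
    """
    target_abs = os.path.abspath(os.path.join(root, target))
    for entry in excludes:
        exclude_abs = os.path.abspath(os.path.join(root, entry))
        if target_abs == exclude_abs or target_abs.startswith(exclude_abs + os.sep):
            return True
    return False


def split_args(argv, excludes, root):
    """Separate bandit options from file targets and drop the excluded targets.

    Returns (options, kept_targets, dropped_targets). Option values are kept with
    their option even when they start with '-' (e.g. `-n -1`).
    """
    options, kept, dropped = [], [], []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("-"):
            options.append(arg)
            if arg in OPTIONS_WITH_VALUE and i + 1 < len(argv):
                options.append(argv[i + 1])
                i += 1
        elif is_excluded(arg, excludes, root):
            dropped.append(arg)
        else:
            kept.append(arg)
        i += 1
    return options, kept, dropped


def main(argv=None):
    """Filter the targets and run bandit as a module on whatever is left."""
    argv = sys.argv[1:] if argv is None else argv
    root = os.getcwd()  # the extension runs bandit with cwd set to the workspace folder
    ini_path = argv[argv.index("--ini") + 1] if "--ini" in argv else ".bandit"
    excludes = read_excludes(os.path.join(root, ini_path))
    options, targets, dropped = split_args(argv, excludes, root)
    if dropped and not targets:
        return 0  # every requested file is excluded: nothing to lint, report nothing
    return subprocess.call([sys.executable, "-m", "bandit", *options, *targets])


if __name__ == "__main__":
    sys.exit(main())
```

Because the wrapper exits 0 without output for an excluded file, the Output panel shows no B101 findings for files under `tests/`, while `project/project.py` is still passed through to bandit with the original `-r --ini` arguments intact. Note that the exclusion is decided by path prefix only, which mirrors how the ini's `exclude` entry is written in the issue; bandit's own glob-style patterns are not interpreted here.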
@ghost ghost removed the triage label Sep 30, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 6, 2021