Ignore virtualenv and __pycache__ directories #543
Comments
Glyphack
pushed a commit
to Glyphack/bandit
that referenced
this issue
Feb 27, 2020
Resolves PyCQA#548 Add code of conduct. Add links to contributing.md file. Fix typo. Fix docs for B610,B611,B703 (PyCQA#555) * Fix docs for B610,B611,B703 * Address flake8 notice by adding blank line * Fix long lines Use SPDX license identifier instead of bulky headers (PyCQA#530) * Use SPDX license identifier instead of bulky headers There exists a nice, consistent way to denote licenses in source files. It's called SPDX and further information is here [1]. This commit migrates the bulky apache-2 license headers with the SPDX short identifier equivalent. [1] https://spdx.org/ids-how Signed-off-by: Eric Brown <browne@vmware.com> * Update test-requirements.txt Add a section explaining "nosec" (PyCQA#554) * Add a section explaining "nosec" References PyCQA#553 * Remove duplicated "in your code" replace 'then' with 'than' Signed-off-by: Pablo Woolvett <pablo.wooveltt@iconstruye.onmicrosoft.com> Add sha1 to the list of insecure hashes The hashlib.new test plugin was only checking for MD4 and MD5. This patch extends the list of insecure hashes to include SHA1, which has known exploits. Fixes PyCQA#560 Signed-off-by: Eric Brown <browne@vmware.com> Use GitHub Actions to run CI (PyCQA#565) * Use GitHub Actions to run CI This change utilizes GitHub Actions to run the CI for our unit tests instead of the current Travis-CI. * Delete .travis.yml Ignore common directories by default This fix follows the example of flake8 in that it sets a default list of common directories and filename patterns to exclude. Fixes PyCQA#543 Signed-off-by: Eric Brown <browne@vmware.com> Add push and pull request to GH Action trigger It appears that Actions are not triggered for all pull requests. I suspect the Actions need to register for event push and pull_request in order to run CI on commits. Signed-off-by: Eric Brown <browne@vmware.com> Fix grammar issues and typos. Fix more grammar issues Added @lukehinds text about commit messages and squash commits from https://gist.githubusercontent.com/lukehinds/3337941149fc25ed91567037a0ebf026/raw/c1db6186c7e14ff316db2fe61fa046ab07251275/gistfile1.txt Remove extra parentheses
Glyphack
pushed a commit
to Glyphack/bandit
that referenced
this issue
Feb 27, 2020
Resolves PyCQA#548 Add code of conduct. Add links to contributing.md file. Fix typo. Fix docs for B610,B611,B703 (PyCQA#555) * Fix docs for B610,B611,B703 * Address flake8 notice by adding blank line * Fix long lines Use SPDX license identifier instead of bulky headers (PyCQA#530) * Use SPDX license identifier instead of bulky headers There exists a nice, consistent way to denote licenses in source files. It's called SPDX and further information is here [1]. This commit migrates the bulky apache-2 license headers with the SPDX short identifier equivalent. [1] https://spdx.org/ids-how Signed-off-by: Eric Brown <browne@vmware.com> * Update test-requirements.txt Add a section explaining "nosec" (PyCQA#554) * Add a section explaining "nosec" References PyCQA#553 * Remove duplicated "in your code" replace 'then' with 'than' Signed-off-by: Pablo Woolvett <pablo.wooveltt@iconstruye.onmicrosoft.com> Add sha1 to the list of insecure hashes The hashlib.new test plugin was only checking for MD4 and MD5. This patch extends the list of insecure hashes to include SHA1, which has known exploits. Fixes PyCQA#560 Signed-off-by: Eric Brown <browne@vmware.com> Use GitHub Actions to run CI (PyCQA#565) * Use GitHub Actions to run CI This change utilizes GitHub Actions to run the CI for our unit tests instead of the current Travis-CI. * Delete .travis.yml Ignore common directories by default This fix follows the example of flake8 in that it sets a default list of common directories and filename patterns to exclude. Fixes PyCQA#543 Signed-off-by: Eric Brown <browne@vmware.com> Add push and pull request to GH Action trigger It appears that Actions are not triggered for all pull requests. I suspect the Actions need to register for event push and pull_request in order to run CI on commits. Signed-off-by: Eric Brown <browne@vmware.com> Fix grammar issues and typos. Fix more grammar issues Added @lukehinds text about commit messages and squash commits from https://gist.githubusercontent.com/lukehinds/3337941149fc25ed91567037a0ebf026/raw/c1db6186c7e14ff316db2fe61fa046ab07251275/gistfile1.txt Remove extra parentheses
mikespallino
pushed a commit
to mikespallino/bandit
that referenced
this issue
Aug 25, 2021
This fix follows the example of flake8 in that it sets a default list of common directories and filename patterns to exclude. Fixes PyCQA#543 Signed-off-by: Eric Brown <browne@vmware.com>
mikespallino
pushed a commit
to mikespallino/bandit
that referenced
this issue
Aug 25, 2021
Resolves PyCQA#548 Add code of conduct. Add links to contributing.md file. Fix typo. Fix docs for B610,B611,B703 (PyCQA#555) * Fix docs for B610,B611,B703 * Address flake8 notice by adding blank line * Fix long lines Use SPDX license identifier instead of bulky headers (PyCQA#530) * Use SPDX license identifier instead of bulky headers There exists a nice, consistent way to denote licenses in source files. It's called SPDX and further information is here [1]. This commit migrates the bulky apache-2 license headers with the SPDX short identifier equivalent. [1] https://spdx.org/ids-how Signed-off-by: Eric Brown <browne@vmware.com> * Update test-requirements.txt Add a section explaining "nosec" (PyCQA#554) * Add a section explaining "nosec" References PyCQA#553 * Remove duplicated "in your code" replace 'then' with 'than' Signed-off-by: Pablo Woolvett <pablo.wooveltt@iconstruye.onmicrosoft.com> Add sha1 to the list of insecure hashes The hashlib.new test plugin was only checking for MD4 and MD5. This patch extends the list of insecure hashes to include SHA1, which has known exploits. Fixes PyCQA#560 Signed-off-by: Eric Brown <browne@vmware.com> Use GitHub Actions to run CI (PyCQA#565) * Use GitHub Actions to run CI This change utilizes GitHub Actions to run the CI for our unit tests instead of the current Travis-CI. * Delete .travis.yml Ignore common directories by default This fix follows the example of flake8 in that it sets a default list of common directories and filename patterns to exclude. Fixes PyCQA#543 Signed-off-by: Eric Brown <browne@vmware.com> Add push and pull request to GH Action trigger It appears that Actions are not triggered for all pull requests. I suspect the Actions need to register for event push and pull_request in order to run CI on commits. Signed-off-by: Eric Brown <browne@vmware.com> Fix grammar issues and typos. Fix more grammar issues Added @lukehinds text about commit messages and squash commits from https://gist.githubusercontent.com/lukehinds/3337941149fc25ed91567037a0ebf026/raw/c1db6186c7e14ff316db2fe61fa046ab07251275/gistfile1.txt Remove extra parentheses
mikespallino
pushed a commit
to mikespallino/bandit
that referenced
this issue
Jan 7, 2022
This fix follows the example of flake8 in that it sets a default list of common directories and filename patterns to exclude. Fixes PyCQA#543 Signed-off-by: Eric Brown <browne@vmware.com>
mikespallino
pushed a commit
to mikespallino/bandit
that referenced
this issue
Jan 7, 2022
Resolves PyCQA#548 Add code of conduct. Add links to contributing.md file. Fix typo. Fix docs for B610,B611,B703 (PyCQA#555) * Fix docs for B610,B611,B703 * Address flake8 notice by adding blank line * Fix long lines Use SPDX license identifier instead of bulky headers (PyCQA#530) * Use SPDX license identifier instead of bulky headers There exists a nice, consistent way to denote licenses in source files. It's called SPDX and further information is here [1]. This commit migrates the bulky apache-2 license headers with the SPDX short identifier equivalent. [1] https://spdx.org/ids-how Signed-off-by: Eric Brown <browne@vmware.com> * Update test-requirements.txt Add a section explaining "nosec" (PyCQA#554) * Add a section explaining "nosec" References PyCQA#553 * Remove duplicated "in your code" replace 'then' with 'than' Signed-off-by: Pablo Woolvett <pablo.wooveltt@iconstruye.onmicrosoft.com> Add sha1 to the list of insecure hashes The hashlib.new test plugin was only checking for MD4 and MD5. This patch extends the list of insecure hashes to include SHA1, which has known exploits. Fixes PyCQA#560 Signed-off-by: Eric Brown <browne@vmware.com> Use GitHub Actions to run CI (PyCQA#565) * Use GitHub Actions to run CI This change utilizes GitHub Actions to run the CI for our unit tests instead of the current Travis-CI. * Delete .travis.yml Ignore common directories by default This fix follows the example of flake8 in that it sets a default list of common directories and filename patterns to exclude. Fixes PyCQA#543 Signed-off-by: Eric Brown <browne@vmware.com> Add push and pull request to GH Action trigger It appears that Actions are not triggered for all pull requests. I suspect the Actions need to register for event push and pull_request in order to run CI on commits. Signed-off-by: Eric Brown <browne@vmware.com> Fix grammar issues and typos. Fix more grammar issues Added @lukehinds text about commit messages and squash commits from https://gist.githubusercontent.com/lukehinds/3337941149fc25ed91567037a0ebf026/raw/c1db6186c7e14ff316db2fe61fa046ab07251275/gistfile1.txt Remove extra parentheses
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
N/A
Describe the solution you'd like
When a project that has made use of virtualenv or tox, there is usually a directory named
.venv,.toxor the like. As a result when bandit scans this project, it automatically scans all of the virtualenv site-packages. This can be many many python files that don't need to be scanned.Similarly,
__pycache__directories are created by the compiler. Bandit can also safely ignore those.Bandit should really attempt to ignore all hidden directories by default. I suggest a config option of
include_hiddenthat defaults toFalse.Describe alternatives you've considered
The alternative is to default this new config setting to
True.Another alternative is to provide the option in the command line if useful. How often do people desire to scan the dependencies of a project in the virtualenv directory?
Additional context
N/A
The text was updated successfully, but these errors were encountered: