
Add skip configuration to assert_used #633

Merged
merged 3 commits into PyCQA:master from assert-used-skip-functionality on Nov 30, 2020

Conversation

@wilbertom (Contributor) commented Aug 12, 2020

Adding this configuration allows the user to skip the assert_used check
against some files. This is useful because asserts are very common
in test files when using pytest.

Specifying this configuration:

```yaml
assert_used:
  skips: ['test.py$', '^test']
```

would skip all asserts against a test file.

Resolves #346

Thank you for the awesome project and your time!

@wilbertom (Contributor, Author)

Fixing the failed checks now.

@wilbertom (Contributor, Author)

@azrdev sorry for the late reply. I completely missed this notification.

I would like to edit this PR to use fnmatch instead of regular expressions. They're much more intuitive for this:

```yaml
assert_used:
  skips: ['*_test.py', 'test_*.py']
```

I was not aware of this module when I wrote this PR.

@wilbertom wilbertom force-pushed the assert-used-skip-functionality branch from 887a76b to 1bdd08e on November 24, 2020 06:49

@wilbertom (Contributor, Author)

OK, the checks are passing.

As I said, I would prefer using fnmatch before this gets merged because it would be a breaking change.

Is there a way to run the unit/functional tests locally? I'm trying with pytest but a lot seem to be failing. Do we have docs on doing that?

I would like to implement the same thing for random tests. While I agree that it's good to warn about it not being cryptographically secure, in tests randomly choosing data can be useful. I know this would be best served as a separate PR, but I'd like to be able to run the unit tests before then.

@lukehinds (Member)

@wilbertom see CI for how to run tests (we use tox):

```yaml
- name: Install dependencies
  run: |
    python -m pip install --upgrade pip
    pip install -r requirements.txt
    pip install -r test-requirements.txt
    pip install tox
- name: Run tox
  run: tox -e py38
```

@wilbertom (Contributor, Author)

@lukehinds perfect. Thank you.

Adding this configuration allows the user to skip the assert_used
against some files. This is useful because asserts are very common
in test files when using pytest.

Specifying this configuration:

```
assert_used:
  skips: ['*_test.py', 'test_*.py']
```

would skip all asserts against a test file.

Resolves PyCQA#346
@wilbertom wilbertom force-pushed the assert-used-skip-functionality branch from b9efd37 to d76f506 on November 25, 2020 00:26

@wilbertom (Contributor, Author)

This is ready for a review to be merged. I replaced re with fnmatch and added documentation.

@lukehinds lukehinds self-requested a review November 30, 2020 10:48
@lukehinds lukehinds merged commit 24db07e into PyCQA:master Nov 30, 2020
@ericwb ericwb added this to the Release 1.6.3 milestone Dec 6, 2020
@copdips commented Mar 8, 2021

@wilbertom
Thanks for this PR, could you please provide a full config example?
I tried .bandit and .bandit.yml; neither of them works. I think my config file is not good, and searching the online docs, I cannot find a full example.

```yaml
assert_used:
   skips: ['*_test.py', 'test_*.py']
```

@copdips commented Mar 9, 2021

I found the solution: the skips are applied to the file path, not the file name.

@arthurio commented May 26, 2021

@copdips Could you elaborate? I can't get it to work either.

OK, I figured it out... You need both an ini file for the targets and a yaml file for the configuration...

```ini
# .bandit
[bandit]
targets: src,tests
```

```yaml
# bandit.yaml
assert_used:
   skips: ['tests/**']
```

Then:

```text
$ bandit --ini .bandit -c bandit.yaml -r
[main]	INFO	Using command line arg for excluded paths
[main]	INFO	Using ini file for selected targets
[main]	INFO	Using command line arg for recursive scan
[main]	INFO	Using command line arg for aggregate output type
[main]	INFO	Using command line arg for max code lines output for issue
[main]	INFO	Using command line arg for severity level
[main]	INFO	Using command line arg for confidence level
[main]	INFO	Using command line arg for output format
[main]	INFO	Using command line arg for output file
[main]	INFO	profile include tests: None
[main]	INFO	profile exclude tests: None
[main]	INFO	cli include tests: None
[main]	INFO	cli exclude tests: None
[main]	INFO	using config: bandit.yaml
[main]	INFO	running on Python 3.9.1
Run started:2021-05-26 06:12:07.353758

Test results:
	No issues identified.

Code scanned:
	Total lines of code: 70
	Total lines skipped (#nosec): 8

Run metrics:
	Total issues (by severity):
		Undefined: 0.0
		Low: 0.0
		Medium: 0.0
		High: 0.0
	Total issues (by confidence):
		Undefined: 0.0
		Low: 0.0
		Medium: 0.0
		High: 0.0
Files skipped (0):
```
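As an added illustration of the point in the two comments above (this is example code, not bandit's own implementation), the skip patterns are fnmatch-ed against the path string the scanner is handed, not the bare file name, so a name-style pattern such as `test_*.py` silently misses `tests/test_foo.py` while `*_test.py` and `tests/**` match it. The helper names and sample paths below are constructed for the demonstration.

```python
import fnmatch
import os

# Constructed skip lists mirroring the two configurations in this thread
# (added illustration, not bandit's own code).
SKIPS_BY_NAME = ["*_test.py", "test_*.py"]   # PR description
SKIPS_BY_PATH = ["tests/**"]                 # bandit.yaml from the comment above


def assert_check_skipped(path, skips):
    """Return True if the assert_used (B101) check would be skipped for
    this file: any skip pattern fnmatch-es the path string the scanner was
    handed. It is the path, not the bare file name, that is compared."""
    return any(fnmatch.fnmatch(path, pattern) for pattern in skips)


def explain(path, skips):
    """Per-pattern results against the full path and against the bare
    file name, to show why a name-style pattern can silently miss: '*'
    in fnmatch spans '/', but the pattern is anchored at the start."""
    name = os.path.basename(path)
    return {
        pattern: {
            "path": fnmatch.fnmatch(path, pattern),
            "basename": fnmatch.fnmatch(name, pattern),
        }
        for pattern in skips
    }


if __name__ == "__main__":
    for path in ("tests/test_foo.py", "tests/foo_test.py", "src/app.py"):
        print(path, explain(path, SKIPS_BY_NAME + SKIPS_BY_PATH))
```

Run `explain()` on the paths bandit reports in its output when a skip list appears to do nothing; a `path: False, basename: True` entry is the symptom described in the comments.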

mikespallino pushed a commit to mikespallino/bandit that referenced this pull request Aug 25, 2021
* Add skip configuration to assert_used

Adding this configuration allows the user to skip the assert_used
against some files. This is useful because asserts are very common
in test files when using pytest.

Specifying this configuration:

```
assert_used:
  skips: ['*_test.py', 'test_*.py']
```

would skip all asserts against a test file.

Resolves PyCQA#346

* Document assert test skipping

Co-authored-by: Luke Hinds <7058938+lukehinds@users.noreply.github.com>
mikespallino pushed a commit to mikespallino/bandit that referenced this pull request Jan 7, 2022
@sshishov

How to put everything inside on pyproject.toml file? We are not using ini or yaml configurations, therefore for us the fix is not working.

Successfully merging this pull request may close these issues.

One-liner in bandit config to skip B101 assert_used in files matching a filter
7 participants