ini "exclude" config is ignored

[RobGThai]

Describe the bug
exclude configuration inside .bandit ini file is always ignored due to default cli argument.

To Reproduce
Steps to reproduce the behavior:

1. Create . bandit file with the following.

[bandit]
targets: .
exclude: ./tests

2. Run CLI with bandit --ini .bandit -r in a directory with .bandit file.
3. You should now see that Bandit is prefer CLI argument for exclude over ini.

[main]	INFO	Using command line arg for excluded paths
[main]	INFO	Using ini file for selected targets

Expected behavior
Bandit should use .bandit configuration as there's no CLI argument supplied then append default value to it as specified in argparse.

  -x EXCLUDED_PATHS, --exclude EXCLUDED_PATHS
                        comma-separated list of paths (glob patterns supported) to exclude
                        from scan (note that these are in addition to the excluded paths
                        provided in the config file) (default:
                        .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)

Bandit version

bandit 1.7.0
  python version = 3.8.0 (default, Sep  3 2020, 18:08:13) [Clang 11.0.3 (clang-1103.0.32.62)]

Additional context
I believe this happens due to the default value for -x given to argparse. This means the ini configuration is always ignored as the code take default value as supplied CLI.

Workaround
Supplied exclude via CLI when running Bandit regardless of your ini. bandit -x ./tests --ini .bandit -r .

[bsolomon1124]

Yep, _log_option_source() is broken. It will early-return if it gets a "truthy" arg_val. A command line default satisfies that.

bandit/bandit/cli/main.py

Line 83 in 6765a57

def _log_option_source(arg_val, ini_val, option_name):

[bsolomon1124]

Coupled with #595, #657, and #488 (unceremoniously closed for no reason), I'd venture to say 'exclude' is pretty much nonfunctional at this point.

[bsolomon1124]

5ac8b8b is the commit that introduced this. (Looks like Bandit 1.6.3 + 1.7.0.) Though arguably it's _log_option_source() that is the issue; adding CLI defaults just exposed the issue with it.

[RobGThai]

From what I can understand, _log_option_source early return is because it finds the default value supplied via CLI instead of the ini configuration. I'm not sure what should take precedent between CLI and ini. I felt like allowing CLI to override the ini rule. can be useful but I digress. If the CLI should take precedent over CLI then _log_option_source is working as intended. Without early return then we must know which configuration to choose from or merge them together. Merging configuration would allow default value to works accordingly.

I'm willing to work on this but I'm also new to contribution as well so please guide me on what action I should take here.

[benvdh]

@RobGThai in case it helps to get started: Bandit has pretty good contribution guidelines, which might help you to get started:

https://github.com/PyCQA/bandit/blob/master/CONTRIBUTING.md#your-first-code-contribution

I'm not a bandit dev, but I have made some opensource contributions over the years, and CONTRIBUTING.md is usually where I start.

[fjsj]

Any easy workaround instead of passing all excludes as a CLI argument?
This issue broke several of my CIs.

[frenzymadness]

And moreover, it seems that it's not possible to use exclude in pre-commit because there is no straightforward way to set CLI arguments in pre-commit-config.yaml 😞

[stuertz]

As a workaoround I call bandit -x "" So that _log_option_source doesn't get the defaults. Or for .pre-commit-config.yaml:

    - repo: https://github.com/PyCQA/bandit
      rev: 1.7.0
      hooks:
          - id: bandit
            args: ['--ini', '.bandit', '-x', '']

[soltanoff]

@stuertz, thank you! It's work

[lukegil]

This workaround appears to have been broken by #753 . Using 1.7.1, you need to remove the -x "" options

[mpas]

Is there any work around for this issue? I tried using ini, yaml etc.. but the exclude settings (also exclude_dirs in yaml) seems not to work.