add test for regression and fix directory exclusion without wildcards #489
Conversation
* Update python-openstackclient from branch 'master' - Blacklist Bandit 1.6.0 due to directory exclusion bug Bandit 1.6.0 introduces a regression[0] with the -x option, a fix is expected to be included in 1.6.1 soon. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 Change-Id: I110829ef960e3ee146f47871ef076491244bf4fa Signed-off-by: Dean Troyer <dtroyer@gmail.com>
I tested locally, and unfortunately this isn't restoring the exclude behavior that was available on 1.5.1.

1.5.1:

1.6.0+PR489:

However, if I prepend
Thanks for the review, when I get the chance I'll add more tests and a fix for this.
* Update neutron from branch 'master' - Blacklist bandit 1.6.0 due to directory exclusion bug Bandit 1.6.0 introduces a regression[0] with the -x option, a fix is expected to be included in 1.6.1 soon. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 Change-Id: Id944054deedd545c34fc28ccf043dd72e5f31220
* Update neutron-lib from branch 'master' - Blacklist bandit 1.6.0 due to directory exclusion bug Bandit 1.6.0 introduces a regression[0] with the -x option, a fix is expected to be included in 1.6.1 soon. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 Change-Id: Id29f06b68a95f53ad62bdc597bbb0f12bc4d6a60
* Update keystone from branch 'master' - Blacklist bandit 1.6.0 There's a regression[0] in bandit 1.6.0 which causes bandit to stop respecting excluded directories, and our tests throw a bunch of violations. Blacklist this version, but allow newer versions as there is already a pull request[1] to fix it, and I expect it will be included in the next release. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 Change-Id: Ie4dbfb3f54e4aac00e0537d5760b7a8fc81b35a2
There's a regression[0] in bandit 1.6.0 which causes bandit to stop respecting excluded directories, and our tests throw a bunch of violations. Blacklist this version, but allow newer versions as there is already a pull request[1] to fix it, and I expect it will be included in the next release. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 Change-Id: Ie4dbfb3f54e4aac00e0537d5760b7a8fc81b35a2 (cherry picked from commit ebac833)
* Update oslo.policy from branch 'master' - Cap Bandit below 1.6.0 and update Sphinx requirement Bandit 1.6.0 accidentally changed how the exclusion list option is handled and breaks our use of it. Cap to the previous version until Bandit has fixed the problem. Sphinx 2.0 no longer works on python 2.7, so we need to start capping it there as well. Change-Id: Idead9b4198c6b05d72bae60dee06e5aebc223822 Reference: PyCQA/bandit#489
* Update oslo.cache from branch 'master' - Cap Bandit below 1.6.0 and update Sphinx requirement Bandit 1.6.0 accidentally changed how the exclusion list option is handled and breaks our use of it. Cap to the previous version until Bandit has fixed the problem. Sphinx 2.0 no longer works on python 2.7, so we need to start capping it there as well. Change-Id: I4ee88377e7123c165434765a73f27cabec8c8177 Reference: PyCQA/bandit#489
@ericwb This PR is ready for a re-review
Sorry, this change still isn't excluding files that Bandit would have excluded in 1.5.1. I ran your patch again and got this result:

```
browne-a02:workspace browne$ bandit/.tox/py36/bin/bandit -r column/ -x tests
[main] INFO profile include tests: None
[main] INFO profile exclude tests: None
[main] INFO cli include tests: None
[main] INFO cli exclude tests: None
[main] INFO running on Python 3.6.7
Run started:2019-05-14 17:59:55.499331

Test results:
No issues identified.

Code scanned:
Total lines of code: 1395
Total lines skipped (#nosec): 0

Run metrics:
Total issues (by severity):
Undefined: 0.0
Low: 0.0
Medium: 0.0
High: 0.0
Total issues (by confidence):
Undefined: 0.0
Low: 0.0
Medium: 0.0
High: 0.0
Files skipped (0):
```

In 1.5.1, the total scanned lines comes out to 1100 instead of 1395.
bandit/core/manager.py
@@ -363,7 +366,8 @@ def _is_file_included(path, included_globs, excluded_path_strings, | |||
# if this is matches a glob of files we look at, and it isn't in an | |||
# excluded path | |||
if _matches_glob_list(path, included_globs) or not enforce_glob: | |||
if not _matches_glob_list(path, excluded_path_strings): | |||
if not _matches_glob_list(path, excluded_path_strings) and \ |
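Review bot: the new condition ends in a `\` continuation and the continuation line is not part of this hunk, so the operand being and-ed with `not _matches_glob_list(path, excluded_path_strings)` cannot be reviewed here; please post the full condition. Separately, wrap the condition in parentheses instead of a backslash continuation, as PEP 8 recommends, e.g. `if (not _matches_glob_list(path, excluded_path_strings)` with the second operand on the next line; a trailing backslash silently stops working if whitespace ends up after it.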
Nit: It's preferable to use ( ) instead of \
Bandit 1.6.0 accidentally changed how the exclusion list option is handled and breaks our use of it. Cap to the previous version until Bandit has fixed the problem. Sphinx 2.0 no longer works on python 2.7, so we need to start capping it there as well. Change-Id: If86c82e0f4a519baca664af79352846c4af9a01c Reference: PyCQA/bandit#489
Bandit 1.6.0 introduces a regression[0] with the -x option, a fix is expected to be included in 1.6.1 soon. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 This also reverts 7a1de10 which changed tox.ini to use the incorrect argument. Change-Id: Ifc2cc9c15ccc93ce947f8bfefce83d58fd06f5a1
* Update magnum from branch 'master' - Blacklist bandit 1.6.0 and cap Sphinx on Python2 There's a regression[0] in bandit 1.6.0 which causes bandit to stop respecting excluded directories, and our tests throw a bunch of violations. Blacklist this version, but allow newer versions as there is already a pull request[1] to fix it, and I expect it will be included in the next release. Also fix the requirements job which was broken by https://review.opendev.org/657890 adding a cap on Sphinx on Python 2. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 Co-Authored-By: Jake Yip <jake.yip@unimelb.edu.au> Task: 33401 Story: 2005740 Change-Id: I34dc36c5236debc42424073af2c2d2104e18179a
Bandit 1.6.0 accidentally changed how the exclusion list option is handled and breaks our use of it. Cap to the previous version until Bandit has fixed the problem. Sphinx 2.0 no longer works on python 2.7, so we need to start capping it there as well. Change-Id: I4ee88377e7123c165434765a73f27cabec8c8177 Reference: PyCQA/bandit#489 (cherry picked from commit 3e06753)
@mattjegan Sorry for my late reply. It does look like you're testing the same way as me. Let me retry again.
bandit/core/manager.py
@@ -363,7 +366,8 @@ def _is_file_included(path, included_globs, excluded_path_strings, | |||
# if this is matches a glob of files we look at, and it isn't in an | |||
# excluded path | |||
if _matches_glob_list(path, included_globs) or not enforce_glob: | |||
if not _matches_glob_list(path, excluded_path_strings): | |||
if (not _matches_glob_list(path, excluded_path_strings) | |||
and not any(x in path for x in excluded_path_strings)): |
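Review bot: `any(x in path for x in excluded_path_strings)` is a plain substring test over the whole path, so `-x tests` also drops files such as `pkg/contests/foo.py` or `pkg/latests.py`, and any short exclusion string matches every path that happens to contain it. That does reinstate the pre-1.6.0 behaviour the issue asks for, but either document that `-x` entries without wildcards match as substrings, or tighten the check to path components (split on `os.sep` and test membership) so a bare directory name only matches a directory of exactly that name. Since the hunk now keeps both the glob check and the substring check, a one-line comment saying the second clause exists for backwards compatibility with non-glob exclusions would help the next reader. On the W503 point above: pycodestyle's W503 and W504 contradict each other and both sit in its default ignore list, so if pep8 is added to tox.ini one of them has to be selected explicitly.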
Can you please move the `and` up on the previous line? This gets flagged as pep8 W503 in my IDE (yeah, we should probably be checking in pep8 in tox.ini)
No worries, fixed in be614aa
I tried this again, in Linux env instead of Mac and it checks out.
* Update python-neutronclient from branch 'master' - Blacklist bandit 1.6.0 due to directory exclusion bug Bandit 1.6.0 introduces a regression[0] with the -x option, a fix is expected to be included in 1.6.1 soon. This commit also aligns Sphinx requirement with the requirements project [2]. This is required to pass requirements-check. The lower bound for sphinx was missing and requirements-check now requires it, so the lower bound sphinx >=1.6.2 was added. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 [2] https://review.opendev.org/#/c/657890/ Change-Id: I937cfa722f5234ca4d5506047001d9cb07728cd8
There's a regression[0] in bandit 1.6.0 which causes bandit to stop respecting excluded directories, and our tests throw a bunch of violations. Blacklist this version, but allow newer versions as there is already a pull request[1] to fix it, and I expect it will be included in the next release. Also fix the requirements job which was broken by https://review.opendev.org/657890 adding a cap on Sphinx on Python 2. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 Change-Id: I34dc36c5236debc42424073af2c2d2104e18179a
Bandit 1.6.0 accidentally changed how the exclusion list option is handled and breaks our use of it. Cap to the previous version until Bandit has fixed the problem. Sphinx 2.0 no longer works on python 2.7, so we need to start capping it there as well. Change-Id: I4ee88377e7123c165434765a73f27cabec8c8177 Reference: PyCQA/bandit#489 (cherry picked from commit 03f1840)
There's a regression[0] in bandit 1.6.0 which causes bandit to stop respecting excluded directories, and our tests throw a bunch of violations. Blacklist this version, but allow newer versions as there is already a pull request[1] to fix it, and I expect it will be included in the next release. Also fix the requirements job which was broken by https://review.opendev.org/657890 adding a cap on Sphinx on Python 2. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 Change-Id: Ieabcd4e8c5e5354125a63e89b9b60931c760858a (cherry picked from commit 011fa22)
There's a regression[0] in bandit 1.6.0 which causes bandit to stop respecting excluded directories, and our tests throw a bunch of violations. Blacklist this version, but allow newer versions as there is already a pull request[1] to fix it, and I expect it will be included in the next release. Also fix the requirements job which was broken by https://review.opendev.org/657890 adding a cap on Sphinx on Python 2. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 Co-Authored-By: Jake Yip <jake.yip@unimelb.edu.au> Task: 33401 Story: 2005740 Change-Id: I34dc36c5236debc42424073af2c2d2104e18179a (cherry picked from commit 913636b)
There's a regression[0] in bandit 1.6.0 which causes bandit to stop respecting excluded directories, and our tests throw a bunch of violations. Blacklist this version, but allow newer versions as there is already a pull request[1] to fix it, and I expect it will be included in the next release. Ignore the bandit check B413, which was added in bandit 1.5.0 and prevents importing PyCrypto. PyCrypto wasn't removed from Heat until Queens. Also fix the requirements job which was broken by https://review.opendev.org/657890 adding a cap on Sphinx on Python 2. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 Change-Id: Ieabcd4e8c5e5354125a63e89b9b60931c760858a Co-Authored-By: Zane Bitter <zbitter@redhat.com> Depends-On: https://review.opendev.org/662335 (cherry picked from commit 011fa22)
* Update kolla from branch 'master' - Merge "Blacklist bandit 1.6.0" - Blacklist bandit 1.6.0 There's a regression[0] in bandit 1.6.0 which causes bandit to stop respecting excluded directories, and our tests throw a bunch of violations. Blacklist this version, but allow newer versions as there is already a pull request[1] to fix it, and I expect it will be included in the next release. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 Change-Id: I4429614a57fb512fe2bfdf0686c3eff0adc2a2f4
An ever-increasing number of projects are needing to add and backport 1.6.0 exclusions until this fix appears in a new release. Any chance of tagging something along the lines of a 1.6.1 hotfix release in the near future?
There's a regression[0] in bandit 1.6.0 which causes bandit to stop respecting excluded directories, and our tests throw a bunch of violations. Blacklist this version, but allow newer versions as there is already a pull request[1] to fix it, and I expect it will be included in the next release. Also fix the requirements job which was broken by https://review.opendev.org/657890 adding a cap on Sphinx on Python 2. [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 Co-Authored-By: Jake Yip <jake.yip@unimelb.edu.au> Task: 33401 Story: 2005740 Change-Id: I34dc36c5236debc42424073af2c2d2104e18179a (cherry picked from commit 913636b) (cherry picked from commit eec7184)
* Update networking-odl from branch 'master' - Blacklist bandit, bump neutron-lib and retire neutron-lbaas Bandit 1.6.0 introduces a regression[0] with the -x option, a fix is expected to be included in 1.6.1 soon. (Original commit is based on Id944054deedd545c34fc28ccf043dd72e5f31220) neutron-lbaas is retired [2], so networking-odl dependencies must be removed. Trunk constants were moved to neutron-lib from neutron with [3] from 1.25.0, and were removed from neutron with [4], thus lower-constraints must point to at least 1.25.0. To pass the gate fix sphinx requirements for python>3.4 (Original Change-Id: I6e709385fefe12123ecab150237956297cc7e09f) [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 [2] http://lists.openstack.org/pipermail/openstack-discuss/2019-May/006158.html [3] https://review.opendev.org/636989 [4] https://review.opendev.org/649672 Change-Id: I698caa93a188f7be206c18d79152dd81eb4029d3
Bandit 1.6.0 accidentally changed how the exclusion list option is handled and breaks our use of it. Cap to the previous version until Bandit has fixed the problem. Sphinx 2.0 no longer works on python 2.7, so we need to start capping it there as well. Change-Id: Ib7f8df3fc5b83520b179d0a260c54e015c042b17 Reference: PyCQA/bandit#489 (cherry picked from commit 016904f) (cherry picked from commit 85df332)
Bandit 1.6.0 accidentally changed how the exclusion list option is handled and breaks our use of it. Cap to the previous version until Bandit has fixed the problem. Sphinx 2.0 no longer works on python 2.7, so we need to start capping it there as well. Change-Id: Ib7f8df3fc5b83520b179d0a260c54e015c042b17 Reference: PyCQA/bandit#489 (cherry picked from commit 016904f)
Bandit 1.6.0 accidentally changed how the exclusion list option is handled and breaks our use of it. Cap to the previous version until Bandit has fixed the problem. Sphinx 2.0 no longer works on python 2.7, so we need to start capping it there as well. Change-Id: Idead9b4198c6b05d72bae60dee06e5aebc223822 Reference: PyCQA/bandit#489 (cherry picked from commit 1d7ca8a)
Bandit 1.6.0 accidentally changed how the exclusion list option is handled and breaks our use of it. Cap to the previous version until Bandit has fixed the problem. Sphinx 2.0 no longer works on python 2.7, so we need to start capping it there as well. Conflicts: doc/requirements.txt test-requirements.txt Change-Id: I4ee88377e7123c165434765a73f27cabec8c8177 Reference: PyCQA/bandit#489 (cherry picked from commit 03f1840) (cherry picked from commit 7704635)
Bandit 1.6.0 accidentally changed how the exclusion list option is handled and breaks our use of it. Cap to the previous version until Bandit has fixed the problem. Sphinx 2.0 no longer works on python 2.7, so we need to start capping it there as well. Change-Id: Idead9b4198c6b05d72bae60dee06e5aebc223822 Reference: PyCQA/bandit#489 (cherry picked from commit 1d7ca8a) (cherry picked from commit 3a22403)
Bandit 1.6.0 accidentally changed how the exclusion list option is handled and breaks our use of it. Cap to the previous version until Bandit has fixed the problem. Sphinx 2.0 no longer works on python 2.7, so we need to start capping it there as well. Note(elod.illes): lower constraint of 'requests' needed to be upgraded to make lower-constraints job pass, which involves a lower version of idna as it is upper constrained in that version of requests. Change-Id: I659571d084247a6a180d5b665921791d3647038f Reference: PyCQA/bandit#489 (cherry picked from commit 3e5a18c)
Bandit 1.6.0 introduces a regression[0] with the -x option, a fix is expected to be included in 1.6.1 soon. (Original commit is based on Id944054deedd545c34fc28ccf043dd72e5f31220) neutron-lbaas is retired [2], so networking-odl dependencies must be removed. Trunk constants were moved to neutron-lib from neutron with [3] from 1.25.0, and were removed from neutron with [4], thus lower-constraints must point to at least 1.25.0. To pass the gate fix sphinx requirements for python>3.4 (Original Change-Id: I6e709385fefe12123ecab150237956297cc7e09f) Conflicts: .zuul.d/project.yaml doc/requirements.txt lower-constraints.txt networking_odl/tests/unit/journal/test_full_sync.py requirements.txt test-requirements.txt [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 [2] http://lists.openstack.org/pipermail/openstack-discuss/2019-May/006158.html [3] https://review.opendev.org/636989 [4] https://review.opendev.org/649672 Change-Id: I698caa93a188f7be206c18d79152dd81eb4029d3
Bandit 1.6.0 introduces a regression[0] with the -x option, a fix is expected to be included in 1.6.1 soon. (Original commit is based on Id944054deedd545c34fc28ccf043dd72e5f31220) neutron-lbaas is retired [2], so networking-odl dependencies must be removed. Trunk constants were moved to neutron-lib from neutron with [3] from 1.25.0, and were removed from neutron with [4], thus lower-constraints must point to at least 1.25.0. To pass the gate fix sphinx requirements for python>3.4 (Original Change-Id: I6e709385fefe12123ecab150237956297cc7e09f) Conflicts: .zuul.d/project.yaml .zuul.d/jobs.yaml doc/requirements.txt requirements.txt [0] PyCQA/bandit#488 [1] PyCQA/bandit#489 [2] http://lists.openstack.org/pipermail/openstack-discuss/2019-May/006158.html [3] https://review.opendev.org/636989 [4] https://review.opendev.org/649672 Change-Id: I698caa93a188f7be206c18d79152dd81eb4029d3
Fixes #488

I've added a test to make sure that both wildcard directory exclusion and the 1.5.1 version of directory exclusion work.
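The include/exclude decision this PR changes, as an added example that is neither bandit's own code nor code from this PR: the predicates below reproduce the three forms of `_is_file_included` visible in the hunks above (the 1.6.0 glob-only check on the removed line, the substring check the second hunk re-adds, and the combined check) and run them over a constructed file tree mimicking the reviewer's `bandit -r column/ -x tests` run. The fourth predicate, matching a bare exclusion on path components, is my own suggestion and not part of the PR; the file names, `SAMPLE_TREE` and all function names are assumptions made for the example.

```python
"""Model of bandit's per-file include/exclude decision, before and after #489.

Constructed example, not bandit's own code: the predicates reproduce the
logic visible in the _is_file_included hunks so the -x regression can be
reproduced offline on a made-up file tree.
"""
import fnmatch

# Constructed file tree standing in for `bandit -r column/ -x tests`.
# Paths use "/" so the example behaves the same on every platform.
SAMPLE_TREE = [
    "column/__init__.py",
    "column/core.py",
    "column/tests/__init__.py",
    "column/tests/test_core.py",
    "column/contests/ranking.py",  # contains "tests" but is not a tests/ dir
    "column/latests.py",           # likewise
]

INCLUDED_GLOBS = ["*.py"]  # assumed include list; bandit's default is *.py


def matches_glob_list(path, glob_list):
    """True if `path` matches any pattern in `glob_list` (fnmatch on the full path)."""
    return any(fnmatch.fnmatch(path, glob) for glob in glob_list)


def included_glob_only(path, excluded):
    """1.6.0 behaviour (the removed hunk line): exclusions are globs only,
    so a bare directory name such as "tests" never matches a full path."""
    if not matches_glob_list(path, INCLUDED_GLOBS):
        return False
    return not matches_glob_list(path, excluded)


def included_substring(path, excluded):
    """Substring check as re-added by the second hunk, on its own: any
    exclusion string appearing anywhere in the path excludes the file."""
    if not matches_glob_list(path, INCLUDED_GLOBS):
        return False
    return not any(x in path for x in excluded)


def included_pr489(path, excluded):
    """Combined check from the second hunk: exclude on a glob match or on a
    substring match, so both `-x tests` and `-x '*/tests/*'` work."""
    if not matches_glob_list(path, INCLUDED_GLOBS):
        return False
    return (not matches_glob_list(path, excluded)
            and not any(x in path for x in excluded))


def included_by_component(path, excluded):
    """Stricter alternative (my suggestion, not in the PR): a bare exclusion
    must equal a whole path component, so "tests" drops column/tests/ but
    keeps column/contests/ and column/latests.py. Globs still apply."""
    if not matches_glob_list(path, INCLUDED_GLOBS):
        return False
    if matches_glob_list(path, excluded):
        return False
    components = path.split("/")
    return not any(x in components for x in excluded)


def scanned(predicate, excluded, tree=SAMPLE_TREE):
    """Sorted list of files `predicate` would let bandit scan."""
    return sorted(p for p in tree if predicate(p, excluded))


if __name__ == "__main__":
    variants = [
        ("1.6.0 glob-only", included_glob_only),
        ("substring only", included_substring),
        ("PR #489 combined", included_pr489),
        ("path-component", included_by_component),
    ]
    for excl in (["tests"], ["*/tests/*"]):
        print(f"-x {excl[0]}")
        for name, pred in variants:
            print(f"  {name:17} -> {scanned(pred, excl)}")
```

Running it shows the regression and its side effect side by side: with `-x tests` the glob-only variant scans every file (the reviewer's symptom), the substring and combined variants exclude `column/tests/` but also `column/contests/ranking.py` and `column/latests.py`, and only the component variant excludes exactly the `tests` directory; with `-x '*/tests/*'` the glob-aware variants all agree and substring-only excludes nothing.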