bandit linter doesn't seem to work inside vscode

[jcrmatos]

Environment data

• VS Code version: 1.30.0
• Extension version (available under the Extensions sidebar): 2018.12.1
• OS and version: Windows 7 Pro SP1 with all updates
• Python version (& distribution if applicable, e.g. Anaconda): 3.5.4
• Type of virtual environment used (N/A | venv | virtualenv | conda | ...): virtualenv
• Relevant/affected Python packages and their versions: bandit 1.4.0

Expected behaviour

These settings either in user settings or workspace settings should allow bandit to run

    "python.linting.banditArgs": [
        "-s", "B101",
        "-f", "csv",
    ],
    "python.linting.banditEnabled": true,

at it should return this

[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: B101
[main]  INFO    running on Python 3.5.4
filename,test_name,test_id,issue_severity,issue_confidence,issue_text,line_number,line_range
uniclave\uniclave_import.py,blacklist,B404,LOW,HIGH,Consider possible security implications associated with call module.,14,[14]
uniclave\uniclave_import.py,subprocess_without_shell_equals_true,B603,LOW,HIGH,subprocess call - check for execution of untrusted input.,59,"[59, 60]"

when it checks this line
from subprocess import call
in uniclave\uniclave_import.py

Actual behaviour

Doesn't show the message with the issue shown above. In fact it doesn't show anything.

If I run the command
bandit -s B101 -f csv uniclave\uniclave_import.py
from the integrated terminal or the cmd console it works and shows the message.

Steps to reproduce:

Shown above.

Logs

Output for Python in the Output panel (View→Output, change the drop-down the upper-right of the Output panel to Python)

There is no message in the Output panel.

Output from Console under the Developer Tools panel (toggle Developer Tools on under Help)

There is no output in the console from the Developer Tools.

flake8, pylint and mypy are running without a problem on the same file.

[brettcannon]

I can't reproduce as it works fine for me with the settings provided:

Do make sure that you installed bandit into the environment you selected in VS Code (easiest way to to run bandit for the Python you specified, e.g. /path/to/python -m bandit). Otherwise try specifying "python.linting.banditPath" to the one you used to run it manually.

If all of this fails then please come back and we can consider re-opening this issue to try to figure out the problem.

[jcrmatos]

Hello,

I can confirm that bandit is installed in the virtual environment selected in VS Code.

If I run
bandit -s B101 -f csv uniclave\uniclave_import.py
from the integrated terminal (which uses the selected virtual environment) it works and shows the message.

(uniclave) C:\Users\JMatos\OneDrive\Python\uniclave>bandit -s B101 -f csv uniclave\uniclave_import.py
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: B101
[main]  INFO    running on Python 3.5.4
filename,test_name,test_id,issue_severity,issue_confidence,issue_text,line_number,line_range
uniclave\uniclave_import.py,blacklist,B404,LOW,HIGH,Consider possible security implications associated with call module.,14,[14]
uniclave\uniclave_import.py,subprocess_without_shell_equals_true,B603,LOW,HIGH,subprocess call - check for execution of untrusted input.,59,"[59, 60]"

(uniclave) C:\Users\JMatos\OneDrive\Python\uniclave>

If I run
bandit -s B101 -f csv uniclave\uniclave_import.py
from the cmd console (with the same virtual environment activated, of course) it also works and shows the message.

I added the setting you mentioned:

    "python.linting.banditArgs": [
        "-s", "B101",
        "-f", "csv",
    ],
    "python.linting.banditEnabled": true,
    "python.linting.banditPath": "C:\\Users\\JMatos\\Envs\\uniclave\\Scripts\\bandit.exe",

but it still doesn't show the message.
It shows the messages from the other linters.

Best regards,

JM

[brettcannon]

Are you using the latest release? Does it make a difference if you leave out "python.linting.banditArgs"? And you should see ##########Linting Output - bandit########## in the Output panel when viewing the Python output. Do you see that when you run the Run Linting command?

[jcrmatos]

Hello,

No, it doesn't make a difference to leave out "python.linting.banditArgs".
I don't see anything like that in the Output.
I upgraded from bandit 1.4.0 to the latest 1.5.1 and it started working.

I still don't see anything in the Output related to linting, only this (I think it's related to the Python extension):

CODE SETTINGS SYNC UPLOAD SUMMARY
Version: 3.2.4
--------------------
GitHub Token: 9c8fcb015ff787b804e21fa3dd17be7264f742e5
GitHub Gist: bd654c93b810119a83a518ddcd74d679
GitHub Gist Type: Secret

Restarting Visual Studio Code may be required to apply color and file icon theme.
--------------------
Files Uploaded:
  extensions.json > extensions.json
  keybindings.json > keybindings.json
  settings.json > settings.json
  python.json > snippets|python.json

Extensions Ignored:
  No extensions ignored.

Extensions Removed:
  No extensions removed.

Extensions Added:
  Bookmarks v10.0.0
  code-settings-sync v3.2.4
  git-project-manager v1.7.1
  partial-diff v1.4.0
  python v2018.12.1
  vscode-great-icons v2.1.46
--------------------
Done.

Thanks,

JM

[brettcannon]

All of that is Settings Sync which means you're not quite looking at the right output from the Output panel. What you want is for your Output panel to look like this (notice the "Python"):

But since things are now working this isn't really that important.

[jcrmatos]

Didn't know about that selection of the Output panel. Thanks for info.
And thank you for the help.

[jcrmatos]

Hello,

I'm sorry to bother you again, but I began to check the Output panel (Python) when linting and noticed something strange.
I have 14 .py files opened in a single group.
When I run linting, the Output panel only shows 5 entries for each linter, instead of 14.
Is this normal?
Here is the Output panel:

##########Linting Output - flake8##########
##########Linting Output - flake8##########
##########Linting Output - bandit##########
##########Linting Output - bandit##########
##########Linting Output - bandit##########
##########Linting Output - flake8##########
##########Linting Output - flake8##########
##########Linting Output - flake8##########
##########Linting Output - bandit##########
##########Linting Output - mypy##########
##########Linting Output - pylint##########
##########Linting Output - bandit##########
##########Linting Output - mypy##########
##########Linting Output - mypy##########
##########Linting Output - pylint##########
##########Linting Output - mypy##########
uniclave\reporting.py:105: note: unused 'type: ignore' comment
uniclave\reporting.py:107: note: unused 'type: ignore' comment
uniclave\reporting.py:109: note: unused 'type: ignore' comment
uniclave\reporting.py:111: note: unused 'type: ignore' comment
uniclave\reporting.py:113: note: unused 'type: ignore' comment
uniclave\reporting.py:121: note: unused 'type: ignore' comment
uniclave\reporting.py:528: note: unused 'type: ignore' comment
uniclave\reporting.py:551: note: unused 'type: ignore' comment
uniclave\reporting.py:554: note: unused 'type: ignore' comment
uniclave\data_processing.py:63: note: unused 'type: ignore' comment
uniclave\data_processing.py:65: note: unused 'type: ignore' comment
##########Linting Output - mypy##########
uniclave\reporting.py:105: note: unused 'type: ignore' comment
uniclave\reporting.py:107: note: unused 'type: ignore' comment
uniclave\reporting.py:109: note: unused 'type: ignore' comment
uniclave\reporting.py:111: note: unused 'type: ignore' comment
uniclave\reporting.py:113: note: unused 'type: ignore' comment
uniclave\reporting.py:121: note: unused 'type: ignore' comment
uniclave\reporting.py:528: note: unused 'type: ignore' comment
uniclave\reporting.py:551: note: unused 'type: ignore' comment
uniclave\reporting.py:554: note: unused 'type: ignore' comment
uniclave\data_processing.py:63: note: unused 'type: ignore' comment
uniclave\data_processing.py:65: note: unused 'type: ignore' comment
##########Linting Output - pylint##########
##########Linting Output - pylint##########
##########Linting Output - pylint##########

Thanks,

JM

[brettcannon]

If the files are not within the workspace folder then yes it's fine. And if you are getting linting errors as expected then don't worry about it.

[jcrmatos]

The files are all in the same folder.

[jcrmatos]

I forgot to tell you that this time I upgraded all linters and dev tools. :)
It seems VSCode only linters files that are opened AND (that were changed OR had editor focus).

Is this right?

[brettcannon]

@jcrmatos we don't control when your linting executes, that's a VS Code thing, but in general they have to be opened and then VS Code won't re-lint until the files have been changed. But I believe you can configure this in VS Code.

[jcrmatos]

OK, thanks again.