codacy / codacy-bandit Goto Github PK

Codacy reports a few patterns, I would say falsely, that are very commonplace in test development.

Examples

• "Use of assert detected" – using assert is the main pattern when using pytest
• "Possible hardcoded password" – making your test simple entails using hardcoded input values and testing the outcome in a hardcoded way again
• "Starting a process with a partial executable path" – mimicking the natural use of a CLI, for example

Sane Defaults vs. Custom Configuration

The result of Codacy's current defaults is that we have projects where 100% of the reported issues are in the test suite, e.g. https://app.codacy.com/manual/VSHN/concierge-cli/issues/index

I'm aware that Bandit has its own shortcomings (see PyCQA/bandit#603) and the reported issues come directly from the tool. But given the fact that you seem to run a custom approach, you as a code quality platform should probably set the standards here (read: sane, intuitive defaults).

The names of the Bandit rules on Codacy include spurious Markdown code from the permalinks in the original documentation:

observed

If .bandit file is found, it is run with bandit -c .bandit. (see above)
This is wrong.

expected

.bandit file is expected to be in INI format and must be run with bandit --ini .bandit.

https://bandit.readthedocs.io/en/latest/config.html#

To use this, put an INI file named .bandit in your project’s directory. [...]

contact

BTW: the bandit.yml is a config, not an INI, and is correctly called with bandit -c bandit.yml

It would be great for codacy to support [bandit] section in setup.cfg file and alternatively [tool.bandit] in pyproject.toml file.
The detected configuration files at the moment (.bandit and bandit.yml) are most definitely less often used in repos than the setup.cfg/pyproject.toml variants as they are employed to combine settings for many such static analysis/testing tools.

Hi,

would it be possible to use also .bandit name for the config file, since it is the default?

Or at least write somewhere a note to be able to get the right name easily, so people do not need to go through the code:
https://github.com/codacy/codacy-bandit/blob/master/src/main/scala/codacy/bandit/Bandit.scala#L68

Thanks in advance!

Dependabot couldn't authenticate with https://pypi.python.org/simple/.

You can provide authentication details in your Dependabot dashboard by clicking into the account menu (in the top right) and selecting 'Config variables'.

View the update logs.

This is running a patched version of 1.02. Bandit 1.4.0 is out and fixes some bugs, such as openstack-archive/bandit@e98515f
Please consider upgrading here and at https://github.com/codacy/bandit