pytest-bandit's People

Contributors

babarberousse, demosdemon, dmtucker, mattwwarren, tomdottom, tucked

pytest-bandit's Issues

--bandit is ignored, plugin always runs, 'off by default' impossible

I can find no way to configure pytest.ini so that we can have this plugin installed and configured but off by default. Using addopts= -pno:bandit does disable the plugin as it should, but it is not possible to then turn it on again from the command line (-pbandit or -ppytest_bandit do not work).

It looks like the --bandit flag was supposed to activate this plugin - implying that it was intended to be off by default. It appears that flag actually does nothing. Not sure what is the right fix at this point since people may be using this and expecting the plugin to run automatically.

I suggest the solution is to change the meaning of the --bandit flag just a little bit. It should go from doing nothing to overriding the '--nobandit' flag. Then, add a --nobandit flag.

People like me will then be able to add --nobandit in pytest.ini and then have this overridden when we want to run from the command line by adding --bandit.
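
The flag precedence proposed in this issue, as an added sketch that is not pytest-bandit's code: argparse stands in for pytest's option parser, and the shared `bandit` destination and the `bandit_enabled` helper are assumptions. It relies on pytest placing `addopts` from the ini file ahead of the command-line arguments, so the last flag given wins.

```python
import argparse
import shlex


def build_parser():
    """Stand-in for the options a plugin would register in pytest_addoption."""
    parser = argparse.ArgumentParser(prog="pytest", add_help=False)
    # Both flags write to the same destination (assumed name: "bandit"),
    # so whichever flag appears last on the combined argument list wins.
    parser.add_argument("--bandit", dest="bandit", action="store_true")
    parser.add_argument("--nobandit", dest="bandit", action="store_false")
    # Default stays "on" so existing users who expect the scan to run
    # automatically do not silently lose it.
    parser.set_defaults(bandit=True)
    return parser


def bandit_enabled(ini_addopts, cli_args):
    """Return True if the scan would run for this ini/command-line pair.

    ini_addopts: the addopts string from pytest.ini (constructed sample input).
    cli_args:    arguments typed on the command line.
    """
    # addopts from the ini file come first, command-line arguments after them.
    args = shlex.split(ini_addopts) + list(cli_args)
    # Unknown options and test paths are ignored here; only the two flags matter.
    namespace, _unknown = build_parser().parse_known_args(args)
    return namespace.bandit


if __name__ == "__main__":
    # Constructed scenarios: (addopts in pytest.ini, command line)
    for ini, cli in [("", []),
                     ("--nobandit", []),
                     ("--nobandit", ["--bandit"]),
                     ("--nobandit -q", ["tests/"])]:
        print(repr(ini), cli, "->", bandit_enabled(ini, cli))
```

With this arrangement a CI job that must always run the scan can pass `--bandit` explicitly and is not affected by a `--nobandit` left in a developer's pytest.ini.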

Write more tests

Current tests were just to gain understanding of how pytest plugins are expected to be tested. We should write more.

Inconsistent package/module versioning

First off, thanks for publishing this pytest plugin. Looking forward to future improvements :)

The version specified in pytest_bandit/init.py is not the same as in setup.py

Issues with the plugin

  • The plugin shouldn't be enabled by default as it currently is. Specifically, there is supposed to be a --bandit argument that is passable to the addopts option in the pytest configuration.

  • bandit is useless if I can't skip specific issues. As such, a bandit_skips or bandit_ini option is a must.

  • As for bandit_recurse, I can't think of a good reason why it should ever be false. Why does this user option need to exist?

Fix exit code status

There is an issue with where we run the tests: we can't modify the session's testsfailed and shouldfail values. Haven't quite gotten to the bottom of it yet.

Publish on pypi

Some work needs to be done ahead of publishing to ensure proper ownership. But this can track that.

Travis.org is shutting down

From travis-ci.org

Please be aware travis-ci.org will be shutting down in several weeks, with all accounts migrating to travis-ci.com. Please stay tuned here for more information.

From https://blog.travis-ci.com/2020-11-02-travis-ci-new-billing

  • We will be offering an allotment of OSS minutes that will be reviewed and allocated on a case by case basis. Should you want to apply for these credits please open a request with Travis CI support stating that you’d like to be considered for the OSS allotment. Please include:
    • Your account name and VCS provider (like travis-ci.com/github/[your account name] )
    • How many credits (build minutes) you’d like to request (should you run out of credits again you can repeat the process to request more or discuss a renewable amount)

only supports python 3.4

The documentation specifies that this plugin works up until Python 3.9, but the setup.py is enforcing the usage of only Python 3.4, which reached end of life on March 18th, 2019. I do not know for which versions this plugin is tested and if these tests are meaningful and complete, hence the issue instead of a pull request to update the setup.py.

bandit_exclude not working

Although the bandit_exclude parameter is not documented, it is used in the code, but it makes pytest crash when we actually use it.

Here's a pytest.ini to test it:

[pytest]
bandit_exclude = somedir

I made a quick fix there if you are ok with it: #10

INTERNALERROR on Windows

When running pytest-bandit on Windows (Python 3.5, 3.6, 3.7) I get the following message.

INTERNALERROR> Traceback (most recent call last):
INTERNALERROR>   File "C:\Users\VssAdministrator\AppData\Roaming\Python\Python35\site-packages\_pytest\main.py", line 206, in wrap_session
INTERNALERROR>     session.exitstatus = doit(config, session) or 0
INTERNALERROR>   File "C:\Users\VssAdministrator\AppData\Roaming\Python\Python35\site-packages\_pytest\main.py", line 250, in _main
INTERNALERROR>     config.hook.pytest_runtestloop(session=session)
INTERNALERROR>   File "C:\Users\VssAdministrator\AppData\Roaming\Python\Python35\site-packages\pluggy\hooks.py", line 289, in __call__
INTERNALERROR>     return self._hookexec(self, self.get_hookimpls(), kwargs)
INTERNALERROR>   File "C:\Users\VssAdministrator\AppData\Roaming\Python\Python35\site-packages\pluggy\manager.py", line 87, in _hookexec
INTERNALERROR>     return self._inner_hookexec(hook, methods, kwargs)
INTERNALERROR>   File "C:\Users\VssAdministrator\AppData\Roaming\Python\Python35\site-packages\pluggy\manager.py", line 81, in <lambda>
INTERNALERROR>     firstresult=hook.spec.opts.get("firstresult") if hook.spec else False,
INTERNALERROR>   File "C:\Users\VssAdministrator\AppData\Roaming\Python\Python35\site-packages\pluggy\callers.py", line 203, in _multicall
INTERNALERROR>     gen.send(outcome)
INTERNALERROR>   File "C:\Users\VssAdministrator\AppData\Roaming\Python\Python35\site-packages\pytest_bandit\plugin.py", line 172, in pytest_runtestloop
INTERNALERROR>     bandit_failures = BanditItem(compat_session).runtest()
INTERNALERROR>   File "C:\Users\VssAdministrator\AppData\Roaming\Python\Python35\site-packages\pytest_bandit\controller.py", line 53, in runtest
INTERNALERROR>     sys.stdout.write(os.linesep)
INTERNALERROR> ValueError: underlying buffer has been detached

==================== 3 passed, 15 skipped in 1.46 seconds =====================
Exception ignored in: <_io.TextIOWrapper mode='w' encoding='cp1252'>
ValueError: underlying buffer has been detached
##[error]Cmd.exe exited with code '3'.
##[section]Finishing: Tests

pytest 6 support

When using this plugin against pytest 6.1.0, I get the following error:

INTERNALERROR> Failed: Direct construction of BanditItem has been deprecated, please use BanditItem.from_parent.
INTERNALERROR> See https://docs.pytest.org/en/stable/deprecations.html#node-construction-changed-to-node-from-parent for more details.

Is this plugin compatible with the 6.x versions of pytest?
