More specific nosec options #418

Closed
tobywf opened this issue Nov 2, 2018 · 5 comments
Labels
enhancement New feature or request
Milestone

Comments

tobywf commented Nov 2, 2018

Is your feature request related to a problem? Please describe.

I couldn't find any way to specify # nosec for a particular bandit issue, which means # nosec could accidentally mask multiple issues. I have a contrived example:

import yaml
assert yaml.load("{}") == []  # nosec

This results in B101:assert_used and B506:yaml_load. Obviously, it could trivially be split up over several lines, but it illustrates how # nosec can mask more than one issue. This may have happened over time; for example, the assert may have been assert foo == [] previously, and the load vulnerability was introduced later.

TL;DR: I'd like to be able to suppress just one issue.

Additionally, it would be nice to be able to suppress some issues on a per file/module basis. For most use-cases, exclude probably works fine, but again it's either all or nothing. Happy to submit a different feature request for this.

Describe the solution you'd like

I think pylint does this well. As stated in their FAQ:

4.1 Is it possible to locally disable a particular message?
[...] by adding "#pylint: disable=some-message,another-one" at the desired block level or at the end of the desired line of code
4.2 Is there a way to disable a message for a particular module only?
Yes [...] at the module level by adding the corresponding option in a comment at the top of the file

flake8 also offers fine-grained ignores via e.g. # noqa: E731.

For bandit then, it could be something like:

assert yaml.load("{}") == []  # nosec: disable=B101
assert yaml.load("{}") == []  # nosec: disable=assert_used

or

assert yaml.load("{}") == []  # nosec: B101

Describe alternatives you've considered

  • Use nosec and hope it doesn't mask any issues down the line
  • Disable a certain issue globally and hope it doesn't occur anywhere in the codebase

Additional context

ericwb added the enhancement label Nov 12, 2018

riconnon commented Feb 5, 2019

Would love to see this. Similar to how flake8 handles # noqa

@thanatos

And please use the English identifiers, e.g., assert_used; forcing someone to guess what B101 means / forcing me to look it up is just annoying.

@spaceone

I would like to see it as well, but I prefer the short-cuts e.g.: # nosec: B101,B102

@stephen-dexda

Duplicate of #211.


ericwb commented Nov 19, 2019

Thanks @stephen-dexda . Closing as Duplicate of #211

ericwb closed this as completed Nov 19, 2019
mikespallino added a commit to mikespallino/bandit that referenced this issue Apr 7, 2020
- allow disabling tests by id and by name (e.g. B602,assert_used)
- update nosec_lines to be a dict keyed on line number to a set of tests to ignore
- use an empty set to indicate a blanket nosec (i.e. just #nosec, no individual tests)
- use None to indicate that there was no nosec comment on the line in question
- track and report metrics on the number of tests skipped by specific tests and the number of tests that fail because they were not included in the list of specific tests to ignore

Resolves PyCQA#211
See also PyCQA#418
sigmavirus24 pushed a commit that referenced this issue Feb 4, 2022
This adds support to the `# nosec` comment to specify specific tests to disable.

- allow disabling tests by id and by name (e.g. B602,assert_used)
- update nosec_lines to be a dict keyed on line number to a set of tests to ignore
- use an empty set to indicate a blanket nosec (i.e. just #nosec, no individual tests)
- use None to indicate that there was no nosec comment on the line in question
- track and report metrics on the number of tests skipped by specific tests and the number of tests that fail because they were not included in the list of specific tests to ignore

Resolves #211
See also #418
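The following is an added example, not Bandit's own code and not posted by any participant above. It implements the semantics the merged commit message describes (a dict keyed on line number, an empty set for a blanket nosec, no entry for a line without one) and runs it against the contrived line from the opening post, once with a bare # nosec and once with # nosec: assert_used. The comment grammar, the TEST_IDS name-to-id table, the metric names and the constructed findings are assumptions made for the example.

```python
"""Illustrative per-test ``# nosec`` handling (not Bandit's implementation)."""
from __future__ import annotations

import io
import re
import tokenize

# Assumed subset of a test-name -> test-id table: only the two tests that the
# issue's contrived example triggers.
TEST_IDS = {"assert_used": "B101", "yaml_load": "B506"}

# Assumed grammar: "# nosec", "#nosec", "# nosec B101", "# nosec: B101,assert_used".
# The colon is optional; ids and names may be separated by commas or spaces.
NOSEC_RE = re.compile(r"#\s*nosec\b\s*:?\s*(?P<tests>[^#]*)")
TEST_ID_RE = re.compile(r"^B\d{3}$")


def parse_nosec_lines(source: str) -> tuple[dict[int, set[str]], list[str]]:
    """Return ({lineno: set of test ids}, warnings).

    An empty set is a blanket nosec; a missing key means the line carried no
    nosec comment at all. Tokens after ``nosec`` that are neither a known id
    nor a known name are reported as warnings, since a typo such as
    ``# nosec: B1O1`` otherwise degrades silently into a blanket suppression.
    """
    nosec: dict[int, set[str]] = {}
    warnings: list[str] = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue
        m = NOSEC_RE.search(tok.string)
        if m is None:
            continue
        lineno = tok.start[0]
        ids: set[str] = set()
        for item in re.split(r"[,\s]+", m.group("tests").strip()):
            if not item:
                continue
            if TEST_ID_RE.match(item):
                ids.add(item)
            elif item in TEST_IDS:
                ids.add(TEST_IDS[item])      # normalize names to ids
            else:
                warnings.append(f"line {lineno}: {item!r} is not a test id or name")
        nosec[lineno] = ids
    return nosec, warnings


def filter_findings(source: str, findings: list[tuple[int, str]]):
    """Apply the nosec comments in ``source`` to ``findings`` ([(lineno, test_id)]).

    Returns (reported, metrics). The three counters mirror the ones the commit
    message describes; their names here are assumed, not Bandit's.
    """
    nosec_lines, _ = parse_nosec_lines(source)
    metrics = {"nosec": 0, "skipped_by_specific": 0, "failed_not_listed": 0}
    reported: list[tuple[int, str]] = []
    for lineno, test_id in findings:
        ids = nosec_lines.get(lineno)        # None: no nosec comment on this line
        if ids is None:
            reported.append((lineno, test_id))
        elif not ids:
            metrics["nosec"] += 1            # blanket "# nosec" masks everything
        elif test_id in ids:
            metrics["skipped_by_specific"] += 1
        else:
            metrics["failed_not_listed"] += 1   # nosec present but did not cover this test
            reported.append((lineno, test_id))
    return reported, metrics


# Constructed sources: the issue's contrived line with a blanket and a targeted
# nosec. Constructed findings: what a scan of line 2 would raise in both cases.
BLANKET = 'import yaml\nassert yaml.load("{}") == []  # nosec\n'
TARGETED = 'import yaml\nassert yaml.load("{}") == []  # nosec: assert_used\n'
FINDINGS = [(2, "B101"), (2, "B506")]

if __name__ == "__main__":
    for name, src in (("blanket", BLANKET), ("targeted", TARGETED)):
        print(name, *filter_findings(src, FINDINGS))
```

With the blanket comment both findings disappear; with # nosec: assert_used only B101 is skipped and B506 (yaml_load) is still reported, which is exactly the masking the opening post wanted to avoid. The warnings list is the check a practitioner wants in CI: an unrecognized token after nosec should fail the run rather than widen the suppression.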
6 participants