Make GitPython dependency optional? #976
Duplicate of #971
The baseline CLI requires GitPython. And even if that was changed to another library, it still fundamentally requires git to do its function. I don't think there is a solution other than removing the baseline CLI, but this CLI is useful and being used. So we don't want to break existing users.
I don't see why a future major version of Bandit couldn't make
The only piece of code that requires GitPython is bandit-baseline. There tends to be an abundance of CVEs in the GitPython library due to its dependency on Git. By making GitPython optional via an extra, users who mostly use just the bandit command line and not bandit-baseline can benefit. However, this will require a different install if a user wants to use bandit-baseline. This is now noted in the Getting Started doc, but you simply do:
pip install bandit[GitPython]
FYI, this option was suggested in PR PyCQA#976.
Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
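The commit message above describes the packaging side of the change (GitPython moves behind a pip extra). The runtime side it implies, a guarded import so that the core bandit command never touches GitPython and only bandit-baseline fails, with an actionable message, when the extra is absent, is shown below as an added example. This is not Bandit's own code: the import name git and the install command pip install bandit[GitPython] come from the page, while the function names, exit codes and the minimum-version helper (whose threshold is the reader's own choice, since the page says no fix was planned at the time) are this example's assumptions.

```python
"""Guarded import for an optional extra (added example, not Bandit's code).

Pattern: the core CLI never imports GitPython; only the baseline sub-command
does, and when the extra is missing it fails with a message naming the install
command. Assumptions: module name "git" (GitPython's import name), the hint
string from the commit message, and an arbitrary minimum-version floor.
"""
import importlib
import importlib.util
import re
from types import ModuleType
from typing import List, Tuple

# Install hint quoted from the commit message on this page.
EXTRA_HINT = "pip install bandit[GitPython]"


class OptionalDependencyError(RuntimeError):
    """Raised when a sub-command needs an extra that is not installed."""


def extra_available(module_name: str) -> bool:
    """Presence check that does not import the module.

    Safe to call while building the argument parser, so `bandit --help`
    keeps working when GitPython is absent.
    """
    return importlib.util.find_spec(module_name) is not None


def load_optional(module_name: str, extra_hint: str) -> ModuleType:
    """Import an optional module or raise with an actionable message."""
    try:
        return importlib.import_module(module_name)
    except ImportError as exc:
        raise OptionalDependencyError(
            f"{module_name!r} is needed for this command but is not installed; "
            f"run: {extra_hint}"
        ) from exc


def version_at_least(installed: str, minimum: str) -> bool:
    """Numeric dotted-version compare; a plain string compare would rank
    "3.1.4" above "3.1.30". Pre-release suffixes (rc1, b2) are ignored."""

    def parse(v: str) -> List[int]:
        parts = []
        for piece in v.split("."):
            m = re.match(r"\d+", piece)
            parts.append(int(m.group()) if m else 0)
        return parts

    a, b = parse(installed), parse(minimum)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))  # treat "3.1" and "3.1.0" as equal
    b += [0] * (width - len(b))
    return a >= b


def run_baseline(module_name: str = "git", minimum: str = "0") -> Tuple[int, str]:
    """Entry-point shape for a sub-command that needs the optional extra.

    Returns (exit_code, message) instead of printing so a wrapper decides how
    to report it. `minimum` is an assumed floor set from your own advisory
    tracking; "0" disables the check.
    """
    try:
        mod = load_optional(module_name, EXTRA_HINT)
    except OptionalDependencyError as exc:
        return 2, str(exc)
    version = str(getattr(mod, "__version__", "0"))
    if not version_at_least(version, minimum):
        return 3, f"{module_name} {version} is below the required {minimum}; upgrade it"
    return 0, f"{module_name} {version} loaded; baseline can proceed"


if __name__ == "__main__":
    if not extra_available("git"):
        print(f"GitPython not installed; run: {EXTRA_HINT}")
    code, message = run_baseline()
    print(message)
    raise SystemExit(code)
```

The point of returning a (code, message) pair rather than importing git at module level is that the import failure is confined to the one sub-command that needs it; a user who only runs bandit never pays the dependency's CVE surface or its install cost.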
Describe the bug
CVE-2022-24439 landed today and is specifically related to GitPython. Per gitpython-developers/GitPython#1515, there isn't currently a fix planned. Since bandit requires this, the CVE extends to bandit, too. Is there a way that GitPython can be transitioned (either to a different lib or to a dev package, rather than one required by pip)?
Reproduction steps
Expected behavior
N/A
Bandit version
1.7.4 (Default)
Python version
3.11 (Default)
Additional context
No response