Rework GitPython dependency to be an extra for bandit-baseline

The only piece of code that requires GitPython is bandit-baseline. There tends to be an abundance of CVEs in the GitPython library due to its dependency on Git. By making GitPython optional via an extra, users who mostly use just the bandit command line and not bandit-baseline can benefit. However, this will require different install if a user wants to use bandit-baseline. This is now noted in the Getting Started doc, but you simply do: pip install bandit[GitPython] FYI, this option was suggested in PR PyCQA#976. PyCQA#976 Signed-off-by: Eric Brown <eric_wade_brown@yahoo.com>
ericwb · Jan 20, 2024 · 3bac53a · 3bac53a
1 parent 0779eb0
commit 3bac53a
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 16 deletions.
diff --git a/bandit/cli/baseline.py b/bandit/cli/baseline.py
@@ -19,7 +19,10 @@
 import sys
 import tempfile
 
-import git
+try:
+    import git
+except ImportError:
+    git = None
 
 bandit_args = sys.argv[1:]
 baseline_tmp_file = "_bandit_baseline_run.json_"
@@ -198,23 +201,27 @@ def initialize():
     report_fname = f"{report_basename}.{output_format}"
 
     # #################### Check Requirements #################################
-    try:
-        repo = git.Repo(os.getcwd())
+    if git is not None:
+        try:
+            repo = git.Repo(os.getcwd())
 
-    except git.exc.InvalidGitRepositoryError:
-        LOG.error("Bandit baseline must be called from a git project root")
-        valid = False
+        except git.exc.InvalidGitRepositoryError:
+            LOG.error("Bandit baseline must be called from a git project root")
+            valid = False
 
-    except git.exc.GitCommandNotFound:
-        LOG.error("Git command not found")
-        valid = False
+        except git.exc.GitCommandNotFound:
+            LOG.error("Git command not found")
+            valid = False
 
+        else:
+            if repo.is_dirty():
+                LOG.error(
+                    "Current working directory is dirty and must be resolved"
+                )
+                valid = False
     else:
-        if repo.is_dirty():
-            LOG.error(
-                "Current working directory is dirty and must be " "resolved"
-            )
-            valid = False
+        LOG.error("Git not available, reinstall with GitPython extra")
+        valid = False
 
     # if output format is specified, we need to be able to write the report
     if output_format != default_output_format and os.path.exists(report_fname):

diff --git a/doc/source/start.rst b/doc/source/start.rst
@@ -31,6 +31,13 @@ If you want to include TOML support, install it with the `toml` extras:
 
     pip install bandit[toml]
 
+If you want to use the bandit-baseline CLI, install it with the `GitPython`
+extras:
+
+.. code-block:: console
+
+    pip install bandit[GitPython]
+
 Run Bandit:
 
 .. code-block:: console

diff --git a/requirements.txt b/requirements.txt
@@ -1,7 +1,6 @@
 # The order of packages is significant, because pip processes them in the order
 # of appearance. Changing the order has an impact on the overall integration
 # process, which may cause wedges in the gate later.
-GitPython>=3.1.30 # BSD License (3 clause)
 PyYAML>=5.3.1 # MIT
 stevedore>=1.20.0 # Apache-2.0
 colorama>=0.3.9;platform_system=="Windows" # BSD License (3 clause)

diff --git a/setup.cfg b/setup.cfg
@@ -38,7 +38,7 @@ toml =
 
 [entry_points]
 console_scripts =
-    bandit = bandit.cli.main:main
+    bandit = bandit.cli.main:main [GitPython]
     bandit-config-generator = bandit.cli.config_generator:main
     bandit-baseline = bandit.cli.baseline:main
 bandit.blacklists =

diff --git a/test-requirements.txt b/test-requirements.txt
@@ -10,3 +10,4 @@ testtools>=2.3.0 # MIT
 tomli>=1.1.0;python_version<"3.11" # MIT
 beautifulsoup4>=4.8.0 # MIT
 pylint==1.9.4 # GPLv2
+GitPython # BSD License (3 clause)