Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use .gitignore as basis of default excludes #826

Open
ericwb opened this issue Feb 25, 2022 · 1 comment · May be fixed by #1090
Open

Use .gitignore as basis of default excludes #826

ericwb opened this issue Feb 25, 2022 · 1 comment · May be fixed by #1090
Labels
enhancement New feature or request

Comments

@ericwb
Copy link
Member

ericwb commented Feb 25, 2022

Is your feature request related to a problem? Please describe.
Currently, constants.py defines some standard excludes hardcoded in a file. While this hasn't generally been an issue thus far, it does get complicated if someone wishes to override those values.

Describe the solution you'd like
Rather than hardcode in Bandit source, make use of a project's defined .gitignore file instead. It's very common to only scan the source that is part of the git repo anyway.

Describe alternatives you've considered
This solution would apply only to Git source control. So if someone uses SVN, CVS, etc, it may not be of much help.

Additional context
https://git-scm.com/docs/gitignore
https://github.com/PyCQA/bandit/blob/7fbf9d517b900936ac97e7debbd16dc7e532bc27/bandit/core/constants.py

@ericwb ericwb added the enhancement New feature or request label Feb 25, 2022
@ericwb
Copy link
Member Author

ericwb commented Jan 8, 2024

Currently constants.EXCLUDE is used in https://github.com/PyCQA/bandit/blob/main/bandit/cli/main.py#L339 as the default for excluded files. However, if files are given to the exclude CLI argument, then constants.EXCLUDE is overridden.

One solution might be to make use of an existing dependency, GitPython, to load a Repo object if the target given to scan is a single directory. We can then assume this directory is the root of a git-based project and attempt to load the .gitignore. Baseline (https://github.com/PyCQA/bandit/blob/main/bandit/cli/baseline.py#L202) does this today. However, the only function on Repo to check if files are ignored is https://gitpython.readthedocs.io/en/stable/reference.html#git.repo.base.Repo.ignored. As Bandit processed files, it would need to filter using this function.

@ericwb ericwb linked a pull request Jan 9, 2024 that will close this issue
ericwb added a commit to ericwb/bandit that referenced this issue Jan 20, 2024
When using Bandit to scan projects based on Git source control,
it would be benefitual to ignore files based on the patterns
in the .gitignore file.

Today, Bandit has some default excludes that get overridden if
a user passes in other excludes. This is a bit confusing to the
end user. But it also serves a purpose similar to .gitignore in
that the paths excluded by default are typically included in a
.gitignore.

Note, it will only check for .gitignore files in top-level directories
specified on the Bandit command line as targets. It does not recursive
look for .gitignore files. This is done because recursive searching
for .gitignore files would be complex to add to Bandit existing
file discovery.

This change adds a new Apache 2 licensed dependency of ignorelib.

Fixes PyCQA#826

Signed-off-by: Eric Brown <[email protected]>
ericwb added a commit to ericwb/bandit that referenced this issue Jan 20, 2024
When using Bandit to scan projects based on Git source control,
it would be benefitual to ignore files based on the patterns
in the .gitignore file.

Today, Bandit has some default excludes that get overridden if
a user passes in other excludes. This is a bit confusing to the
end user. But it also serves a purpose similar to .gitignore in
that the paths excluded by default are typically included in a
.gitignore.

Note, it will only check for .gitignore files in top-level directories
specified on the Bandit command line as targets. It does not recursive
look for .gitignore files. This is done because recursive searching
for .gitignore files would be complex to add to Bandit existing
file discovery.

This change adds a new Apache 2 licensed dependency of ignorelib.

Fixes PyCQA#826

Signed-off-by: Eric Brown <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant