Corrected documentation on configuration #868
Conversation
"Profile" is deprecated, legacy and undocumented. Note: decriptions about profile are still in man pages or help messages.
a-takahashi223
requested review from
ericwb,
lukehinds,
ghugo and
sigmavirus24
as code owners
|
Hello. Is there any problem with this PR? |
|
Hi @ericwb @lukehinds @ghugo @sigmavirus24 , Am I violating the contribute guideline? I read https://bandit.readthedocs.io/en/latest/config.html trying to get Bandit to ignore B101 and was very annoyed that it didn't work. If such problems are reduced, Bandit, which is a great tool, will be easier to use. |
I don't see a violation here but I'm also carrying for my newborn child and not paying close attention. Did someone tell you that you were? |
Congratulations on the birth of your baby. That must be very busy.
No, but this PR seems to be ignored, and I was concerned that the contribution guideline violation might be the reason. |
doc/source/start.rst
Outdated
| @@ -40,11 +40,6 @@ context and only reporting on the high-severity issues:: | |||
|
|
|||
| bandit examples/*.py -n 3 -lll | |||
|
|
|||
| Bandit can be run with profiles. To run Bandit against the examples directory | |||
There was a problem hiding this comment.
Bandit does still have an option to specify profiles to load via the -p or --profile argument.
There was a problem hiding this comment.
I cloned PyCQA/bandit:main, ran python setup.py install and pip -r requirements.txt, then ran bandit examples/*.py -p ShellInjection. The output is below:
[main] ERROR Unable to find profile (ShellInjection) in config file: None
This result suggests that profile is not built-in, but something we define ourselves. So how do we define it?
Where is it written in the documentation?
There was a problem hiding this comment.
Yes, creating profiles is still possible via the bandit.yaml file. They are not built-in. And you can create a config yaml file bandit-config-generator
There was a problem hiding this comment.
Thank you. I ran bandit-config-generator -o bandit.yaml then bandit examples/*.py -p ShellInjection -c bandit.yaml. The output is:
[main] ERROR Unable to find profile (ShellInjection) in config file: bandit.yaml
Again, how can I define profile in a configuration file?
After some trial and error, a configuration file as below finally worked.
profiles:
ShellInjection:
# ...But I got the message below.
[config] WARNING Config file 'bandit.yaml' contains deprecated legacy config data. Please consider upgrading to the new config format. The tool 'bandit-config-generator' can help you with this. Support for legacy configs will be removed in a future bandit version.
This is probably the best evidence that profile is deprecated and should not be used.
Therefore, all descriptions about profile should be removed from the documentation.
There was a problem hiding this comment.
Even if it's "deprecated" (which it isn't) it shouldn't be removed in this pull request
There was a problem hiding this comment.
I see. Reverted in 2d6cd55
This reverts commit c4b2d52.
As mentioned in #606 (comment) , there are some errors in the configuration documentation.
This has been corrected.
Note that only the documentation has been corrected, not the man page or help messages.