I've been using the flake8-bandit plugin. But recently, a new positional argument fdata was recently added to the BanditNodeVisitor function in version 1.7.3, causing a TypeError as follows

multiprocessing.pool.RemoteTraceback: 
"""
Traceback (most recent call last):
  File "/mnt/home/liurenmi/software/anaconda3/envs/geneplexus/lib/python3.8/multiprocessing/pool.py", line 125, in worker
    result = (True, func(*args, **kwds))
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8/checker.py", line 687, in _run_checks
    return checker.run_checks()
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8/checker.py", line 597, in run_checks
    self.run_ast_checks()
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8/checker.py", line 500, in run_ast_checks
    for (line_number, offset, text, _) in runner:
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8_bandit.py", line 85, in run
    for warn in self._check_source():
  File "/mnt/ufs18/home-026/liurenmi/repo/GeneplexusPublic/.tox/flake8/lib/python3.8/site-packages/flake8_bandit.py", line 59, in _check_source
    bnv = BanditNodeVisitor(
TypeError: __init__() missing 1 required positional argument: 'metrics'
"""

Would it be possible to make a patch for this?

https://github.com/tylerwince/flake8-bandit/blob/4043bc51fcb2327da4b0ae82cab3b7a4a8bdbe87/flake8_bandit.py#L10

This flake8 commit removed it.

There are a few things from flake8's head that I need, but I'd also like to use flake8-bandit, so this is a bit of a pickle for me

With Python 3.7 on Ubuntu 16.04, flake8-bandit will fail on the following test script:

def test():
    try:
        a = A()
        a = A()
    except A:
        pass

with the following output:

"pyflakes" failed during execution due to "'ExceptHandler' object has no attribute 'depth'"
Run flake8 with greater verbosity to see more details

Verbose doesn't help with finding out any additional info: https://hastebin.com/suxebuxebo.txt

This issue only occurs with flake8-bandit installed, and occurs with all versions after 1.0.2. Pinning to 1.0.2 does not cause the same issue, but this isn't a great resolution.

I have tried reproducing the issue on an arch based environment without luck, as it only seems to occur on Ubuntu 16.04.

Attempt at fixing https://github.com/tylerwince/flake8-bandit/issues/33 by refactoring from flake8<5.0.0's ConfigFileFinder to flake8>=5.0.0,<6.0.0's load_config.

Description

I have:

• Windows 10
• Clean conda Python 3.6 env

I ran pip install flake8-bandit

and got Successfully installed GitPython-2.1.11 PyYAML-3.13 bandit-1.5.1 flake8-3.5.0 flake8-bandit-1.0.2 flake8-polyfill-1.0.2 gitdb2-2.0.4 mccabe-0.6.1 pbr-4.3.0 pycodestyle-2.3.1 pyflakes-1.6.0 six-1.11.0 smmap2-2.0.4 stevedore-1.29.0

I have a Python module with the following contents:

# -*- coding: UTF-8 -*-
"""Module docstring."""
print('hello') # э

I run flake8 C:\Development\Flake8PluginDev\foo.py

an error is produced.

(BanditDebug) C:\Users\user>flake8 C:\Development\Flake8PluginDev\foo.py
Traceback (most recent call last):
  File "c:\anaconda3\envs\banditdebug\lib\runpy.py", line 193, in _run_module_as_main
    "__main__", mod_spec)
  File "c:\anaconda3\envs\banditdebug\lib\runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "C:\Anaconda3\envs\BanditDebug\Scripts\flake8.exe\__main__.py", line 9, in <module>
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\main\cli.py", line 16, in main
    app.run(argv)
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\main\application.py", line 396, in run
    self._run(argv)
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\main\application.py", line 384, in _run
    self.run_checks()
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\main\application.py", line 310, in run_checks
    self.file_checker_manager.run()
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\checker.py", line 321, in run
    self.run_serial()
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\checker.py", line 305, in run_serial
    checker.run_checks()
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\checker.py", line 579, in run_checks
    self.run_ast_checks()
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\checker.py", line 486, in run_ast_checks
    checker = self.run_check(plugin, tree=ast)
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8\checker.py", line 435, in run_check
    return plugin['plugin'](**arguments)
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8_bandit.py", line 35, in __init__
    self._load_source()
  File "c:\anaconda3\envs\banditdebug\lib\site-packages\flake8_bandit.py", line 73, in _load_source
    self.source = f.read()
  File "c:\anaconda3\envs\banditdebug\lib\encodings\cp1252.py", line 23, in decode
    return codecs.charmap_decode(input,self.errors,decoding_table)[0]
UnicodeDecodeError: 'charmap' codec can't decode byte 0x8d in position 68: character maps to <undefined>

To Reproduce

If I have

# -*- coding: UTF-8 -*-
"""Module docstring."""
print('hello') # й

I run flake8 C:\Development\Flake8PluginDev\foo.py

and get C:\Development\Flake8PluginDev\foo.py:3:15: E261 at least two spaces before inline comment

It works fine.

Now if we change the Cyrillic # й comment into either the # э, # я, or # с (with all three characters typed with Russian keyboard layout, mind Russian C) and run flake8 C:\Development\Flake8PluginDev\foo.py

an error is produced.

It seems as bandit has problems with only three Russian letters эяс because when running the flake8 with the comment containing all Russian letters except эяс, it works fine:

# -*- coding: UTF-8 -*-
"""Module docstring."""
print('hello') # йцукенгшщзхъфывапролджё

Expected behavior Bandit should handle all Cyrillic characters without throwing UnicodeDecodeError error.

Bandit version

(BanditDebug) C:\Users\user>bandit --version
bandit 1.5.1
  python version = 3.6.6 |Anaconda, Inc.| (default, Jun 28 2018, 11:21:07) [MSC v.1900 32 bit (Intel)]

flake8          3.5.0
flake8-bandit   1.0.2

• Updated flake8-bandit to support all .bandit config options including targets and excludes
• cache config parsing so it can be re-used as needed

Breaking change:

• python >= 3.6 required

I'm using a number of more modern python features, could of course rewrite with older methods but wanted to write the simple way first unless there are objections; for most projects I've worked on and other frequently used tools, it seems like python 3.6 is a reasonable minimum version (black, pydantic, etc).

Implements additional features as discussed in #3

• remove obsolete "sudo" keyword
• remove old dev versions
• remove matrix

modified: .travis.yml

P.S.: As I never used the "allow_failures" directive before, I am not sure whether I used the correct syntax (outside matrix). If not, I'll update the pr.

I have noticed that the project currently says it is on version 4.1.0, and there is a tag and GitHub release with the same name, but there hasn't been a release on PyPI since 3.0.0.

There seems to be a release CI setup, but it hasnt really worked from a quick look at the past runs. I will try to see the following days anything needs to be done to fix it (if its even broken).

Making this quick issue to bring it to your attention :)

Fixes: #21

flake8-bandit 1.7.3 (PyCQA/bandit#496) introduced an fdata argument and this just passes a None to make things work with the latest version of bandit.

Reproduction steps:

0. Use windows
1. Install flake8-bandit
2. Create a python file with print('Привет, бандиты!') unicode contents
3. Try to run flake8 your_file.py

It will fail with something like this:

c:\users\appveyor\appdata\local\pypoetry\cache\virtualenvs\wemake-python-styleguide-py3.6\lib\site-packages\flake8\checker.py:451: in run_check
    return plugin["plugin"](**arguments)
c:\users\appveyor\appdata\local\pypoetry\cache\virtualenvs\wemake-python-styleguide-py3.6\lib\site-packages\flake8_bandit.py:35: in __init__
    self._load_source()
c:\users\appveyor\appdata\local\pypoetry\cache\virtualenvs\wemake-python-styleguide-py3.6\lib\site-packages\flake8_bandit.py:73: in _load_source
    self.source = f.read()
C:\Python36\lib\encodings\cp1252.py:23: in decode
    return codecs.charmap_decode(input,self.errors,decoding_table)[0]
E   UnicodeDecodeError: 'charmap' codec can't decode byte 0x81 in position 14170: character maps to <undefined>

Original issue: https://github.com/wemake-services/wemake-python-styleguide/issues/337 Log: https://ci.appveyor.com/project/wemake-services/wemake-python-styleguide/build/job/185lp386ce91jtsy

Bugbear is an official PyCQA plugin for flake8 that's been around for several years.

Your new plugin shadows the letter B and in fact deregisters Bugbear if used in the same configuration.

Please choose a new non-conflicting prefix for your plugin.

For reference, see: https://github.com/PyCQA/flake8-bugbear/issues/37

File "/home/runner/work/renault-api/renault-api/.nox/pre-commit/lib/python3.10/site-packages/flake8_bandit.py", line 10, in <module>
    from flake8.options.config import ConfigFileFinder

Hello,

the following code leads to different error codes, depending on the Python version:

import hashlib

h = hashlib.md5()

Python 3.8:

example.py:3:1: S303 Use of insecure MD2, MD4, MD5, or SHA1 hash function.

Python 3.9:

example.py:3:1: S324 Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False

Python 3.10:

example.py:3:1: S324 Use of weak MD4, MD5, or SHA1 hash for security. Consider usedforsecurity=False

The installed package versions seems to be equal:

$ python --version
Python 3.8.10

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.8.10 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pkg_resources   0.0.0
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0

$ python --version
Python 3.9.1

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.9.1 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0

$ python --version           
Python 3.10.2

$ flake8 --version
4.0.1 (flake8-bandit: 3.0.0, mccabe: 0.6.1, pycodestyle: 2.8.0, pyflakes: 2.4.0) CPython 3.10.2 on Linux

$ pip list
Package         Version
--------------- -------
bandit          1.7.4
flake8          4.0.1
flake8-bandit   3.0.0
flake8-polyfill 1.0.2
gitdb           4.0.9
GitPython       3.1.27
mccabe          0.6.1
pbr             5.9.0
pip             22.1
pycodestyle     2.8.0
pyflakes        2.4.0
PyYAML          6.0
setuptools      62.3.0
smmap           5.0.0
stevedore       3.5.0

Any idea what's going on here? Is it a flake8-bandit issue or a bandit one?

Thanks a lot!

fin swimmer

Hi,

since version 3.0.0, I get a the error Unable to find qualified name for module: file.py. when I run flake8.

How to reproduce

• Directory Structure:

test/
└── file.py

file.py:

import numpy as np

print("Oh no!")

• Expected Result:

> flake8 .
./file.py:1:1: F401 'numpy as np' imported but unused

running flake8 . actually works:

• Actual Result:

> flake8 file.py
Unable to find qualified name for module: file.py
file.py:1:1: F401 'numpy as np' imported but unuse

Running flake8 file.py does not work. As you can see, flake8 throws Unable to find qualified name for module: file.py.

• Additional Informations:
  • when I remove flake8-bandit from my environment, the error disappears
  • I'm using flake8 4.0.1 and flake8-bandit 3.0.0.

I'm looking forward to your reply.

C

Currently if one wants to skip a bandit message for "raw" bandit checks (using the bandit executable) in addition to ones done via flake8-bandit, both the noqa and nosec comments need to be used. For example:

assert True  # noqa: S101 # nosec: B101

The noqa: S101 is required for flake8 to not flag the use of assert, but that's not enough for "raw" bandit. For that the nosec: B101 is needed. But that has no effect on flake8-bandit, so both are needed.

Would be good if the nosec comment was enough for both, maybe flake8-bandit can do something about it?