
pre-commit hook can't read version --> wrong URL generated

Open gothicVI opened this issue 1 year ago • 3 comments

Describe the bug

When running in pre-commit, a wrong URL pointing to the documentation is generated. This seems to be due to some bug in the environment that no longer allows the version of bandit to be read somehow.

Reproduction steps

1. Have some code that causes an issue, e.g.:

   ```python
   import sqlite3
   table_name: str = "test"
   schema: str = "uuid TEXT"
   with sqlite3.connect("my.db") as conn:
       cur: sqlite3.Cursor = conn.cursor()
       cur.execute(f"CREATE TABLE IF NOT EXISTS {table_name} ({schema})")
       cur.close()
   ```

2. Run bandit on the code:

   ```console
   $ bandit --version && bandit test.py
   bandit 1.7.10
     python version = 3.11.2 (main, Sep 14 2024, 03:00:30) [GCC 12.2.0]
   [main]  INFO    profile include tests: None
   [main]  INFO    profile exclude tests: None
   [main]  INFO    cli include tests: None
   [main]  INFO    cli exclude tests: None
   [main]  INFO    running on Python 3.11.2
   Run started:2024-11-18 12:03:24.263167

   Test results:
   >> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
      Severity: Medium   Confidence: Medium
      CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
      More Info: https://bandit.readthedocs.io/en/1.7.10/plugins/b608_hardcoded_sql_expressions.html
      Location: ./test.py:6:4
   5   cur: sqlite3.Cursor = conn.cursor()
   6   cur.execute(f"CREATE TABLE IF NOT EXISTS {table_name} ({schema})")
   7   cur.close()

   --------------------------------------------------

   Code scanned:
           Total lines of code: 7
           Total lines skipped (#nosec): 0

   Run metrics:
           Total issues (by severity):
                   Undefined: 0
                   Low: 0
                   Medium: 1
                   High: 0
           Total issues (by confidence):
                   Undefined: 0
                   Low: 1
                   Medium: 0
                   High: 0
   Files skipped (0):
   ```

3. Run the same code in pre-commit using the following `.pre-commit-config.yaml`:

   ```yaml
   ...
   - repo: https://github.com/PyCQA/bandit
     rev: 1.7.10
     hooks:
     - id: bandit
       args: ["-c", "pyproject.toml"]
       additional_dependencies: ["bandit[toml]"]
       exclude:
         some_stuff_unrelated_to_the_current_file_but_mentioned_to_be_complete_if_necessary
   ...
   ```

   This yields:

   ```console
   $ pre-commit run bandit --file test.py
   bandit...................................................................Failed
   - hook id: bandit
   - exit code: 1

   [main]  INFO    profile include tests: None
   [main]  INFO    profile exclude tests: B404,B603
   [main]  INFO    cli include tests: None
   [main]  INFO    cli exclude tests: None
   [main]  INFO    using config: pyproject.toml
   [main]  INFO    running on Python 3.11.2
   Run started:2024-11-18 11:40:13.841442

   Test results:
   >> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
      Severity: Medium   Confidence: Medium
      CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
      More Info: https://bandit.readthedocs.io/en/0.0.0/plugins/b608_hardcoded_sql_expressions.html
      Location: ./test.py:6:4
   5   cur: sqlite3.Cursor = conn.cursor()
   6   cur.execute(f"CREATE TABLE IF NOT EXISTS {table_name} ({schema})")
   7   cur.close()

   --------------------------------------------------

   Code scanned:
           Total lines of code: 7
           Total lines skipped (#nosec): 0

   Run metrics:
           Total issues (by severity):
                   Undefined: 0
                   Low: 0
                   Medium: 1
                   High: 0
           Total issues (by confidence):
                   Undefined: 0
                   Low: 1
                   Medium: 0
                   High: 0
   Files skipped (0):
   ```

Expected behavior

`More Info: https://bandit.readthedocs.io/en/1.7.10/plugins/b608_hardcoded_sql_expressions.html`

instead of

`More Info: https://bandit.readthedocs.io/en/0.0.0/plugins/b608_hardcoded_sql_expressions.html`

Bandit version

1.7.10 (Default)

Python version

3.11

Additional context

Debian 12.8, kernel 6.1.0-27, but I assume that should be irrelevant.

gothicVI, Nov 18 '24 12:11
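The symptom in the report is that bandit, when it cannot determine its own version inside the pre-commit environment, emits `More Info` links under `/en/0.0.0/`, which do not resolve to any published documentation. The following check, added here as an example and not code from bandit or from the reporter, parses bandit's plain-text output, flags the unresolved `0.0.0` placeholder, rewrites the links to the `rev:` pinned in `.pre-commit-config.yaml`, and reports which bandit version the current interpreter actually sees. It assumes the URL layout shown in the output above (`https://bandit.readthedocs.io/en/<version>/<path>`) and that `installed_bandit_version()` is executed inside the hook environment (for example from a `repo: local` hook); the sample output and config text are constructed for the demonstration.

```python
from __future__ import annotations

import re
from importlib import metadata

# Constructed sample of bandit's text output, modelled on the report above (not a real capture)
SAMPLE_OUTPUT = """\
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Medium
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   More Info: https://bandit.readthedocs.io/en/0.0.0/plugins/b608_hardcoded_sql_expressions.html
   Location: ./test.py:6:4
"""

# Constructed excerpt of a .pre-commit-config.yaml pinning bandit
SAMPLE_CONFIG = """\
repos:
- repo: https://github.com/PyCQA/bandit
  rev: 1.7.10
  hooks:
  - id: bandit
"""

# Assumption: bandit's doc links always follow this layout (as they do in the output on this page)
DOC_URL = re.compile(r"https://bandit\.readthedocs\.io/en/(?P<version>[^/]+)/(?P<path>\S+)")

# Placeholder bandit falls back to when it cannot read its package version
UNRESOLVED_VERSION = "0.0.0"


def find_doc_versions(output: str) -> set[str]:
    """Collect every version segment that appears in a More Info URL."""
    return {m.group("version") for m in DOC_URL.finditer(output)}


def has_unresolved_version(output: str) -> bool:
    """True when at least one doc link carries the 0.0.0 placeholder."""
    return UNRESOLVED_VERSION in find_doc_versions(output)


def rewrite_doc_urls(output: str, expected_version: str) -> str:
    """Point every doc link at expected_version so the report links to real pages."""
    return DOC_URL.sub(
        lambda m: f"https://bandit.readthedocs.io/en/{expected_version}/{m.group('path')}",
        output,
    )


def pinned_rev(config_text: str) -> str | None:
    """Extract the rev: of the PyCQA/bandit entry from pre-commit config text (no yaml dependency)."""
    m = re.search(r"repo:\s*https://github\.com/PyCQA/bandit\s*\n\s*rev:\s*(\S+)", config_text)
    return m.group(1) if m else None


def installed_bandit_version() -> str | None:
    """Version of bandit visible to this interpreter, or None if it is not installed.

    Run inside the hook environment to compare what is installed with what the hook reports.
    """
    try:
        return metadata.version("bandit")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    rev = pinned_rev(SAMPLE_CONFIG)
    print("pinned rev:", rev)
    print("installed bandit:", installed_bandit_version())
    if has_unresolved_version(SAMPLE_OUTPUT):
        print("bandit could not read its version; doc links rewritten to", rev)
        print(rewrite_doc_urls(SAMPLE_OUTPUT, rev or UNRESOLVED_VERSION))
```

Feeding the real hook output into `has_unresolved_version()` turns the broken link into a hard signal for a CI job, and comparing `installed_bandit_version()` against `pinned_rev()` narrows the problem to whether the hook environment itself has lost the package metadata.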

Anything more I could provide?

gothicVI, Dec 26 '24 09:12

Any insight since we're seeing duplicates?

gothicVI, Apr 17 '25 15:04

Anyone?

gothicVI, Sep 10 '25 15:09