PyCQA / bandit

Bandit is a tool designed to find common security issues in Python code.
https://bandit.readthedocs.io
Apache License 2.0

Command line argument "number" cannot be supplied from the INI file #922

Closed KAUTH closed 2 years ago

KAUTH commented 2 years ago

Describe the bug

Adding the "number" argument in the Bandit configuration file and running Bandit returns an error.

Reproduction steps

  1. Put an INI file named .bandit in your project’s directory.

  2. Add the "number" command line argument, which defines the maximum number of code lines to output for each issue (https://bandit.readthedocs.io/en/latest/man/bandit.html?highlight=context%20lines#options), in the [bandit] section:

    [bandit]
    number: 1

  3. Run from inside your project directory:

    bandit -r .

Expected behavior

Bandit outputs 1 code line for each issue.

Bandit version

1.7.4 (Default)

Python version

3.8

Additional context

Error message

[main]  INFO    Found project level .bandit file: ./.bandit
[main]  INFO    Using command line arg for selected targets
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.8.10
Traceback (most recent call last):
  File "/home/user/.local/lib/python3.8/site-packages/bandit/core/manager.py", line 188, in output_results
    report_func(
  File "/home/user/.local/lib/python3.8/site-packages/bandit/formatters/screen.py", line 216, in report
    bits.append(get_results(manager, sev_level, conf_level, lines))
  File "/home/user/.local/lib/python3.8/site-packages/bandit/formatters/screen.py", line 166, in get_results
    bits.append(_output_issue_str(issue, "", lines=lines))
  File "/home/user/.local/lib/python3.8/site-packages/bandit/formatters/screen.py", line 148, in _output_issue_str
    [indent + line for line in issue.get_code(lines, True).split("\n")]
  File "/home/user/.local/lib/python3.8/site-packages/bandit/core/issue.py", line 171, in get_code
    max_lines = max(max_lines, 1)
TypeError: '>' not supported between instances of 'int' and 'str'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/.local/bin/bandit", line 8, in <module>
    sys.exit(main())
  File "/home/user/.local/lib/python3.8/site-packages/bandit/cli/main.py", line 672, in main
    b_mgr.output_results(
  File "/home/user/.local/lib/python3.8/site-packages/bandit/core/manager.py", line 197, in output_results
    raise RuntimeError(
RuntimeError: Unable to output report using 'screen' formatter: '>' not supported between instances of 'int' and 'str'

Analysis

When we pass the "number" option from the command line it is stored as an int, see main.py:

parser.add_argument(
    "-n",
    "--number",
    dest="context_lines",
    action="store",
    default=3,
    type=int,
    help="maximum number of code lines to output for each issue",
)

However, when the same option is passed from the INI file it is stored as a string, see main.py:

args.context_lines = _log_option_source(
    parser.get_default("context_lines"),
    args.context_lines,
    ini_options.get("number"),
    "max code lines output for issue",
)

This will cause a runtime error in issue.py, get_code method, e.g.:

max_lines = max(max_lines, 1)
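To make the type mismatch in the analysis above concrete, here is an added, self-contained reproduction that is not bandit's own code: it reads a constructed .bandit INI through configparser, resolves the option with a hypothetical stand-in for _log_option_source (named resolve_option), and hands the result to the same max() call from the traceback; the hardened path coerces the INI string with the option's declared int type and rejects values that are not valid counts.

```python
import argparse
import configparser

# Constructed sample .bandit file, same content as in the report.
SAMPLE_INI = """[bandit]
number: 1
"""


def build_parser():
    """Same -n/--number definition the report quotes from bandit's main.py."""
    parser = argparse.ArgumentParser()
    parser.add_argument("-n", "--number", dest="context_lines",
                        action="store", default=3, type=int)
    return parser


def resolve_option(default, arg_value, ini_value, coerce=None):
    """Hypothetical stand-in for bandit's _log_option_source precedence:
    an explicit CLI value wins, then the INI value, then the parser default.
    `coerce` is the fix: convert the INI string with the option's declared type."""
    if arg_value != default:
        return arg_value
    if ini_value is not None:
        if coerce is None:
            return ini_value          # bug: the INI str leaks through unchanged
        value = coerce(ini_value)     # raises ValueError on junk such as "abc"
        if value < 0:
            raise ValueError("number must be >= 0")
        return value
    return default


def get_code_lines(max_lines):
    """Mirrors the line where the traceback ends: max() of the option and 1."""
    return max(max_lines, 1)


def context_lines(argv, ini_text, hardened):
    """Effective context-line count for the given CLI args and INI contents."""
    args = build_parser().parse_args(argv)
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    ini = dict(cfg["bandit"]) if cfg.has_section("bandit") else {}
    value = resolve_option(3, args.context_lines, ini.get("number"),
                           coerce=int if hardened else None)
    return get_code_lines(value)


if __name__ == "__main__":
    print(context_lines(["-n", "2"], SAMPLE_INI, hardened=False))  # 2, CLI int
    try:
        context_lines([], SAMPLE_INI, hardened=False)
    except TypeError as exc:
        print("INI value without coercion:", exc)
    print(context_lines([], SAMPLE_INI, hardened=True))  # 1, coerced INI str
```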