Closed ericwb closed 5 years ago
I believe the issue is there is a syntax error in the code:
browne-a02:travel-preapproval browne$ python test.py
File "test.py", line 193
def Connect(host='localhost', port=443, user='root', pwd,
^
SyntaxError: non-default argument follows default argument
But Precaution shouldn't report overall status as Success for syntax errors. So still problem in the reporting here.
Until the third commit in your example you have a lot of issues - 20 to be exact: https://github.com/ericwb/bandit/pull/2/commits/f3b41ef88a427a336d561dff3a3fa9ed4b4387c7 the same amount of issues I found running Bandit locally.
Then when you look at the weak_crypto file from the fourth commit you don't get any errors by Precaution and the reason for that is because Bandit has a problem scanning the file "weak_crypto".
Overall our problem is that we don't get any feedback from Bandit when it has problems with parsing the AST.
It looks like this is not only a problem to code scanned by Bandit but also about code scanned by Gosec. This is my code:
when I run go run I get:
You expect that Precaution will catch this but it did not.
The problem is not that from more than 3 commits Precaution scan screws up but the problem is that Precaution doesn't catch problems from the ASTs used by Bandit and Gosec.
I created a new issue about it https://github.com/vmware/precaution/issues/144 and I think we can close this issue.
@MVrachev I don't know why we need another issue for this bug. In my second comment I clearly state root cause related to the syntax error.
I just wanted to clarify the bug in the PR message.
Describe the bug Something in the precaution scan is messing up when multiple commits are being added to a PR. On the 3rd or so update of a file, Precaution all the sudden reported Success, when it should still have been fail.
To Reproduce https://github.com/ericwb/bandit/pull/2/checks
Expected behavior I still expect errors since not all problems were resolved. Namely in this case, it no longer shows the errors on using requests module with verify=False (line 896)
Screenshots
Additional context