tylerwince / flake8-bandit

Automated security testing using bandit and flake8.
MIT License
111 stars 23 forks

Change plugin prefix to not conflict with Bugbear #2

Closed ambv closed 5 years ago

ambv commented 6 years ago

Bugbear is an official PyCQA plugin for flake8 that's been around for several years.

Your new plugin shadows the letter B and in fact deregisters Bugbear if used in the same configuration.

Please choose a new non-conflicting prefix for your plugin.

For reference, see: https://github.com/PyCQA/flake8-bugbear/issues/37

myii commented 6 years ago

@tylerwince @ambv I've made a further comment at https://github.com/PyCQA/flake8-bugbear/issues/37. I'm quoting the salient points below:

The conflict is not with flake8-bandit but rather with openstack/bandit.

There are two projects that are involved here:

  1. https://github.com/openstack/bandit
     1. Project started on 16 July 2014
     2. This is the main project, where the conflicts are arising
  2. https://github.com/tylerwince/flake8-bandit
     1. Project started on 29 Oct 2017
     2. However, this is just a wrapper around bandit
     3. They have no control over the error codes that are supplied by bandit

The OpenStack Bandit project has been using B30x codes for a few years as well.

Taking B301 as the earliest example in both projects:

  1. Bandit: https://github.com/openstack/bandit/commit/c364408faa25ccdc378b72c0a9e2150d20a94cba
     1. This commit was made on 22 Jan 2016
  2. Bugbear: https://github.com/PyCQA/flake8-bugbear/commit/0fb7d8dcadeea6505e1c1506d10fe5f86f44c95e
     1. This commit was made on 8 Jun 2016

tylerwince commented 6 years ago

Thanks @myii and @ambv.

Some comments I made on the issue at https://github.com/PyCQA/flake8-bugbear/issues/37, reposted here to keep track of things:

We could always handle this internally in flake8-bandit. Definitely not a long-term solution, but a workaround until we can figure out which codes are to be used by each project.

What are the thoughts around flake8-bandit changing the openstack/bandit code to be S30x for the time being? (Quick look, and it doesn't appear any other plugins are using S30x, and S makes sense for "security".)

Is anyone using flake8-bandit and comparing those results to the openstack/bandit CLI output? That is the only time I could see this causing an issue, as the codes won't match up.

I've opened up an issue with openstack/bandit to see if we can pull them into the discussion here: https://bugs.launchpad.net/bandit/+bug/1759643
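
The workaround described above (the wrapper rewriting bandit's B30x ids to an S prefix before handing them to flake8) as an added example, not code from flake8-bandit or bandit; the result dicts are constructed to resemble bandit's JSON output and are not real scan data:

```python
# Added example: convert bandit-style findings into flake8 report tuples
# while moving the code prefix from "B" (clashes with Bugbear) to "S".
import re
from typing import Iterator, List, Tuple

# Constructed sample findings shaped like bandit's JSON "results" entries
# (only the fields used here); not real scan output.
SAMPLE_BANDIT_RESULTS: List[dict] = [
    {"test_id": "B301", "line_number": 12, "col_offset": 0,
     "issue_text": "Pickle and modules that wrap it can be unsafe."},
    {"test_id": "B602", "line_number": 40, "col_offset": 4,
     "issue_text": "subprocess call with shell=True identified."},
]

# bandit test ids are the letter B followed by exactly three digits.
_BANDIT_ID = re.compile(r"^B(\d{3})$")


def is_bandit_id(test_id: str) -> bool:
    """True for ids such as 'B301'; False for anything else (e.g. 'E501')."""
    return _BANDIT_ID.match(test_id) is not None


def remap_code(test_id: str, prefix: str = "S") -> str:
    """Turn a bandit test id like 'B301' into the flake8 code 'S301'.

    A malformed id raises instead of silently emitting a code under a
    prefix this plugin never registered.
    """
    match = _BANDIT_ID.match(test_id)
    if match is None:
        raise ValueError(f"not a bandit test id: {test_id!r}")
    return f"{prefix}{match.group(1)}"


def to_flake8(results: List[dict], prefix: str = "S") -> Iterator[Tuple[int, int, str]]:
    """Yield (line, col, "CODE message") tuples, the shape a flake8 plugin
    reports, with every code carrying the non-conflicting prefix."""
    for result in results:
        code = remap_code(result["test_id"], prefix)
        yield (result["line_number"], result["col_offset"],
               f"{code} {result['issue_text']}")


if __name__ == "__main__":
    for line, col, message in to_flake8(SAMPLE_BANDIT_RESULTS):
        print(f"{line}:{col}: {message}")
```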

tylerwince commented 5 years ago

This has been closed. Please see the final discussion here: https://github.com/PyCQA/flake8-bugbear/issues/37