Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

pre-commit hook can't read version --> wrong URL generated #1202

Open
gothicVI opened this issue Nov 18, 2024 · 1 comment
Open

pre-commit hook can't read version --> wrong URL generated #1202

gothicVI opened this issue Nov 18, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@gothicVI
Copy link

gothicVI commented Nov 18, 2024

Describe the bug

When running in pre-commit a wrong URL pointing to the documentation is generated. This seems to be due to some bug in the environment that no longer allows the version of bandit to be read somehow.

Reproduction steps

  1. Have some code that causes an issue, e.g.:
import sqlite3
table_name: str = "test"
schema: str = "uuid TEXT"
with sqlite3.connect("my.db") as conn:
    cur: sqlite3.Cursor = conn.cursor()
    cur.execute(f"CREATE TABLE IF NOT EXISTS {table_name} ({schema})")
    cur.close()
  1. Run bandit on the code:
$ bandit --version && bandit test.py
bandit 1.7.10
  python version = 3.11.2 (main, Sep 14 2024, 03:00:30) [GCC 12.2.0]
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.11.2
Run started:2024-11-18 12:03:24.263167

Test results:
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Medium
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   More Info: https://bandit.readthedocs.io/en/1.7.10/plugins/b608_hardcoded_sql_expressions.html
   Location: ./test.py:6:4
5   cur: sqlite3.Cursor = conn.cursor()
6   cur.execute(f"CREATE TABLE IF NOT EXISTS {table_name} ({schema})")
7   cur.close()

--------------------------------------------------

Code scanned:
        Total lines of code: 7
        Total lines skipped (#nosec): 0

Run metrics:
        Total issues (by severity):
                Undefined: 0
                Low: 0
                Medium: 1
                High: 0
        Total issues (by confidence):
                Undefined: 0
                Low: 1
                Medium: 0
                High: 0
Files skipped (0):
  1. Run the same code in pre-commit using the following .pre-commit-config.yaml
...
- repo: https://github.com/PyCQA/bandit
  rev: 1.7.10
  hooks:
  - id: bandit
    args: ["-c", "pyproject.toml"]
    additional_dependencies: ["bandit[toml]"]
    exclude:
      some_stuff_unrelated_to_the_current_file_but_mentioned_to_be_complete_if_necessary
...

yields

$ pre-commit run bandit --file test.py
bandit...................................................................Failed
- hook id: bandit
- exit code: 1

[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: B404,B603
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    using config: pyproject.toml
[main]  INFO    running on Python 3.11.2
Run started:2024-11-18 11:40:13.841442

Test results:
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Medium
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   More Info: https://bandit.readthedocs.io/en/0.0.0/plugins/b608_hardcoded_sql_expressions.html
   Location: ./test.py:6:4
5   cur: sqlite3.Cursor = conn.cursor()
6   cur.execute(f"CREATE TABLE IF NOT EXISTS {table_name} ({schema})")
7   cur.close()

--------------------------------------------------

Code scanned:
        Total lines of code: 7
        Total lines skipped (#nosec): 0

Run metrics:
        Total issues (by severity):
                Undefined: 0
                Low: 0
                Medium: 1
                High: 0
        Total issues (by confidence):
                Undefined: 0
                Low: 1
                Medium: 0
                High: 0
Files skipped (0):

Expected behavior

More Info: https://bandit.readthedocs.io/en/1.7.10/plugins/b608_hardcoded_sql_expressions.html instead of More Info: https://bandit.readthedocs.io/en/0.0.0/plugins/b608_hardcoded_sql_expressions.html

Bandit version

1.7.10 (Default)

Python version

3.11

Additional context

Debian 12.8, kernel 6.1.0-27 but I assume that should be irrelevant.

@gothicVI gothicVI added the bug Something isn't working label Nov 18, 2024
@gothicVI
Copy link
Author

Anything more I could provide?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

1 participant