Unable to find qualified name #907

Closed
bje- opened this issue Jun 9, 2022 · 5 comments · Fixed by #1094 · May be fixed by #941
Labels
bug Something isn't working

Comments

@bje-

bje- commented Jun 9, 2022

Describe the bug

Running bandit on a single source file in the current directory does not seem to work. It produces a warning:

WARNING Unable to find qualified name for module

I am not sure what the warning is trying to achieve?

Reproduction steps

1. $ touch dummy.py
2. $ bandit dummy.py  # produces the warning
3. $ bandit ./dummy.py  # does not produce the warning

Expected behavior

No warning should be produced.

Bandit version

1.7.4 (Default)

Python version

3.8

Additional context

No response

@bje- bje- added the bug Something isn't working label Jun 9, 2022
@mportesdev
Contributor

It's just a warning which doesn't mean that the file is not processed. If you add some content to dummy.py (e.g. exec('pass')) you will see that bandit dummy.py and bandit ./dummy.py will yield the same test results.

@bje-
Author

bje- commented Jun 9, 2022

That warning is produced in both cases.

$ cat dummy.py 
exec('pass')
$ bandit dummy.py | grep WARN
[node_visitor]	WARNING	Unable to find qualified name for module: dummy.py

@mportesdev
Contributor

Yes, but despite the warning, bandit will do the job, i.e. scan the file and report the issue. The warning is emitted in cases where the python file is not a submodule of a package.

@bje-
Author

bje- commented Jun 10, 2022

OK. I have some driver scripts that sit at the top-level of my source tree and every bandit run produces this warning. Could it be suppressed with -q?

@mportesdev
Contributor

I guess it would make sense to increase the logging level to ERROR in quiet mode -- would be consistent with the CLI help message "only show output in the case of an error" (source) and the manager docstring ":param quiet: Whether to only show output in the case of an error" (source).

ericwb added a commit to ericwb/bandit that referenced this issue Jan 16, 2024
The get_module_qualname_from_path() function called by the node
visitor expects that all files are explicitly named with a
"head" and "tail" which are path delimiters to denote where the
file is within a python project.

However, if someone uses the command line and simply asks bandit
to scan dummy.py in the current working directory, it will be
missing the explicit "./" prefix in order for get_module_qualname_from_path
to run and determine the module fully qualified name from the path.

So this fix simply prepends a dot and delimiter to explicitly denote
a file in the current working directory as given from the CLI.

Fixes PyCQA#907

Signed-off-by: Eric Brown <[email protected]>
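The two behaviours discussed above (mportesdev's point that the warning fires when a file is not a submodule of a package, and the commit's point that a bare "dummy.py" has an empty "head" while "./dummy.py" does not) can be reproduced without bandit. The block below is an added example, not bandit's own code: `normalize_cli_path` and `module_qualname_from_path` are hypothetical helpers written for this illustration, and only the `os.path.split` head/tail behaviour they rely on is real. `demo` builds a throwaway package tree in a temporary directory so the example runs offline.

```python
"""Why a bare filename defeats package-relative module naming.

Added example code, not bandit's implementation. The helper names are
hypothetical; the os.path.split() behaviour they depend on is real.
"""
import os
import tempfile


def normalize_cli_path(path):
    """Give a bare filename such as 'dummy.py' an explicit './' prefix.

    os.path.split('dummy.py') returns ('', 'dummy.py'): the head is empty,
    so a qualifier that walks the directory tree has nowhere to start.
    Paths that already carry a directory component are returned unchanged.
    (Hypothetical helper mirroring the fix described in the commit message.)
    """
    head, tail = os.path.split(path)
    if head == "":
        return os.path.join(os.curdir, tail)
    return path


def module_qualname_from_path(path):
    """Derive a dotted module name for a .py file from its location.

    Walks upward from the file's directory, prepending the name of every
    directory that contains an __init__.py (i.e. is a package). Returns None
    when the path has no directory component, which is the situation that
    produced the 'Unable to find qualified name' warning in this issue.
    (Hypothetical helper written for this example.)
    """
    head, tail = os.path.split(path)
    if not head or not tail:
        return None
    module, ext = os.path.splitext(tail)
    if ext != ".py":
        return None
    parts = [module]
    current = os.path.abspath(head)
    while os.path.isfile(os.path.join(current, "__init__.py")):
        parts.insert(0, os.path.basename(current))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return ".".join(parts)


def demo():
    """Build a constructed package tree and compare bare vs. './' paths.

    Layout (constructed for this example):
        <tmp>/dummy.py                 top-level script, not in a package
        <tmp>/pkg/__init__.py
        <tmp>/pkg/sub/__init__.py
        <tmp>/pkg/sub/mod.py           a real submodule
    Returns a dict so the results can be asserted on.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "pkg", "sub")
        os.makedirs(sub)
        for d in (os.path.join(root, "pkg"), sub):
            open(os.path.join(d, "__init__.py"), "w").close()
        open(os.path.join(sub, "mod.py"), "w").close()
        open(os.path.join(root, "dummy.py"), "w").close()

        cwd = os.getcwd()
        os.chdir(root)
        try:
            # Bare filename: empty head, so no qualified name (the warning case).
            results["bare"] = module_qualname_from_path("dummy.py")
            # Same file with the prefix the fix prepends: resolves to 'dummy'.
            results["prefixed"] = module_qualname_from_path(
                normalize_cli_path("dummy.py"))
            # A genuine submodule walks up through both __init__.py files.
            rel = os.path.join("pkg", "sub", "mod.py")
            results["submodule"] = module_qualname_from_path(rel)
            # A path that already has a directory component is left alone.
            results["normalized_submodule"] = normalize_cli_path(rel)
        finally:
            os.chdir(cwd)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the asymmetry the issue reports: `dummy.py` yields no name at all, `./dummy.py` yields `dummy`, and `pkg/sub/mod.py` yields `pkg.sub.mod`. Prepending the current-directory marker costs nothing for paths that already have a directory component, which is why the fix is safe to apply to every CLI argument.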
sigmavirus24 pushed a commit that referenced this issue Jan 20, 2024